Saturday, February 2, 2019

Grandpa


GRANDPA

- Layout for this exercise:





1 - INTRODUCTION

- The goal of this exercise is to develop a hacking process for the vulnerable machine Grandpa, which is a retired machine from the Hack The Box pentesting platform:

https://www.hackthebox.eu

2 - ENUMERATION

Grandpa's IP is 10.10.10.14:




- Scanning with Nmap:




- Scanning the only open port, 80, in more depth, we learn that the web server is running Microsoft IIS httpd 6.0:




3 - EXPLOITATION

So Grandpa is running IIS 6.0 on port 80, which can be targeted with these exploits:





- In fact, there is a Metasploit module for this specific exploit:








- Let's try the exploit:






- Setting Grandpa's IP as RHOST and checking the vulnerability:




- Because we had some problems running the exploit, let's widen both the MIN and MAX path lengths to the interval 1 to 300:



- Running the exploit yields a successful Meterpreter session:





- Getting information about the system:





- However, it seems that the Meterpreter session is limited:
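From the defender's side, the path-length setting widened above is also the signal to hunt for: a legitimate site never serves request paths hundreds of characters long. The following is an added example, not code from the original post, that parses an IIS W3C extended log and flags over-long paths and the end-of-life IIS 6.0 banner; the log lines are constructed, and the client address 10.10.14.5 is an assumption (only 10.10.10.14 appears in the post).

```python
"""Flag over-long request paths in an IIS W3C extended log (added example)."""
from typing import Dict, Iterator, List

# Constructed sample log, not taken from the original post. The client
# address 10.10.14.5 is an assumption; only 10.10.10.14 appears in the post.
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 6.0",
    "#Version: 1.0",
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
    "c-ip sc-status",
    "2019-02-02 10:00:01 10.10.10.14 GET /index.htm - 80 10.10.14.5 200",
    "2019-02-02 10:00:02 10.10.10.14 GET /images/logo.gif - 80 10.10.14.5 200",
    "2019-02-02 10:00:09 10.10.10.14 GET /" + "A" * 250 + " - 80 10.10.14.5 500",
])


def parse_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per request line, keyed by the names in #Fields."""
    fields: List[str] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names follow the directive
        elif line.startswith("#") or not line.strip():
            continue                       # other directives and blank lines
        else:
            values = line.split(" ")
            if len(values) != len(fields):
                continue                   # malformed line: skip rather than guess
            yield dict(zip(fields, values))


def long_path_requests(text: str, max_len: int = 200) -> List[Dict[str, str]]:
    """Return requests whose path (cs-uri-stem) exceeds max_len characters.

    The post widens the exploit's path-length range to 1..300, far beyond what
    browsing this site produces, so length alone is a usable review trigger;
    tune max_len per site from a baseline of normal traffic.
    """
    return [r for r in parse_w3c(text) if len(r["cs-uri-stem"]) > max_len]


def server_software(text: str) -> str:
    """Return the #Software banner so an inventory can flag IIS 6.0 (end of life)."""
    for line in text.splitlines():
        if line.startswith("#Software:"):
            return line.split(":", 1)[1].strip()
    return ""


if __name__ == "__main__":
    print(server_software(SAMPLE_LOG))
    for hit in long_path_requests(SAMPLE_LOG):
        print(hit["c-ip"], hit["cs-method"], len(hit["cs-uri-stem"]), hit["sc-status"])
```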





4 - PRIVILEGE ESCALATION

- Let's migrate to a more privileged process:








- Backgrounding the session:




- Looking for local privilege escalation exploits for SESSION 1:




- The last one seems to be interesting:




- Launching the exploit for SESSION 1:




- However, it fails when run, and the reason is clear: by default it has taken the IP of Kali's non-VPN interface:





- Resetting LHOST and LPORT:





- Extending the WAIT period to 60 seconds:




- Running the exploit, we get another successful Meterpreter session, this time with System privileges:






5 - CAPTURING THE FLAGS

- Spawning a shell:




- Reading the 1st flag user.txt:





- Reading the 2nd flag root.txt: