Hackthebox Writeup for grandpa

Sheetal Patil
3 min read, Jul 18, 2021

Reconnaissance

The nmap scan reveals that the server is running IIS httpd 6.0 and that a few HTTP methods are allowed.

Enumeration

On visiting the site, it says "under construction".

Since the extra HTTP methods are allowed, we try WebDAV, as on the Granny machine.

Looks like the PUT method is disabled!
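From the defender's side, the same two observations (extra HTTP methods exposed, a rejected PUT) are exactly what should stand out in the IIS logs. The following is an added example, not part of the original writeup or any tool it uses: a small parser for IIS 6.0 W3C extended logs that flags method discovery, WebDAV methods, rejected upload attempts and oversized request paths. The log lines, the IP addresses and the user agents are constructed for the example; the field layout follows the standard W3C header that IIS writes.

```python
"""Flag WebDAV-related activity in IIS 6.0 W3C extended logs (added example)."""

# Methods that are only meaningful when WebDAV is enabled on the server
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE",
                  "LOCK", "UNLOCK", "PUT", "DELETE", "SEARCH"}

# Constructed sample log (not real traffic). IIS writes one #Fields: header
# naming the columns; values are space separated, spaces inside values are '+'.
LONG_URI = "/" + "A" * 300  # constructed oversized path to exercise the length check
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 6.0",
    "#Version: 1.0",
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
    "cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status",
    "2021-07-18 10:00:01 10.10.10.14 GET /index.htm - 80 - 10.10.14.5 Mozilla/5.0 200 0 0",
    "2021-07-18 10:00:02 10.10.10.14 OPTIONS / - 80 - 10.10.14.5 curl/7.74.0 200 0 0",
    "2021-07-18 10:00:03 10.10.10.14 PROPFIND / - 80 - 10.10.14.5 cadaver/0.23.3 207 0 0",
    "2021-07-18 10:00:04 10.10.10.14 PUT /test.txt - 80 - 10.10.14.5 cadaver/0.23.3 403 0 0",
    f"2021-07-18 10:00:05 10.10.10.14 PROPFIND {LONG_URI} - 80 - 10.10.14.5 Mozilla/4.0 500 0 0",
])


def parse_iis_log(text):
    """Yield one dict per request line, keyed by the names in the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]       # column names follow the directive
            continue
        if not line or line.startswith("#"):
            continue                        # other directives and blank lines
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue                        # malformed or pre-header line, skip it
        yield dict(zip(fields, parts))


def find_webdav_activity(text, max_uri_len=200):
    """Return a list of findings; each carries the reasons the request was flagged."""
    findings = []
    for rec in parse_iis_log(text):
        method, uri, status = rec["cs-method"], rec["cs-uri-stem"], rec["sc-status"]
        reasons = []
        if method == "OPTIONS":
            reasons.append("method discovery (OPTIONS)")
        if method in WEBDAV_METHODS:
            reasons.append(f"WebDAV method {method}")
        if method == "PUT" and status in ("401", "403", "405"):
            # an upload that the server refused still shows someone probing for it
            reasons.append("rejected upload attempt")
        if len(uri) > max_uri_len:
            reasons.append(f"oversized URI ({len(uri)} chars)")
        if reasons:
            findings.append({
                "time": f"{rec['date']} {rec['time']}",
                "client": rec["c-ip"],
                "method": method,
                "status": status,
                "reasons": reasons,
            })
    return findings


def clients_by_finding_count(findings):
    """Count flagged requests per client address, to spot a single noisy source."""
    counts = {}
    for f in findings:
        counts[f["client"]] = counts.get(f["client"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_webdav_activity(SAMPLE_LOG)
    for h in hits:
        print(h["time"], h["client"], h["method"], h["status"], "; ".join(h["reasons"]))
    print("per client:", clients_by_finding_count(hits))
```

On the sample the plain GET passes, while the OPTIONS probe, the PROPFIND, the refused PUT and the oversized PROPFIND path are each reported with their reason. The length threshold is a tunable default; for a real server, feed the function the contents of the W3C log file and review the per-client counts first.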

So next, we use searchsploit to check for IIS 6.0 WebDAV vulnerabilities.

The first one provides code execution, so we use it.

Set the LHOST and RHOSTS options and run the exploit.

Grab the meterpreter session

Spawn shell

For some reason, the shell is not stable, so we migrate to another process that's running with the same privilege.

From the Offsec page:

Using the migrate post module, you can migrate to another process on the victim, which means the shell will execute from the context of that process.

Privilege Escalation

For privilege escalation, background the current session.

The background command

The background command will send the current Meterpreter session to the background and return you to the ‘msf’ prompt. To get back to your Meterpreter session, just interact with it again, e.g. “sessions -i 1”.

And get the flags.

Skills learnt from this box

I learnt the use of Meterpreter from this box: things like migrating to a process, backgrounding a session and getting it back.
