Hackthebox Writeup for grandpa
Reconnaissance
The nmap scan reveals that the server is running IIS httpd 6.0 and that a few HTTP methods are allowed.
Enumeration
On visiting the site, it says "under construction".
Since WebDAV HTTP methods are allowed, try WebDAV as on the Granny machine.
Looks like the PUT method is disabled!
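An added check, not part of the original writeup: given the raw text of an OPTIONS response, it parses the Server, DAV and Allow headers and reports whether WebDAV is enabled on an IIS 6.0 host and whether PUT is actually accepted, which is what the two observations above establish by hand. Both sample responses are constructed for the example, not captured from the box.

```python
import re

# Constructed sample OPTIONS responses (assumptions, not captures from any host):
# an IIS 6.0 host with WebDAV on but PUT absent from Allow, and a hardened host.
IIS6_WEBDAV = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "DAV: 1, 2\r\n"
    "Allow: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK\r\n"
    "Public: OPTIONS, TRACE, GET, HEAD, POST, PUT, DELETE, COPY, MOVE, "
    "PROPFIND, PROPPATCH, MKCOL, SEARCH, LOCK, UNLOCK\r\n"
    "Content-Length: 0\r\n\r\n"
)
HARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/10.0\r\n"
    "Allow: OPTIONS, GET, HEAD\r\n"
    "Content-Length: 0\r\n\r\n"
)
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE",
                  "LOCK", "UNLOCK", "SEARCH"}

def parse_headers(raw):
    """Split a raw HTTP response into (status line, {lowercased name: value})."""
    lines = raw.partition("\r\n\r\n")[0].split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def assess_options_response(raw):
    """Report WebDAV exposure from an OPTIONS response. Only Allow counts:
    Public lists what the server implements, Allow what it accepts here."""
    _, headers = parse_headers(raw)
    allowed = {m.strip().upper() for m in headers.get("allow", "").split(",") if m.strip()}
    server = headers.get("server", "")
    findings = []
    if "dav" in headers and re.search(r"Microsoft-IIS/6\.0", server):
        findings.append("webdav-enabled-on-iis-6.0")  # end-of-life server with WebDAV on
    if allowed & WEBDAV_METHODS:
        findings.append("webdav-methods-allowed")
    if "PUT" in allowed:
        findings.append("put-allowed")                # upload path worth verifying
    return {"server": server, "allowed": sorted(allowed), "findings": findings}
```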
So next, we use searchsploit to check for webdav IIS 6.0 vulnerabilities.
The first one provides code execution, so we use it.
Set the LHOST and RHOSTS options and run the exploit.
Grab the Meterpreter session.
Spawn a shell.
For some reason, the shell is not stable, so we migrate to another process that's running with the same privilege.
From the Offsec page:
Using the migrate post module, you can migrate to another process on the victim, which means the shell will execute from the context of that process.
Privilege Escalation
For priv esc, background the current session.
The background command
The background command will send the current Meterpreter session to the background and return you to the 'msf' prompt. To get back to your Meterpreter session, just interact with it again, e.g. "sessions -i 1".
And get the flags.
Skills learnt from this box
I learnt the use of Meterpreter from this box: things like migrating to a process, backgrounding a session and getting it back.