HTB: Granny Writeup w/o Metasploit

cyber shinobii
3 min read, Dec 29, 2021

Recon

This was another box we did during a live session. It was a lot of fun and very informative. The first thing we did was kick off our nmap scan. This time we did a manual nmap scan to illustrate how nmap works. We only found one port open (80).

nmap -Pn -sV -vv --top-ports 25 10.10.10.15 --open

Since port 80 is open, it’s safe to browse to the site to see what’s there.

Enumeration

After browsing to the site, it shows some extra information about the service it's running, which is a weakness in itself (version disclosure). But the page did not give us anything we could use to get a shell. So what's next? Google Kung Fu. We took what we found from our nmap scan to find more information on the target.

Googling the service information we found in the nmap output (Microsoft IIS httpd 6.0) gives us a few exploits. We tried one, but it did not work. We really didn't give it a chance to work because I wasn't sure if I was using it right, then abandoned it for something else. But we could've gotten it to work if we swapped out the shell code with something pointing back to us.

Exploitation

The exploit we did use to get a shell is here.

https://github.com/g0rx/iis6-exploit-2017-CVE-2017-7269

You can see how we exploited the box to get a shell in the screenshots above. Now that we have backend access, we want to escalate our privileges. The systeminfo command showed the operating system version was Windows 2003 Server.
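As an added defensive example (not from the writeup or the exploit repo above): the CVE-2017-7269 request is a WebDAV PROPFIND whose If: header is far longer than any real client sends and carries non-ASCII bytes, so a simple check over captured HTTP requests can flag it. The length threshold and the two sample requests are constructed assumptions.

```python
"""Flag HTTP requests shaped like the IIS 6.0 WebDAV overflow (CVE-2017-7269).
Added example for this writeup; threshold and samples are constructed."""
from typing import Optional

# A legitimate If: header carries a lock token or ETag, normally well under
# 200 bytes. The overflow needs a very long If: value, so a generous cap
# separates benign WebDAV traffic from exploit attempts cleanly.
IF_HEADER_LIMIT = 512  # constructed threshold, tune to your environment


def parse_request(raw: bytes) -> tuple[str, str, dict[str, str]]:
    """Split a raw HTTP/1.x request head into (method, target, headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("utf-8", errors="replace")
    lines = head.split("\r\n")
    method, target = lines[0].split(" ")[:2]
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def check_webdav_overflow(raw: bytes) -> Optional[str]:
    """Return a finding if the request looks like a CVE-2017-7269 attempt."""
    method, target, headers = parse_request(raw)
    if_value = headers.get("if")
    if method != "PROPFIND" or if_value is None:
        return None
    if len(if_value) > IF_HEADER_LIMIT:
        return f"PROPFIND {target}: If header {len(if_value)} bytes (> {IF_HEADER_LIMIT})"
    # Lock tokens are plain ASCII; the public exploit embeds wide characters.
    if any(ord(c) > 0x7F for c in if_value):
        return f"PROPFIND {target}: non-ASCII bytes in If header"
    return None


# Constructed samples: a normal lock-token request and a suspicious one.
BENIGN = (b"PROPFIND /docs/ HTTP/1.1\r\nHost: granny\r\n"
          b"If: (<opaquelocktoken:e71d4fae-5dec-22d6-fea5-00a0c91e6be4>)\r\n\r\n")
SUSPICIOUS = (b"PROPFIND / HTTP/1.1\r\nHost: granny\r\n"
              b"If: <http://localhost/" + b"a" * 700 + b">\r\n\r\n")

if __name__ == "__main__":
    for name, req in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(name, "->", check_webdav_overflow(req))
```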

systeminfo

Privilege Escalation

We did more Google Kung Fu on Windows 2003, and the first thing that popped up was a token kidnapping exploit. Reading it reminded me of the Juicy Potato exploit, and the account did have the token privileges needed to conduct the Juicy Potato exploit.

https://www.exploit-db.com/exploits/6705

We used the token kidnapping LPE to escalate our privileges to admin. We were able to do it using this git repo here. We used the executable in that repo and a shell.exe payload we created using msfvenom. smbserver.py (python3 /usr/share/doc/python3-impacket/examples/smbserver.py kali .) was started to host those files (churrasco.exe, shell.exe) for us so that we could copy them over to the victim (granny) machine. Keep in mind, we needed to be in the Windows\TEMP directory to copy files. Once our files were there, we used "churrasco.exe" to execute our shell.exe payload. This returned a shell with elevated privileges.

netcat listener standing by for elevated shell from churrasco.exe

Conclusion

From here you can capture your flags. This was a fun box and a great one to use for learning purposes. We grabbed our initial shell because of an IIS 6.0 vulnerability. Afterwards we escalated our access to SYSTEM privileges due to the server being an end-of-life system (Windows 2003 Server). Hopefully you enjoyed this writeup. Here is a link to the video walkthrough. Thank you!