Cracking Granny, HackTheBox without Metasploit.

Recon

The IP of the box is 10.10.10.15, let’s do our regular recon.

We can understand that this is a Windows system and MS IIS http 6.0 running at port 80.

What is Microsoft IIS?

This is a web server that runs on MS .NET platform. In the scan it shows that many methods are allowed like PUT and COPY to name a few.

Gaining Access

We can put a reverse shell in the server and try to login using that, but we do have to check which all file types are allowed by the server.

I will be using davtest, this tool can be used to identify which all file types are accepted by the server.

Since this is a .NET server we need to send the reverse shell as a .aspx file. But the server doesn’t allow transfer of aspx file, still .txt and .html are supported.

Also during the first scan it’s clear that the server allows multiple methods, this can be used to our advantage.

Creating the reverse shell ‘foothold’ with file type aspx and changing it to a txt file.

Time to send it to the server.

That worked, now to change the filename back to .aspx.

Running a listener at port 53

Using curl to open the reverse shell.

And we got access to the system.

It’s immediately obvious that the user doesn’t have Admin privileges. Time to find a way to do privilege escalation.

More Recon

A tool called Windows-Exploit-Suggester is available, this compares the system with the Microsoft Vulnerability database to find missing patches. In order to scan the system info needs to be provided.

That is a lot of vulnerabilites, now to pick one.

Since this is an IIS server, I am going to try the MS09–20. The exploit is present in this repo. I will send the file to server in the same way as the reverse shell.

Now to check if it works! Logging into the server.

Yes, I got root access.

To get the shell with root privilege was pretty easy 😂

Flags

That is how I solved Granny. Took me some time but was worth it!!

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store