HTB Grandpa (Metasploit)
HTB Grandpa Walkthrough
Let's start out by doing a simple nmap scan.

We can see that there is only one port open (80), so let's go check it out.

It looks as if this is the only page we can see, so let's rerun the nmap scan but dig a little deeper.

From this scan we can see that Microsoft IIS 6.0 is running. Let's open up Metasploit and see if we can find anything.
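The defender's counterpart to this step, as an added example that is not part of the original walkthrough: a small Python script that parses nmap's service-detection XML output (the `-sV -oX` form) and flags banners whose product version is past end of support, the kind of check an asset-inventory or exposure-review job would run over scan results. IIS 6.0 ships only with Windows Server 2003, which left extended support in 2015, so a banner like the one found here should stand out in any inventory. The XML document, the host addresses (TEST-NET ranges) and the end-of-life table are all constructed for illustration and are assumptions, not data from the box.

```python
"""Flag end-of-support web server banners in nmap -sV XML output.

Added example, not from the original walkthrough. The sample XML below is
constructed in nmap's -oX format; the end-of-life table is an assumption kept
deliberately small so the logic is easy to follow.
"""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -sV -oX` output (not captured from the box).
# Host .10 mimics the finding in the walkthrough; host .11 shows a current
# version, a banner with no product string, and a closed port.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 192.0.2.0/24">
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="Microsoft IIS httpd" version="6.0" method="probed" conf="10"/>
      </port>
    </ports>
  </host>
  <host>
    <address addr="192.0.2.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21">
        <state state="closed" reason="reset"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="open" reason="syn-ack"/>
        <service name="https" product="Microsoft IIS httpd" version="10.0" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="8080">
        <state state="open" reason="syn-ack"/>
        <service name="http" method="table" conf="3"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""

# Assumed end-of-life ceilings: any version at or below the tuple is flagged.
# IIS 7.5 and earlier only run on Windows Server 2008 R2 and older releases,
# all of which are past Microsoft's extended-support end date.
EOL_MAX_VERSION = {
    "Microsoft IIS httpd": (7, 5),
}


def _version_tuple(version: str | None) -> tuple[int, int] | None:
    """Reduce a banner version like '6.0' or '10.0.14393' to (major, minor)."""
    m = re.match(r"(\d+)(?:\.(\d+))?", version or "")
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2) or 0))


def is_eol(product: str | None, version: str | None) -> bool:
    """True when the product is in the table and its version is at/below the ceiling."""
    ceiling = EOL_MAX_VERSION.get(product or "")
    v = _version_tuple(version)
    return bool(ceiling and v and v <= ceiling)


def parse_services(nmap_xml: str) -> list[dict]:
    """Return one record per open port with whatever product/version nmap reported."""
    root = ET.fromstring(nmap_xml)
    records = []
    for host in root.iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports carry no banner to assess
            svc = port.find("service")
            records.append({
                "host": addr,
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "name": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None,
            })
    return records


def flag_eol(records: list[dict]) -> list[dict]:
    """Keep only the records whose banner matches the end-of-life table."""
    return [r for r in records if is_eol(r["product"], r["version"])]


def report(nmap_xml: str) -> list[str]:
    """One human-readable finding per end-of-life service in the scan."""
    return [
        f"{r['host']}:{r['port']}/{r['proto']} {r['product']} {r['version']} is past end of support; "
        "inventory the exposure and retire or isolate the host"
        for r in flag_eol(parse_services(nmap_xml))
    ]


if __name__ == "__main__":
    for line in report(SAMPLE_NMAP_XML):
        print(line)
```

To run it on a real scan, pass the text of the `-oX` file to `report()`. A version ceiling per product is cruder than a full lifecycle database, but it is enough to surface the case in this walkthrough, and banners with no version string are deliberately left unflagged rather than guessed at.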

Opening up msfconsole and using its search feature got us a few options. Let's use option 2.

After filling in all the needed options, you can run check; doing so reports that this server is vulnerable to this exploit, so let's run it!

Success! We were able to get a Meterpreter session. I tried running getuid to see who I was, but did not have the correct privilege, so let's run ps and see if we can migrate.

Getting Root
I was able to migrate over to a different service and can now run getuid. As you can see, I am only NT AUTHORITY\NETWORK SERVICE; we still need to raise our privilege to SYSTEM, so let's run Metasploit's Suggester and see if we can use one of the built-in exploits.

Suggester returned a handful of exploits to try, so let's try the bottom one first.

I use the suggested exploit, input the required info, and run it.

After running it the first time I was not able to get a reverse shell, but I know that Metasploit can be a little finicky sometimes, so I ran it a second time and was successfully able to escalate myself to NT AUTHORITY\SYSTEM. From this I was able to grab the user flag and root flag.
Filed under: HTB,Metasploit - @ July 23, 2021 4:42 am
Tags: HTB, Metasploit