HTB Grandpa Walkthrough
Let's start out by doing a simple nmap scan.
We can see that there is only one port open (80), so let's go check it out.
It looks as if this is the only page we can see, so let's rerun the nmap scan but dig a little deeper.
From this scan we can see that Microsoft IIS 6.0 is running. Let's open up Metasploit and see if we can find anything.
Opening up msfconsole and using its search feature got us a few options. Let's use option 2.
After filling in all the needed options, you can run check; doing so reports that this server is vulnerable to this exploit, so let's run it!
Success! We were able to get a Meterpreter session. I tried running getuid to see who I was, but did not have the correct privilege, so let's run ps and see if we can migrate.
I was able to migrate over to a different service and can now run getuid. As you can see, I am only NT AUTHORITY\NETWORK SERVICE; we still need to up our privilege to SYSTEM, so let's run Metasploit's Suggester and see if we can use one of the built-in exploits.
Suggester returned a handful of exploits to try, so let's try the bottom one first.
I use the exploit suggested, input the required info, and run it.
After running it the first time I was not able to get a reverse shell, but I know that Metasploit can be a little finicky sometimes, so I ran it a second time and was successfully able to escalate myself to NT AUTHORITY\SYSTEM. From this I was able to grab the user flag and root flag.
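The IIS 6.0 version banner from the second nmap scan is what pointed the rest of this walkthrough at a known exploit, so the same scan output is worth checking on your own hosts. The script below is an added example, not part of the original walkthrough: it parses nmap's XML service-detection output and lists open IIS services below a minimum version. The sample XML, the addresses and the MIN_IIS_VERSION threshold are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Assumed policy threshold for this example: report IIS older than this.
MIN_IIS_VERSION = (10, 0)

# Constructed `nmap -sV -oX` output (documentation addresses, not from the page).
SAMPLE_XML = """<nmaprun>
<host><address addr="192.0.2.10" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="80"><state state="open"/>
    <service name="http" product="Microsoft IIS httpd" version="6.0"/></port>
</ports></host>
<host><address addr="192.0.2.11" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="443"><state state="open"/>
    <service name="http" product="Microsoft IIS httpd" version="10.0"/></port>
  <port protocol="tcp" portid="8080"><state state="open"/>
    <service name="http" product="Microsoft IIS httpd"/></port>
</ports></host>
</nmaprun>"""

def parse_version(text):
    """Turn '6.0' into (6, 0); stop at the first non-numeric component."""
    parts = []
    for piece in text.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)

def find_outdated_iis(xml_text, minimum=MIN_IIS_VERSION):
    """Return (address, port, version) for open IIS services below `minimum`."""
    findings = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr_el = host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else "unknown"
        for port in host.iter("port"):
            state, svc = port.find("state"), port.find("service")
            if state is None or svc is None or state.get("state") != "open":
                continue
            if "Microsoft IIS" not in svc.get("product", ""):
                continue
            version = parse_version(svc.get("version", ""))
            # A hidden version is reported too, so it gets checked by hand.
            if not version or version < minimum:
                findings.append((addr, int(port.get("portid")), svc.get("version") or "unknown"))
    return findings

if __name__ == "__main__":
    print(find_outdated_iis(SAMPLE_XML))
```

IIS 6.0 shipped with Windows Server 2003, which has been out of support since July 2015, so any hit at that version means the host itself needs replacing rather than patching.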
- @ July 23, 2021 4:42 am