[HTB] Grandpa

The nmap scan result shows that there is one open port, port 80, and the service running on it is Microsoft IIS httpd 6.0.


Nothing interesting on the web page of the target IP address.


I searched for a known exploit for Microsoft IIS 6.0 with Searchsploit.


CVE-2017-7269, also known as the ScStoragePathFromUrl exploit, seemed like a good choice in this case. Its description said it allows remote attackers to execute arbitrary code. That’s exactly what I was interested in.
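As an added example from the defender's side (not code from the original post), here is a small check that flags raw HTTP requests matching the pattern the CVE-2017-7269 description names: a WebDAV PROPFIND request carrying an oversized If header that begins with <http://. The sample requests and the 256-byte length limit are constructed assumptions for the example.

```python
# Constructed sample requests (not from the original post): one ordinary WebDAV
# PROPFIND, one PROPFIND with the oversized "If:" header that the CVE-2017-7269
# description names, and one plain GET. The 256-byte limit is an assumption.
IF_HEADER_MAX = 256

SAMPLE_REQUESTS = [
    "PROPFIND /docs/ HTTP/1.1\r\nHost: intranet\r\nDepth: 1\r\n"
    "If: <http://intranet/docs/report.docx> (<opaquelocktoken:abc>)\r\n\r\n",
    "PROPFIND / HTTP/1.1\r\nHost: intranet\r\n"
    "If: <http://localhost/" + "A" * 600 + ">\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n",
]


def parse_request(raw):
    """Split a raw HTTP request into (method, path, headers); header names lower-cased."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, path, headers


def flag_request(raw, max_if_len=IF_HEADER_MAX):
    """Return an alert string if the request matches the CVE-2017-7269 pattern, else None."""
    method, path, headers = parse_request(raw)
    if method != "PROPFIND":
        return None
    if_value = headers.get("if", "")
    if if_value.startswith("<http://") and len(if_value) > max_if_len:
        return f"PROPFIND {path}: If header is {len(if_value)} bytes (limit {max_if_len})"
    return None


def scan(requests, max_if_len=IF_HEADER_MAX):
    """Return [(index, alert)] for every request in the list that is flagged."""
    hits = []
    for i, raw in enumerate(requests):
        alert = flag_request(raw, max_if_len)
        if alert is not None:
            hits.append((i, alert))
    return hits


if __name__ == "__main__":
    for idx, alert in scan(SAMPLE_REQUESTS):
        print(f"alert: request #{idx}: {alert}")
```

Only the second constructed request is flagged; the benign PROPFIND and the GET pass through, and raising the limit above the header length silences the alert.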


Looking up the CVE in the msfconsole.


Configuring the options of the exploit.


The exploit ran successfully and I got the meterpreter shell.


However, the current user’s capabilities were so limited that I was not able to enumerate any information. Definitely in need of a privilege escalation.


On previous machines, I remember using the local_exploit_suggester module located under post/multi/recon for post-exploitation.


Out of the many exploits it returned, there were six the target was potentially vulnerable to. I decided to use the ms10_015_kitrap0d exploit because I had used it before.


Contrary to my expectations, the exploit did not work. It kept returning the error “Access is denied”.


I tried another exploit and the result was the same.


Back in the meterpreter shell, I ran the ps command to see which processes were running on the target system. The process our meterpreter payload is currently running in is rundll32.exe, with PID 3724. As you can see from the screenshot above, the User column for that process is empty, meaning the payload has no idea which user it is running as.

In order to stabilize the session and run the post-exploitation module properly, I decided to migrate from the current process to another process running as the admin user.


Migrated from PID 3724 to PID 1880.


After migrating to another process, I backgrounded the session again to make another attempt at privilege escalation. This time I used another exploit, ms14_070_tcpip_ioctl.


Finally the exploitation was successful and all commands worked properly without errors.


Got the user flag.


Got the root flag.


#Hack The Box