Grandpa is one of the simpler machines on Hack The Box, however it covers the widely-exploited CVE-2017-7269. This vulnerability is trivial to exploit and granted immediate access to thousands of IIS servers around the globe when it became public knowledge.
Enumerating the machine
We see everything is being done on port 80 on this machine. Lets navigate to the site
Nothing of note. Lets gobuster it
/images produces this message
Dead end. From here I went back to our nmap scan results. Searched for IIS 6.0 and received these results
There are a few good results in here to test. After working through some of the searchsploit results, the Webdav scstoragepathfromURL remote buffer overflow appears to be the one we want to utilize.
From here instead of going the manual route, I launched from metasploit.
Setting our options, we launch and get a meterpreter session!
With the meterpreter session, we are unable to access the user (Harry’s) desktop to get the user flag.
We are going to need to escalate privileges. So lets background our session and try and utilize the local_exploit_suggester module in metasploit.
None of the exploits listed seemed to work due to “access denied”.
Jumped backed into the meterpreter session and decided to migrate to a different process to test
Doing this and testing again with the module exploit/windows/local/ms14_058_track_popup_menu seemed to work!
From here we just need to navigate to the user desktop and the admin desktop and we have our flags!
