Granny HTB

IP

10.10.10.15

initial nmap scan

sudo nmap -p- --min-rate 10000 10.10.10.15 | grep '^[0-9]' | cut -d"/" -f1 | tr '\n' ','

Looks like we have one port open on the machine

80

Let's enumerate port 80 further and see what else we can find.

sudo nmap -sCV -p80 -oA nmap_scan 10.10.10.15

results

PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 6.0
|_http-title: Under Construction
|_http-server-header: Microsoft-IIS/6.0
| http-methods: 
|_  Potentially risky methods: TRACE DELETE COPY MOVE PROPFIND PROPPATCH SEARCH MKCOL LOCK UNLOCK PUT
| http-webdav-scan: 
|   Server Type: Microsoft-IIS/6.0
|   Allowed Methods: OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK
|   Server Date: Tue, 02 Jan 2024 02:37:59 GMT
|   WebDAV type: Unknown
|_  Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

We can see

  • Microsoft IIS httpd 6.0 is running (the Windows Server 2003 web server, long out of support)

  • WebDAV is enabled, and the server advertises write methods such as PUT, DELETE, COPY, MOVE and MKCOL. PUT shows up in the public OPTIONS reply but not in the per-resource Allowed Methods list, so whether uploads actually work still needs testing
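The nmap output above lists several write-capable WebDAV methods, so the sensible next check is whether an upload actually succeeds before reaching for an exploit. The script below is an added example and is not part of the original writeup: it parses the nmap output shown above (pasted in as a sample so the parsing runs offline), decides which upload routes are worth testing, and carries a live probe function that PUTs a harmless text file and tries to MOVE it to an .aspx name. The target URL, the probe file name and the temp path are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not from the original writeup. Triage the WebDAV methods nmap
# reported and (by hand) probe whether PUT and MOVE actually work on the target.
# NMAP_SAMPLE is the nmap output shown above, pasted in so the parsing runs offline.

NMAP_SAMPLE='PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 6.0
| http-methods:
|_  Potentially risky methods: TRACE DELETE COPY MOVE PROPFIND PROPPATCH SEARCH MKCOL LOCK UNLOCK PUT
| http-webdav-scan:
|   Server Type: Microsoft-IIS/6.0
|   Allowed Methods: OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK
|_  Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH'

# Print the methods from nmap's "Potentially risky methods" line that can create,
# rename or delete content on the server, in the order nmap listed them.
write_methods() {
  printf '%s\n' "$1" \
    | sed -n 's/.*Potentially risky methods: //p' \
    | tr ' ' '\n' \
    | grep -E '^(PUT|DELETE|COPY|MOVE|MKCOL|PROPPATCH)$' \
    | tr '\n' ' ' | sed 's/ $//'
}

# Given that method list, say which upload routes are worth testing. IIS 6 can refuse
# a direct PUT of script extensions while still accepting a PUT of .txt followed by a
# MOVE or COPY to the script name, so the rename routes are the ones to try.
upload_plan() {
  case " $1 " in
    *" PUT "*) ;;
    *) echo "no PUT: WebDAV upload not possible"; return 0 ;;
  esac
  echo "PUT: try a .txt probe, then a direct .aspx upload"
  case " $1 " in *" MOVE "*) echo "PUT+MOVE: upload as .txt, then MOVE it to .aspx" ;; esac
  case " $1 " in *" COPY "*) echo "PUT+COPY: upload as .txt, then COPY it to .aspx" ;; esac
}

# Live probe (not run from this file): PUT a harmless text file, try to MOVE it to
# an .aspx name, then GET the result. The probe name is an assumption; delete the
# files from the server afterwards.
webdav_probe() {
  local base="$1" probe="${2:-probe_$$}"
  printf 'webdav probe\n' > "/tmp/$probe.txt"
  curl -s -o /dev/null -w 'PUT  %{http_code}\n' -X PUT --data-binary "@/tmp/$probe.txt" "$base/$probe.txt"
  curl -s -o /dev/null -w 'MOVE %{http_code}\n' -X MOVE -H "Destination: $base/$probe.aspx" "$base/$probe.txt"
  curl -s -o /dev/null -w 'GET  %{http_code}\n' "$base/$probe.aspx"
}

# Usage: write_methods "$NMAP_SAMPLE"; upload_plan "$(write_methods "$NMAP_SAMPLE")"
#        webdav_probe http://10.10.10.15      # against the live target only
```

A 201 on the PUT and a 201 or 204 on the MOVE mean the server both accepts uploads and renames across extensions; a 403 or 405 on the direct .aspx PUT with a successful MOVE is the classic IIS 6 pattern. Either way, remove the probe files when done.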

This looks very similar to the Grandpa box we solved recently, so we can try the same exploit and get a shell on the system.

  1. Start a listener

  2. Run the exploit script

Looking back at our listener we can see we have a shell on the target

Since the Grandpa box was vulnerable to token manipulation, there is a good chance the same applies here. Let's check.

Looks like it does, so let's upload

  • nc.exe

  • churrasco.exe

  1. Start an SMB server with both files in the share

  2. Copy the files across to the target machine

  3. Start a listener

  4. Run churrasco

Looking back at our listener, we should now have a shell as nt authority\system.
