Hack The Box — Grandpa Writeup without Metasploit
Grandpa is another easy machine. It runs a vulnerable version of IIS that can be exploited with one of the publicly available exploits to obtain a low-privilege shell, which can then be escalated to root or NT_Authority using Churrasco.
Enumeration
Began with the usual Nmap scan.
Nmap revealed that this machine runs Windows 2003 with IIS, which allows methods such as PUT, DELETE and MOVE.
This can also be confirmed with curl.
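An added example (not from the original writeup): a Python check that parses an OPTIONS response, such as the one curl returns, and flags write-capable WebDAV methods that should be disabled. The sample response is constructed for illustration, and the function names are hypothetical.

```python
from email.parser import Parser

# Methods that let a client change server-side content.
WRITE_METHODS = {
    "PUT": "creates or overwrites files on the server",
    "DELETE": "removes server-side content",
    "MOVE": "renames or relocates server-side content",
    "COPY": "duplicates server-side content",
    "MKCOL": "creates directories (WebDAV collections)",
    "PROPPATCH": "modifies WebDAV resource properties",
}

# Constructed sample OPTIONS response (not captured from the target).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "DAV: 1, 2\r\n"
    "Public: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND\r\n"
    "Allow: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, MOVE\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def advertised_methods(raw):
    """Return (headers, set of methods named in the Allow and Public headers)."""
    _status, _, header_block = raw.partition("\r\n")
    headers = Parser().parsestr(header_block, headersonly=True)
    methods = set()
    for name in ("Allow", "Public"):
        for value in headers.get_all(name, []):
            methods.update(m.strip().upper() for m in value.split(",") if m.strip())
    return headers, methods


def audit(raw):
    """Flag write-capable methods and whether WebDAV is announced at all."""
    headers, methods = advertised_methods(raw)
    risky = sorted(methods & WRITE_METHODS.keys())
    return {
        "webdav": headers.get("DAV") is not None,
        "findings": {m: WRITE_METHODS[m] for m in risky},
    }


if __name__ == "__main__":
    report = audit(SAMPLE_RESPONSE)
    print("WebDAV announced:", report["webdav"])
    for method, why in report["findings"].items():
        print(f"  {method}: {why}")
```

An advertised method is not proof that the server will accept it for a given path, so treat the output as a list of settings to review rather than confirmed exposure.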
Getting initial foothold
Cloned the exploit from GitHub and ran it while an nc listener was waiting.
Privilege escalation
Ran the Windows Exploit Suggester.
This machine is vulnerable to Churrasco, which can be exploited as below.
Transferred Churrasco.exe to the Inetpub folder on the target machine, which is writable.
Confirmed the exploit was working by running the following command.
Executed the exploit as below.
Lessons learned
This machine should have been updated when the patches were made available to prevent any compromises.
14 boxes are down!