Hack The Box — Grandpa Writeup without Metasploit

Nimantha Deshappriya
Jul 22, 2020

Grandpa is another easy machine. It runs a vulnerable version of IIS that can easily be exploited with one of the publicly available exploits to obtain a low-privilege shell, which can then be escalated to root or NT_Authority using Churrasco.

Enumeration

Began with the usual Nmap scan.

Nmap revealed that this machine runs Windows 2003 with an IIS server that allows methods like PUT, DELETE and MOVE.

This can also be confirmed with curl.
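The same check from the defender's side, as an added example that is not part of the original writeup: the script parses the reply to an OPTIONS request (for instance the saved output of `curl -i -X OPTIONS` against your own server) and reports the write-capable methods it advertises. The sample response, the baseline list and the function names are assumptions made for illustration.

```python
# Added example: audit the HTTP methods a server advertises in its OPTIONS reply.
# Names and the baseline below are assumptions, not taken from the writeup.
from email.parser import Parser  # header parsing: case-insensitive, handles folding

# Assumption: a plain web site only needs these verbs; anything else needs a reason.
BASELINE = {"GET", "HEAD", "POST", "OPTIONS"}
# Verbs that let a client create, replace, remove or relocate content on the server.
WRITE_VERBS = {"PUT", "DELETE", "MOVE", "COPY", "MKCOL", "PROPPATCH"}

# Constructed OPTIONS reply for illustration, not captured from the target.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "MS-Author-Via: DAV\r\n"
    "DAV: 1, 2\r\n"
    "Public: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL,\r\n"
    " PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH\r\n"
    "Allow: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, COPY, MOVE, PROPFIND, SEARCH, LOCK, UNLOCK\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

def advertised_methods(raw_response: str) -> dict:
    """Return the verbs listed in the Allow and Public headers, plus the DAV flag."""
    text = raw_response.replace("\r\n", "\n")
    head = text.split("\n\n", 1)[0]              # drop any response body
    _status, _, header_block = head.partition("\n")  # drop the status line
    msg = Parser().parsestr(header_block, headersonly=True)
    result = {"dav": msg.get("DAV") is not None}
    for name in ("Allow", "Public"):
        verbs = set()
        for value in msg.get_all(name, []):
            verbs.update(v.strip().upper() for v in value.split(",") if v.strip())
        result[name.lower()] = verbs
    return result

def audit(raw_response: str) -> dict:
    """Compare advertised verbs with the baseline and flag the write-capable ones."""
    found = advertised_methods(raw_response)
    seen = found["allow"] | found["public"]
    return {
        "webdav_enabled": found["dav"],
        "unexpected": sorted(seen - BASELINE),
        "write_capable": sorted(seen & WRITE_VERBS),
        "allowed_on_url": sorted(found["allow"] & WRITE_VERBS),
    }

if __name__ == "__main__":
    for key, value in audit(SAMPLE_RESPONSE).items():
        print(f"{key}: {value}")
```

An empty `write_capable` list with `webdav_enabled` false is the result to expect from a server where WebDAV has been switched off.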

Getting an initial foothold

Cloned the exploit from GitHub and ran it while a netcat (nc) listener was waiting.

Privilege escalation

Ran Windows Exploit Suggester.

This machine is vulnerable to Churrasco, which can be exploited as below.

Transferred Churrasco.exe to the Inetpub folder on the target machine, which is writable.

Confirmed the exploit was working by running the following command.

Executed the exploit as below.

Lessons learned

This machine should have been updated when the patches were made available to prevent any compromises.

14 boxes are down!
