Hack The Box

HackTheBox “Grandpa” Walkthrough

Grandpa is an easy Windows Hack The Box machine centered on an IIS 6 WebDAV buffer-overflow path and subsequent privilege escalation.

HackTheBox “Grandpa” Walkthrough, figure 1

Grandpa, an easy-level Windows OS machine on HackTheBox, revolves around leveraging a specific vulnerability within the IIS version 6, commonly known as a WebDAV buffer overflow exploit. By manipulating this weakness, we can gain unauthorized access to the target system. Furthermore, the privilege escalation stage involves leveraging a vulnerability in the Windows WMI service, allowing us to elevate our privileges and gain greater control over the compromised machine.

Let’s get started! 🚀

Recon & Enumeration

Let’s use nmap to scan for open ports and services:

HackTheBox “Grandpa” Walkthrough, figure 2

Visit the site.

HackTheBox “Grandpa” Walkthrough, figure 3

Let’s hop into searchsploit to look for exploits affecting IIS 6.0 WebDAV.

HackTheBox “Grandpa” Walkthrough, figure 4

We will conduct a Google search to explore alternative versions of the first exploit in the results of searchsploit as it failed to work with me here.

HackTheBox “Grandpa” Walkthrough, figure 5

We will go with the Python script here and have a look at it to gain insights into the prerequisites for this exploit.

HackTheBox “Grandpa” Walkthrough, figure 6

Download it to our attack box.

HackTheBox “Grandpa” Walkthrough, figure 7

Add the shebang line to the location of our python interpreter.

HackTheBox “Grandpa” Walkthrough, figure 8

Launch our listener.

HackTheBox “Grandpa” Walkthrough, figure 9

Launching the exploit.

HackTheBox “Grandpa” Walkthrough, figure 10

And we have a shell.

HackTheBox “Grandpa” Walkthrough, figure 11

We are going to need to escalate our privileges here as we have limited access rights, let’s check which privileges have been assigned to this account.

HackTheBox “Grandpa” Walkthrough, figure 12

Let’s also have a look at the system’s information.

HackTheBox “Grandpa” Walkthrough, figure 13

Having SEImpersonalPrivilege enabled on the target machine and running Windows 2003 with IIS 6.0, means that we are lucky to utilize Token Kidnapping exploit and have a system shell.

Download the binary file of the exploit here to our attack box.

HackTheBox “Grandpa” Walkthrough, figure 14

We will create a “temp” directory within the C partition of the target machine.

HackTheBox “Grandpa” Walkthrough, figure 15

As “certutil.exe” failed to download the exploit via an HTTP server, we will deploy an SMB server from our attack box’s working directory to transfer “Netcat” and “Churrasco.exe”.

HackTheBox “Grandpa” Walkthrough, figure 16

Copy “Netcat” and “Churrasco.exe”.

HackTheBox “Grandpa” Walkthrough, figure 17

Launch a listener on our attack box.

HackTheBox “Grandpa” Walkthrough, figure 18

Proceed with executing the command below to establish a connection back to our attack box using “Netcat”.

HackTheBox “Grandpa” Walkthrough, figure 19

And we get a system shell on our listener.

HackTheBox “Grandpa” Walkthrough, figure 20

Cheers.