Hack the Box Challenge: Granny Walkthrough

Hello friends!! Today we are going to solve another CTF challenge “Granny” which is categories as retired lab presented by Hack the Box for making online penetration practices. Challenges in this lab are not hard to complete although they are like a brain teaser for the beginner as well as for expert penetration tester too. 

Level: Intermediate

Task: find user.txt and root.txt file on the victim’s machine.

Since these labs are online accessible therefore they have static IP. The IP of Granny is so let’s initiate with nmap port enumeration.

From the given below image, you can observe we found port 80 is open and Microsoft IIS 6.0 is running in victim’s network.

Significant port 80 is open in the victim’s network we preferred to explore his IP in the browser and resulting web page is shown below.

Since we know Microsoft IIS httpd 6.0 is running in victims system therefore when I Google I found Rapid 7 exploit for this as highlighted in given below image.

Without wasting time I open a new terminal and type msfconsole for loading Metasploit framework and use module iis_webdav for exploiting targets system.

From given below image you can observe meterpreter shell session1 opened for accessing victim tty shell.

Every time my meterpreter session get died therefore I go post exploitation for migrating current process into another process by executing the following module.

Above module will migrate a Meterpreter session from one process to another. A given process PID to migrate to or the module can spawn one and migrate to that newly spawned process.

Then I run a post exploit “Multi Recon Local Exploit Suggester” that suggests local meterpreter exploits that can be used for the further exploit. The exploits are recommended founded on the architecture and platform that the user has a shell opened as well as the available exploits in meterpreter.

Wonderful!! Exploit Suggester truly proof itself by suggesting another exploit name to which target is vulnerable. So now we will go with the last option as highlighted in the image.

At this time use pprFlattenRec Local Privilege Escalation module for making unauthorized access again but as privileged user.

Nice!! It works and we got meterpreter session 2 as system user and you can check in below image.

As we have tty shell that has system privileges now let’s complete this task my searching user.txt and root.txt flag which is hidden somewhere inside a directory.

Here we found Document and setting let’s explore

Inside C:\Document and Setting\Lakis\Desktop I found the user.txt file and used the type “filename” command for reading this file.

Great!! We got our 1st flag successfully

Inside C:\Document and Setting\Administrtator\Desktop I found the root.txt file and used the type “filename” command for reading this file.

Great!! We got our 2nd flag successfully

Breaching this lab was an interesting and enjoyable moment for me. It will take less time if you are aware of proper Metasploit exploits. Therefore I will give all Glory to Metasploit for making this challenge easy for me.

Happy Hacking!!

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

2 Comments Hack the Box Challenge: Granny Walkthrough

  1. Mukarram

    msf exploit(windows/iis/iis_webdav_upload_asp) > set rhost
    rhost =>
    msf exploit(windows/iis/iis_webdav_upload_asp) > run

    [*] Started reverse TCP handler on
    [*] Checking /metasploit106997395.asp
    [*] Uploading 612556 bytes to /metasploit106997395.txt…
    [-] Upload failed on /metasploit106997395.txt [500 Internal Server Error]
    [*] Exploit completed, but no session was created.

    Any idea of above failed?


Leave a Reply

Your email address will not be published. Required fields are marked *