Granny- HTB Walkthrough

Subashri
4 min read · Dec 8, 2020

This is my next blog post on my experience of exploiting the machine Granny from Hack The Box. It is another easy Windows machine, with the IP address 10.10.10.15.

The first step is reconnaissance, which helps us find the open ports and vulnerable services that can be exploited to gain access to the machine.

Upon scanning we find that port 80 is open with the Microsoft IIS web server running on it. To find a possible exploit, we search further for IIS 6.0 vulnerabilities.
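From the defender's side, the same scan result is an asset-inventory finding: IIS 6.0 ships with Windows Server 2003, which is long out of support, so any banner showing it should be flagged for patching or decommissioning. The following script is an added example, not part of the original post; it parses constructed nmap grepable (-oG) lines and reports open ports whose banner matches an assumed end-of-support IIS table.

```python
import re
from dataclasses import dataclass

# Constructed sample in nmap grepable (-oG) format; not real scan output from the box.
SAMPLE_GNMAP = (
    "Host: 10.10.10.15 ()\tPorts: 80/open/tcp//http//Microsoft IIS httpd 6.0/\n"
    "Host: 192.0.2.10 ()\tPorts: 80/open/tcp//http//Microsoft IIS httpd 10.0/, "
    "443/open/tcp//ssl|https//Microsoft IIS httpd 10.0/\n"
    "Host: 192.0.2.11 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.4/\n"
)

# Assumed end-of-support table (IIS version -> bundled Windows release); extend as needed.
EOL_IIS = {
    "6.0": "Windows Server 2003",
    "7.0": "Windows Server 2008",
    "7.5": "Windows Server 2008 R2",
}

# One -oG port entry looks like: port/state/proto//service//version/
PORT_RE = re.compile(
    r"(?P<port>\d+)/(?P<state>\w+)/(?P<proto>\w+)//(?P<service>[^/]*)//(?P<version>[^/]*)/"
)
HOST_RE = re.compile(r"^Host:\s+(?P<ip>\S+)")
IIS_VER_RE = re.compile(r"Microsoft IIS httpd (?P<ver>\d+\.\d+)")


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    iis_version: str
    platform: str


def find_eol_iis(gnmap_text: str) -> list[Finding]:
    """Return one Finding per open port whose banner is an end-of-support IIS version."""
    findings: list[Finding] = []
    for line in gnmap_text.splitlines():
        host_m = HOST_RE.match(line)
        if not host_m or "Ports:" not in line:
            continue  # skip status-only lines and anything without a port list
        for m in PORT_RE.finditer(line.split("Ports:", 1)[1]):
            if m.group("state") != "open":
                continue
            ver_m = IIS_VER_RE.search(m.group("version"))
            if ver_m and ver_m.group("ver") in EOL_IIS:
                ver = ver_m.group("ver")
                findings.append(Finding(host_m.group("ip"), int(m.group("port")), ver, EOL_IIS[ver]))
    return findings


if __name__ == "__main__":
    for f in find_eol_iis(SAMPLE_GNMAP):
        print(f"{f.host}:{f.port} runs IIS {f.iis_version} ({f.platform}, out of support)")
```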

With searchsploit we find that multiple exploits are possible, and out of these we choose the remote buffer overflow, which is useful for obtaining a shell easily.

Searching for this exploit on Google, I found that it has a Metasploit module, so proceeding further with that we get the possible results.

To use this exploit, we open msfconsole.

We proceed to get the user shell based on the searched exploit.

Setting up the essential options for the exploit, we exploit the machine for the shell.

Here we got a shell, but it is a low-privileged one and will not be sufficient for the flags we want. So we try to escalate to higher privileges.

For this, we first need to find a privilege escalation vector, which we can obtain from local_exploit_suggester since we are currently in a meterpreter shell.

The suggester lists 6 possible exploits that can be used to get an admin shell.

We then list all the processes in the shell and find the most compatible process among them.

Using that process ID, we migrate from the current process to the chosen one.

Then, having selected the particular exploit, we set the options it needs and proceed.

Upon exploitation, we finally get the shell for the administrator.

We don't find anything useful here.

Upon finding the user, we find the user flag.

So, our first flag is done!!!

Next is the privilege escalation to the administrator that can be helpful in obtaining the root flag.

Yipee... The root flag is obtained.

So the machine is pwned!!!
