In this Hack the Box Grandpa walkthrough you will see why Grandpa is an easy Windows box. I recently rooted Jerry so check that out as well.
If you are looking for OSCP-like boxes then look no further: this one fits that description. The only drawback is that, unfortunately, Meterpreter is the only practical way of exploiting the box.
There also seems to be a timing mechanism involved in exploiting the box and retrieving the root flag: the Meterpreter session died at what looked like a fixed interval. This forced me to work quickly so as not to have to repeat steps, which still happened several times.
Initial Remote Enumeration
To get things started I run an nmap scan. Nothing special here: I check all ports (-p-) and enumerate service versions (-sV), a useful mix of exhaustive search and practical results.
nmap -p- -sV 10.10.10.14
There is one service running. AutoRecon confirms as much.
The vulnerability is in Microsoft IIS 6.0 and is tracked as CVE-2017-7269.
Vulnerability: Microsoft IIS WebDav ‘ScStoragePathFromUrl’ Remote Buffer Overflow
Exploit Microsoft IIS 6.0
use exploit/windows/iis/iis_webdav_scstoragepathfromurl
exploit
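As an added exposure check (my own example, not code from the original walkthrough), the script below parses a constructed nmap -sV listing and a constructed HTTP OPTIONS response and reports whether a host meets the preconditions CVE-2017-7269 requires, namely IIS 6.0 with WebDAV enabled. The sample outputs and the header-based heuristic are assumptions of the example; it is meant for inventory and remediation triage, since disabling WebDAV on IIS 6.0 removes the exposure.

```python
import re

# Constructed sample of what `nmap -p- -sV` prints for a host running IIS 6.0
# (not real scan output).
SAMPLE_NMAP = """\
PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 6.0
"""

# Constructed sample OPTIONS response: a DAV header plus PROPFIND in Allow
# means WebDAV is switched on, which the ScStoragePathFromUrl bug requires.
SAMPLE_OPTIONS = """\
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
Allow: OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, MKCOL, LOCK, UNLOCK
DAV: 1, 2
MS-Author-Via: MS-DAV
"""

NMAP_IIS = re.compile(r"^(\d+)/tcp\s+open\s+\S+\s+Microsoft IIS httpd (\d+\.\d+)", re.M)


def iis_ports(nmap_output):
    """Return {port: version} for every open port nmap fingerprints as Microsoft IIS."""
    return {int(port): ver for port, ver in NMAP_IIS.findall(nmap_output)}


def parse_headers(raw_response):
    """Turn a raw HTTP response into a dict of lowercase header name -> value."""
    headers = {}
    for line in raw_response.splitlines()[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def webdav_enabled(headers):
    """WebDAV is on if the server advertises a DAV class or accepts PROPFIND."""
    methods = {m.strip().upper() for m in headers.get("allow", "").split(",")}
    return "dav" in headers or "PROPFIND" in methods


def cve_2017_7269_exposed(nmap_output, options_response):
    """Exposed when IIS 6.x is identified (by nmap or Server header) and WebDAV is enabled."""
    headers = parse_headers(options_response)
    server_is_6 = headers.get("server", "").startswith("Microsoft-IIS/6.")
    nmap_is_6 = any(v.startswith("6.") for v in iis_ports(nmap_output).values())
    return (server_is_6 or nmap_is_6) and webdav_enabled(headers)


if __name__ == "__main__":
    print("CVE-2017-7269 exposed:", cve_2017_7269_exposed(SAMPLE_NMAP, SAMPLE_OPTIONS))
```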
So how do we get around this and get root access? You could try the bypass UAC module, but instead I will try the post module migrate. The way this works is that it spawns a new, fairly inconspicuous process, notepad.exe, and moves the session into that process. This gives control of that process and of the user context it runs under, meaning it can allow escaping the restricted user access from before.
Privilege Escalation
sessions -i 1
use post/windows/manage/migrate
At this point the current user privilege is for the NT AUTHORITY\NetworkService account. This is not the NT Authority\System user account!
One of the tools that is useful for this type of scenario is Metasploit’s local exploit suggester module. Its output lists the local exploits the host appears vulnerable to. One of them is MS14-070 tcpip ioctl, and it is the one I proceed with.
Proceeding with the new exploit I supply the module with the current meterpreter session and run it.
use exploit/windows/local/ms14_070_tcpip_ioctl
The module reports that exploitation was successful but that it failed to create a new session. Regardless, the current user is now the SYSTEM account, the Windows equivalent of root.
Capture the root flag
The final flag can be accessed by changing to the directory of C:\Documents and Settings\Administrator\Desktop and viewing the flag.txt file.
cd Documents\ and\ Settings
cd Administrator
cat flag.txt
That’s it for the Hack The Box Grandpa walkthrough!