HTB 'Grandpa' Writeup
Host Information

| Hostname | IP Address | Operating System | Difficulty Level |
|---|---|---|---|
| Grandpa | 10.10.10.14 | Windows | Easy |
Writeup Contents:
(you can jump to the section with these links)
- Initial Recon
- Finding a Clue
- Checking out the encode/decode function – dead end
- Reassessing & Further Enumeration
- Exploitation of the HTTPS service
- Gaining a user shell with SSH
- Privilege Escalation
- Conclusions/Takeaways
Initial Recon
nmap
Again, we start with our nmap scan of the system:
root@kali:/writeups/HTB/grandpa/enumeration# nmap -sC -sV -p- -O -oA grandpa 10.10.10.14
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-20 00:30 CST
Nmap scan report for 10.10.10.14
Host is up (0.039s latency).
Not shown: 65534 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 6.0
| http-methods:
|_ Potentially risky methods: TRACE COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT MOVE MKCOL PROPPATCH
|_http-server-header: Microsoft-IIS/6.0
|_http-title: Under Construction
| http-webdav-scan:
| Server Date: Mon, 20 Jan 2020 06:33:15 GMT
| WebDAV type: Unknown
| Allowed Methods: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK
| Server Type: Microsoft-IIS/6.0
|_ Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2003|2008|XP|2000 (92%)
OS CPE: cpe:/o:microsoft:windows_server_2003::sp1 cpe:/o:microsoft:windows_server_2003::sp2 cpe:/o:microsoft:windows_server_2008::sp2 cpe:/o:microsoft:windows_xp::sp3 cpe:/o:microsoft:windows_2000::sp4
Aggressive OS guesses: Microsoft Windows Server 2003 SP1 or SP2 (92%), Microsoft Windows Server 2008 Enterprise SP2 (92%), Microsoft Windows Server 2003 SP2 (91%), Microsoft Windows 2003 SP2 (91%), Microsoft Windows XP SP3 (90%), Microsoft Windows XP (87%), Microsoft Windows Server 2003 SP1 - SP2 (86%), Microsoft Windows XP SP2 or Windows Server 2003 (86%), Microsoft Windows 2000 SP4 (85%), Microsoft Windows XP SP2 or Windows Server 2003 SP2 (85%)
No exact OS matches for host (test conditions non-ideal).
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 116.48 seconds
OK, so this is a Windows box acting as a web server running IIS 6.0. Probably a Windows Server 2003 or 2008 variant, but it is too early to tell at this point.
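The most useful line in that scan, from a defender's point of view, is the one that lists which WebDAV methods the server advertises: PUT, DELETE, MOVE, MKCOL and PROPPATCH all let a client change content on the server, whereas TRACE is only an information-disclosure concern. As an added example (not part of the original writeup, and not a HackTheBox tool), here is a small Python parser that reads nmap's normal text output for the `http-methods` and `http-webdav-scan` scripts and turns the advertised methods into a per-port finding. The sample input is constructed from the scan shown above; the split into "write" and "disclosure" method sets is this example's own assumption and can be tuned to your own policy.

```python
"""Flag write-capable WebDAV methods in nmap normal-format (-oN / stdout) output.

Added example, not the writeup's own code. Reads the text printed by the
http-methods and http-webdav-scan NSE scripts and reports, per open port,
which advertised HTTP methods allow a client to modify server content.
"""
import re
from dataclasses import dataclass, field

# Methods that, when accepted by IIS/WebDAV, allow content to be created,
# changed, moved or locked. The grouping is an assumption for this example.
WRITE_METHODS = {"PUT", "DELETE", "MOVE", "COPY", "MKCOL", "PROPPATCH", "LOCK", "UNLOCK"}
# TRACE discloses request headers (cross-site tracing); it is not a write.
DISCLOSURE_METHODS = {"TRACE"}

# Constructed sample: the relevant lines from the nmap scan in the writeup.
SAMPLE_NMAP = """\
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 6.0
| http-methods:
|_ Potentially risky methods: TRACE COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT MOVE MKCOL PROPPATCH
|_http-server-header: Microsoft-IIS/6.0
|_http-title: Under Construction
| http-webdav-scan:
| Server Date: Mon, 20 Jan 2020 06:33:15 GMT
| WebDAV type: Unknown
| Allowed Methods: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK
| Server Type: Microsoft-IIS/6.0
|_ Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)\s*(.*)$")
SCRIPT_RE = re.compile(r"^\|_?\s*(.*)$")  # NSE lines start with "|" or "|_"
METHOD_KEYS = ("Potentially risky methods:", "Public Options:", "Allowed Methods:")


@dataclass
class Finding:
    port: int
    service: str
    advertised: set = field(default_factory=set)  # every method seen for this port
    webdav_enabled: bool = False                  # http-webdav-scan produced output

    @property
    def write_methods(self):
        return sorted(self.advertised & WRITE_METHODS)

    @property
    def disclosure_methods(self):
        return sorted(self.advertised & DISCLOSURE_METHODS)

    def risk(self):
        if self.write_methods:
            return "HIGH"
        if self.disclosure_methods:
            return "LOW"
        return "INFO"


def parse_methods(text):
    # http-methods prints space-separated names, http-webdav-scan comma-separated.
    return {m.strip().upper() for m in re.split(r"[,\s]+", text) if m.strip()}


def assess(nmap_text):
    """Return one Finding per open port that has script output."""
    findings, current = [], None
    for line in nmap_text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = Finding(port=int(m.group(1)), service=m.group(4).strip() or m.group(3))
            findings.append(current)
            continue
        if current is None:
            continue
        s = SCRIPT_RE.match(line)
        if not s:
            continue
        body = s.group(1)
        if body.startswith("http-webdav-scan"):
            current.webdav_enabled = True
        for key in METHOD_KEYS:
            if key in body:
                current.advertised |= parse_methods(body.split(key, 1)[1])
    return findings


def report(findings):
    """Human-readable summary lines, one per port."""
    lines = []
    for f in findings:
        lines.append(
            f"{f.port}: {f.service} risk={f.risk()} webdav={f.webdav_enabled} "
            f"write={','.join(f.write_methods) or '-'} disclosure={','.join(f.disclosure_methods) or '-'}"
        )
    return lines


if __name__ == "__main__":
    print("\n".join(report(assess(SAMPLE_NMAP))))
```

Run it against the saved scan (`nmap -oN grandpa.nmap ...` and `assess(open("grandpa.nmap").read())`) and any port that comes back `risk=HIGH` is one where the server itself is telling you that unauthenticated content changes may be possible; on a production IIS host the mitigation is to disable WebDAV or restrict those verbs, and TRACE should be turned off regardless.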
Let’s go ahead and check out what’s on port 80 by visiting it in the web browser.
I feedback.
Let me know what you think of this article on twitter @initinfosec or leave a comment below!