<img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1622008331356/dViUtj4sX.png" alt="image.png" />
Starting with nmap-automator
<img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1622008430663/OGRDLH6fP.png" alt="image.png" />
We have only port 80 open
<img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1622008476854/bByIOyQsi.png" alt="image.png" />
<img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1622008560151/jdjtuR5Ga.png" alt="image.png" />
We will create a php reverse shell using msfvenom and upload it using a tool cadaver
<img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1622008953118/_qMu0rwpM.png" alt="image.png" />
we get an error
<img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1622008984996/lM5O1tTU5.png" alt="image.png" />
We also see that it has microsoft's IIS 6.0 running which is pretty outdated
We have a <code>Microsoft IIS 6.0 - WebDAV 'ScStoragePathFromUrl' Remote Buffer Overflow</code>
which we can use to get remote code execution
Running the exploit we get a shell of service account
<img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1622009317176/o0trc4NKh.png" alt="image.png" />
<code>whoami /priv</code>
<img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1622009389010/jA6ImIruK.png" alt="image.png" />
The <code>SeImpersonatePrivilege</code> enabled which we can exploit using the churrasco.exe
Running Impacket-SMBServer to get files in the windows machine
<img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1622009505163/dZEeYzDvb.png" alt="image.png" />
We are getting the same error as before in the Grandpa box
So we have to use metasploit as the last resort
<img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1622183633149/RA_lw9crD.png" alt="image.png" />
<img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1622183713887/5-7zZltIS.png" alt="image.png" />
Running the metasploit local exploit suggestor
<img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1622184625956/7INfs6H3q.png" alt="image.png" />
Migrating the process
<img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1622184171329/elGakgFXS.png" alt="image.png" />
Here we see that after running the <code>windows/local/ms15_051_client_copy_image</code> module from metasploit
We finally get the nt\authority


![image.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1622008331356/dViUtj4sX.png)

Starting with nmap-automator

![image.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1622008430663/OGRDLH6fP.png)

We have only port 80 open

![image.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1622008476854/bByIOyQsi.png)

![image.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1622008560151/jdjtuR5Ga.png)

We will create a php reverse shell using msfvenom and upload it using a tool cadaver

![image.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1622008953118/_qMu0rwpM.png)

we get an error

![image.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1622008984996/lM5O1tTU5.png)

We also see that it has microsoft's IIS 6.0 running which is pretty outdated

We have a `Microsoft IIS 6.0 - WebDAV 'ScStoragePathFromUrl' Remote Buffer Overflow`

which we can use to get remote code execution

Running the exploit we get a shell of service account

![image.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1622009317176/o0trc4NKh.png)

`whoami /priv`

![image.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1622009389010/jA6ImIruK.png)

The `SeImpersonatePrivilege` enabled which we can exploit using the churrasco.exe

Running Impacket-SMBServer to get files in the windows machine

![image.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1622009505163/dZEeYzDvb.png)

We are getting the same error as before in the Grandpa box

So we have to use metasploit as the last resort

![image.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1622183633149/RA_lw9crD.png)

![image.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1622183713887/5-7zZltIS.png)

Running the metasploit local exploit suggestor

![image.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1622184625956/7INfs6H3q.png)

Migrating the process

![image.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1622184171329/elGakgFXS.png)

Here we see that after running the `windows/local/ms15_051_client_copy_image` module from metasploit

We finally get the nt\authority



Sumiran's Blog

Sumiran's Blog

HackTheBox - Granny