HackTheBox - Granny
We start by scanning the target with nmap-automator.
Only port 80 is open.
We create a PHP reverse shell with msfvenom and upload it using cadaver, a WebDAV client.
We get an error.
We also see that the server is running Microsoft IIS 6.0, which is quite outdated.
IIS 6.0 is affected by the Microsoft IIS 6.0 - WebDAV 'ScStoragePathFromUrl' Remote Buffer Overflow,
which we can use to get remote code execution.
Running the exploit gives us a shell as a service account.
whoami /priv
SeImpersonatePrivilege is enabled, which we can exploit using churrasco.exe.
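The same whoami /priv check works as an audit of what a service account's token holds. The following is an added example, not part of the original writeup: it parses whoami /priv output and reports high-risk privileges, and both the sample output and the HIGH_RISK list are constructed for illustration.

```python
import re

# Privileges that let the holder act as another account or bypass ACLs.
# This list is an assumption chosen for the example, not taken from the writeup.
HIGH_RISK = {
    "SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege", "SeDebugPrivilege",
    "SeTcbPrivilege", "SeLoadDriverPrivilege", "SeBackupPrivilege",
    "SeRestorePrivilege", "SeTakeOwnershipPrivilege",
}

# Constructed sample in the layout printed by `whoami /priv`.
SAMPLE = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAuditPrivilege              Generate security audits                  Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
"""

# A data row is: privilege name, free-text description, then the state.
ROW = re.compile(r"^(Se\w+)\s+.*?\s+(Enabled|Disabled)\s*$")

def parse_privileges(text):
    """Return {privilege name: state} for every data row in the output."""
    privs = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            privs[m.group(1)] = m.group(2)
    if not privs:
        raise ValueError("no privilege rows found; not whoami /priv output")
    return privs

def audit(text):
    """Split the high-risk privileges in a token into enabled and held-but-disabled."""
    privs = parse_privileges(text)
    risky = {p: s for p, s in privs.items() if p in HIGH_RISK}
    return {
        "enabled": sorted(p for p, s in risky.items() if s == "Enabled"),
        # Still worth reporting: the holding process can enable these itself.
        "held_disabled": sorted(p for p, s in risky.items() if s != "Enabled"),
    }

if __name__ == "__main__":
    for bucket, names in audit(SAMPLE).items():
        print(f"{bucket}: {', '.join(names) or 'none'}")
```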
We run Impacket-SMBServer to transfer files to the Windows machine.
We get the same error as before on the Grandpa box,
so we have to use Metasploit as a last resort.
We run the Metasploit local exploit suggester.
We migrate the process.
Here we see that after running the windows/local/ms15_051_client_copy_image
module from Metasploit,
we finally get NT AUTHORITY\SYSTEM.