HackTheBox: Granny/Grandpa Walkthrough

Matt Johnson
3 min read · Jan 29, 2020


So I am back from my European adventures, and I have a bit of catching up to do in terms of HTB writeups. This article actually covers two boxes, specifically because they are functionally the same box, aside from Granny being extremely buggy.

Quick note before beginning: I’m slightly altering the format of these so that each walkthrough is simply that — a walkthrough. I have an idea for creating guides for defending against various exploit categories, but nothing specifically in the works yet.

Without further ado, here’s the walkthrough.

Enumeration

Like always, I began with a staged nmap scan, which revealed that only port 80 was open, running IIS 6.0.

I also ran a nikto scan for good measure.

Knowing that this server was running IIS 6.0 with WebDAV enabled, I decided to do a bit of Google-Fu and found this nifty exploit:

Given that there wasn’t much else to explore, I decided to try and get my initial foothold using this.

Exploitation

Metasploit had a module for the exploit, so here were the configurations I used:

The result, interestingly enough, was that I got a Meterpreter shell not as a user account, but as a process. However, in this case it was easy to laterally move into a user account by migrating the process to one of the services running as NETWORK SERVICE:

The session died, which is why the PID is different in this one. Same idea as before though.

Now that I had a non-privileged user account, it was time to do some internal enumeration to see how I could escalate privileges. To do this I ran the local_exploit_suggester module in Metasploit.

For choosing the escalation module to use, I had to consider that I was running on Windows 2003. Since ppr_flatten_rec explicitly supported the version of Windows I was using, I decided to try that. Moment of truth…

And, voilà. This is a relatively easy box, with the only trick being the migration of processes. To the best of my knowledge, most forms of privilege escalation won’t work without that necessary step.

Anyways, that’s it. Grandpa and Granny are essentially the same box, so don’t bother with doing both. Until next time!

Written by Matt Johnson

Freelance cybersecurity consultant based in Düsseldorf, Germany.