# Granny Walkthrough

Hey folks, we are back again with another Hack The Box machine, "Granny". It relies on exploiting a known vulnerability in the exposed web service with a public exploit, followed by Windows privilege escalation, but before we get started let's take a look at its info

<figure><img src="https://cdn-images-1.medium.com/max/800/1*m0M_DGFqlqS46Krt7EdK9g.png" alt=""><figcaption></figcaption></figure>

<figure><img src="https://cdn-images-1.medium.com/max/800/1*DDUXs0DDVegbBkv9DAGQqw.png" alt=""><figcaption></figcaption></figure>

That's good, it's an easy box, but you will learn new things about Windows privilege escalation, so let's get started…

## **Nmap scan**

In this step we discover the open ports, the services running on them, OS detection results and more. The `-oG` flag also saves the results in grepable format for later processing: `nmap -A -T4 -oG granny.gnmap <machine-ip>`

<figure><img src="https://cdn-images-1.medium.com/max/800/1*f8HjzzQCNmepoWmqc3FVLw.png" alt=""><figcaption></figcaption></figure>

Only port 80 is open, running `Microsoft IIS 6.0`, and nothing else.
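The `-oG` output saved above is handy when you want to pull the open ports out of a scan with a script rather than by eye. As an added example (not from the original walkthrough), here is a POSIX shell function that parses that grepable format and prints only the open ports with their service and version per host; the scan lines it is fed are constructed for the example and are not the real Granny output.

```shell
#!/bin/sh
# Added example: parse nmap grepable (-oG) output such as granny.gnmap and
# print only the open ports with their service and version per host.
# The sample below is constructed for this example; it is not the real scan output.

# Reads gnmap lines on stdin; prints "host port/proto service version" for each open port.
gnmap_open_ports() {
  awk -F '\t' '
    /^Host:/ {
      host = $1
      sub(/^Host: /, "", host)        # "10.10.10.15 ()" -> keep only the address
      sub(/ .*/, "", host)
      for (i = 2; i <= NF; i++) {
        if ($i !~ /^Ports: /) continue
        ports = $i
        sub(/^Ports: /, "", ports)
        n = split(ports, entry, /, /)  # port entries are separated by ", "
        for (j = 1; j <= n; j++) {
          # each entry has the layout port/state/proto/owner/service/rpc/version/
          split(entry[j], f, "/")
          if (f[2] == "open")
            printf "%s %s/%s %s %s\n", host, f[1], f[3], f[5], f[7]
        }
      }
    }'
}

# Constructed sample in the real gnmap layout (fields are tab-separated).
sample_gnmap() {
  printf '# Nmap 7.91 scan initiated (constructed sample)\n'
  printf 'Host: 10.10.10.15 ()\tStatus: Up\n'
  printf 'Host: 10.10.10.15 ()\tPorts: 80/open/tcp//http//Microsoft IIS httpd 6.0/, 443/closed/tcp//https///\tIgnored State: filtered (998)\n'
  printf '# Nmap done -- 1 IP address (1 host up) scanned\n'
}

# Usage with a real file:  gnmap_open_ports < granny.gnmap
sample_gnmap | gnmap_open_ports
```

Closed and filtered ports are dropped on purpose, so the output is a clean list of what is actually reachable; run it against several `.gnmap` files to build a quick inventory of a whole lab.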

Browse to `http://10.10.10.15:80` and you will find nothing useful on the default page, so let's look for hidden directories with `dirbuster`/`dirsearch`/`ffuf`/`gobuster` or any tool you prefer

<figure><img src="https://cdn-images-1.medium.com/max/800/1*6K4GRVKGKzUUTzDQqZff-w.png" alt=""><figcaption></figcaption></figure>

We find a few more directories, but none of them contains anything useful, so let's take the next step

Let's search for a public exploit for the running service, on Google or with the `searchsploit` tool

<figure><img src="https://cdn-images-1.medium.com/max/800/1*ehvBl5OcEasp3LV3V7EEIw.png" alt=""><figcaption></figcaption></figure>

The good news: the same exploit is available both as a `metasploit` module and on `exploit-db`

Let's search for it in `metasploit` and then use it

<figure><img src="https://cdn-images-1.medium.com/max/800/1*x04OLTcnw49kPxfcmhl1fQ.png" alt=""><figcaption></figcaption></figure>

After setting all of these options, type `run` to get a `meterpreter` session

<figure><img src="https://cdn-images-1.medium.com/max/800/1*SOJcnaMQKIsbAPQ77eyOHw.png" alt=""><figcaption></figcaption></figure>

Good, we have a session now. Type `shell` to drop from meterpreter into a Windows command prompt on the target, then check who we are and what privileges we have (`getuid` in meterpreter tells you the same)

<figure><img src="https://cdn-images-1.medium.com/max/800/1*MeN1SXQiz10fD0Qt1jNAlA.png" alt=""><figcaption></figcaption></figure>

Unfortunately, we are running as a low-privileged account, so let's look for `user.txt` and then try to escalate to administrative access

Let's go to the `Documents and Settings` directory and try to get into the user directories

<figure><img src="https://cdn-images-1.medium.com/max/800/1*BGUsG3cuxql1Y-bK7aVNxQ.png" alt=""><figcaption></figcaption></figure>

We can't open any of the user directories: the account we landed in has no access to them

Okay, let's try to escalate our privileges

Put this session in the background by typing `background` and note the `<session-id>` you get. Then search for the `suggester` module (`post/multi/recon/local_exploit_suggester`), which checks which of Metasploit's local exploits the target is likely vulnerable to

<figure><img src="https://cdn-images-1.medium.com/max/800/1*CwEyz2efCyamfP8EshvWOg.png" alt=""><figcaption></figcaption></figure>

Just set the session number on it as you can see and run it

<figure><img src="https://cdn-images-1.medium.com/max/800/1*WUv3Plz_0XBcCeIbcM4U2A.png" alt=""><figcaption></figcaption></figure>

Nice, we have a bunch of candidates. The suggester only reports likely matches, not confirmed vulnerabilities, so expect some to fail and try them one at a time. I'll try the last one first

<figure><img src="https://cdn-images-1.medium.com/max/800/1*qDXtu7vypfT8MrxKb68MQA.png" alt=""><figcaption></figcaption></figure>

Good, it's a privilege escalation exploit, let's try it

<figure><img src="https://cdn-images-1.medium.com/max/800/1*hh7YVRH3GRqwXNuIdoBErw.png" alt=""><figcaption></figcaption></figure>

Unfortunately, the exploit fails against the target, so let's go back into the session and look at which process we are running in

* `sessions -i <session-id>` → to return to the existing open session
* `ps` → to list the running processes, with the user each one runs as

<figure><img src="https://cdn-images-1.medium.com/max/800/1*lSGW4zxiSwIQFMVxx69bKg.png" alt=""><figcaption></figcaption></figure>

Note `wmiprvse.exe`. It is not blocking anything; the problem is the process the IIS exploit dropped us into, which is a poor host for running a local exploit from. `wmiprvse.exe` is listed by `ps` as running under the same user as our session, so migrating into it with `migrate <process-id>` gives us a stable process with the same privileges to launch the exploit from

<figure><img src="https://cdn-images-1.medium.com/max/800/1*0TszVL_3gjamhxuyNGIyEg.png" alt=""><figcaption></figcaption></figure>

Okay, let's go back to our module and run it again

<figure><img src="https://cdn-images-1.medium.com/max/800/1*C7luwaMuwdhT37h19C55KQ.png" alt=""><figcaption></figcaption></figure>

Okay, it still complains about the listener: the handler for the first session is already bound to that port. Just change `lport` to any port other than the one the first session's handler is listening on

<figure><img src="https://cdn-images-1.medium.com/max/800/1*uA7-_WhBjc1bwAX0N7axCg.png" alt=""><figcaption></figcaption></figure>

As you can see, we have administrative privileges now, so it's easy to grab the user and the root flags
