Granny Walkthrough
Hey folks, we are back again with one of Hack The Box machines βGrannyβ which it depends on custom exploitation and Windows privileges escalation, but before we get started letβs take a look at its info


Thatβs good, itβs easy, but you will learn new things about Win Priv Escalation, letβs get startedβ¦
Nmap scan
In this step we will discover all open ports, service running, OS detect results and more nmap -A -T4 -oG granny.gnmap <machine-ip>

We have only port 80 open and have service running on it Microsoft IIS 6.0
and nothing else.
Letβs try to discover machine webpage by searching for 10.10.10.15:80
and you will get nothing useful, so letβs discover the hidden directories by using dirbuster/dirsearch/ffuf/gobuster
or any tool you want

We have more directories, but thereβs no useful information in all of them, so letβs take the next step
Letβs try to search for exploitation of the service running at google
or searchsploit
tool

The good news, we have the same exploitation at metasploit
and exploit-db
Letβs search for it on metasploit
and then use is

After editing all of these options, type run to get meterpreter
session

Good, we have a session now, letβs type shell
to open a reverse shell and know who we are and what privileges we have

Unfortunately, we have user access or privileges only, so letβs search for user.txt
and then try to get root access
Letβs go to the Documents and Settings
directory and try to get access to user directory

We canβt open any directory !!
Okay, let's try to get root access
Put this session in the background by typing background
and you will get <session-id>
and then search for suggester
module for discovering all vulnerabilities which our vulnerable machine is affected by

Just put the session number into it as you can see and run

Nice, we have a bunch of vulnerabilities, and you should try every one of them. For me, Iβll try to get the last one first

Good, Itβs for privilege escalation, let's try it

Unfortunately, our vulnerable machine refuses the module execution so letβs go into it and see what the service prevents the module from execution
session -i <session-id>
β to return to exist open sessionps
β to see services running

Note WmiPrvse.exe
this service prevents any external module from execution, letβs migrate it by typing migrate <process-id>

Okay, letβs return to our module and try to run it again

Okay, just change the lport
to anything other than the lport
which the first session run on it.

As you can see weβre admin now, itβs easy now to grab the user and the root flag
Last updated