HackTheBox: Grandpa is a similar machine to Granny on HTB. Both machines can be attacked through the same initial vector. However, I did this one differently from Granny in order to practice Metasploit more. Process migration was used on this machine to move the exploit session into another process.
1.1 - Scanning
I started with a port scan of Grandpa (10.10.10.14).
The target only has port 80 open, running Microsoft IIS 6.0, an old version of IIS that is vulnerable to RCE. This machine did not require much enumeration, since this is a well-known vulnerability.
2.1 - Exploitation
Metasploit is launched and a search for IIS is run to find the exploit:
The exploit is executed and a meterpreter shell is opened. A very easy start.
3.1 - Post Exploitation
Local Exploit Suggester is a Metasploit recon module that finds local exploits applicable to an active session. It is run against the open meterpreter session:
Several exploits are returned; after trying a number of them, the ppr_flatten_rec exploit worked with some changes. When first executed, the exploit returns an error:
This error is a problem with the process. Meterpreter injects its code into running processes to stay hidden; in this case, however, the process it was running in did not have the necessary permissions. To fix this, the meterpreter session is migrated to another process:
Once migrated, the exploit is executed and works correctly:
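As an added, defender-side example that is not part of the original writeup: a small Python checker over constructed Sysmon-style Event ID 8 (CreateRemoteThread) records that flags a web-server worker process creating a thread in another process, which is the kind of footprint a migration like the one above leaves on the host. The log format, the sample records and the w3wp.exe process name are assumptions made for this example.

```python
import re

# Constructed, minimal Sysmon-style Event ID 8 (CreateRemoteThread) records.
# Real events carry more fields; this key=value layout is an assumption.
SAMPLE_LOG = """\
EventID=8 SourceImage=C:\\Windows\\System32\\inetsrv\\w3wp.exe TargetImage=C:\\Windows\\System32\\svchost.exe StartAddress=0x00000000019A0000
EventID=8 SourceImage=C:\\Windows\\System32\\csrss.exe TargetImage=C:\\Windows\\System32\\svchost.exe StartAddress=0x000000007C810000
EventID=1 Image=C:\\Windows\\System32\\inetsrv\\w3wp.exe CommandLine=w3wp.exe
EventID=8 SourceImage=C:\\Windows\\System32\\inetsrv\\w3wp.exe TargetImage=C:\\Windows\\System32\\lsass.exe StartAddress=0x0000000000B20000
"""

# Processes that serve web content. A remote thread created from one of these
# into a different process is unexpected. w3wp.exe as the IIS worker is assumed.
WEB_WORKERS = {"w3wp.exe"}

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_record(line):
    """Turn a 'Key=Value Key=Value' line into a dict (values carry no spaces)."""
    return dict(FIELD_RE.findall(line))


def basename(path):
    """Last component of a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def find_suspicious_injections(log_text):
    """Return (source, target) pairs where a web worker created a remote thread."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("EventID") != "8":
            continue  # only CreateRemoteThread events are of interest here
        src = basename(rec.get("SourceImage", ""))
        dst = basename(rec.get("TargetImage", ""))
        if src in WEB_WORKERS and src != dst:
            hits.append((src, dst))
    return hits


if __name__ == "__main__":
    for src, dst in find_suspicious_injections(SAMPLE_LOG):
        print(f"ALERT: remote thread created by {src} in {dst}")
```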