OSCP Preparations – HTB Grandpa

Grandpa is one of the retired HTB machines. It runs Windows, and the goal is to obtain the user and root flags by exploiting its vulnerabilities.
We start with an nmap network scan to identify the target machine.
Classic Scan

The port scan showed that port 80/tcp was open, serving HTTP on Microsoft IIS httpd 6.0.
When we investigated, we found that Microsoft IIS httpd 6.0 is vulnerable to a buffer overflow that gives us shell access.

We researched this vulnerability.

We will use the code from https://github.com/crypticdante/CVE-2017-7269.

When we examined the shell we obtained, we saw that it was running as a low-privileged user, so we performed local enumeration.

The host runs Microsoft(R) Windows(R) Server 2003, Standard Edition, and SeImpersonatePrivilege appears to be enabled, which suggests the Rotten Potato exploit could work.
Since there is no PowerShell here, let’s try the Churrasco tool. I installed it on the machine using the SMB share and then ran it (if we had PowerShell, we would use the JuicyPotato tool).
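
The enumeration finding above can also be checked from the defender's side. The following script is an added example, not part of the original write-up: it audits `whoami /priv` output for the token privileges this kind of escalation depends on. The sample output and the two-privilege watch list are constructed assumptions.

```python
# Privileges abused by Rotten Potato-style token impersonation
# (watch list chosen for this example).
TOKEN_PRIVS = ("SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege")

# Constructed sample of `whoami /priv` output for a low-privileged service account.
SAMPLE = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAuditPrivilege              Generate security audits                  Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
"""


def parse_privs(text):
    """Return {privilege name: state} from `whoami /priv` output."""
    lines = text.splitlines()
    # The table body starts after the ruler line made only of '=' and spaces.
    ruler = next((i for i, l in enumerate(lines)
                  if l.strip() and set(l) <= {"=", " "}), None)
    if ruler is None:
        raise ValueError("no privilege table found")
    privs = {}
    for line in lines[ruler + 1:]:
        fields = line.split()
        if len(fields) < 2:
            break  # a blank line ends the table
        # Names and states contain no spaces; the description sits between them.
        privs[fields[0]] = fields[-1]
    return privs


def audit(text):
    """List (privilege, state) for each token privilege the account holds.

    'Disabled' still counts: the privilege is in the token and the process
    can enable it itself, so only absence from the list clears the account.
    """
    privs = parse_privs(text)
    return [(p, privs[p]) for p in TOKEN_PRIVS if p in privs]


if __name__ == "__main__":
    for priv, state in audit(SAMPLE):
        print(f"FINDING: account holds {priv} ({state})")
```
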

Then let’s run cmd.exe using the churrasco.exe tool.
As we can see, we have a session as the user nt authority\system.
Now we can get the user and root flags.