HackTheBox “Grandpa” Walkthrough

4 min readJun 30, 2023

Sense, an easy-level Windows OS machine on HackTheBox, revolves around leveraging a specific vulnerability within the IIS version 6, commonly known as a WebDAV buffer overflow exploit. By manipulating this weakness, we can gain unauthorized access to the target system. Furthermore, the privilege escalation stage involves leveraging a vulnerability in the Windows WMI service, allowing us to elevate our privileges and gain greater control over the compromised machine.

Let’s get started! 🚀

Recon & Enumeration

Let’s use nmap to scan for open ports and services:

Visit the site.

Let’s hop into searchsploit to look for exploits affecting IIS 6.0 WebDAV.

We will conduct a Google search to explore alternative versions of the first exploit in the results of searchsploit as it failed to work with me here.

We will go with the Python script here and have a look at it to gain insights into the prerequisites for this exploit.

Download it to our attack box.

Add the shebang line to the location of our python interpreter.

Launch our listener.

Launching the exploit.

And we have a shell.

We are going to need to escalate our privileges here as we have limited access rights, let’s check which privileges have been assigned to this account.

Let’s also have a look at the system’s information.

Having SEImpersonalPrivilege enabled on the target machine and running Windows 2003 with IIS 6.0, means that we are lucky to utilize Token Kidnapping exploit and have a system shell.

Download the binary file of the exploit here to our attack box.

We will create a “temp” directory within the C partition of the target machine.

As “certutil.exe” failed to download the exploit via an HTTP server, we will deploy an SMB server from our attack box’s working directory to transfer “Netcat” and “Churrasco.exe”.