# Grandpa

## Grandpa - 10.10.10.14

### Target Enumeration:

OS: Windows

IP: 10.10.10.14

User: bdff5ec67c3cff017f2bedc146a5d869

Root: 9359e905a2c35f861f6a57cecf28bb7b

### Ports / Services / Software Versions Running

80/tcp open  http Microsoft IIS httpd 6.0

### Vulnerability Exploited:

Buffer overflow in the `ScStoragePathFromUrl` function in the WebDAV service in Internet Information Services (IIS) 6.0 in Microsoft Windows Server 2003 R2 allows remote attackers to execute arbitrary code via a long header beginning with `If: <http://` in a PROPFIND request, as exploited in the wild in July or August 2016. Original exploit by Zhiniang Peng and Chen Wu.
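From the defender's side, the request shape described above (PROPFIND with an oversized `If: <http://` header) is simple to flag at a proxy or in captured traffic. The following is an added example, not part of the original write-up; the 256-byte threshold and the sample requests are assumptions constructed for illustration.

```python
# Added example: flag PROPFIND requests whose If header matches the shape
# described in the vulnerability summary. MAX_IF_LEN is an assumed
# threshold chosen for illustration, not a vendor-published value.
MAX_IF_LEN = 256

def parse_request(raw: bytes):
    """Return (method, headers) from a raw HTTP request; header names lowercased."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method = lines[0].split(" ", 1)[0].upper()
    headers = {}
    for line in lines[1:]:
        # Obsolete folded continuation lines belong to the previous header.
        if line[:1] in (" ", "\t") and headers:
            last = next(reversed(headers))
            headers[last] += " " + line.strip()
            continue
        name, sep, value = line.partition(":")
        if sep:
            key, value = name.strip().lower(), value.strip()
            # Repeated headers are joined so a split value cannot hide its length.
            headers[key] = headers[key] + ", " + value if key in headers else value
    return method, headers

def is_suspicious(raw: bytes, max_if_len: int = MAX_IF_LEN) -> bool:
    """True for PROPFIND with an If header starting '<http://' longer than the limit."""
    method, headers = parse_request(raw)
    if method != "PROPFIND":
        return False
    value = headers.get("if", "")
    return value.lower().startswith("<http://") and len(value) > max_if_len

# Constructed sample requests (not captured traffic).
BENIGN = (b"PROPFIND /docs/ HTTP/1.1\r\nHost: example.test\r\n"
          b"If: <http://example.test/docs/> (<opaquelocktoken:constructed>)\r\n"
          b"Depth: 1\r\n\r\n")
OVERSIZED = (b"PROPFIND / HTTP/1.1\r\nHost: example.test\r\n"
             b"If: <http://" + b"A" * 1000 + b">\r\n\r\n")
FOLDED = (b"PROPFIND / HTTP/1.1\r\nHost: example.test\r\n"
          b"If: <http://" + b"A" * 200 + b"\r\n " + b"A" * 200 + b">\r\n\r\n")
OTHER_METHOD = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"

if __name__ == "__main__":
    for name, req in [("benign", BENIGN), ("oversized", OVERSIZED),
                      ("folded", FOLDED), ("get", OTHER_METHOD)]:
        print(name, is_suspicious(req))
```
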

### Exploiting the host:

Searchsploit results for IIS 6.0:

![](https://lh4.googleusercontent.com/IWQvp_Nx1TFrLyWNxazzE69X4VP2iedBeRC5wOo__5sAgYEjUS6GKPYCu17riQNfkZKbnAWNJjgR0OsLkV-XGXpvw1R9kxx4_SB2YwWvcFk0HlbtLq5bkMYqFzwTloWaWtENwC3Z)

Use the Metasploit module `windows/iis/iis_webdav_scstoragepathfromurl`:

![](https://lh5.googleusercontent.com/T6DQwBXZs2bn0IF8xo_0KboBvympBn3Ocr1SQdhuUAfoHwm7l1Z2tqsmv8-nSMEH4yxJ6v7BQta7W4UWdYVZxFWLjgeIaxzPRNToCrUlb_O5kZlEWxRAJnR7Vb5K6bzLxOTMNn5d)

Execute the exploit.

![](https://lh5.googleusercontent.com/3I4TczTaSvr-HNRNZ68OzBMQe-zYMCP9QAwSIwdOUNJG8T_4LinVpbBRpDnhdyG4rUEY1Ii9H3L76o7IdEwJZcbbi43N2ZZUqDLjpB87tqTfscrBuHdFir40VQvHv1hvcJXkhUSw)

Collect your flags.

![](https://lh4.googleusercontent.com/W1ccQqDUptM_Rfng-_3Vu1qSZF9jM8r2Y-yE7AWcMCTQGjEq9wnfDKjzz0mbl59tFvCEZNL0U5hxucKcIKbzG4f6kHnVksiK9CfYFReEoFZTpg-AAsDTy_iY2OT23YUQnMcO71w5)
