Since these boxes are so similar, I combined them and tried to show how to do Network Pivots by placing a iptables rule on my box that would prevent me from talking to Grandpa. Unfortunately, that pivot didn’t go so swell in the first video so there is a second one showing how to do “Reverse Callbacks” through a compromised host.
Could get user on both Granny and Grandpa via CVE-2017-7269. However, there is a easier way to do Granny. You could drop HTML and TXT files via HTTP PUT Statement. Then rename that file to ASPX via HTTP MOVE, allowing code execution.
1:50 - Nmap Results (Discovery of WebDav)
4:35 - DavTest
6:22 - HTTP PUT Upload Files
7:00 - MSFVenom Generate aspx payload
13:00 - User Shell Returned
16:23 - Get Admin Shell (ms14-070)
17:14 - Beginning of Pivot Fail. Socks Proxy
29:35 - Shell on Grandpa (CVE-2017-7269)
32:45 - Using portfwd to access ports not exposed to routable interfaces
34:45 - Cracking LM Hash Explanation
38:30 - Cracking LM Hashes via Hashcat
41:30 - Grandpa acts cranky. Revert.
42:30 - Expected behavior when exploiting via CVE-2017-7269. None of that auto system weirdness (45:20 gets admin)
45:50 - Using Hashcat to crack NTLM using LM Hashes
48:50 - Finally log into SMB using the portfwd from 32:45
49:07 - Random pivot attempt failure.