diff --git a/HackTheBox/Granny.md b/HackTheBox/Granny.md new file mode 100644 index 0000000..de50ed1 --- /dev/null +++ b/HackTheBox/Granny.md 
@@ -0,0 +1,94 @@ +# HackTheBox-Granny + +## NMAP + +```bash + +PORT STATE SERVICE REASON VERSION +80/tcp open http syn-ack ttl 127 Microsoft IIS httpd 6.0 +| http-methods: +| Supported Methods: OPTIONS TRACE GET HEAD DELETE COPY MOVE PROPFIND PROPPATCH SEARCH MKCOL LOCK UNLOCK PUT POST +|_ Potentially risky methods: TRACE DELETE COPY MOVE PROPFIND PROPPATCH SEARCH MKCOL LOCK UNLOCK PUT +| http-ntlm-info: +| Target_Name: GRANNY +| NetBIOS_Domain_Name: GRANNY +| NetBIOS_Computer_Name: GRANNY +| DNS_Domain_Name: granny +| DNS_Computer_Name: granny +|_ Product_Version: 5.2.3790 +|_http-server-header: Microsoft-IIS/6.0 +| http-webdav-scan: +| Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH +| Allowed Methods: OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK +| Server Type: Microsoft-IIS/6.0 +| WebDAV type: Unknown +|_ Server Date: Wed, 26 May 2021 15:53:30 GMT + +``` + +## PORT 80 (HTTP) + + + +As seen from the nmap scan , this web server is using IIS 6.0 version which might havev some vulnerabilites since it's old + + +## Using Metasploit + +On googling around exploits for IIS 6.0 I found a metasploit module + + + +So use the metasploit module and configure the options + + + + + +Right now we are not a privileged user so we need to find a way to escalate our privileges so let's run `whoami /all` + + + +We can see Seimpersonate privleges is on , what Seimperonsate is that a local admin can impersonate himself to a logged user but here a service account has these privileges so we can abuse these to create a token which will enable us switch user to admin + + + +Since this is a windows server 2003 operating system we are going to search for abusing the privileges for this particular system + + + + +We can see the file `churrasco` which we can use to abuse impersonate privileges + + + +Now to upload this on the target machine I had some problems while 
doing it as powershell was not available so we cannot use it's functionality to download files also `curl` wasn't available too , `certutil` was also giving problems + + + +I then just used functionality of meterpreter to upload files and it worked like a charm + + + +But I forogt to allow downloading malicious files as firefox gave a warningthat's why showing it's empty so let's download it again + + +https://github.com/Re4son/Churrasco/raw/master/churrasco.exe + +To run commands through this exe `churrasco.exe -d` after that the command we want to run as SYSTEM + + + + + +I get a connection back didn't get a shell + + + +And I soon reliazed my mistake that I didn't provide `-e` argument to invoke `cmd.exe` on getting a connection,so let's run it again + + + + + +And now we got a shell as SYSTEM
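Review bot: the SeImpersonatePrivilege explanation after `whoami /all` is inaccurate and should be reworded: the privilege allows a process to impersonate the security context of a client that has authenticated to it, and it is granted by default to administrators, services and the IIS application-pool identities, which is why the IIS 6.0 worker account on this box holds it; it is not "a local admin can impersonate himself to a logged user". The `whoami /all` output itself should also be pasted so the reader can see the `Enabled` state the text refers to. Further gaps in the same hunk: the Metasploit module is never named, so "So use the metasploit module and configure the options" cannot be followed (give the module path and the options that were set, and tie it back to the `Potentially risky methods` line in the nmap output that motivates it); the `churrasco.exe -d` sentence should explain what `-d` does; and the command that produced "I get a connection back didn't get a shell" is not shown, so the later "I didn't provide `-e` argument" fix has nothing to refer to. The runs of blank lines look like stripped screenshots and should either carry the image links or a sentence describing what the screenshot showed. Minor: fix the typos `havev`, `vulnerabilites`, `privleges`, `Seimperonsate`, `forogt`, `warningthat's` and `reliazed`.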