THM Steel Mountain - grunt92/IT-Sec-WriteUps GitHub Wiki

Introduction

Deploy the machine.
Who is the employee of the month?

Inspect the image found on the website and you will see that the image is called "BillHarper.png".

Bill Harper

Initial Access

Scan the machine with nmap. What is the other port running a web server on?

8080

Take a look at the other web server. What file server is running?

Copy the description of the file server ("HttpFileServer httpd 2.3") and search for it using a search engine. You should find the name for this server.

Rejetto Http File Server

What is the CVE number to exploit this file server?

Use exploit-db to search for "rejetto" and look for a vulnerability that has a Metasploit module.

2014-6287

Use Metasploit to get an initial shell. What is the user flag?

Start Metasploit and search for rejetto. Select the exploit. Set RHOST to the IP of the target machine and RPORT to 8080, then run the exploit. It takes a while before it returns a Meterpreter shell. Navigate to "C:\Users\bill\Desktop" and run cat user.txt to get the flag.

b04763b6fcf51fcd7c13abc7db4fd365

Privilege Escalation

To execute this using Meterpreter, I will type load powershell into meterpreter. Then I will enter powershell by entering powershell_shell:

No answer needed

Pay close attention to the CanRestart option that is set to true. What is the name of the service which shows up as an unquoted service path vulnerability?

AdvancedSystemCareService9

Upload your binary and replace the legitimate one. Then restart the program to get a shell as root.

Exit your PowerShell session. In the Meterpreter session, navigate to "C:\Program Files (x86)\IObit" and run upload /path/to/Advanced.exe to upload the executable. On your local machine start another Metasploit session (or background the current one) and use "exploit/multi/handler". Set the payload to the same payload you used when generating the executable with msfvenom, set LPORT and LHOST, and start the listener. In the Meterpreter session enter PowerShell. Run net stop AdvancedSystemCareService9 to stop the service and restart it with net start AdvancedSystemCareService9. Your multi/handler session should have caught the incoming connection, giving you a reverse shell as "NT AUTHORITY\SYSTEM". From there, read "c:\Users\Administrator\Desktop\root.txt" to get the flag. If you used the "windows/shell_reverse_tcp" payload you may want to use shell_to_meterpreter to upgrade to a Meterpreter session, which lets you run search -f root.txt to locate the flag.

9af5f314f57607c00fd09803a587db80

Access and Escalation Without Metasploit

You will need to run the exploit twice. The first time will pull our netcat binary to the system and the second will execute our payload to gain a callback!

Unfortunately the access without Metasploit did not work with my setup. In theory you want to copy/download the exploit, nc.exe, PowerUp.ps1 and Advanced.exe into one location. You have to edit the exploit to use your machine's IP and a port of your choosing. Start an http.server and a netcat listener in your directory and run the exploit twice. The exploit will cause the server to download the files placed in your directory and execute them, similar to the process in task 3. Once access is established you can use the same steps as in task 3 to escalate your privileges.

No answer needed

What powershell -c command could we run to manually find out the service name?

powershell -c Get-Service
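As an added, defender-side example (not part of this write-up, the room, or PowerUp), the script below goes beyond the plain Get-Service answer: it lists every service whose executable path is unquoted and contains spaces, which is the condition behind the AdvancedSystemCareService9 finding, and can quote those paths so the service control manager no longer resolves an unintended binary. The function names and the use of the ImagePath registry value are my own choices; Win32_Service is queried because Get-Service in Windows PowerShell 5.1 does not expose the binary path.

```powershell
# Added example, not from the original write-up: audit a Windows host for services
# with unquoted binary paths and optionally quote them.
# Assumptions: runs in a local PowerShell session on the host being checked;
# Repair-ServicePathQuoting needs an elevated (administrator) session.

function Test-UnquotedServicePath {
    param([Parameter(Mandatory)][string]$PathName)
    # A path that already starts with a quote is safe regardless of spaces.
    if ($PathName -match '^\s*"') { return $false }
    # Keep only the executable part (up to the first .exe), dropping arguments.
    # Paths without .exe fall through unchanged and may be flagged conservatively.
    $exe = $PathName -replace '(?i)^(.*?\.exe).*$', '$1'
    # A space in the executable path means the service control manager may try
    # shorter candidates (e.g. C:\Program.exe) before reaching the real binary.
    return ($exe -match '\s')
}

function Get-UnquotedServicePath {
    # Win32_Service exposes PathName and StartName (the account the service runs as);
    # a SYSTEM service with a writable prefix directory is the high-risk case.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -and (Test-UnquotedServicePath $_.PathName) } |
        Select-Object Name, State, StartMode, StartName, PathName
}

function Repair-ServicePathQuoting {
    # Rewrites ImagePath so the executable is wrapped in quotes; arguments are kept.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)][string]$Name,
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)][string]$PathName
    )
    process {
        $exe     = $PathName -replace '(?i)^(.*?\.exe).*$', '$1'
        $argPart = $PathName.Substring($exe.Length)
        $fixed   = "`"$exe`"$argPart"
        $key     = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
        if ($PSCmdlet.ShouldProcess($Name, "set ImagePath to $fixed")) {
            # ImagePath is normally REG_EXPAND_SZ, so keep that value type.
            Set-ItemProperty -Path $key -Name ImagePath -Value $fixed -Type ExpandString
        }
    }
}

# Usage: review first, then apply in an elevated session and restart the affected service.
Get-UnquotedServicePath | Format-Table -AutoSize
Get-UnquotedServicePath | Repair-ServicePathQuoting -WhatIf
```

Run the audit as a normal user first; only the repair step needs administrator rights, and the change takes effect the next time the service starts, so pair it with a controlled restart. Because it writes the registry directly, use -WhatIf to confirm the rewritten path before applying it.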

Once this command runs, you will see you gain a shell as Administrator on our listener!

No answer needed
