###### tags: `TryHackMe OffensiveSecurity AdvancedExploitation`

# Steel Mountain

:::success
In this room I hacked into a Mr. Robot themed Windows machine, used Metasploit for initial access, used PowerShell for Windows privilege escalation enumeration and learned a new technique to get Administrator access.
:::

## Gain initial access

:::info
In this section I manage to gain basic access to the machine.
:::

### Reconnaissance

First, I ran `nmap -sV -sC IP` to gather as much information as possible about the target, such as the open ports and the services running on them.

![](https://i.imgur.com/cmaZEVX.png)

Looking at the output, I find that a **Rejetto HTTP File Server** is running. I search for known vulnerabilities in this server on [exploit-db](https://www.exploit-db.com/search?q=rejetto+http+file+server).

![](https://i.imgur.com/Hdyraps.png)

The CVE for this file server is **2014-6287**. Knowing the CVE, I use Metasploit to get an initial shell.

![](https://i.imgur.com/zwuUk3g.png)

![](https://i.imgur.com/eVwMOMF.png)

:::success
I managed to get a basic shell.
:::

## Privilege escalation

:::info
Now that I have an initial shell on this Windows machine as Bill, I can further enumerate the machine and escalate my privileges to root!
:::

To enumerate this machine, I will use a PowerShell script called **PowerUp**, whose purpose is to evaluate a Windows machine and determine any abnormalities.

*PowerUp aims to be a clearinghouse of common Windows privilege escalation vectors that rely on misconfigurations.*

I download the script from GitHub [here](https://github.com/PowerShellMafia/PowerSploit).

![](https://i.imgur.com/1veAIzY.png)

Now I can use the `upload` command in Meterpreter to upload the script and execute it. To do so, I type `load powershell` into Meterpreter.

Then I enter PowerShell by entering `powershell_shell`:

![](https://i.imgur.com/aomdZy1.png)

I then ran the following commands to import the module in PowerShell:

![](https://i.imgur.com/c9wqDhm.png)

Looking at this output, **the CanRestart option being true** allows us to restart a service on the system, and the directory of the application is also writable. This means we can replace the legitimate application with our malicious one and restart the service, which will run our infected program.

:::success
Let's do it :smiley:
:::

I started by using `msfvenom` to generate a reverse shell as a Windows executable:

![](https://i.imgur.com/Js9Mtm3.png)

I named it `ASCService.exe`, the same name as the binary we want to overwrite. Now that we have a Windows executable ready to go, we will use **multi/handler**, which is a stub that handles exploits launched outside of the framework:

![](https://i.imgur.com/M4uLojL.png)

![](https://i.imgur.com/08EGe7L.png)

In order to get a shell as root, I have to upload the Windows executable created before and replace the legitimate one, then restart the service to get a shell as root. I first go to the directory where the legitimate program is:

![](https://i.imgur.com/7t6Hmy4.png)

Then I stop the service:

![](https://i.imgur.com/NU3Yx1o.png)

Finally I upload the one I created to replace the legitimate one and restart the service:

![](https://i.imgur.com/cSAP2qN.png)

I see that a new session is created. This one corresponds to my shell as root. Let's enter this session:

![](https://i.imgur.com/H7b38tn.png)
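The misconfiguration PowerUp flagged above (a service binary, or the directory holding it, writable by low-privileged users) is something an administrator can audit for directly, without PowerUp. The script below is an added example written for this writeup; it is not part of the original room, of PowerUp, or of PowerSploit. It walks every service registered on the host it runs on, extracts the image path, and reports any binary or parent directory where a broad principal (`Everyone`, `BUILTIN\Users`, `Authenticated Users`, `INTERACTIVE`) holds an Allow ACE with write rights. The principal list and the set of rights treated as "write" are assumptions chosen for this example; the service names and paths come from whatever machine it is run on.

```powershell
# Added example, not from the original writeup or from PowerUp:
# audit services whose binary or binary directory is writable by broad groups.
# Principals treated as "low-privileged / broad" (assumption for this example).
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)
# Rights that let a principal replace or tamper with a file.
$WriteRights = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, WriteData, AppendData'

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # Strip service arguments; handle quoted and unquoted image paths.
    if (-not $PathName) { return $null }
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^(\S+\.exe)') { return $Matches[1] }
    return ($PathName -split ' ')[0]
}

function Test-BroadWriteAccess {
    param([string]$Path)
    # Returns the broad principals that hold an Allow ACE with write rights on $Path.
    $hits = New-Object System.Collections.Generic.List[string]
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return @() }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band [int]$WriteRights) -ne 0) {
            $hits.Add($ace.IdentityReference.Value)
        }
    }
    return @($hits | Sort-Object -Unique)
}

function Find-WritableServiceBinaries {
    Get-CimInstance Win32_Service | ForEach-Object {
        $bin = Get-ServiceBinaryPath $_.PathName
        if (-not $bin -or -not (Test-Path -LiteralPath $bin)) { return }
        $dir = Split-Path -Parent $bin
        $fileWriters = Test-BroadWriteAccess $bin
        $dirWriters  = Test-BroadWriteAccess $dir
        if ($fileWriters.Count -gt 0 -or $dirWriters.Count -gt 0) {
            [pscustomobject]@{
                Service        = $_.Name
                RunsAs         = $_.StartName          # e.g. LocalSystem: the payoff for an attacker
                Path           = $bin
                UnquotedPath   = ($_.PathName -notmatch '^"' -and $bin -match ' ')
                FileWritableBy = ($fileWriters -join ', ')
                DirWritableBy  = ($dirWriters -join ', ')
            }
        }
    }
}

Find-WritableServiceBinaries | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt so every binary's ACL is readable; any row it prints is a service that a standard user could swap out exactly as the writeup does with `ASCService.exe`. Remediation is to remove the offending ACEs (for example `icacls "<dir>" /remove:g "BUILTIN\Users"` on the flagged directory, with `/t` to recurse) and to re-register any service with an unquoted path that contains spaces using a quoted `binPath`.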