Steel Mountain: TryHackMe
Steel Mountain is a Windows-themed machine from TryHackMe.
You can find the challenge here.
Enumeration:
Starting with an nmap scan:
Now accessing port 80:
View the page source to get the name of the Employee of the Month.
Now moving on to the next port, 8080:
Found Rejetto HTTP File Server. On googling I found CVE-2014-6287 and a Rapid7 Metasploit module.
Exploitation:
Start msfconsole:
sudo msfconsole
Set your RHOSTS, LHOST and RPORT (8080 here) and run exploit.
Open the shell and grab the user flag.
Privilege Escalation:
Back in meterpreter, use PowerUp.ps1 to check for misconfigurations in Windows.
Upload PowerUp.ps1, load the PowerShell extension into meterpreter and run it.
Here are the commands:
Here is the result:
An unquoted service path means the service's binary path is not wrapped in quotes and contains a space; Windows then treats the text after the space as a possible command argument and tries the shorter path first, so a binary placed at that shorter path is run with the service's privileges, which can be used to gain SYSTEM. You can find more here.
Now, the CanRestart option being True means we can restart the service ourselves.
Theory:
As mentioned about the path in the IObit folder: before going into the Advanced SystemCare folder, Windows checks for Advanced.exe (because "Advanced SystemCare" contains a space), so we can place an Advanced.exe containing our reverse shell code there.
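To make the check concrete, here is an added Python audit (not part of the original writeup, PowerUp or winPEAS) that flags service ImagePath values with this misconfiguration, lists the intermediate file names Windows would try before the real binary (the directories whose permissions an administrator must review), and produces the quoted path that fixes it. The service entries are constructed samples; the IObit path mirrors the one discussed above.

```python
import re

# Constructed sample of service name -> ImagePath (as stored under
# HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath). The IObit entry
# mirrors the writeup's path; the other entries are made-up controls.
SAMPLE_SERVICES = {
    "AdvancedSystemCare": r"C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe",
    "Spooler": r"C:\Windows\System32\spoolsv.exe",
    "QuotedSvc": r'"C:\Program Files (x86)\Some Vendor\svc.exe" -k netsvcs',
    "NoSpaceSvc": r"C:\Tools\agent.exe --service",
}

_EXE_THEN_ARGS = re.compile(r"^(.*?\.exe)(\s.*)?$", re.IGNORECASE)


def split_image_path(image_path):
    """Return (executable, arguments, was_quoted) for a service ImagePath."""
    p = image_path.strip()
    if p.startswith('"'):                      # quoted: the path ends at the closing quote
        end = p.find('"', 1)
        return p[1:end], p[end + 1:].strip(), True
    m = _EXE_THEN_ARGS.match(p)
    if not m:                                  # no .exe found: treat the whole string as the path
        return p, "", False
    return m.group(1), (m.group(2) or "").strip(), False


def candidate_paths(exe):
    """File names Windows tries, in order, for an unquoted path with spaces:
    the text before each space with .exe appended, then the real binary."""
    cands = [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]
    cands.append(exe)
    return cands


def audit(services):
    """Flag unquoted ImagePaths containing spaces and suggest the quoted fix."""
    findings = []
    for name, image_path in services.items():
        exe, args, quoted = split_image_path(image_path)
        if quoted or " " not in exe:
            continue                           # quoted or space-free paths are unambiguous
        findings.append({
            "service": name,
            "image_path": image_path,
            "checked_first": candidate_paths(exe)[:-1],  # locations whose ACLs need review
            "fixed_image_path": f'"{exe}"' + (f" {args}" if args else ""),
        })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_SERVICES):
        print(f["service"], "->", f["fixed_image_path"])
```

On a real host the dictionary would be filled from the registry (e.g. with `reg query` or PowerShell's Get-ItemProperty); the fix is to write the quoted ImagePath back and restrict write access to the intermediate directories.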
So let's generate our payload with msfvenom.
Now upload it to the directory C:\Program Files (x86)\IObit.
Now set up a netcat listener.
Now go back to meterpreter, stop the service and start it again, and wait until our reverse shell code is executed.
Here is our reverse shell. You can grab the root flag.
Manual Exploitation:
Download the exploit. Edit the Python file and set your lhost and lport accordingly. For this exploit you need to host a web server on port 80 with the netcat binary nc.exe in it. We will run it twice. Set up your listener on the chosen port.
Let's load winPEAS.
Now let's check for privilege escalation.
Found the unquoted service path. I am using the same Advanced.exe and uploading it to C:\Program Files (x86)\IObit.
Now set up the listener for the created payload, here Advanced.exe.
Let's first stop the service and then start it again.
We have a reverse shell as NT AUTHORITY\SYSTEM.
Thank you.