Steel Mountain – Try Hack Me

This is considered an easy machine, but I've decided to write it up for those who are really new to the field and might still find some things difficult.

Enumeration

Let's start by deploying the machine and doing an initial port scan.

[Screenshot: initial Nmap scan]

While I checked what was on port 80, I ran a full-range port scan in the background. Accessing the web page, there was some text and an image. Running dirbuster didn't turn up anything interesting, so I moved on.

The Nmap scan finishes, and a few more things come up.

[Screenshot: full-range port scan]

Port 8080 is open, so we check it out and see that it is running HTTP File Server (HFS).

[Screenshot: HTTP File Server]

Gaining Initial Access

I use searchsploit to look for a publicly available exploit. What I notice is that HFS is vulnerable to remote code execution, and there is a Metasploit module available for it.

[Screenshot: searchsploit results]

Fire up Metasploit, search for the exploit and configure it as needed.

[Screenshot: configuring Metasploit and getting the Meterpreter shell]

We have initial access to the target machine, so I proceed with the enumeration part.

[Screenshot: enumeration]

Privilege Escalation

I tried Windows Exploit Suggester and the Metasploit local exploit suggester, but didn't find anything useful.

My next move was to use wmic to check for unquoted service paths. The syntax I used was: wmic service get name,displayname,pathname,startmode |findstr /i "auto" | findstr /i /v "c:\windows\" |findstr /i /v """. The three findstr filters keep only auto-start services, drop anything under C:\Windows, and drop paths that are already quoted.

[Screenshot: wmic output]

I also checked manually for the unquoted service path using Service Control (sc).

[Screenshot: manual check using sc]
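For anyone who wants to audit their own hosts for this condition rather than eyeball wmic output, here is an added PowerShell example (my own, not part of the original write-up or of any tool used in it). It applies the same filter as the wmic one-liner above (auto-start services outside C:\Windows), lists the intermediate files Windows would try to start for each unquoted path with spaces, checks whether ordinary users can write to those directories, and offers a remediation that quotes the executable in the service's ImagePath, which is the fix for the weakness abused later in this write-up. The service name and path used in the offline demonstration at the bottom are constructed sample values, not the ones from the Steel Mountain box.

```powershell
# Added example, not from the original write-up. Tested against Windows PowerShell 5.1.
# Audits services for unquoted binary paths containing spaces and reports whether
# the directories Windows would probe are writable by non-administrators.

function Get-UnquotedPathCandidates {
    param([Parameter(Mandatory)][string]$PathName)

    # Already quoted, or no spaces at all: CreateProcess has nothing to misinterpret.
    if ($PathName.StartsWith('"') -or $PathName -notmatch ' ') { return @() }

    # Strip any arguments after the executable so only the binary path is split.
    $exePath = $PathName
    if ($PathName -match '^(.*?\.exe)') { $exePath = $Matches[1] }

    # Windows tries each space-delimited prefix as "<prefix>.exe" before the real
    # binary, e.g. C:\Program.exe, then "C:\Program Files.exe", and so on.
    $candidates = @()
    $parts = $exePath -split ' '
    for ($i = 1; $i -lt $parts.Count; $i++) {
        $candidates += (($parts[0..($i - 1)] -join ' ') + '.exe')
    }
    return $candidates
}

function Test-UsersCanWrite {
    # True if Users, Everyone or Authenticated Users hold an Allow ACE with Write
    # on the directory. A hit here is what turns an unquoted path into a finding.
    param([Parameter(Mandatory)][string]$Directory)
    if (-not (Test-Path -LiteralPath $Directory)) { return $false }
    $broadGroups = @('BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users')
    $acl = Get-Acl -LiteralPath $Directory
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.IdentityReference.Value -notin $broadGroups) { continue }
        $write = [System.Security.AccessControl.FileSystemRights]::Write
        if (($ace.FileSystemRights -band $write) -ne 0) { return $true }
    }
    return $false
}

function Find-UnquotedServicePaths {
    # Same selection as the wmic one-liner: auto-start services not under C:\Windows.
    Get-CimInstance Win32_Service |
        Where-Object { $_.StartMode -eq 'Auto' -and $_.PathName -and
                       $_.PathName -notmatch '^"?c:\\windows\\' } |
        ForEach-Object {
            $svc = $_
            foreach ($cand in Get-UnquotedPathCandidates -PathName $svc.PathName) {
                [pscustomobject]@{
                    Service    = $svc.Name
                    PathName   = $svc.PathName
                    Candidate  = $cand
                    UsersWrite = Test-UsersCanWrite -Directory (Split-Path -Path $cand -Parent)
                }
            }
        }
}

function Repair-ServiceImagePath {
    # Mitigation: wrap the executable portion of ImagePath in quotes so the prefix
    # search no longer happens. Needs administrator rights; try -WhatIf first.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$ServiceName)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    $current = (Get-ItemProperty -Path $key -Name ImagePath).ImagePath
    if ($current.StartsWith('"')) { return $current }
    $fixed = $current
    if ($current -match '^(.*?\.exe)(.*)$') { $fixed = '"' + $Matches[1] + '"' + $Matches[2] }
    if ($PSCmdlet.ShouldProcess($ServiceName, "Set ImagePath to $fixed")) {
        # ImagePath is normally REG_EXPAND_SZ; keep that type when rewriting it.
        Set-ItemProperty -Path $key -Name ImagePath -Value $fixed -Type ExpandString
    }
    return $fixed
}

# Offline demonstration on a constructed path (not the box's real ImagePath):
Get-UnquotedPathCandidates -PathName 'C:\Program Files (x86)\Example Vendor\Example Service\svc.exe -run'

# Live audit of the current host (read-only); review findings with UsersWrite = True.
Find-UnquotedServicePaths | Format-Table -AutoSize
```

The constructed path yields four candidates, from C:\Program.exe down to the Example.exe inside the vendor folder; on a real host, only candidates whose parent directory comes back with UsersWrite = True are worth a ticket, and Repair-ServiceImagePath -ServiceName <name> -WhatIf shows the quoted value that would be written before you commit to it.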

With this information, I used msfvenom to generate a malicious binary.

I stop the service using Service Control.

[Screenshot: stopping the service]

Now, I upload the binary to C:\Program Files (x86)\IObit. Before starting the service, create a netcat listener, then drop into a shell and start the service with Service Control (sc start AdvancedSystemCareService9).

[Screenshot: netcat listener]

I received the reverse shell. Now, if we want to upgrade our shell, we can use the Metasploit Web Delivery module as follows.

[Screenshot: Web Delivery configuration]

I already had it preconfigured and just changed a few things. Also, don't forget to use the PSH delivery (set target 2). Now, just paste the generated command into the generic shell you spawned earlier and hit enter. You'll receive the connection in Metasploit.

You have upgraded the shell. Now you can run hashdump, pivot if needed, and so on.

[Screenshot: hashdump]

Hope you guys enjoyed and learned a few things.

Also, if you need help, hit me up on Try Hack Me Discord.