This is considered an easy machine, but I’ve decided to write it up for those who are really new to the field and might still find some things difficult.
Let’s start by deploying the machine and doing an initial port scan.
While I checked what was on port 80, I ran a full-range port scan in the background. The web page showed some text and an image. Running dirbuster didn’t turn up anything interesting, so I moved on.
The Nmap scan finishes, and a few more things come up.
Port 8080 is open, so we check it out and see that it is running HTTP File Server (HFS).
Gaining Initial Access
I use searchsploit to look for a publicly available exploit. What I notice is that this HFS version is vulnerable to remote code execution, and there is a Metasploit module available.
Fire up Metasploit, search for the exploit and configure it as needed.
We now have initial access to the target machine, so I proceed with enumeration.
I tried Windows Exploit Suggester and the Metasploit local exploit suggester, but didn’t find anything useful.
My next move was to use wmic to check for unquoted service paths. The syntax I used was:
wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\" | findstr /i /v """
I also checked the unquoted service path manually using Service Control (sc).
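The wmic one-liner above tells you that a path is unquoted, but not why that matters or how to close it. The following script is an added example (not code from the original write-up) that implements the same check as a parser for saved wmic output, so it can be run offline or against an export from a fleet of hosts. For each unquoted path containing a space it reports the executable CreateProcess will parse, the shorter paths CreateProcess tries first (the directories of those paths are the ones whose ACLs must block standard users), and the sc config line that quotes the path. The wmic sample is constructed, and every service entry except AdvancedSystemCareService9 is invented.

```python
"""Audit helper for unquoted service paths (an added example, not code from
the original write-up). It implements the check behind the wmic | findstr
pipeline as a parser for saved output of
`wmic service get name,displayname,pathname,startmode`, and reports what a
defender wants from the finding: the executable path CreateProcess will parse,
the paths it tries before reaching that executable (their directories must not
be writable by standard users), and an `sc config` line that quotes the path.
All service entries except AdvancedSystemCareService9 are constructed."""
import ntpath
import re
from dataclasses import dataclass

# Constructed sample of the wmic table output; wmic pads columns with spaces.
SAMPLE_WMIC_OUTPUT = """\
Name                         DisplayName                      PathName                                                          StartMode
AdvancedSystemCareService9   Advanced SystemCare Service 9    C:\\Program Files (x86)\\IObit\\Advanced SystemCare\\ASCService.exe   Auto
ExampleQuotedSvc             Example Quoted Service           "C:\\Program Files\\Example Vendor\\Example Svc\\svc.exe" -run      Auto
wuauserv                     Windows Update                   C:\\Windows\\system32\\svchost.exe -k netsvcs -p                   Manual
ExampleNoSpaceSvc            Example No-Space Service         C:\\Tools\\nospace\\svc.exe --flag                                 Auto
ExampleManualSvc             Example Manual Service           C:\\Example Tools\\manual\\msvc.exe                                Manual
"""

# An unquoted PathName is "<exe> [args]"; the executable ends at the first
# ".exe" that is followed by whitespace or the end of the value.
_EXE_RE = re.compile(r"^(?P<exe>.*?\.exe)(?=\s|$)", re.IGNORECASE)


@dataclass
class Finding:
    name: str
    start_mode: str
    exe_path: str        # executable portion of PathName, without arguments
    tried_first: list    # paths CreateProcess tries before exe_path
    dirs_to_check: list  # directories whose ACLs must block standard users
    fix_command: str     # sc config line that quotes the binary path


def parse_wmic_services(text):
    """Parse wmic's table output. Columns are separated by runs of two or more
    spaces, while values such as PathName may contain single spaces, so we
    split only on the wide gaps."""
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    header = re.split(r"\s{2,}", lines[0])
    rows = []
    for ln in lines[1:]:
        cols = re.split(r"\s{2,}", ln)
        if len(cols) != len(header):
            continue  # malformed line: skip rather than mis-assign columns
        rows.append(dict(zip(header, cols)))
    return rows


def unquoted_exe(path_name):
    """Return the executable path if PathName is unquoted, else None."""
    if path_name.startswith('"'):
        return None
    m = _EXE_RE.match(path_name)
    return m.group("exe") if m else None


def createprocess_search_order(exe_path):
    """Paths CreateProcess tries, in order, for an unquoted command line with
    spaces: each space-delimited prefix with .exe appended (documented
    CreateProcess behaviour), before it reaches the real executable."""
    return [exe_path[:i] + ".exe" for i, ch in enumerate(exe_path) if ch == " "]


def audit_services(text, auto_only=True):
    """Flag services whose unquoted executable path contains a space.
    auto_only mirrors the `findstr /i "auto"` stage of the one-liner."""
    findings = []
    for row in parse_wmic_services(text):
        if auto_only and row["StartMode"].lower() != "auto":
            continue
        exe = unquoted_exe(row["PathName"])
        if exe is None or " " not in exe:
            continue
        args = row["PathName"][len(exe):]
        tried = createprocess_search_order(exe)
        findings.append(Finding(
            name=row["Name"],
            start_mode=row["StartMode"],
            exe_path=exe,
            tried_first=tried,
            dirs_to_check=sorted({ntpath.dirname(p) for p in tried}),
            # sc config needs the inner quotes escaped on the command line.
            fix_command=f'sc config {row["Name"]} binPath= "\\"{exe}\\"{args}"',
        ))
    return findings


def report(findings):
    """Human-readable summary of the findings."""
    out = []
    for f in findings:
        out.append(f"[{f.start_mode}] {f.name}: {f.exe_path}")
        out.append("  CreateProcess tries first: " + ", ".join(f.tried_first))
        out.append("  check ACLs on: " + ", ".join(f.dirs_to_check))
        out.append("  fix: " + f.fix_command)
    return "\n".join(out) if out else "no unquoted service paths found"


if __name__ == "__main__":
    print(report(audit_services(SAMPLE_WMIC_OUTPUT)))
```

Run it on the sample and only AdvancedSystemCareService9 is flagged: the quoted service is safe by construction, the svchost and nospace entries have no space in the executable path, and the manual-start service is filtered the same way the findstr "auto" stage filters it (pass auto_only=False to see it too). The fix is simply to quote the path with sc config, which is what the vendor should have done at install time; the dirs_to_check list is where to verify that Users have no write permission.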
With this information, I used msfvenom to generate a malicious binary.
I stopped the service using Service Control.
Now I uploaded the binary to C:\Program Files (x86)\IObit. Before starting the service, create a netcat listener, then drop into a shell and start the service with Service Control (sc start AdvancedSystemCareService9).
I received the reverse shell. Now, if we want to upgrade our shell, we can use the Metasploit Web Delivery module as follows.
I already had it preconfigured and just changed a few things. Don’t forget to use the PSH delivery (set target 2). Now just copy-paste the generated command into the generic shell you spawned earlier and hit Enter. You’ll receive the connection in Metasploit.
The shell is upgraded. Now you can run hashdump, pivot if needed, and so on.
Hope you guys enjoyed and learned a few things.
Also, if you need help, hit me up on the TryHackMe Discord.