Steel Mountain (THM)
TryHackMe – Steel Mountain Write-Up
topics: web application security, powershell, Windows privilege escalation, public exploits, file transferring
Enumeration
Local Privilege Escalation
Exploitation (Root PrivEsc)
new tools: winPEAS, powershell
Enumeration
Initial nmap scan: .././autonmap.sh $ip Basic
We have several ports open, including MSRPC, SMB, RDP, and multiple HTTP ports. Enumerating the low-hanging fruit first: the two websites.
The website on port 80 is a default homepage with nothing but an image, while port 8080 displays a more interesting page.
Clicking the Server Information link reveals that this web server is running Rejetto HTTP File Server 2.3, and that installed version is vulnerable to CVE-2014-6287.
Local Privilege Escalation
Exploit 39161 explains that we'll need to run an HTTP server hosting a Windows netcat executable for the target to download. We can essentially upload any file we choose.
Start the HTTP server and the listener before running the command python exp.py $ip 8080 twice. The first run uploads the netcat binary, while the second sends a GET request to execute or fetch the binary.
System Privilege Escalation
I did not see anything stand out initially, so I decided to run winPEAS. winPEAS returns several potential attack vectors for system privilege escalation, but one in particular stands out: an unquoted service path vulnerability.
When a service is created whose executable path contains spaces and isn't enclosed in quotes, the result is a vulnerability known as Unquoted Service Path. Because Windows tries each space-delimited prefix of the path in turn, a binary placed earlier in the path by a low-privileged user runs in the service's context, allowing that user to gain SYSTEM privileges (if the service is running with those privileges).
We can cd to the directory C:\Program Files (x86)\IObit\Advanced SystemCare\ and view the proper executable name, ASCService.exe, that our reverse shell must use.
Create the payload with msfvenom and listen for the shell with nc -nlvp 443
Following this, the service must be stopped and the original executable renamed as a backup. Then the payload must be downloaded from the attacker and the service started, which returns a shell with nt authority\system privileges.
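As a defensive counterpart to the finding above (my own added example, not part of the original write-up), this PowerShell script lists every service whose executable path contains a space but is not quoted, the same condition winPEAS reported, and with -Fix rewrites the service's ImagePath with quotes. The helper names and the -Fix switch are mine; it assumes an elevated session on the Windows host.

```powershell
# Added example (not from the original write-up): audit a Windows host for the
# unquoted service path condition described above and, with -Fix, quote the path.
# Run in an elevated PowerShell session; the function names below are my own.
param([switch]$Fix)

function Get-ServiceExePath {
    # Return the executable portion of a service command line (up to .exe),
    # or the whole string if no .exe is present.
    param([string]$PathName)
    if ($PathName -match '(?i)^(.+?\.exe)') { return $Matches[1] }
    return $PathName
}

function Test-UnquotedServicePath {
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $false }
    # A path that already starts with a quote is not affected.
    if ($PathName.StartsWith('"')) { return $false }
    # Affected only when the executable path itself contains a space
    # (spaces inside trailing arguments are harmless).
    return (Get-ServiceExePath $PathName).Contains(' ')
}

$findings = foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    if (-not (Test-UnquotedServicePath $svc.PathName)) { continue }
    [pscustomobject]@{
        Name      = $svc.Name
        RunsAs    = $svc.StartName      # LocalSystem is the high-impact case
        StartMode = $svc.StartMode
        PathName  = $svc.PathName
    }
}
$findings | Format-Table -AutoSize

if ($Fix) {
    foreach ($f in $findings) {
        # Wrap only the executable in quotes and keep any arguments as they were.
        $exe      = Get-ServiceExePath $f.PathName
        $trailing = $f.PathName.Substring($exe.Length)
        $quoted   = '"' + $exe + '"' + $trailing
        $key      = "HKLM:\SYSTEM\CurrentControlSet\Services\$($f.Name)"
        Set-ItemProperty -Path $key -Name ImagePath -Value $quoted -Type ExpandString
        Write-Output "Quoted ImagePath for $($f.Name): $quoted"
    }
}
```

The service control manager reads ImagePath when a service starts, so the quoted path takes effect on the next restart of each affected service.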