Steel Mountain : TryHackMe Writeup

0liverFlow
9 min read · Mar 27, 2024


Steel Mountain

Executive Summary

Steel Mountain is a Mr. Robot themed Windows machine that demonstrates the risks of running outdated software. It’s an easy machine that uses Metasploit for initial access and PowerShell for privilege escalation. Nevertheless, we’re going to root this machine manually, without using Metasploit.

Reconnaissance

Nmap

The target has several open ports.

In such a scenario, I generally check whether the SMB server allows anonymous login. If it doesn’t, I move on to web server enumeration.

Enumeration

Port 445

Unfortunately, the server does not allow anonymous login.

So let’s enumerate the web servers instead. Shall we?

Port 80

Let’s first take a look at the website in our browser:

Main Page

Here, there is nothing interesting except the picture of the employee of the month. However, this could help you answer the first question.

With that said, let’s identify the technologies running on the web server, then perform directory/file enumeration using gobuster:

The web server is running version 8.5 of Microsoft Internet Information Services (IIS). Feel free to check whether this version is vulnerable. As far as I’m concerned, I did not find any exploit related to this version of IIS.

With that said, let’s proceed with directory/file enumeration:

Once again, it seems there’s no interesting directory apart from /img. Let’s check whether we have access to it using curl:

/img

Too bad, we got a 403 Forbidden, which means we have no access to the directory in question.

Last but not least, let’s look for subdomains using ffuf:

Here again, we did not find any subdomains.

That being said, let’s move on to the second web server running on port 8080.

Port 8080 (HFS)

HFS is a web file server used to share folders, or even a single file, thanks to its virtual file system.

As you can see, we got the version of the HTTP File Server.

This could also be found using whatweb:

The -v flag enables verbose mode. This can be useful when you have no clue about a particular technology.

Awesome! Let’s now check whether the HFS version that is running is vulnerable:

It seems that this version of the server is vulnerable. Here’s a quick explanation of the vulnerability:

HTTP File Server is prone to a vulnerability that lets attackers upload files and place them in arbitrary locations on the server. The issue occurs because the software fails to adequately sanitize user-supplied input.

A successful exploit may allow the attacker to upload malicious files and potentially execute them; this may lead to various attacks such as Remote Code Execution (RCE).

Let’s download the exploit (CVE-2014-6287) on our attacker machine:

For this exploit to work properly, we need to:

1/ Change the IP address and local port to our IP address and a port of our choice.

2/ Run a web server on port 80, then place nc.exe in the web root:

3/ Execute the exploit by specifying the target IP (HTTP File Server) and the port on which it is running, i.e. 8080:

After that, we can stop the Python web server, then launch a netcat listener on the local port we specified. In my case, I didn’t change the local port in the file, therefore I launched my netcat listener on port 80:

Once done, we can execute the script again and we should get initial access:

Initial Foothold

Fantastic! Now that we have initial access to the server, we can try to retrieve the user flag, which is generally located on the user’s Desktop:

User Flag

For those interested, here’s how to get initial access using Metasploit.

Initial Access with Metasploit

You could also perform a search based on the CVE ID (2014-6287) we found previously:

After selecting the exploit, let’s execute the info command to make sure this module can help us exploit the target machine:

As you can see in the image below, the module has been successfully tested on HFS 2.3b over Windows XP SP3, Windows 7 SP1 and Windows 8.

Let’s check whether this exploit works against our vulnerable HFS.

For that, let’s set the different options required for the exploit to work properly. Here are the options you need to set:

Once done, let’s run the exploit using the run command:

Meterpreter shell
User Flag

Initial access is good but not enough. We need the keys to the kingdom, i.e. the root flag. For that, we need to elevate our privileges.

Privilege Escalation

The privilege escalation step can be done either manually or automatically, but in our case we’re going to do it automatically (we’re too lazy :)

Here, I used a Windows privilege escalation tool called PowerUp.

Let’s now run PowerUp as follows:

Note: It’s not possible to run an interactive PowerShell session here. Therefore, you need to pass your command as an argument, as I did above.

Here, we’re going to take advantage of a vulnerability called “unquoted service path”.

In order to escalate our privileges by leveraging this vector, the following conditions need to be satisfied:

1/ We must have enough permissions to stop/start the vulnerable service.

2/ We must have write permissions in at least one of the directories of the unquoted service path.

3/ Last but not least, the vulnerable service must run as a user with higher privileges than us. Otherwise, it will not be worth it at all.

To determine which service to pick, let’s see whether we can start or stop them.

Before starting or stopping a service, we can query its status with sc query <SERVICE_NAME>, as follows:

Service Status

Knowing that AdvancedSystemCareService9 is running, let’s try to stop it:

Great! We were able to stop the AdvancedSystemCareService9 service.

Nevertheless, this didn’t work for other services, as you can see below:

Denied Access to stop LiveUpdateSvc service

Now, let’s check whether we have write permissions in at least one of the directories of the unquoted service path.

I decided to check the permissions of the “C:\Program Files (x86)\IObit\” folder:

As you can see, our user (bill) has write permissions over the IObit folder, which means he can write in that folder.

Let’s generate a stageless payload called Advanced.exe:

Once done, let’s download the generated payload into our writable directory (IObit):

Let’s now launch our netcat listener, then stop and start the “AdvancedSystemCareService9” service:

The machine has been rooted. Let’s get the root flag. Shall we ?

Root Flag

Privilege Escalation With Metasploit

First of all, let’s upload the PowerUp script to the target system using the upload Meterpreter command:

Once done, let’s load the powershell module using the following command:

Let’s now import PowerUp, then run Invoke-AllChecks:

After that, let’s generate a staged payload using msfvenom:

Before starting the service, let’s set up our handler:

Once done, let’s start the vulnerable service:

Mission Complete

Findings and Recommendations

To gain SYSTEM privileges on the target, we exploited two vulnerabilities:

1/ Vulnerable and outdated HTTP File Server (HFS 2.3)

Here, after we got the version of the Rejetto file server, we searched for exploits affecting this specific version. Then we downloaded the exploit and ran it against the target system, which gave us initial access.

To avoid this vulnerability, the client should make sure to keep its applications up to date, especially those exposed to the Internet.

You can check the latest version of rejetto here.

2/ Unquoted Service Path

After gaining initial access, we used an automatic privilege escalation tool called PowerUp to enumerate common Windows privilege escalation vectors that rely on misconfigurations. It allowed us to find an unquoted service path (C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe) that we leveraged to escalate our privileges to NT AUTHORITY\SYSTEM.

Here is how to fix this privilege escalation vector.
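As an added example that is not part of this writeup (and not PowerUp’s or TryHackMe’s code), here is a PowerShell audit for the unquoted service path misconfiguration discussed above. It lists every service whose executable path is unquoted and contains spaces, flags those where a low-privileged group can write into one of the directories the Service Control Manager would search (the same three conditions listed in the privilege escalation section, seen from the defender’s side), and with -Fix quotes the ImagePath in the registry. The group names it treats as low-privileged and the rights mask it treats as “can create files” are assumptions of this example.

```powershell
<#
  Added example (not from the original writeup or from PowerUp): find services
  with an unquoted, space-containing ImagePath, report which search directory a
  low-privileged principal can write to, and optionally quote the path.
  Run from an elevated PowerShell prompt; -Fix writes HKLM, -WhatIf previews it.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # -Fix rewrites the ImagePath with quotes around the executable.
    [switch]$Fix
)

# Assumption: these well-known names cover the usual low-privileged groups that
# should never hold write access on a directory in a service binary's path.
$LowPrivPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

function Get-UnquotedServicePath {
    # Services whose executable path is not quoted and has a space before ".exe".
    # Win32_Service.PathName is the command line as the SCM will run it.
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $cmd = $_.PathName
        if ($cmd -and $cmd -notmatch '^"' -and $cmd -match '^(?<exe>.*?\.exe)') {
            $exe = $Matches['exe']
            if ($exe -match '\s') {
                [pscustomobject]@{
                    Name     = $_.Name
                    RunsAs   = $_.StartName   # LocalSystem is the worst case
                    PathName = $cmd
                    Exe      = $exe
                }
            }
        }
    }
}

function Get-SearchDirectory {
    # For "C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe" the SCM
    # tries C:\Program.exe, then "C:\Program Files (x86)\IObit\Advanced.exe", and
    # so on. Return the parent directory of each candidate location.
    param([string]$Exe)
    $dirs = @()
    $idx = $Exe.IndexOf(' ')
    while ($idx -gt 0) {
        $dirs += Split-Path -Parent $Exe.Substring(0, $idx)
        $idx = $Exe.IndexOf(' ', $idx + 1)
    }
    $dirs | Select-Object -Unique
}

function Test-LowPrivWritable {
    # True when a low-privileged principal holds an Allow ACE that can create
    # files here: CreateFiles/WriteData (0x2), GENERIC_WRITE (0x40000000) or
    # GENERIC_ALL (0x10000000). Modify and FullControl both include bit 0x2.
    param([string]$Directory)
    if (-not (Test-Path -LiteralPath $Directory)) { return $false }
    try { $acl = Get-Acl -LiteralPath $Directory } catch { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        $rights = [int]$ace.FileSystemRights
        if (($rights -band 0x2) -or ($rights -band 0x40000000) -or ($rights -band 0x10000000)) {
            return $true
        }
    }
    return $false
}

function Repair-UnquotedServicePath {
    # Quote the executable portion of the service's ImagePath in the registry.
    # The registry value is used instead of PathName so variables such as
    # %SystemRoot% stay unexpanded (hence -Type ExpandString).
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$Name)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $current = (Get-ItemProperty -Path $key -Name ImagePath).ImagePath
    if ($current -match '^"' -or $current -notmatch '^(?<exe>.*?\.exe)') { return }
    $exe = $Matches['exe']
    $new = '"' + $exe + '"' + $current.Substring($exe.Length)
    if ($PSCmdlet.ShouldProcess($Name, "Set ImagePath to $new")) {
        Set-ItemProperty -Path $key -Name ImagePath -Value $new -Type ExpandString
    }
}

foreach ($svc in Get-UnquotedServicePath) {
    $writable = Get-SearchDirectory -Exe $svc.Exe | Where-Object { Test-LowPrivWritable -Directory $_ }
    [pscustomobject]@{
        Service      = $svc.Name
        RunsAs       = $svc.RunsAs
        Path         = $svc.PathName
        WritableDirs = ($writable -join '; ')   # non-empty means the path is hijackable
    }
    if ($Fix) { Repair-UnquotedServicePath -Name $svc.Name }
}
```

A service shows up with an empty WritableDirs column when the path is unquoted but every directory along it is protected; the permission on the IObit folder in this room is exactly what would populate that column. Quoting the path (or removing write access for Users on that folder) closes the vector, and re-running the script afterwards confirms the fix.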


Written by 0liverFlow

Pentester | Enjoy breaking and building stuff