THM: Steel Mountain Walkthrough

How this helps your pentesting career:

  • exploit Rejetto HFS 2.3 to get a remote shell, with both Metasploit and manual exploitation
  • practice a Windows privilege escalation technique: unquoted service paths

#1 Deploy the machine.

Who is the employee of the month?

task1 image source shows employee name
The page source shows the employee name in the image filename.

Answer: Bill Harper

Now that you have deployed the machine, let's get an initial shell!

#1 Scan the machine with nmap. What is the other port running a web server on?

nmap output for Steel Mountain
Windows Server 2008, running HTTPFileServer httpd 2.3 on port 8080

Answer: 8080

 

#2 Take a look at the other web server. What file server is running?

google search of httpfileserver httpd 2.3
A Google search for the service shows: Rejetto HTTP File Server (HFS) 2.3

Answer: Rejetto HTTP File Server

 

#3 What is the CVE number to exploit this file server?

Exploit-db entry for exploit relevant to Rejetto HTTP File Server 2.3
This is the exploit-db entry for the remote command execution exploit of Rejetto HTTP File Server 2.3.x

Answer: CVE 2014-6287

 

#4 Use Metasploit to get an initial shell. What is the user flag?

msfconsole rejetto http file server exploit
This exploit hosts a local web server so that we can upload a reverse shell to Rejetto HFS and execute it on the target machine, giving us a remote Meterpreter session.

 

Once we get a shell, we can look around for the user.txt flag. It is located at C:\Users\bill\Desktop\user.txt

obfuscated user.txt for steel mountain
User flag found at C:\Users\bill\Desktop\user.txt

#1 To enumerate this machine, we will use a PowerShell script called PowerUp, whose purpose is to evaluate a Windows machine and determine any abnormalities – “PowerUp aims to be a clearinghouse of common Windows privilege escalation vectors that rely on misconfigurations.”

You can download the script here. Now you can use the upload command in Metasploit to upload the script.


To execute this using Meterpreter, I will type load powershell into meterpreter. Then I will enter powershell by entering powershell_shell:

upload PowerUp.ps1 script to enumerate the Steel Mountain machine
Upload the PowerUp.ps1 powershell script
PowerUp.ps1 results
The results of the PowerUp.ps1 script show an unquoted service path

 

#2 Pay close attention to the CanRestart option that is set to true. What is the name of the service with the unquoted service path? (https://www.commonexploits.com/unquoted-service-paths/)

Answer: AdvancedSystemCareService9

 

#3 The CanRestart option being true allows us to restart the service on the system, and the application's directory is also writable. This means we can replace the legitimate application with our malicious one and restart the service, which will run our infected program!

Use msfvenom to generate a reverse shell as a Windows executable.

msfvenom creating meterpreter reverse shell payload
Since the service path is C:\Program Files (x86)\IOBit\Advanced SystemCare\…

and it is unquoted, Windows will try to run an executable named after each space-separated prefix of the path before reaching the real one:

C:\Program.exe, C:\Program Files (x86)\IOBit\Advanced.exe

Since we don’t have write permission to create C:\Program.exe, we can name the payload ‘Advanced.exe’ and place it in …\IOBit\

uploading unquoted service path payload to steel mountain


Now that the payload is in place, we can start a meterpreter handler to listen and receive the reverse shell, and then restart the service to activate the payload.

setting up msfconsole handler for elevated shell

restarting advancedsystemcareservice9

Once the service restarts, the ‘Advanced.exe’ payload gets executed at C:\Program Files (x86)\IOBit\Advanced.exe instead of the actual executable at C:\Program Files (x86)\IOBit\Advanced SystemCare\AdvancedSystemCare.exe

We get a reverse Meterpreter shell in msfconsole

 

#4 What is the root flag?

The root flag is located at C:\Users\Administrator\Desktop\root.txt

obfuscated root flag for steel mountain

Now let’s complete the room without the use of Metasploit.

For this we will utilise PowerShell and winPEAS to enumerate the system and collect the information needed to escalate privileges.

#1 To begin, we shall be using the same CVE. However, this time let’s use this exploit.

This is the same exploit we found by searching Google for “HTTP File Server httpd 2.3”.

Just like the Metasploit exploit, we need to create our own HTTP server on Kali so we can transfer some files. The first time we execute the script, it will upload nc.exe to the target. When we run it a second time, it will execute nc.exe and give us a shell. We will need an nc listener ready beforehand.

nc.exe is found in /usr/share/windows-resources/binaries/nc.exe

 

#2 Congratulations, we’re now on the system. Now we can pull winPEAS to the system using powershell -c.


Once we run winPEAS, we see that it points us towards unquoted service paths, and it also gives us the name of the affected service.


What powershell -c command could we run to manually find out the service name?

*Format is “powershell -c “command here”*
(https://docs.microsoft.com/en-us/powershell/scripting/learn/ps101/02-help-system?view=powershell-7 )
Answer: powershell -c Get-Service
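Both the unquoted-path explanation in the Metasploit section and the Get-Service question here come down to the same check: which services have an unquoted ImagePath with spaces, which shorter paths Windows would probe first, and whether a standard user can write to those directories. The audit script below is an added example, not code from the walkthrough, TryHackMe, PowerUp or winPEAS. It goes a little beyond the text by listing every probe point (the walkthrough names two of them) and by including the remediation, quoting the path in the service's ImagePath registry value. Function names are my own; it assumes an elevated PowerShell 5.1 or 7 session on the host under review.

```powershell
# Added example (not from the original walkthrough): audit services for the
# unquoted-service-path misconfiguration and quote the path to fix it.

# Rebuild the executables CreateProcess tries, in order, for an unquoted path:
# "C:\Program Files (x86)\IOBit\Advanced SystemCare\svc.exe" yields
# C:\Program.exe, C:\Program Files.exe, C:\Program Files (x86)\IOBit\Advanced.exe,
# and finally the real file.
function Get-PathProbeCandidates {
    param([Parameter(Mandatory)][string]$Exe)
    $parts = $Exe -split ' '
    for ($i = 1; $i -lt $parts.Count; $i++) {
        ($parts[0..($i - 1)] -join ' ') + '.exe'
    }
    $Exe
}

# True when a broad principal (Everyone, Users, Authenticated Users) holds any
# write bit on the directory a probe candidate would be created in.
function Test-BroadWriteAccess {
    param([Parameter(Mandatory)][string]$Directory)
    if (-not (Test-Path -LiteralPath $Directory -PathType Container)) { return $false }
    $broad     = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
    $writeBits = [int][System.Security.AccessControl.FileSystemRights]::Write  # CreateFiles|AppendData|WriteEA|WriteAttributes
    foreach ($ace in (Get-Acl -LiteralPath $Directory).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($broad -notcontains $ace.IdentityReference.Value) { continue }
        # Cast to int: a zero-valued enum is still "truthy" in PowerShell, so compare explicitly.
        if (([int]$ace.FileSystemRights -band $writeBits) -ne 0) { return $true }
    }
    return $false
}

# One object per service whose path is unquoted and contains a space; WritableProbes
# lists the candidate paths a standard user could actually plant a file at.
function Get-UnquotedServicePath {
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $svc  = $_
        $path = $svc.PathName
        # Only an unquoted path containing a space is ambiguous to CreateProcess.
        if ([string]::IsNullOrWhiteSpace($path) -or $path.StartsWith('"')) { return }
        $exe = [regex]::Match($path, '^.*?\.exe', 'IgnoreCase').Value   # drop arguments such as "-k netsvcs"
        if (-not $exe -or $exe -notmatch ' ') { return }
        $writable = Get-PathProbeCandidates -Exe $exe |
            Where-Object { $_ -ne $exe -and (Test-BroadWriteAccess -Directory (Split-Path -Parent $_)) }
        [PSCustomObject]@{
            Name           = $svc.Name
            RunsAs         = $svc.StartName     # LocalSystem means a hijack here yields SYSTEM
            CanStartStop   = $svc.StartMode
            PathName       = $path
            WritableProbes = @($writable)
        }
    }
}

# Remediation: wrap the executable in quotes in the service's ImagePath value.
# Returns the corrected string; only writes the registry when -Apply is given.
# (Equivalent to: sc.exe config <name> binPath= "\"C:\path with spaces\svc.exe\"")
function Repair-UnquotedServicePath {
    param([Parameter(Mandatory)][string]$Name, [switch]$Apply)
    $key  = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $path = (Get-ItemProperty -LiteralPath $key -Name ImagePath).ImagePath
    if ($path.StartsWith('"')) { return $path }            # already quoted, nothing to do
    $m     = [regex]::Match($path, '^(.*?\.exe)(.*)$', 'IgnoreCase')
    $fixed = '"' + $m.Groups[1].Value + '"' + $m.Groups[2].Value   # quote the exe, keep its arguments
    if ($Apply) {
        Set-ItemProperty -LiteralPath $key -Name ImagePath -Value $fixed -Type ExpandString
    }
    return $fixed
}

# Usage: list services a standard user could hijack, then preview and apply the fix.
Get-UnquotedServicePath | Where-Object { $_.WritableProbes.Count -gt 0 } | Format-List
Repair-UnquotedServicePath -Name AdvancedSystemCareService9            # preview only
# Repair-UnquotedServicePath -Name AdvancedSystemCareService9 -Apply   # write ImagePath, then restart the service
```

Note that Get-Service (the answer above) only returns the service name and state; the path that exposes the misconfiguration lives in Win32_Service.PathName or the ImagePath registry value, which is why the audit reads those instead. The `sc` name is an alias for Set-Content in PowerShell, so the native tool must be called as `sc.exe` if you prefer it over the registry write.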

 

#3 Now let’s escalate to Administrator with our newfound knowledge.


Generate your payload using msfvenom and pull it to the system using PowerShell.

  • Use PowerShell to download the file from the same Python HTTP server we used to transfer nc.exe.
  • Use the same payload as before, when we used Metasploit to gain access.

  • We can restart the service with these commands:
    • sc stop AdvancedSystemCareService9
    • sc start AdvancedSystemCareService9

 

We now have a shell without using Metasploit for the exploit, though we are still using a Meterpreter shell payload.

 
