How this helps your pentesting career:
- exploit Rejetto HFS 2.3 to get a remote shell with both Metasploit and manual exploitation
- practice a Windows privilege escalation technique: unquoted service paths
#1 Deploy the machine.
Who is the employee of the month?
Answer: Bill Harper
Now that you have deployed the machine, let's get an initial shell!
#1 Scan the machine with nmap. What is the other port running a web server on?
#2 Take a look at the other web server. What file server is running?
Answer: Rejetto HTTP File Server
#3 What is the CVE number to exploit this file server?
Answer: CVE-2014-6287
#4 Use Metasploit to get an initial shell. What is the user flag?
Once we get a shell, we can look around for the user.txt flag. It is located at C:\Users\bill\Desktop\user.txt
#1 To enumerate this machine, we will use a PowerShell script called PowerUp, whose purpose is to evaluate a Windows machine and find misconfigurations: “PowerUp aims to be a clearinghouse of common Windows privilege escalation vectors that rely on misconfigurations.”
You can download the script here. Now you can use the upload command in Metasploit to upload the script.
To execute it from Meterpreter, I type load powershell into the Meterpreter session, then open a PowerShell prompt with powershell_shell:
#2 Pay close attention to the CanRestart option that is set to true. What is the service name of the unquoted service path?
#3 CanRestart being true allows us to restart the service on the system, and the directory of the application is also writable. This means we can replace the legitimate application with our malicious one and restart the service, which will then run our infected program!
Use msfvenom to generate a reverse shell as a Windows executable.
Because the service's binary path contains spaces and is unquoted, Windows will try to run these executables before the real one:
C:\Program.exe, C:\Program Files (x86)\IOBit\Advanced.exe
Since we don’t have write permission for C:\Program.exe, we create the payload named ‘Advanced.exe’ and place it in …\IOBit\
Now that the payload is in place, we can start a meterpreter handler to listen and receive the reverse shell, and then restart the service to activate the payload.
Once the service restarts, the ‘Advanced.exe’ payload at C:\Program Files (x86)\IOBit\Advanced.exe is executed instead of the real executable at C:\Program Files (x86)\IOBit\Advanced SystemCare\AdvancedSystemCare.exe
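The lookup order above is what makes the misconfiguration exploitable, so it is also what a defender audits for. The following is an added example, not part of the original walkthrough or of PowerUp/winPEAS: it expands an unquoted ImagePath into the candidate executables Windows tries (generalised to every space-separated prefix, not only the two listed above), flags the candidates that sit in a directory a low-privileged user can write to, and emits the quoted path that fixes the service. The service records and the set of writable directories are constructed sample data modelled on the IOBit service in this room; on a real host they would come from `sc qc`/`Get-CimInstance Win32_Service` and from `icacls` or `Get-Acl`.

```python
"""Offline audit of unquoted service paths (added example, constructed data)."""
import ntpath


def candidate_paths(image_path):
    """Return the executables Windows would try for this ImagePath, in order.

    For an unquoted path with spaces, CreateProcess tries every
    space-separated prefix (with .exe appended when it has no extension)
    before the full path. A quoted path, or one without spaces, yields
    only the real binary.
    """
    path = image_path.strip()
    if path.startswith('"'):
        # Quoted: the executable is exactly what sits inside the quotes.
        return [path[1:path.index('"', 1)]]
    tokens = path.split(" ")
    candidates = []
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        if not ntpath.splitext(prefix)[1]:
            prefix += ".exe"
        candidates.append(prefix)
    return candidates


def hijack_points(image_path, writable_dirs):
    """Candidates (other than the real binary) whose parent directory is
    writable by a low-privileged user; a file planted there runs as the
    service account when the service (re)starts."""
    cands = candidate_paths(image_path)
    writable = {d.rstrip("\\").lower() for d in writable_dirs}
    return [c for c in cands[:-1]
            if ntpath.dirname(c).rstrip("\\").lower() in writable]


def quoted_image_path(image_path):
    """Remediation: quote the path so only the real binary is tried."""
    path = image_path.strip()
    if path.startswith('"') or " " not in path:
        return path
    return f'"{path}"'


def audit_services(records, writable_dirs):
    """records: iterable of (service_name, image_path, can_restart_as_user).
    Returns one finding per service that can actually be hijacked."""
    findings = []
    for name, image_path, can_restart in records:
        points = hijack_points(image_path, writable_dirs)
        if not points:
            continue
        findings.append({
            "service": name,
            "hijack_points": points,
            # A user who can restart the service needs no reboot to trigger it.
            "severity": "high" if can_restart else "medium",
            "fix": quoted_image_path(image_path),
        })
    return findings


# Constructed sample: the room's IOBit service plus two services that are safe
# (one quoted, one without spaces). The writable set is also constructed.
SAMPLE_SERVICES = [
    ("AdvancedSystemCareService9",
     r"C:\Program Files (x86)\IOBit\Advanced SystemCare\AdvancedSystemCare.exe", True),
    ("QuotedSvc", r'"C:\Program Files\Vendor Tool\tool.exe"', True),
    ("NoSpaceSvc", r"C:\Windows\System32\svchost.exe", False),
]
SAMPLE_WRITABLE_DIRS = {r"C:\Program Files (x86)\IOBit"}

if __name__ == "__main__":
    for finding in audit_services(SAMPLE_SERVICES, SAMPLE_WRITABLE_DIRS):
        print(f"[{finding['severity']}] {finding['service']}")
        for p in finding["hijack_points"]:
            print(f"    writable hijack point: {p}")
        print(f"    fix ImagePath to: {finding['fix']}")
```

Note that `C:\Program.exe` and `C:\Program Files.exe` are also candidates, but they are not reported because `C:\` is not in the writable set; the only finding is `...\IOBit\Advanced.exe`, which matches what the walkthrough exploits. The fix is the quoted path (written back with `sc config <name> binPath= "..."`), together with removing write access for standard users on the application directory.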
#4 What is the root flag?
The root flag is located at C:\Users\Administrator\Desktop\root.txt
Now let’s complete the room without the use of Metasploit.
For this we will use PowerShell and winPEAS to enumerate the system and collect the information needed to escalate privileges.
#1 To begin we shall be using the same CVE. However, this time let’s use this exploit
This is the same exploit we found by searching Google for “HTTP File Server httpd 2.3”.
Just like with the Metasploit exploit, we need to start our own HTTP server on Kali so we can transfer files. The first time we run the script, it uploads nc.exe to the target. When we run it a second time, it executes nc.exe and gives us a shell, so we need a nc listener ready.
nc.exe is found in /usr/share/windows-resources/binaries/nc.exe
#2 Congratulations, we’re now on the system. Now we can pull winPEAS onto the system using powershell -c.
Once we run winPEAS, it points us towards unquoted service paths and also gives us the name of the service that is running from one.
What powershell -c command could we run to manually find out the service name?
*Format is “powershell -c “command here”*
powershell -c Get-Service
#3 Now let’s escalate to Administrator with our newfound knowledge.
Generate your payload using msfvenom and pull it to the system using powershell.
- Use PowerShell to download the file from the same Python HTTP server we used to transfer nc.exe.
- Use the same payload as before, when we used Metasploit to gain access.
- We can restart the service with commands:
- sc stop AdvancedSystemCareService9
- sc start AdvancedSystemCareService9
We now have a shell without using Metasploit for the exploit, although we are still using a meterpreter shell payload.