Steel Mountain | Pentesting Quick Reference OSCP and Beyond

Last updated 1 year ago

Scanning

There are two webservers running, one on port 80 and the other oner on port 8080.

The other server is being run on port 8080 with HFS 2.3. it has a number of exploits

lets first exploit it with metasploit

And we get a meterpreter shell. Move to the desktop folder and get the user flag

Scan the machine with nmap. What is the other port running a web server on?

8080

Take a look at the other web server. What file server is running?

rejetto http file server

What is the CVE number to exploit this file server?

2014-6287

Use Metasploit to get an initial shell. What is the user flag?

b04763b6fcf51fcd7c13abc7db4fd365

Priv escalation

lets first check msf exploit suggester

it only found exploit/windows/local/bypassuac_eventvwr which did not work

Enumeration with powerup.ps1

upload the script with metasploit

Now run the script with Powershell

The Iobit AdvancedSystemCareService9 service is vulnerable to path hijack. No quotes are being used to enclose the path.

unquoted service path vulnerability

Now create a reverse shell payload

using reverse meterpreter payload dies if used and we have to chain it with post/windows/manage/migrate

Now upload the malicious file and changer meterpreter to shell, stop the service and then copy the file the same location, start listener at port 4443 and start the service again.

and we got the reverse shell

Take close attention to the CanRestart option that is set to true. What is the name of the service which shows up as an unquoted service path vulnerability?

AdvancedSystemCareService9

What is the root flag?

9af5f314f57607c00fd09803a587db80

Manual Exploitation

Change the ip address within the file to your local ip

Now download the netcat binay and host it on the webserver.

now get the winpeas on your system

use the 64 bit version

So, we can copy the malicious payload as above and do the privilege escalation.

Last updated 1 year ago

nmap -sS -A 10.10.227.204 -oN recon.nmap Starting Nmap 7.60 ( https://nmap.org ) at 2023-03-28 14:57 BST Nmap scan report for ip-10-10-227-204.eu-west-1.compute.internal (10.10.227.204) Host is up (0.00050s latency). Not shown: 989 closed ports PORT STATE SERVICE VERSION 80/tcp open http Microsoft IIS httpd 8.5 | http-methods: |_ Potentially risky methods: TRACE |_http-server-header: Microsoft-IIS/8.5 |_http-title: Site doesn't have a title (text/html). 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds 3389/tcp open ssl Microsoft SChannel TLS | fingerprint-strings: | TLSSessionReq: | i]cW | \x9bK | !r|b | steelmountain0 | 230327134335Z | 230926134335Z0 | steelmountain0 | Y7;7 | \x18 | S~M>t% | T}}~ | lJW2 | $0"0 | iBD\x18 | $ejT |_ Ur^Cg | ssl-cert: Subject: commonName=steelmountain | Not valid before: 2023-03-27T13:43:35 |_Not valid after: 2023-09-26T13:43:35 |_ssl-date: 2023-03-28T13:59:36+00:00; 0s from scanner time. 8080/tcp open http HttpFileServer httpd 2.3 |_http-server-header: HFS 2.3 |_http-title: HFS / 49152/tcp open msrpc Microsoft Windows RPC 49153/tcp open msrpc Microsoft Windows RPC 49154/tcp open msrpc Microsoft Windows RPC 49155/tcp open msrpc Microsoft Windows RPC 49156/tcp open msrpc Microsoft Windows RPC 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service : SF-Port3389-TCP:V=7.60%I=7%D=3/28%Time=6422F28B%P=x86_64-pc-linux-gnu%r(TL SF:SSessionReq,346,"\x16\x03\x03\x03A\x02\0\0M\x03\x03d\"\xf2\x86\r\x9f\x9 SF:3\xefi\]cW\xad\\\x9bK\xae\x01NE\xb6\|vg\xf9\x10\x1a\xf3\x0b\x11\x88s\x2 SF:0\xf2=\0\0\xb1\x91,\x9d\x04\xe6o\xe6\x97\x05\x02c\xfd$A\xad\xb8\xd8L6\ SF:xad\xeb\xbe-\xb7\x1c\x13\xfc\0/\0\0\x05\xff\x01\0\x01\0\x0b\0\x02\xe8\0 SF:\x02\xe5\0\x02\xe20\x82\x02\xde0\x82\x01\xc6\xa0\x03\x02\x01\x02\x02\x1 SF:0=\|\xaf\xce\x9d\xceY\xb7K\x13\xb9!r\|b\xf70\r\x06\t\*\x86H\x86\xf7\r\x SF:01\x01\x05\x05\x000\x181\x160\x14\x06\x03U\x04\x03\x13\rsteelmountain0\ SF:x1e\x17\r230327134335Z\x17\r230926134335Z0\x181\x160\x14\x06\x03U\x04\x SF:03\x13\rsteelmountain0\x82\x01\"0\r\x06\t\*\x86H\x86\xf7\r\x01\x01\x01\ SF:x05\0\x03\x82\x01\x0f\x000\x82\x01\n\x02\x82\x01\x01\0\xb5V\x7f\x0f\xfd SF:\xb6\0\x05\x98\x19\xe0-\xffH\xd3\xd9<\xae2\xf1\]\x0e\xdd\x1a\xde`y\x9e\ SF:x1a\xf8\x92\x88\*\xbfHu\x13B}\x8e\x1b\x9d\x9a\xd8\xda\xa5\x1a$\x1fE\xc SF:9\xa6\xca\xdb\xcfua2\xef\x14rg\x9d\xaf\[6\xc4\x9dz\x0e<\xa4<\xe2\xc2\xa SF:0\xf2\xf2\x16t\xb8>\x0e\x8c/\xc2\xc2\x04Y\x85M\x0b\xae3\xef\xd2\xcb\x95 SF:\)\x12Y7;7\xe6\xf2\xae\\\x18\x93\x8d\x12p\x10\xb7\xd8\xdb\xd6\xb5DX\xa1 SF:\x1c\x05\xe3KV\x1f\xbf\x81\xdc\x9b\xf1\xd4:\x91\x81pd#\xa5\xde\xd7{\xe7 SF:<\x8d:c\xc4\xce\xc01=\x8e\x13U%W\x996\x01\x8e\xc7\xc8\x97b\xd5S~M>t%\x1 SF:6\xd5l\"\x01\xe4\x9f6\xb1\xbdBUm\x80\xafS\xf8\xc32\xf0\xaak\x13\x8cv_`\ SF:x1a\xb6\x20Ex\xab2\xb2NsR\xe2\xfb\x93EL\x14}\xc6\xa5\xd0IR\xad\xd9\x90& SF:`\xdf\xa1\x04\xa1\xd55;\[\xddT}}~\x0bD\xfblJW2\x9a\xcdV\xed\x92W\xcb\x0 SF:2\x03\x01\0\x01\xa3\$0\"0\x13\x06\x03U\x1d%\x04\x0c0\n\x06\x08\+\x06\x0 SF:1\x05\x05\x07\x03\x010\x0b\x06\x03U\x1d\x0f\x04\x04\x03\x02\x0400\r\x06 SF:\t\*\x86H\x86\xf7\r\x01\x01\x05\x05\0\x03\x82\x01\x01\0I\xfa\xe4fv\x1d\ SF:xf1\x93\xca\xc4\xadiBD\\\x18\xe8\xae4f\xd7\x15\xd3QV\xfc\x95\x89T\x1b\x SF:bc\$ejT\xf3\x90\xe2\xa5\xd4\"B\xb9\x16V\xbc\x80\xa9\xc8\xb9I\x9dYf\xcb\ SF:xc2rZ\xf8\xd3DcA\xec\xf6\xc7;\x9dka\xc1\x07-\xab\x7f,\xbd\xdb\x1e\xac\x SF:13w~\xde\x0e\]\xe6\xf6t\x88\xcf\xa9O\xb5Q\xde\xcas\xc2\x14T\xbbF\x0b\xa SF:bD\xfa\x17\xbb\xcb\x9d/\0\xb4\x0b\x12\xdf6\xe9\x08\xa0\x8d\x89\xe8\x96\ SF:x11\xaaZ\xbd\xf5I4\x9d\t\xd3e\x8c\xaf\x85UF\xae\xdeM\xd9\x07<\xec\xb1q\ SF:x84t\xb2Q\x20\xe2`\x1d\xfb\xbd\"\x10\xc5h;\xbb\xb1\xfc\xfcUr\^Cg\xfd\xc SF:9\xd4\x04\x97\*\xb2pb9\xf1\x8f\xc0\xe1\x8c\x0c\x0eg'P\x19\x136\xc0\x032 SF:T\x07\xed}\xcdU\x9f\x0c\x9e\xb3\xbc7\xce\x8f\xd9\x14D\xdbd\x97Ma\x13\xf SF:d\x1e\x9e\xd9i\xd5\xbe\xa8\xeb\x9f\x86\x11\x8f_\xff\xb5\xbd\xba\xdc\xe8 SF:J\xfb4\.\xa9\xd0\x05Q\x1d\x94%\xed\xb2\x0e\0\0\0"); MAC Address: 02:63:4A:A4:5E:63 (Unknown) No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ). TCP/IP fingerprint: OS:SCAN(V=7.60%E=4%D=3/28%OT=80%CT=1%CU=41505%PV=Y%DS=1%DC=D%G=Y%M=02634A%T OS:M=6422F2CE%P=x86_64-pc-linux-gnu)SEQ(SP=108%GCD=1%ISR=109%TI=I%CI=I%TS=7 OS:)SEQ(SP=108%GCD=1%ISR=109%TI=I%CI=RD%II=I%SS=S%TS=7)OPS(O1=M2301NW8ST11% OS:O2=M2301NW8ST11%O3=M2301NW8NNT11%O4=M2301NW8ST11%O5=M2301NW8ST11%O6=M230 OS:1ST11)WIN(W1=2000%W2=2000%W3=2000%W4=2000%W5=2000%W6=2000)ECN(R=Y%DF=Y%T OS:=80%W=2000%O=M2301NW8NNS%CC=Y%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=) OS:T2(R=Y%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF=Y%T=80%W=0%S=Z%A= OS:O%F=AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T5(R=Y%DF= OS:Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=% OS:RD=0%Q=)T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=80%I OS:PL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=80%CD=Z) Network Distance: 1 hop Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows Host script results: |_nbstat: NetBIOS name: STEELMOUNTAIN, NetBIOS user: <unknown>, NetBIOS MAC: 02:63:4a:a4:5e:63 (unknown) | smb-security-mode: | account_used: guest | authentication_level: user | challenge_response: supported |_ message_signing: disabled (dangerous, but default) | smb2-security-mode: | 2.02: |_ Message signing enabled but not required | smb2-time: | date: 2023-03-28 14:59:36 |_ start_date: 2023-03-28 14:43:25 TRACEROUTE HOP RTT ADDRESS 1 0.50 ms ip-10-10-227-204.eu-west-1.compute.internal (10.10.227.204) OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 129.48 seconds