Steel Mountain

https://tryhackme.com/room/steelmountain

What up everybody! Today's room is a vulnerable, Mr. Robot-themed Windows machine. We'll solve it without Metasploit. As always, we'll start with reconnaissance.

Reconnaissance

We simply run a Nmap scan to get information about open ports and active services:

> nmap -sS -T5 -A -p- <TARGET-IP>

After a detailed analysis of the scan result, we discover that the Rejetto HTTP File Server service is vulnerable to remote code execution. The exploit is a Python script, so we download it and make it executable with chmod. It is meant to open a reverse shell, so before launching the script we need to set our local address and port inside it.

As THM suggests, we need to run the script twice: the first time to upload nc.exe, which must be in the same folder as the script, and the second time to get the actual shell.

Before launching the script 1
Before launching the script 2

After that we're ready to launch the exploit:

We run the exploit twice...
...And we get the shell!

Privilege Escalation

Now we can simply move to the Desktop directory. Here we use PowerShell to download winPEAS over HTTP from our local machine. This tool looks for possible ways to escalate our privileges.

After a few seconds of execution we notice that we might escalate privileges through an unquoted service path vulnerability. Basically, we need to create a malicious executable with msfvenom on our machine, name it Advanced.exe, and move it into the C:\Program Files (x86)\IObit directory.
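The check winPEAS performs here, as an added example (not the room's or winPEAS's own code): it flags service image paths that are unquoted and contain spaces, lists the intermediate locations a defender must confirm are not writable by standard users, and produces the quoted path that fixes the service. All service entries are constructed for this example; the IObit one only mirrors the situation described above.

```python
"""Detection logic for unquoted service paths, the weakness exploited above.
Inputs mimic the PathName field of Win32_Service (what `sc qc <service>`
shows as BINARY_PATH_NAME). All sample entries are constructed for this example."""
import re

# Constructed sample inventory: (service name, PathName as stored by Windows).
SAMPLE_SERVICES = [
    ("AdvancedTool", r"C:\Program Files (x86)\IObit\Advanced Tool\service.exe -run"),
    ("Spooler", r"C:\Windows\System32\spoolsv.exe"),
    ("VendorAgent", r'"C:\Program Files\Vendor\agent.exe" --svc'),
    ("NoSpaces", r"C:\Tools\agent.exe --service"),
]

_EXE = re.compile(r"^(.*?\.exe)(.*)$", re.IGNORECASE)


def split_path_name(path_name):
    """Return (executable path, arguments); a quoted path is unambiguous."""
    p = path_name.strip()
    if p.startswith('"'):
        end = p.find('"', 1)
        return p[1:end], p[end + 1:].strip()
    m = _EXE.match(p)
    if not m:  # no .exe found: treat the whole string as the executable
        return p, ""
    return m.group(1), m.group(2).strip()


def is_unquoted_service_path(path_name):
    """True when the image path is unquoted and contains a space."""
    if path_name.strip().startswith('"'):
        return False
    return " " in split_path_name(path_name)[0]


def lookup_candidates(path_name):
    """Paths Windows tries before the intended binary (one per space in the
    executable path); each parent directory must not be user-writable (icacls)."""
    exe, _ = split_path_name(path_name)
    return [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]


def quoted_fix(path_name):
    """Remediated PathName, applied with `sc config <svc> binPath=` or ImagePath."""
    exe, args = split_path_name(path_name)
    return f'"{exe}" {args}'.rstrip()


def audit(services=SAMPLE_SERVICES):
    """Return (service, fixed PathName) for every vulnerable entry."""
    return [(n, quoted_fix(p)) for n, p in services if is_unquoted_service_path(p)]
```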

Malicious executable

Now we just need to open a listener on our local machine and restart the service:

On our listener, we successfully get a shell with NT AUTHORITY\SYSTEM privileges!

As always, I won't explain everything in detail; if you want to know more about this vulnerability in order to follow my solving process, you can check this.
