TryHackMe — Steel Mountain Write Up
Steel Mountain is a room on TryHackMe with Easy difficulty.
Summary — On port 8080 there is a web server running. It is serving a vulnerable version of Jetta HTTP File Server. The version of that file server is vulnerable to a remote code execution. By exploiting the RCE you can get a low privilege shell on the box. Privilege Escalation to the SYSTEM user has been done by exploiting an unquoted service path vulnerability.
Enumeration
Starting with an Nmap scan we can see that on port 80 an HTTP server is running.
The landing page will show that Bill Harper is the employee of the month
Running another scan with the following command, we can see that on port 8080 another web server is running.
sudo nmap -p- -sV -sC 10.10.227.199 -oN nmap/all.nmap
Opening the web page on the HTTP server on port 8080 will show us a HTTP file server. The page contains a link to the vendor. From there, we know this is the Rejetto file server.
On ExploitDB there is a exploit for the HttpFileServer 2.3. The file server has an RCE flaw, with CVE-2014-6287 (CVE Number: 2014–6287).
Metasploit has a module for this vulnerability
Initial Access
Before running the exploit we have to configure the parameters of the module. Set the RHOST to the target IP Adress. Also set the RPORT to 8080, because the HTTP File Server is running on that port. Keep in mind to also set the LHOST to your attacker machine’s tun0 IP.
After that run the exploit. If get a session you can abort with CTRL+C
List your sessions and then interact with the created session
Go to Bill’s desktop and you will be able to read the first flag
Privilege Escalation
To enumerate for privilege escalation vectors, upload the PowerUp.ps1 Script from PowerSploit to the target machin
Next load the powershell extension to your meterpreter session and start powershell by typing powershell_shell
Next start enumeration with PowerUp.ps1:
After the script has run we can see that Bill user has permission to restart AdvancedSystemCareService9. An alternative way to get a list of all services is by running: powershell -c “Get-Service”
That service was configured without quotes. If we have write permissions in one of the other folders, then we could use that to elevate our privileges.
Also we have write permissions to C:\Program Files (x86)\IObit
Quit out of Powershell and navigate to IObit directory in your meterpreter shell
Next create a reverse shell with msfvenom
Next upload the reverse shell to that directory
Next background your current metasploit session with the bg command and use multi/handler
Set LHOST and LPORT the values specified in msfvenom and run the job in the background
Next switch to your the low privilege session as Bill and restart the service
Don’t hesitate if you get this error as long as you get a new session afterwards
Interact with the newly created sessions and you should have SYSTEM rights. You can read the root flag now.
Mitigation
First of all the HTTP File Server on port 8080 should be updated. Furthermore the service should be configured with quotes.
