TryHackMe : Steel Mountain

Emre Alkaya
7 min read · Oct 28, 2020


Room: Steel Mountain

Difficulty: Easy

“Today we will be looking at Steel Mountain from TryHackMe. Capture the flags and have fun.”

Task 1 : Introduction

#1 Deploy the machine. Who is the employee of the month?

I started off with an nmap scan:

nmap -T4 -A -p- <target ip>

We can see that port 80/tcp is open.

First I’ll head over to the webpage to check it out:

I find the employee of the month's name, “bill halper”, inside an <img src> attribute.

ans : Bill Halper

Task 2 : Initial Access

#1 Scan the machine with nmap. What is the other port running a web server on?

We can see port 8080/tcp running http.

ans : 8080

#2 Take a look at the other web server. What file server is running?

When I saw that port 8080 was open, I immediately visited it.

We can see the server banner: HttpFileServer 2.3

I immediately checked the link.

ans : Rejetto Http File Server

#3 What is the CVE number to exploit this file server?

I ran an nmap scan with the vuln script:

It reported a vulnerability on port 8080 of the machine.

I immediately Googled for an HttpFileServer 2.3 exploit.

We find its CVE number.

ans : CVE-2014-6287

#4 Use Metasploit to get an initial shell. What is the user flag?

We have found the vulnerability; now I look into how to exploit it.

We found the Metasploit rejetto module.

The search command in Metasploit helps here.

We have to set RPORT to 8080.

We are inside the machine.

We found the first flag.

ans : b04763b6fcf51fcd7c13abc7db4fd365

Task 3 : Privilege Escalation

#1 To enumerate this machine, we will use a PowerShell script called PowerUp, whose purpose is to evaluate a Windows machine and determine any abnormalities — “PowerUp aims to be a clearinghouse of common Windows privilege escalation vectors that rely on misconfigurations.”

You can download the script here. Now you can use the upload command in Metasploit to upload the script.

To execute this using Meterpreter, I will type load powershell into Meterpreter. Then I will enter a PowerShell prompt by entering powershell_shell:

#2 Pay close attention to the CanRestart option that is set to true. What is the name of the service with the unquoted service path?

ans : AdvancedSystemCareService9

#3 The CanRestart option being true allows us to restart a service on the system, and the directory of the application is also writable. This means we can replace the legitimate application with our malicious one and restart the service, which will run our infected program!
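As an added example (not part of the original walkthrough), here is the check PowerUp and winPEAS perform at this step, written out in Python: given a service's ImagePath, list the executables Windows would try in turn, flag the service when the path is unquoted and contains spaces, and produce the quoted form that fixes it. The sample service table is constructed; the room only shows the service name and the IObit\Advanced SystemCare\ directory, so the drive and the "Program Files (x86)" prefix are assumptions.

```python
"""Audit service ImagePath values for unquoted paths containing spaces.
Constructed sample data modelled on the room's PowerUp/winPEAS output; the
drive and "Program Files (x86)" prefix are assumed, not taken from the box."""

SAMPLE_SERVICES = [
    {"name": "AdvancedSystemCareService9", "can_restart": True,
     "image_path": r"C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe"},
    {"name": "Spooler", "can_restart": False,
     "image_path": r'"C:\Windows\System32\spoolsv.exe"'},
    {"name": "LogSvc", "can_restart": True,
     "image_path": r"C:\Tools\svc.exe -log"},  # unquoted but space-free: safe
]

def probe_order(image_path):
    """Executables CreateProcess tries, in order, for an ImagePath: a quoted
    path is unambiguous; an unquoted one is split at each space and every
    prefix is tried as '<prefix>.exe' until one already ending in .exe."""
    if image_path.startswith('"'):
        return [image_path.split('"')[1]]
    tokens = image_path.split(" ")
    order = []
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        if prefix.lower().endswith(".exe"):
            order.append(prefix)
            break
        order.append(prefix + ".exe")
    return order

def exposed_paths(image_path):
    """Locations tried before the real binary; each parent directory's ACL
    must deny write to standard users or the service can be hijacked."""
    return probe_order(image_path)[:-1]

def quote_image_path(image_path):
    """Remediation: quote the executable portion, keeping any arguments."""
    if image_path.startswith('"'):
        return image_path
    binary = probe_order(image_path)[-1]
    return f'"{binary}"{image_path[len(binary):]}'

def audit(services):
    """(name, can_restart, exposed paths) for every service with an unquoted,
    space-containing path; CanRestart is what made the room's case exploitable."""
    return [(s["name"], s["can_restart"], exposed_paths(s["image_path"]))
            for s in services if exposed_paths(s["image_path"])]
```

On a live host the same table comes from `Get-CimInstance Win32_Service` (Name, PathName) and the fix is applied with `sc config <name> binPath= "<quoted path>"`; the directory ACLs on each exposed path still need to be checked separately.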

Use msfvenom to generate a reverse shell as a Windows executable.

msfvenom is done!

Use multi/handler to create a listening session.

Upload /root/ASCService.exe

sc stop AdvancedSystemCareService9

Then use the Windows copy command to place ASCService.exe inside IObit\Advanced SystemCare\.

start AdvancedSystemCareService9

Session 3 opened!

It connected back to our listener on port 9001.

Success!

We got the root flag.

ans : 9af5f314f57607c00fd09803a587db80

Task 4 : Access and Escalation Without Metasploit

Now let’s complete the room without the use of Metasploit.

For this we will utilise powershell and winPEAS to enumerate the system and collect the relevant information to escalate to

#1 To begin we shall be using the same CVE. However, this time let’s use this exploit.

*Note that you will need to have a web server and a netcat listener active at the same time in order for this to work!*

To begin, you will need a netcat static binary on your web server. If you do not have one, you can download it from GitHub!

You will need to run the exploit twice. The first time will pull our netcat binary to the system and the second will execute our payload to gain a callback!

What powershell -c command could we run to manually find out the service name?

Create the python http server:

Listen on the port:

Run the script we edited.

We are inside the machine.

Next we transfer winPEAS.exe to the machine with a powershell -c download command.

Run winPeas.exe

Then run the last command.

We can see AdvancedSystemCareService9.

ans : powershell -c "Get-Service"

#3 Now let’s escalate to Administrator with our new found knowledge.

Generate your payload using msfvenom and pull it to the system using powershell.

Now we can move our payload to the unquoted directory winPEAS alerted us to and restart the service with two commands.

First we need to stop the service, which we can do like so:

sc stop AdvancedSystemCareService9

Shortly followed by:

sc start AdvancedSystemCareService9

Once this command runs, you will see that you gain a shell as Administrator on our listener!

This part is actually no different from what we did above, but I'll show it again.

Use msfvenom to generate a reverse shell as a Windows executable.

Done!

Use multi/handler to create a listening session.

Upload /root/ASCService.exe

sc stop AdvancedSystemCareService9

Then use the Windows copy command to place ASCService.exe inside IObit\Advanced SystemCare\.

start AdvancedSystemCareService9

Session 3 opened!

It connected back to our listener on port 9001.

Success!

We got the root flag.

ans : 9af5f314f57607c00fd09803a587db80

This box was really fun! I love the ones that have a story/theme that goes along with them.

Hope you guys enjoyed this tutorial, let me know if you try this out. Follow me for more projects like this!
