
THM | Steel Mountain


Basic Computer Exploitation | Steel Mountain | Summary:

This series of walkthroughs aims to help complete beginners finish the Complete Beginner path on the TryHackMe website. It is based on the learning content provided in the Steel Mountain room.


Disclaimer: Please note that this write-up is NOT intended to replace the original room or its content, but rather serve as supplementary material for those who are stuck and need additional guidance.

Task | 1 | Introduction

Question 1: Deploy the machine. Who is the employee of the month?

Bill Harper

Task | 2 | Initial Access

Question 1: Scan the machine with nmap. What is the other port running a web server on?

8080

Question 2: Take a look at the other web server. What file server is running?

Rejetto HTTP File Server

Question 3: What is the CVE number to exploit this file server?

2014-6287

Question 4: Use Metasploit to get an initial shell. What is the user flag?

<flag>

Task | 3 | Privilege Escalation

Question 1: To execute this using Meterpreter, I will type load powershell into meterpreter. Then I will enter powershell by entering powershell_shell:

No answer needed

Question 2: Pay close attention to the CanRestart option that is set to true. What is the name of the service which shows up as an unquoted service path vulnerability?

AdvancedSystemCareService9

Question 3: Upload your binary and replace the legitimate one. Then restart the program to get a shell as root.

  • Note: The service showed up as having an unquoted path (and could be exploited using that technique); however, in this case we exploited weak file permissions on the service binary instead, since the legitimate executable itself was writable.

No answer needed

Question 4: What is the root flag?

<flag>

Task | 4 | Access and Escalation Without Metasploit

Question 1: To begin we shall be using the same CVE. However, this time let's use this exploit.

  • Note that you will need to have a web server and a netcat listener active at the same time in order for this to work!
  • To begin, you will need a netcat static binary on your web server. If you do not have one, you can download it from GitHub!
  • You will need to run the exploit twice. The first time will pull our netcat binary to the system and the second will execute our payload to gain a callback!

No answer needed

Question 2: What powershell -c command could we run to manually find out the service name?

  • Format is powershell -c "command here"

powershell -c "Get-Service"
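Get-Service only lists service names; to see why winPEAS flagged AdvancedSystemCareService9 in Task 3 you need the configured executable path. The following audit helper is added here as an example and is not part of the room or this walkthrough; it uses the standard Win32_Service CIM class to list services whose path is unquoted and contains spaces, and shows the intermediate paths Windows would try before the real binary (the function name and output fields are my own choices).

```powershell
# Added audit helper (not from the room or the walkthrough): find services whose
# executable path is unquoted and contains a space, the misconfiguration winPEAS reports.
# Runs as a normal user; no service is modified.
function Get-UnquotedServicePath {
    [CmdletBinding()]
    param()

    Get-CimInstance -ClassName Win32_Service |
        Where-Object {
            $_.PathName -and
            $_.PathName -notmatch '^\s*"' -and            # path is not already quoted
            ($_.PathName -split '\.exe', 2)[0] -match '\s' # a space occurs before the .exe
        } |
        ForEach-Object {
            # Keep only the executable part; anything after ".exe" is arguments.
            $exe = ($_.PathName -split '\.exe', 2)[0] + '.exe'

            # Each prefix that ends at a space is a candidate the service
            # control manager resolves first, e.g. for
            # "C:\Program Files\Foo Bar\svc.exe" it tries
            # "C:\Program.exe" and then "C:\Program Files\Foo.exe".
            $parts = $exe -split '\s'
            $tried = for ($i = 1; $i -lt $parts.Count; $i++) {
                ($parts[0..($i - 1)] -join ' ') + '.exe'
            }

            [PSCustomObject]@{
                Name          = $_.Name
                StartMode     = $_.StartMode
                RunsAs        = $_.StartName      # typically LocalSystem for this kind of finding
                PathName      = $_.PathName
                ResolvedFirst = $tried
            }
        }
}

# Remediation is simply to quote the path in the service configuration, e.g.
#   sc.exe config <ServiceName> binPath= "\"C:\Program Files\Foo Bar\svc.exe\""
# (requires administrative rights). Run the audit:
Get-UnquotedServicePath | Format-List
```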

Question 3: Now we can move our payload to the unquoted directory winPEAS alerted us to and restart the service with two commands.

  • First we need to stop the service which we can do like so: sc stop AdvancedSystemCareService9
  • Shortly followed by: sc start AdvancedSystemCareService9
  • Once this command runs, you will get a shell as Administrator on your listener!

No answer needed