TryHackMe — Steel Mountain Write Up

Steel Mountain is a room on TryHackMe with Easy difficulty.

Summary — On port 8080 there is a web server running. It is serving a vulnerable version of Jetta HTTP File Server. The version of that file server is vulnerable to a remote code execution. By exploiting the RCE you can get a low privilege shell on the box. Privilege Escalation to the SYSTEM user has been done by exploiting an unquoted service path vulnerability.

Enumeration

Starting with an Nmap scan we can see that on port 80 an HTTP server is running.

The landing page will show that Bill Harper is the employee of the month

Running another scan with the following command, we can see that on port 8080 another web server is running.

sudo nmap -p- -sV -sC 10.10.227.199 -oN nmap/all.nmap

Opening the web page on the HTTP server on port 8080 will show us a HTTP file server. The page contains a link to the vendor. From there, we know this is the Rejetto file server.

On ExploitDB there is a exploit for the HttpFileServer 2.3. The file server has an RCE flaw, with CVE-2014-6287 (CVE Number: 2014–6287).

Metasploit has a module for this vulnerability

Initial Access

Before running the exploit we have to configure the parameters of the module. Set the RHOST to the target IP Adress. Also set the RPORT to 8080, because the HTTP File Server is running on that port. Keep in mind to also set the LHOST to your attacker machine’s tun0 IP.

After that run the exploit. If get a session you can abort with CTRL+C

List your sessions and then interact with the created session

Go to Bill’s desktop and you will be able to read the first flag

Privilege Escalation

To enumerate for privilege escalation vectors, upload the PowerUp.ps1 Script from PowerSploit to the target machin

Next load the powershell extension to your meterpreter session and start powershell by typing powershell_shell

Next start enumeration with PowerUp.ps1:

After the script has run we can see that Bill user has permission to restart AdvancedSystemCareService9. An alternative way to get a list of all services is by running: powershell -c “Get-Service”

That service was configured without quotes. If we have write permissions in one of the other folders, then we could use that to elevate our privileges.

Also we have write permissions to C:\Program Files (x86)\IObit

Quit out of Powershell and navigate to IObit directory in your meterpreter shell

Next create a reverse shell with msfvenom

Next upload the reverse shell to that directory

Next background your current metasploit session with the bg command and use multi/handler

Set LHOST and LPORT the values specified in msfvenom and run the job in the background

Next switch to your the low privilege session as Bill and restart the service

Don’t hesitate if you get this error as long as you get a new session afterwards

Interact with the newly created sessions and you should have SYSTEM rights. You can read the root flag now.

Mitigation

First of all the HTTP File Server on port 8080 should be updated. Furthermore the service should be configured with quotes.

--

--

--

Passionate about Cyber Security. I am publishing CTF writeups and Cybersecurity content!

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Ruby on Rails Adventure: The Beginning

Oh dear~ What is this, what is this 🤭

6. Relatives & Inspector

Private linking an Azure Container App Environment

How Programming Has Changed Over the Last Decade?

Prime Numbers using Sieve of Eratosthenes in Python

Learn Python in 10 minutes tutorial

A Beginner’s guide to Elixir OTP System

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Rabbit

Rabbit

Passionate about Cyber Security. I am publishing CTF writeups and Cybersecurity content!

More from Medium

THM — Lockdown Write-Up

[TryHackMe] BoilerCTF Walkthrough

Steel Mountain TryHackMe Write-Up

Bashed Write-Up