Published on

Steel Mountain -


Steel Mountain


This room will feature a Mr. Robot themed Windows machine, that you have to enumerate and gain initial access with Metasploit. After that use a Powershell script to further enumerate the machine and escalate your privileges to Administrator.

Task 1: Intruduction

Who is the employee of the month?

  • Bill Harper
The website that is running on port 80

We get presented a blank page with the company logo and a picture.

Viewing the page source

After checking the page source (STRG + U), we see that the picture is named "BillHarper.png", this could possibly be the name of the employee.

Google Image Search

Using Googles reverse image search, we can confirm that the name we are looking for is "Bill Harper".

Task 2: Initial Access

Scan the machine with nmap. What is the other port running a web server on?

  • 8080
The NMAP scan

Running an NMAP scan to find open ports (-p-), service versions (-sV) and saving it to a file (| tee), so we can check it later if we need to. We can see that it's a Windows maschine running another web server on port 8080.

nmap -sV -p- | tee nmap_initial.txt

Take a look at the other web server. What file server is running?

  • Rejetto HTTP File Server
Visiting the website on port 8080

When visiting the webiste we just found, we get presented an oldshool file server overlay, stating the server information in the bottom left corner.

What is the CVE number to exploit this file server?

  • 2014-6287
searching exploid-db

Searching exploid-db we find a Remote Command Execution script using Metasploid.

Use Metasploit to get an initial shell. What is the user flag?

loading the exploid

Since we now know what exploit we want to use, fire up Metasploit (msfconsole) and search for it (search 2014-6287) and load it (use 0). After that we need to find out what options we have to set (options).

configuring the exploid

Now set the variables we need to fill in.

set RPORT 8080
execute the exploid

Execute! We got ourselfes a nice and cozy meterpreter shell on the target.

get the first flag

Next we are searching for the user.txt flag. Change into the user directory, to Bill and then to the Desktop. Here we got our first flag, use cat to print it out.

meterpreter> cat user.txt

Task 3: Privilege Escalation

What is the name of the service which shows up as an unquoted service path vulnerability?

  • AdvancedSystemCareService9

Now we are downloading the PowerUp.ps1 script that is given to us here to our maschine using a secound command line window and upload it to the target with meterpreter (upload).


meterpreter> upload /PowerUp.ps1
further enumeration

That's it, we got root access.