| Lab/Room | TryHackMe - advanced hacking |
|---|---|
| Type | Challenge |
| Statut | Done |
| Date | 12/03/2026 |
Hack into a Mr. Robot themed Windows machine. Use metasploit for initial access, utilise powershell for Windows privilege escalation enumeration and learn a new technique to get Administrator access.
In this room you will enumerate a Windows machine, gain initial access with Metasploit, use Powershell to further enumerate the machine and escalate your privileges to Administrator.
The first step was to access the Steel Mountain website using the provided target IP address (http://targetIP). The page displayed a section highlighting the Employee of the Month, which included a photograph. By inspecting the page source code in the browser, the image file name could be observed. The file name revealed the identity of the employee: Bill Harper. This information is useful because employee names often correspond to usernames or home directories on the target system.
Next, a network scan was performed with Nmap to enumerate open ports and running services on the target machine. The scan revealed several open ports, including an HTTP service running on port 8080, which is commonly used for alternative web servers or administrative interfaces.
Navigating to http://targetIP:8080 exposed a web interface running Rejetto HTTP File Server (HFS) version 2.3. This version is known to be vulnerable to remote code execution. Further research on public exploit repositories led to the discovery of a working exploit associated with CVE‑2014‑6287, which targets this exact service.
The exploitation process was then performed using Metasploit:
RHOSTS → target machine IPRPORT → 8080 (instead of the default port 80)After executing the module, a session was successfully established on the target machine, providing remote access.
Once inside the system, the objective was to retrieve the user flag. Based on common TryHackMe conventions, user flags are typically located within the user's Desktop directory. Since the earlier reconnaissance revealed the username bill, navigation was performed to:
C:\\Users\\bill\\Desktop
Inside this directory, the user.txt file was located and contained the flag:
b04763b6fcf51fcd7c13abc7db4fd365