TryHackMe: Breaking Into Steel Mountain: A Quick Windows Exploitation Run

Oct 28, 2025 • 3 min read • Intermediate

  • TryHackMe

I knocked out TryHackMe’s Steel Mountain challenge this weekend. It’s a straightforward Windows box that hits the classic privilege escalation vectors you’d expect from an older Windows Server system.

The Initial Foothold

My nmap scan revealed a Windows Server 2008 R2 - 2012 machine with the usual suspects. Port 80 was hosting Microsoft IIS 8.5, and port 8080 was running HttpFileServer (HFS) version 2.3.

PORT      STATE SERVICE            VERSION
80/tcp    open  http               Microsoft IIS httpd 8.5
8080/tcp  open  http               HttpFileServer httpd 2.3
3389/tcp  open  ssl/ms-wbt-server?
445/tcp   open  microsoft-ds       Microsoft Windows Server 2008 R2 - 2012

HFS 2.3 has a well-known RCE vulnerability, so that was my entry point. Got initial access as user Bill without much fuss.

Enumeration Findings

Once I had a shell, I uploaded WinPEAS to enumerate the system. No security software running, which made things cleaner. More interesting was discovering that Bill had auto-logon enabled with credentials stored in plaintext.

Username: bill
Password: PMBAf5KhZAxVhvqb

Auto-logon credentials are common enough in lab environments, but I always check for them since they pop up in real engagements more than you’d think.

The Privilege Escalation

PowerUp.ps1 flagged a vulnerable service, AdvancedSystemCareService9, with an unquoted service path and write permissions.

ServiceName    : AdvancedSystemCareService9
Path           : C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe
ModifiablePath : @{ModifiablePath=C:\; IdentityReference=BUILTIN\Users; Permissions=AppendData/AddSubdirectory}
StartName      : LocalSystem
CanRestart     : True

Service running as LocalSystem, restartable, and I had write permissions. Standard unquoted service path exploitation from there. Replaced the binary, restarted the service, and got SYSTEM.
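As an added example (not part of the original writeup or of PowerUp), here is a PowerShell audit a defender can run to find the condition reported above: unquoted service paths containing spaces, the intermediate binaries Windows would probe before the real one, and whether BUILTIN\Users or Everyone can actually create a file in those directories. The identity patterns and the generic-right constants are assumptions of this example.

```powershell
# Added audit example, not from the original post: find services whose
# ImagePath is unquoted and contains a space, list the intermediate binaries
# Windows would probe first, and report whether a low-privileged principal
# could create a file at any of those locations. Run as an administrator on
# the host being audited; the identity patterns below are an assumption.
function Get-UnquotedServicePath {
    [CmdletBinding()] param()
    $GenericWrite = 0x40000000; $GenericAll = 0x10000000   # generic access bits
    $CreateFiles  = [int][System.Security.AccessControl.FileSystemRights]::CreateFiles  # WriteData

    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $path = $_.PathName
        if (-not $path -or $path.TrimStart().StartsWith('"')) { return }
        # Strip arguments: keep everything up to the first ".exe"
        $m   = [regex]::Match($path, '^.*?\.exe', 'IgnoreCase')
        $exe = if ($m.Success) { $m.Value } else { $path.Trim() }
        if ($exe -notmatch ' ') { return }
        # CreateProcess tries each space-delimited prefix as <prefix>.exe
        $parts = $exe -split ' '
        $candidates = for ($i = 1; $i -lt $parts.Count; $i++) {
            ($parts[0..($i - 1)] -join ' ') + '.exe'
        }
        # A hijack needs file-creation rights in the candidate's directory;
        # CreateDirectories/AppendData alone does not let you drop a file.
        $writable = foreach ($c in $candidates) {
            $dir = Split-Path -Path $c -Parent
            if (-not (Test-Path -LiteralPath $dir)) { continue }
            foreach ($ace in (Get-Acl -LiteralPath $dir).Access) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                if ($ace.IdentityReference.Value -notmatch '\\Users$|Everyone') { continue }
                $r = [int]$ace.FileSystemRights
                if (($r -band $CreateFiles) -or ($r -band $GenericWrite) -or ($r -band $GenericAll)) {
                    "$dir <- $($ace.IdentityReference): $($ace.FileSystemRights)"
                }
            }
        }
        [pscustomobject]@{
            Service    = $_.Name
            RunsAs     = $_.StartName
            ImagePath  = $path
            Candidates = $candidates
            WritableBy = $writable
        }
    }
}
# Show only services where a low-privileged user could plant a binary
Get-UnquotedServicePath | Where-Object { $_.WritableBy } | Format-List
```

Remediation is to quote the path (for example `sc.exe config <service> binPath= "\"C:\full path\service.exe\""`) and to remove file-creation rights for standard users from the directories the script reports.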

Quick Observations

This box is a good reminder of how much automated enumeration tools have improved. WinPEAS and PowerUp.ps1 surfaced everything relevant in minutes, which is exactly what you want when you’re trying to move through a system efficiently.

The unquoted service path vulnerability still shows up on older systems that haven’t been properly hardened. It’s a classic Windows priv esc technique that works reliably when the conditions are right.

Auto-logon credentials remain one of those things worth checking consistently. They’re easy to miss if you’re not systematic about enumeration, but they show up often enough to make it worthwhile.

What’s Next

I’m working through more of the TryHackMe Windows boxes to keep my skills sharp. Steel Mountain was a quick warmup, but I want to tackle some of the harder boxes that feature more modern defensive configurations. I’m particularly interested in exploring token manipulation techniques and seeing how different environments respond to various enumeration approaches.

Resources to Get You Started

Windows Privilege Escalation Guide (Absolomb, January 2018)
A comprehensive walkthrough of Windows privilege escalation techniques with practical examples and tool recommendations.

HackTricks Windows Local Privilege Escalation (HackTricks, regularly updated)
An exhaustive reference covering everything from service misconfigurations to kernel exploits, with specific commands and detection methods.

PayloadsAllTheThings Windows Privilege Escalation (GitHub, regularly updated)
A practical cheat sheet format covering enumeration commands, common vulnerabilities, and exploitation techniques for Windows systems.