Steel Mountain - HackTheBox

Description

Steel Mountain is a secure facility serving major corporations like E-Corp. We've infiltrated their network and planted our tool. Final step: Burn the tapes to destroy the data.

The challenge provides two ports:

• Port 48380: Web dashboard (Werkzeug/Python) - Building Management System interface
• Port 30551: BACnet interface - Industrial control protocol

Reference: Mr. Robot TV series - Steel Mountain episode, E-Corp, "burn the tapes"

Analysis

Initial Reconnaissance

Port 48380 served a "Steel Mountain Dashboard" - a building management system (BMS) web interface showing:

• Temperature sensors for 3 levels
• Air Handling Units (AHU1, AHU2)
• Doors: Lobby Door, Tape Storage Room Door (L2-TSR-DR), Servers Room Door
• Elevators and Air Conditioning units

Port 30551 was a BACnet (Building Automation and Control Networks) interface with a menu:

1. objects
2. bacnet.read
3. bacnet.write

Understanding the BACnet Objects

The /data endpoint revealed BACnet objects controlling Level 2 (where tape storage is located):

Object ID	Type	Name	Description
Temp-L2-20	analogInput	Temperature	Current temperature on Level 2
Therm-L2-21	analogOutput	Thermostat	Setpoint for heating/cooling
ACS-L2-22	binaryOutput	AC Status	0: OFF, 1: ON
OHAP-L2-23	analogOutput	Overheat Alarm Point	Default 25C
OHA-L2-24	binaryInput	Overheat Alarm	Alarm status
L2-TSR-DR	multiStateOutput	Tape Storage Room Door	0: OPEN, 1: CLOSED-UNLOCKED, 2: CLOSED-LOCKED

Attack Goal

To "burn the tapes", we need to:

1. Raise the temperature in the Tape Storage Room to destructive levels
2. Prevent safety systems from triggering
3. Keep the door locked to trap heat

Solution

Failed Attempts

...