ICE — Try Hack Me Room

Task 2 → Recon

Launch a scan against our target machine, I recommend using a SYN scan set to scan all ports on the machine. The scan command will be provided as a hint, however, it’s recommended to complete the room ‘RP: Nmap’ prior to this room.

To do an SYN scan you need to run the command
nmap -sS -p- <Target_IP>
-sS →
SYN scan
-p- → scan all ports

Once the scan completes, we’ll see a number of interesting ports open on this machine. As you might have guessed, the firewall has been disabled (with the service completely shutdown), leaving very little to protect this machine. One of the more interesting ports that is open is Microsoft Remote Desktop (MSRDP). What port is this open on?

3389

What service did nmap identify as running on port 8000?

Icecast

What does Nmap identify as the hostname of the machine? (All caps for the answer)

DARK-PC

Task 3 → Gain Access

Now that we’ve identified some interesting services running on our target machine, let’s do a little bit of research into one of the weirder services identified: Icecast. Icecast, or well at least this version running on our target, is heavily flawed and has a high level vulnerability with a score of 7.5 (7.4 depending on where you view it). What type of vulnerability is it?

execute code overflow

What is the CVE number for this vulnerability? This will be in the format: CVE-0000–0000

CVE-2004–1561

Now we need to search the exploit with in the Metasploit frame work

After Metasploit has started, let’s search for our target exploit using the command ‘search icecast’. What is the full path (starting with exploit) for the exploitation module? This module is also referenced in ‘RP: Metasploit’ which is recommended to be completed prior to this room, although not entirely necessary.

exploit/windows/http/icecast_header

Following selecting our module, we now have to check what options we have to set. Run the command `show options`. What is the only required setting which currently is blank?

rhosts

This is what we get when we run the exploit a meterpreter session

Task 4 → Escalate

Woohoo! We’ve gained a foothold into our victim machine! What’s the name of the shell we have now?

meterpreter

What user was running that Icecast process? The commands used in this question and the next few are taken directly from the ‘RP: Metasploit’ room.

Dark

What build of Windows is the system?

7601

Now that we know some of the finer details of the system we are working with, let’s start escalating our privileges. First, what is the architecture of the process we’re running?

x64

Now that we know the architecture of the process, let’s perform some further recon. While this doesn’t work the best on x64 machines, let’s now run the following command `run post/multi/recon/local_exploit_suggester`. *This can appear to hang as it tests exploits and might take several minutes to complete*

Running the local exploit suggester will return quite a few results for potential escalation exploits. What is the full path (starting with exploit/) for the first returned exploit?

exploit/windows/local/bypassuac_eventvwr

To save the current meterpreter session you need to press the CRTL+Z and press Y to save it.
then search exploit/windows/local/bypassuac_eventvwr path and configure it like above picture and Run

Now that we’ve set our session number, further options will be revealed in the options menu. We’ll have to set one more as our listener IP isn’t correct. What is the name of this option?

LHOST

We can now verify that we have expanded permissions using the command `getprivs`. What permission listed allows us to take ownership of files?

SeTakeOwnershipPrivilege

Task 5 → Looting

Prior to further action, we need to move to a process that actually has the permissions that we need to interact with the lsass service, the service responsible for authentication within Windows. First, let’s list the processes using the command `ps`. Note, we can see processes being run by NT AUTHORITY\SYSTEM as we have escalated permissions (even though our process doesn’t).

In order to interact with lsass we need to be ‘living in’ a process that is the same architecture as the lsass service (x64 in the case of this machine) and a process that has the same permissions as lsass. The printer spool service happens to meet our needs perfectly for this and it’ll restart if we crash it! What’s the name of the printer service?

spoolsv.exe

Let’s check what user we are now with the command `getuid`. What user is listed?

NT AUTHORITY\SYSTEM

Now that we’ve made our way to full administrator permissions we’ll set our sights on looting. Mimikatz is a rather infamous password dumping tool that is incredibly useful. Load it now using the command `load kiwi` (Kiwi is the updated version of Mimikatz)

Which command allows up to retrieve all credentials?

creds_all

Run this command now. What is Dark’s password? Mimikatz allows us to steal this password out of memory even without the user ‘Dark’ logged in as there is a scheduled task that runs the Icecast as the user ‘Dark’. It also helps that Windows Defender isn’t running on the box ;) (Take a look again at the ps list, this box isn’t in the best shape with both the firewall and defender disabled)

Password01

Task 6 → Post -Exploitation

What command allows us to dump all of the password hashes stored on the system? We won’t crack the Administrative password in this case as it’s pretty strong

hashdump

While more useful when interacting with a machine being used, what command allows us to watch the remote user’s desktop in real time?

screenshare

How about if we wanted to record from a microphone attached to the system?

record_mic

To complicate forensics efforts we can modify timestamps of files on the system. What command allows us to do this?

timestomp

Golden ticket attacks are a function within Mimikatz which abuses a component to Kerberos (the authentication system in Windows domains), the ticket-granting ticket. In short, golden ticket attacks allow us to maintain persistence and authenticate as any user on the domain.

golden_ticket_create

--

--

--

Associate security Engineer At Hsenid mobile

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Smashing The Shift Left Unicorn

Nightfall’s Cloud Security Newsletter 1/28/20

Mindset explains: the cybersecurity market

{UPDATE} Small Car Police Simulator Hack Free Resources Generator

{UPDATE} Hoverboard Simulator - Hover Board Boonk Gang Race Hack Free Resources Generator

What is meant by, “Shifting left” in security?

SOLCIAL OFFERS DATA PRIVACY

(5/8/21) Rari Capital Exploit Timeline & Analysis

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
mohomed arfath

mohomed arfath

Associate security Engineer At Hsenid mobile

More from Medium

Diabolic Summons — A Flash Fiction

Evolve (Blake pt. 2)

Encryption is not equal to encryption, but who has the keys?

Baron’s Corner