Ice
This is a room by TryHackMe located at: https://tryhackme.com/room/ice
Recon (30 min)
I started this room by running an nmap scan (this was from the hint in the room):
I then got this output for it after 14 minutes:
For the nmap, I would recommend using something like:
The reason is that this gives you more information about the software running than just the names of the services.
QUESTION: What port is this open on?
3389
QUESTION: What service did nmap identify as running on port 8000? (First word of this service)
Icecast
QUESTION: What does Nmap identify as the hostname of the machine? (All caps for the answer)
DARK-PC
Gain Access (20 min)
I noticed that there was an image of the icecast system on the Gain Access tab.
I assumed that this would be the vulnerable service I had to get into. I ran another nmap scan, this time targeted only at the port the Icecast service was running on:
I then got the following result:
I thought for some reason that I would get a different result, but I was wrong. I then decided to visit the site itself to see if there was anything there for me to see. I was not able to access the website; maybe there is no web server on that port. I then searched for CVEs related to Icecast, the service running on port 3389. The hint states that it would have a score of 7.5 or 7.4.
I then entered all of the vulnerability types that I assumed were correct. After I was unsuccessful, I looked at the hint, and I was still unable to solve it. I then realized that the "Exec" in "Exec Code Overflow" stood for "Execute" and not "Execution". That is how I solved the first question for this section.
QUESTION: What type of vulnerability is it?
Execute Code Overflow
QUESTION: What is the CVE number for this vulnerability?
CVE-2004-1561
QUESTION: What is the full path (starting with exploit) for the exploitation module?
exploit/windows/http/icecast_header
QUESTION: What is the only required setting which currently is blank?
RHOSTS
I then changed the LHOST to be my own IP, as given to me by TryHackMe. These were my options for the exploit:
After I ran "exploit", I then got a meterpreter shell:
Escalate (30 min)
The following are straightforward questions, so I did not go very deep into how to answer each one.
QUESTION: Woohoo! We've gained a foothold into our victim machine! What's the name of the shell we have now?
meterpreter
QUESTION: What user was running that Icecast process?
Dark
QUESTION: What build of Windows is the system?
7601
QUESTION: First, what is the architecture of the process we're running?
x64
QUESTION: What is the full path (starting with exploit/) for the first returned exploit?
exploit/windows/local/bypassuac_eventvwr
After this, I changed my payload to the one for bypassing UAC:
QUESTION: We'll have to set one more as our listener IP isn't correct. What is the name of this option?
LHOST
I then ran "run" and the exploit was successful:
Running "getprivs" on the second session got me:
This helped me answer the question.
QUESTION: We can now verify that we have expanded permissions using the command getprivs. What permission listed allows us to take ownership of files?
SeTakeOwnershipPrivilege
Looting (10 min)
I then ran "ps" to see the current processes on the target machine. This was my result:
I then had to find a printer program for the next question. I was able to find it using the hint.
QUESTION: The printer spool service happens to meet our needs perfectly for this and it'll restart if we crash it! What's the name of the printer service?
spoolsv.exe
As suggested by the room, I then ran the following command:
This was my result from that:
QUESTION: Let's check what user we are now with the command getuid. What user is listed?
NT AUTHORITY\SYSTEM
I then installed Mimikatz on the machine using the following command:
QUESTION: Which command allows us to retrieve all credentials?
creds_all
I then ran this command, and got the following information:
Here we can see the answer to the next question.
QUESTION: Run this command now. What is Dark's password?
Password01!
Post-Exploitation (10 min)
QUESTION: What command allows us to dump all of the password hashes stored on the system?
hashdump
QUESTION: While more useful when interacting with a machine being used, what command allows us to watch the remote user's desktop in real time?
screenshare
QUESTION: How about if we wanted to record from a microphone attached to the system?
record_mic
QUESTION: To complicate forensics efforts we can modify timestamps of files on the system. What command allows us to do this?
Timestomp
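Since timestomp only rewrites the $STANDARD_INFORMATION timestamps that Explorer and dir show, a forensic check compares them against the kernel-maintained $FILE_NAME timestamps in the MFT. This is an added detection example, not part of the room or the original post; the MftRecord fields, the sample records and the file paths are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

UTC = timezone.utc


@dataclass
class MftRecord:
    """Timestamps parsed from one NTFS MFT entry (constructed sample data below)."""
    path: str
    si_created: datetime   # $STANDARD_INFORMATION: what Explorer and dir show
    si_modified: datetime
    fn_created: datetime   # $FILE_NAME: only the kernel rewrites these
    fn_modified: datetime


def timestomp_indicators(rec: MftRecord) -> list[str]:
    """Heuristic reasons the $SI timestamps of one record look back-dated."""
    reasons = []
    # User-land timestamp changes (SetFileTime, timestomp) only touch $SI, so
    # $SI falling behind the kernel-maintained $FN timestamps is the classic tell.
    # Caveat: a rename after stomping copies $SI into $FN and hides this.
    if rec.si_created < rec.fn_created:
        reasons.append("$SI created predates $FN created")
    if rec.si_modified < rec.fn_modified:
        reasons.append("$SI modified predates $FN modified")
    # NTFS keeps 100 ns resolution; a whole-second value handed to SetFileTime
    # leaves the sub-second field at zero (weak on its own: FAT32 copies do too).
    if rec.si_created.microsecond == 0 and rec.si_modified.microsecond == 0:
        reasons.append("$SI timestamps have zeroed sub-second fields")
    return reasons


def scan(records: list[MftRecord]) -> dict[str, list[str]]:
    """Map each suspicious path to its indicators; clean records are omitted."""
    return {r.path: hits for r in records if (hits := timestomp_indicators(r))}


# Constructed sample: one untouched file and one whose $SI was pushed back to 2009.
SAMPLE_RECORDS = [
    MftRecord(r"C:\Users\Dark\Desktop\report.docx",
              datetime(2020, 3, 4, 9, 15, 2, 418273, tzinfo=UTC),
              datetime(2020, 3, 4, 9, 15, 2, 418273, tzinfo=UTC),
              datetime(2020, 3, 4, 9, 15, 2, 418273, tzinfo=UTC),
              datetime(2020, 3, 4, 9, 15, 2, 418273, tzinfo=UTC)),
    MftRecord(r"C:\Windows\Temp\svc.exe",
              datetime(2009, 7, 14, 0, 0, 0, 0, tzinfo=UTC),
              datetime(2009, 7, 14, 0, 0, 0, 0, tzinfo=UTC),
              datetime(2020, 3, 4, 9, 20, 41, 905117, tzinfo=UTC),
              datetime(2020, 3, 4, 9, 20, 41, 905117, tzinfo=UTC)),
]

if __name__ == "__main__":
    for path, hits in scan(SAMPLE_RECORDS).items():
        print(path, "->", "; ".join(hits))
```

On a real image the records would come from an MFT parser such as the output of a $MFT-to-CSV tool, with the same comparison applied to every entry.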
QUESTION: Mimikatz allows us to create what's called a golden ticket, allowing us to authenticate anywhere with ease. What command allows us to do this?
golden_ticket_create
The room is now complete! Overall, it was a good room to learn beginner Windows attacks.