This is Day 6 of my 365 Days, 365 CTF Room challenge. Today, we're diving into the "ICE" room on TryHackMe: a Windows machine with a very poorly secured media server.
Room Link: TryHackMe | ICE
Target IP: 10.10.144.114

Step 1: Initial Enumeration
I started enumeration with Nmap to identify the ports and services running on the target machine.

We got 12 open ports on the target machine. Of all these ports, two are particularly interesting and can give us access if they are vulnerable:
- 3389: Microsoft RDP server
- 8000: Icecast server
Step 2: Getting Initial Access with Icecast Server
I searched Google for possible vulnerabilities in the Icecast server and found this.

A buffer overflow in the Icecast server was discovered, enabling attackers to execute arbitrary code through an HTTP request. I launched the Metasploit framework to exploit this vulnerability.

Now that we have found the exploit, we can view the options that need to be set before running it with the "options" command.

We have to set "RHOSTS" to the target IP and "LHOST" to our tun0 address, then run the exploit to get initial access to the machine.

Let's go! 🔥 We've successfully gained initial access through the exploit, and now we can work toward root access on our Windows machine.
Step 3: Privilege Escalation to get Root Access
We first have to background the current Meterpreter shell with the bg command and run the local exploit suggester module from the Metasploit framework to get exploit suggestions for obtaining root access.

We can view the options that need to be set before running the module, such as "Session".

After setting the session to 1, we can run the module; it will recommend exploits that may help us obtain root-level privileges on our Windows machine.

The second exploit looks interesting and could be useful for exploiting the Windows machine. Let's proceed with the following command.
Command: use exploit/windows/local/bypassuac_eventvwr
Let's check the options that need to be set.

We have to set LHOST to tun0 and Session to 1, then run the exploit.

Now we can check which privileges are available to us, including the one that allows us to take ownership of files.

Before interacting with the LSASS service (responsible for authentication on Windows), we need to migrate into a process with the necessary privileges. Although we have escalated permissions, our current process does not have them. We can list all running processes with the ps command and identify one running as NT AUTHORITY\SYSTEM to migrate into.

To interact with LSASS, we must migrate into a process with the same architecture (x64) and privilege level. The Print Spooler service fits these requirements well: it runs as NT AUTHORITY\SYSTEM, is 64-bit, and safely restarts if it crashes.
"Living in" a process refers to injecting a malicious DLL into a legitimate process and spawning a new thread to host our shell. This technique helps maintain stealth and access.

Boom! We have root-level access to our Windows machine.
With full administrator access, it's time for credential dumping. We use Mimikatz, a well-known post-exploitation tool, integrated into Meterpreter as Kiwi. Load it with:
Command: load kiwi

We can now check the available options with the help command.

The "creds_all" command looks interesting; let's see if it can retrieve the DARK-PC password, which would allow us to log in to this PC at any time since it has the Microsoft RDP service running.
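The migration into spoolsv and the LSASS credential read described above are exactly the behaviour that Sysmon ProcessAccess (Event ID 10) and CreateRemoteThread (Event ID 8) logging exists to surface. As an added example, not part of the original writeup, here is a small Python detector run over constructed Sysmon-style events; the allowlist of legitimate LSASS readers and the sample image paths are assumptions to be tuned per environment.

```python
# Process-access rights from the Win32 API; PROCESS_VM_READ is what a
# credential dumper needs to read LSASS memory.
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020

# Assumption: images that legitimately open LSASS on a typical host.
LSASS_READERS_ALLOWLIST = {"csrss.exe", "wininit.exe", "services.exe", "msmpeng.exe"}
# SYSTEM-level hosts that a post-exploitation tool migrates into.
SYSTEM_HOSTS = {"spoolsv.exe", "lsass.exe", "winlogon.exe", "services.exe"}

# Constructed Sysmon-style events (not from the room); only the needed fields.
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\spoolsv.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 8, "SourceImage": r"C:\Users\Public\stage.exe",
     "TargetImage": r"C:\Windows\System32\spoolsv.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe"},
]


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return alerts for LSASS memory reads and thread injection into SYSTEM hosts."""
    alerts = []
    for ev in events:
        eid = ev.get("EventID")
        src = _basename(ev.get("SourceImage", ""))
        tgt = _basename(ev.get("TargetImage", ""))
        if eid == 10 and tgt == "lsass.exe":
            # 0x1000 (QUERY_LIMITED_INFORMATION) is routine; VM_READ/VM_WRITE is not.
            mask = int(ev.get("GrantedAccess", "0x0"), 16)
            if mask & (PROCESS_VM_READ | PROCESS_VM_WRITE) and src not in LSASS_READERS_ALLOWLIST:
                alerts.append({"rule": "lsass-memory-access", "source": src, "access": hex(mask)})
        elif eid == 8 and tgt in SYSTEM_HOSTS and src not in SYSTEM_HOSTS:
            # A remote thread created in spoolsv/lsass by a non-system image is the
            # "living in a process" migration step seen from the host side.
            alerts.append({"rule": "remote-thread-into-system-process", "source": src, "target": tgt})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```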

Step 4: Post-Exploitation
In the post-exploitation phase we can dump the hashes of all the users on this Windows machine with the hashdump command.

More can be done during post-exploitation, including the following:

We can do even more with Meterpreter; the full list of commands can be checked with the help command.
Thank you

Try it yourself! Go to TryHackMe and give this room a try. Practice daily. Learn something new.