Ice (THM)
!!!!!!!redo with buffer overflow exploit
TryHackMe – Ice Write-Up
topics: Vulnerability scanning, Public exploits, Windows Privilege Escalation, Post-Exploitation, Cracking hashes
Plan
Enumeration
System Privilege Escalation (Exploitation)
Locating Admin Credentials
new tools: mimikatz, certutil
tools: nmapAutomator, dirsearch, python, nc, RDP, hashes.com, gobuster
Plan
This room is a walkthrough and uses Metasploit. I will not be following the walkthrough, nor will I use Metasploit.
Enumeration
Initial nmap scan: ./nmapAutomator.sh $ip Basic
There are many potential attack vectors here. Port 135 (msrpc, Microsoft Remote Procedure Call) is open; it is used when a host wants to connect to an RPC service. Ports 139 and 445 are open and running SMB, which is used for file sharing. We also have two ports running HTTP, so let's run dirsearch and gobuster against those first before inspecting the other attack vectors.
python3 dirsearch.py -u $ip -e php,html,txt
Navigating to /status.xsl confirms that the website is running Icecast.
gobuster dir -u http://10.10.154.230/secret -w /usr/share/dirb/wordlists/common.txt
There are many visible and hidden subdirectories on these two ports, but nothing of value turns up on initial inspection other than confirming that the website on port 8000 is running the Icecast service. Let's enumerate ports 135, 139 and 445 next.
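From the defender's side, the dirsearch and gobuster runs above leave a distinctive trail in the web server's access log: a burst of 404s for many distinct paths from a single client in a few seconds. The script below is an added example written for this write-up, not part of the original room; it parses constructed Apache/NCSA combined-format access-log lines (assumed to match what Icecast writes) and flags that pattern. The IPs, timestamps and user-agent strings in the sample are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access-log lines (not real traffic). 10.10.14.5 requests
# several non-existent paths within two seconds, the footprint of a directory
# brute-force; 10.10.14.9 is a normal client hitting the Icecast status page.
SAMPLE_LOG = """\
10.10.14.9 - - [10/Mar/2024:14:00:01 +0000] "GET /status.xsl HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
10.10.14.5 - - [10/Mar/2024:14:00:02 +0000] "GET /admin HTTP/1.1" 404 0 "-" "gobuster/3.1"
10.10.14.5 - - [10/Mar/2024:14:00:02 +0000] "GET /backup HTTP/1.1" 404 0 "-" "gobuster/3.1"
10.10.14.5 - - [10/Mar/2024:14:00:02 +0000] "GET /config.php HTTP/1.1" 404 0 "-" "gobuster/3.1"
10.10.14.5 - - [10/Mar/2024:14:00:03 +0000] "GET /secret HTTP/1.1" 404 0 "-" "gobuster/3.1"
10.10.14.5 - - [10/Mar/2024:14:00:03 +0000] "GET /status.xsl HTTP/1.1" 200 3412 "-" "gobuster/3.1"
10.10.14.9 - - [10/Mar/2024:14:00:30 +0000] "GET /stream HTTP/1.1" 200 8192 "-" "VLC/3.0"
"""

# Apache/NCSA combined log format: ip ident user [ts] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def detect_bruteforce(log_text, window_s=10, min_404s=4):
    """Flag clients that produced >= min_404s distinct 404 paths inside any
    window_s-second sliding window. Returns {ip: {first_seen, distinct_404_paths}}."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["status"] == 404:
            per_ip[rec["ip"]].append((rec["ts"], rec["path"]))
    alerts = {}
    for ip, hits in per_ip.items():
        hits.sort()  # chronological, so each window starts at hits[i]
        for i, (start, _) in enumerate(hits):
            paths = {p for t, p in hits[i:] if (t - start).total_seconds() <= window_s}
            if len(paths) >= min_404s:
                alerts[ip] = {"first_seen": start, "distinct_404_paths": len(paths)}
                break
    return alerts
```

Thresholds are deliberately low for the constructed sample; on a production log the window and count should be tuned to the site's normal 404 rate, and the user-agent field is informational only since scanners can set it to anything.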
We can run an SMB enumeration scan using nmap's SMB scripts: nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse <ip>