Ice
https://tryhackme.com/room/ice
Foothold
First of all, let's start with port enumeration.

We see there are a few open ports. Let's check the HTTP ones.

Nothing interesting. Let's head to port 8000.

We saw in the nmap scan that port 8000 is running an Icecast streaming service. Given the name of the room, we guess that's the path to follow.
(For some reason the TryHackMe box went down so I had to restart it again.)
We could try manual exploitation using these exploits:
But we're going to use Metasploit for this one, as it'll save us a lot of time.
Fire up msfconsole and search for an Icecast exploit.


Let's change the options.

Run the exploit.

Easy. We're in. (Sometimes you need to run it a few times for it to work.)

Now that we are in the system we have to elevate privileges. We can use the exploit suggester:

Let's change the session. In our case it'll be session 1.

We see we can use a few exploits. Let's try the first one: bypassuac_eventvwr

Let's change options and run it.

It worked. Now we have the SeTakeOwnershipPrivilege (you can check it with getprivs). So now we have to take a look at the running processes and migrate to one of them that's running as the "NT AUTHORITY\SYSTEM" user.

Let's use migrate -N NAME_OF_THE_PROCESS to migrate.

Now we can loot whatever we want using Mimikatz or the meterpreter shell.
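
From the defender's side, the bypassuac_eventvwr step above leaves two traces in Sysmon-style telemetry: a per-user write to the mscfile open-command handler, and eventvwr.exe starting something other than mmc.exe. The detection sketch below is an added example, not part of the original walkthrough; the registry path is the publicly documented one for this technique, and the event dictionaries, user names and file paths are constructed, simplified stand-ins for Sysmon event IDs 13 and 1.

```python
import re

# Per-user override of the .msc handler. Sysmon may show HKCU\Software\Classes
# as HKU\<SID>\Software\Classes\... or as HKU\<SID>_Classes\...
HIJACK_KEY = re.compile(
    r"^hku\\[^\\]+(\\software\\classes|_classes)\\mscfile\\shell\\open\\command", re.I)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def detect_eventvwr_bypass(events):
    """Flag the registry hijack (ID 13) and any non-mmc.exe child of eventvwr.exe (ID 1)."""
    alerts, hijacked = [], set()
    for ev in events:
        if ev["id"] == 13 and HIJACK_KEY.match(ev["TargetObject"]):
            hijacked.add(ev["User"])
            alerts.append(("registry_hijack", ev["User"], ev["Details"]))
        elif ev["id"] == 1 and basename(ev["ParentImage"]) == "eventvwr.exe":
            if basename(ev["Image"]) != "mmc.exe":
                # Stronger signal when the same user wrote the handler earlier.
                kind = "correlated_bypass" if ev["User"] in hijacked else "odd_eventvwr_child"
                alerts.append((kind, ev["User"], ev["Image"]))
    return alerts

# Constructed sample events (simplified Sysmon fields; names and paths are made up).
SAMPLE_EVENTS = [
    {"id": 1, "User": r"LAB\bob", "ParentImage": r"C:\Windows\System32\eventvwr.exe",
     "Image": r"C:\Windows\System32\mmc.exe"},  # normal Event Viewer launch
    {"id": 13, "User": r"LAB\alice",
     "TargetObject": r"HKU\S-1-5-21-1111-1001_Classes\mscfile\shell\open\command\(Default)",
     "Details": r"C:\Users\alice\AppData\Local\Temp\example.exe"},
    {"id": 1, "User": r"LAB\alice", "ParentImage": r"C:\Windows\System32\eventvwr.exe",
     "Image": r"C:\Users\alice\AppData\Local\Temp\example.exe"},
    {"id": 13, "User": r"LAB\bob",  # machine-wide key, not the per-user override
     "TargetObject": r"HKLM\SOFTWARE\Classes\mscfile\shell\open\command\(Default)",
     "Details": r"%SystemRoot%\system32\mmc.exe"},
]

if __name__ == "__main__":
    for alert in detect_eventvwr_bypass(SAMPLE_EVENTS):
        print(alert)
```

Setting UAC to "Always notify" and keeping day-to-day accounts out of the local Administrators group are the usual mitigations for this class of auto-elevation bypass.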
