ice

Task1 Connect

1.Connect to our network using OpenVPN. Here is a mini walkthrough of connecting:

Go to your access page and download your configuration file.

2.Use an OpenVPN client to connect. In my example I am on Linux; on the access page we have a Windows tutorial.

When you run this you will see lots of text; at the end it will say Initialization Sequence Completed.

3.You can verify you are connected by looking on your access page. Refresh the page.

You should see a green tick next to Connected. It will also show you your internal IP address.

You are now ready to use our machines on our network!

4.Now when you deploy material, you will see an internal IP address of your Virtual Machine.

Task2 Recon

1.Deploy the machine! This may take up to three minutes to start

2.Launch a scan against our target machine, I recommend using a SYN scan set to scan all ports on the machine. The scan command will be provided as a hint, however, it’s recommended to complete the room ‘Nmap’ prior to this room.

3.Once the scan completes, we’ll see a number of interesting ports open on this machine. As you might have guessed, the firewall has been disabled (with the service completely shutdown), leaving very little to protect this machine. One of the more interesting ports that is open is Microsoft Remote Desktop (MSRDP). What port is this open on?

3389

4.What service did nmap identify as running on port 8000? (First word of this service)

icecast

5.What does Nmap identify as the hostname of the machine? (All caps for the answer)

DARK-PC

Task3 Gain Access

1.Now that we’ve identified some interesting services running on our target machine, let’s do a little bit of research into one of the weirder services identified: Icecast. Icecast, or well at least this version running on our target, is heavily flawed and has a high level vulnerability with a score of 7.5 (7.4 depending on where you view it). What type of vulnerability is it? Use https://www.cvedetails.com for this question and the next.

Execute Code Overflow

CVE-2004-1561: Buffer overflow in Icecast 2.0.1 and earlier allows remote attackers to execute arbitrary code via an HTTP request with (cvedetails.com)

2.What is the CVE number for this vulnerability? This will be in the format: CVE-0000-0000

CVE-2004-1561
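As an added defender-side check (not part of the room or this write-up): given a captured Icecast Server header or an nmap banner, classify the advertised version against the CVE-2004-1561 affected range stated above (2.0.1 and earlier). The banner strings below are constructed samples, and the regex and the assumption that Icecast reports its version in the Server header are mine.

```python
import re

# Affected range as stated on the page: Icecast 2.0.1 and earlier.
CVE_ID = "CVE-2004-1561"
LAST_VULNERABLE = (2, 0, 1)

# Assumption: the banner contains "Icecast" followed by a dotted version,
# e.g. "Server: Icecast 2.0.1" or "Icecast/2.3.2". Case-insensitive.
_VERSION_RE = re.compile(r"\bIcecast[ /]?(\d+(?:\.\d+)*)", re.IGNORECASE)


def parse_icecast_version(banner):
    """Return the version as a tuple of ints, or None if no version is advertised."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def _padded(version, length):
    """Right-pad a version tuple with zeros so tuples of different length compare sanely."""
    return version + (0,) * (length - len(version))


def assess(banner):
    """Classify a banner as 'vulnerable', 'patched' or 'unknown' for CVE-2004-1561.

    'unknown' is returned when no version is advertised (e.g. a bare nmap
    service name), so the host is flagged for manual follow-up rather than
    silently treated as safe.
    """
    version = parse_icecast_version(banner)
    if version is None:
        return "unknown"
    length = max(len(version), len(LAST_VULNERABLE))
    if _padded(version, length) <= _padded(LAST_VULNERABLE, length):
        return "vulnerable"
    return "patched"


def triage(banners):
    """Return [(banner, status)] for a list of captured banners (inventory use)."""
    return [(b, assess(b)) for b in banners]


if __name__ == "__main__":
    # Constructed sample banners, not real captures.
    samples = [
        "Server: Icecast 2.0.1",
        "Server: Icecast 2.4.4",
        "8000/tcp open http Icecast streaming media server",
    ]
    for banner, status in triage(samples):
        print(f"{status:10s} {CVE_ID}  {banner}")
```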

3.Now that we’ve found our vulnerability, let’s find our exploit. For this section of the room, we’ll use the Metasploit module associated with this exploit. Let’s go ahead and start Metasploit using the command msfconsole

4.After Metasploit has started, let’s search for our target exploit using the command ‘search icecast’. What is the full path (starting with exploit) for the exploitation module? This module is also referenced in ‘RP: Metasploit’ which is recommended to be completed prior to this room, although not entirely necessary.

exploit/windows/http/icecast_header

5.Let’s go ahead and select this module for use. Type either the command use icecast or use 0 to select our search result

6.Following selecting our module, we now have to check what options we have to set. Run the command show options. What is the only required setting which currently is blank?

7.First let’s check that the LHOST option is set to our tun0 IP (which can be found on the access page). With that done, let’s set that last option to our target IP. Now that we have everything ready to go, let’s run our exploit using the command exploit

Task4 Escalate

1.Woohoo! We’ve gained a foothold into our victim machine! What’s the name of the shell we have now?

meterpreter

2.What user was running that Icecast process? The commands used in this question and the next few are taken directly from the ‘RP: Metasploit’ room

Dark

3.What build of Windows is the system?

7601

4.Now that we know some of the finer details of the system we are working with, let’s start escalating our privileges. First, what is the architecture of the process we’re running?

X64

5.Now that we know the architecture of the process, let’s perform some further recon. While this doesn’t work the best on x64 machines, let’s now run the following command run post/multi/recon/local_exploit_suggester. This can appear to hang as it tests exploits and might take several minutes to complete

6.Running the local exploit suggester will return quite a few results for potential escalation exploits. What is the full path (starting with exploit/) for the first returned exploit?

exploit/windows/local/bypassuac_eventvwr

7.Now that we have an exploit in mind for elevating our privileges, let’s background our current session using the command background or CTRL + z. Take note of what session number we have, this will likely be 1 in this case. We can list all of our active sessions using the command sessions when outside of the meterpreter shell.

8.Go ahead and select our previously found local exploit for use using the command use FULL_PATH_FOR_EXPLOIT

9.Local exploits require a session to be selected (something we can verify with the command show options), set this now using the command set session SESSION_NUMBER

10.Now that we’ve set our session number, further options will be revealed in the options menu. We’ll have to set one more as our listener IP isn’t correct. What is the name of this option?

11.Set this option now. You might have to check your IP on the TryHackMe network using the command ip addr

12.After we’ve set this last option, we can now run our privilege escalation exploit. Run this now using the command run. Note, this might take a few attempts and you may need to relaunch the box and exploit the service in the case that this fails.

13.Following completion of the privilege escalation a new session will be opened. Interact with it now using the command sessions SESSION_NUMBER

14.We can now verify that we have expanded permissions using the command getprivs. What permission listed allows us to take ownership of files?

SeTakeOwnershipPrivilege

Task5 Looting

1.Prior to further action, we need to move to a process that actually has the permissions that we need to interact with the lsass service, the service responsible for authentication within Windows. First, let’s list the processes using the command ps. Note, we can see processes being run by NT AUTHORITY\SYSTEM as we have escalated permissions (even though our process doesn’t).

2.In order to interact with lsass we need to be ‘living in’ a process that is the same architecture as the lsass service (x64 in the case of this machine) and a process that has the same permissions as lsass. The printer spool service happens to meet our needs perfectly for this and it’ll restart if we crash it! What’s the name of the printer service?

Mentioned within this question is the term ‘living in’ a process. Often when we take over a running program we ultimately load another shared library into the program (a dll) which includes our malicious code. From this, we can spawn a new thread that hosts our shell.

spoolsv.exe

3.Migrate to this process now with the command migrate -N PROCESS_NAME

4.Let’s check what user we are now with the command getuid. What user is listed?

NT AUTHORITY\SYSTEM

5.Now that we’ve made our way to full administrator permissions we’ll set our sights on looting. Mimikatz is a rather infamous password dumping tool that is incredibly useful. Load it now using the command load kiwi (Kiwi is the updated version of Mimikatz)

6.Loading kiwi into our meterpreter session will expand our help menu, take a look at the newly added section of the help menu now via the command help.

7.Which command allows us to retrieve all credentials?

creds_all

8.Run this command now. What is Dark’s password? Mimikatz allows us to steal this password out of memory even without the user ‘Dark’ logged in as there is a scheduled task that runs the Icecast as the user ‘Dark’. It also helps that Windows Defender isn’t running on the box
