TryHackMe ICE ROOM WALKTHROUGH – Exploiting Windows & Privilege Escalation

This is a tutorial/walkthrough of the Ice room on TryHackMe.

Recon

First we want to do a SYN scan against all ports using nmap:

This brings back quite a few open ports, but we need more information about what services are running on them. Let’s do a service scan:

Now we have more information and a decent idea of where to look: Icecast (hence the room’s name, Ice, perhaps?). We also find the answer to question 3: “One of the more interesting ports that is open is Microsoft Remote Desktop (MSRDP). What port is it open on?”

3389

We can also see, as mentioned earlier, that Icecast is running. The next question asks what service Nmap identified on port 8000:

Icecast

And, lastly, we have the question: What does Nmap identify as the hostname of the machine?

DARK-PC
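The scan results above are shown as screenshots. To show what a defender does with the same data, here is an added example (not code from the original post) that parses Nmap’s greppable (-oG) output and flags the exposures this walkthrough goes on to rely on: RDP on 3389, SMB on 445 and an Icecast listener. The scan text is a constructed sample modelled on the room’s findings, not the author’s actual output, and the rule messages are this example’s own.

```python
from dataclasses import dataclass

# Constructed sample in nmap's greppable (-oG) format; not the author's scan.
# Ports mirror the walkthrough: RDP (ms-wbt-server) on 3389, Icecast on 8000.
SAMPLE_GNMAP = """\
# Nmap scan (constructed sample)
Host: 10.10.10.10 ()\tStatus: Up
Host: 10.10.10.10 ()\tPorts: 135/open/tcp//msrpc//Microsoft Windows RPC/, 139/open/tcp//netbios-ssn//Microsoft Windows netbios-ssn/, 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/, 8000/open/tcp//http//Icecast streaming media server/\tIgnored State: filtered (65530)
# Nmap done (constructed sample)
"""


@dataclass
class PortEntry:
    host: str
    port: int
    state: str
    proto: str
    service: str
    version: str


def parse_gnmap(text):
    """Parse -oG output into PortEntry records (one per listed port)."""
    entries = []
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        # Fields are tab separated; the Ports field is a comma list of
        # port/state/proto/owner/service/rpcinfo/version/ (trailing slash).
        ports_field = next(f for f in line.split("\t") if f.startswith("Ports:"))
        for item in ports_field[len("Ports:"):].split(","):
            parts = item.strip().split("/")
            if len(parts) < 7:
                continue
            entries.append(PortEntry(host, int(parts[0]), parts[1], parts[2],
                                     parts[4], parts[6]))
    return entries


# Defender-side exposure rules: what a review of this scan should flag.
# Messages are this example's wording, not guidance from the room.
RULES = [
    (lambda e: e.port == 3389 or e.service == "ms-wbt-server",
     "RDP reachable from the scanning network; restrict to VPN/jump host and require NLA"),
    (lambda e: e.port == 445 or e.service == "microsoft-ds",
     "SMB reachable; block at the perimeter unless required"),
    (lambda e: "icecast" in (e.version + e.service).lower(),
     "Icecast exposed; check its version against CVE-2004-1561 and patch or firewall it"),
]


def review(entries):
    """Return (host, port, message) for every open port that matches a rule."""
    findings = []
    for e in entries:
        if e.state != "open":
            continue
        for check, message in RULES:
            if check(e):
                findings.append((e.host, e.port, message))
    return findings


if __name__ == "__main__":
    for host, port, message in review(parse_gnmap(SAMPLE_GNMAP)):
        print(f"{host}:{port}  {message}")
```

Run against a real `-oG` file by reading it in place of `SAMPLE_GNMAP`; the parser ignores status-only lines and any port entry that does not have the seven slash-separated fields, so it tolerates the `Ignored State` suffix Nmap appends to the Ports line.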

Gaining Access

Now that we have identified Icecast as being of particular interest, we need to research its known vulnerabilities. We can consult CVE Details for more information:

Here we can find the answers for questions 1 and 2:

Execute Code Overflow

CVE-2004-1561

Now that we have identified a vulnerability, it’s time to get into Metasploit and see if we can exploit it. We will be using the icecast_header module, located at exploit/windows/http/icecast_header, as seen in the picture below:

Next we will see what options are required:

We need to set the required RHOSTS option and change LHOST to the address of our tun0 interface. Then we are ready to exploit and, hopefully, receive a Meterpreter session:

Success! Now that we have established a session, it’s time to begin the escalation process.

Escalation

Let’s use our session to get a little bit more information about who we are in relation to the victim machine:

Great, so here we get some answers to the next few questions.

meterpreter

Dark

7601

x64

Now it’s time to see if there are any local exploits we might be able to use to gain some more privileges. We use the suggested command and find an exploit that might work:

For some reason this was the only result I got. Checking the hint on the next question gave me a clue, so I did a Google search for “metasploit eventvwr” and found this result from Rapid7:

From here, I went back to my Metasploit console and put the current Meterpreter session into the background using “ctrl+z”. I then selected the exploit found above and showed its options:

From here we can see that we need to set SESSION (in our case 1, the Meterpreter session we backgrounded earlier) and update LHOST with the tun0 address. Now we are ready to exploit:

Let’s check what privileges we have and get the answer to the last question in this section:

So, we see here that we have the privilege to take ownership. This should be useful!

Looting

Let’s see what processes we have running:

There are a ton, but one of particular interest to us is spoolsv.exe, the print spooler service, which has the same permissions as lsass and restarts after being stopped. Let’s migrate to it and then use getuid to see if we have taken over the NT AUTHORITY\SYSTEM user:

Now we can use Mimikatz (Kiwi) to get a dump of all the credentials:

And we find our answer for the last question in this section (I’ve blurred it out).
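The Escalation and Looting sections above describe the eventvwr UAC bypass, migration into spoolsv.exe and a Mimikatz (Kiwi) credential dump. As an added example that is not part of the original post, the following Python detector runs the host-side checks a defender would want for that chain over a constructed batch of Sysmon-style events. Field names follow Sysmon’s ProcessCreate (ID 1), CreateRemoteThread (ID 8), ProcessAccess (ID 10) and RegistryEvent (ID 13) records; the paths, SID, file names and the LSASS allowlist in the sample are made up and meant to be tuned per environment. The registry key checked is the per-user mscfile handler that the eventvwr bypass abuses.

```python
import ntpath

# Constructed Sysmon-style events (not real telemetry): a UAC bypass via
# eventvwr.exe, a remote thread into spoolsv.exe (process migration) and a
# read of lsass.exe memory (credential dumping), plus benign look-alikes.
# "payload.exe" and the SID are placeholders.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKU\S-1-5-21-0-0-0-1001\Software\Classes\mscfile\shell\open\command\(Default)",
     "Details": r"C:\Users\Dark\AppData\Local\Temp\payload.exe"},
    {"EventID": 1, "Image": r"C:\Users\Dark\AppData\Local\Temp\payload.exe",
     "ParentImage": r"C:\Windows\System32\eventvwr.exe", "IntegrityLevel": "High"},
    {"EventID": 1, "Image": r"C:\Windows\System32\mmc.exe",  # benign: eventvwr normally launches mmc
     "ParentImage": r"C:\Windows\System32\eventvwr.exe", "IntegrityLevel": "High"},
    {"EventID": 8, "SourceImage": r"C:\Users\Dark\AppData\Local\Temp\payload.exe",
     "TargetImage": r"C:\Windows\System32\spoolsv.exe"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\spoolsv.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",  # benign: allowlisted
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\taskmgr.exe",  # benign: no VM_READ in mask
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
]

# Handler path eventvwr.exe resolves under the user's hive before the machine-wide one.
MSCFILE_HANDLER = r"\software\classes\mscfile\shell\open\command"
PRIVILEGED_TARGETS = {"spoolsv.exe", "lsass.exe"}
# Placeholder allowlist of processes expected to open lsass; tune per environment.
LSASS_READERS_ALLOWLIST = {"csrss.exe", "wininit.exe", "services.exe", "svchost.exe", "msmpeng.exe"}
PROCESS_VM_READ = 0x0010  # access right needed to read another process's memory


def image_name(path):
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()


def detect(events):
    """Return (rule, detail) alerts for the events that match the chain's indicators."""
    alerts = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 13 and MSCFILE_HANDLER in ev.get("TargetObject", "").lower():
            # Staging: a per-user mscfile handler is written (eventvwr bypass).
            alerts.append(("uac_bypass_staging", ev.get("Details", "")))
        elif (eid == 1 and image_name(ev.get("ParentImage", "")) == "eventvwr.exe"
              and image_name(ev.get("Image", "")) != "mmc.exe"):
            # Execution: eventvwr.exe spawned something other than mmc.exe.
            alerts.append(("uac_bypass_exec", ev.get("Image", "")))
        elif eid == 8 and image_name(ev.get("TargetImage", "")) in PRIVILEGED_TARGETS:
            # Migration: remote thread created inside a SYSTEM service process.
            alerts.append(("remote_thread_into_privileged_process", ev.get("TargetImage", "")))
        elif eid == 10 and image_name(ev.get("TargetImage", "")) == "lsass.exe":
            # Credential access: a non-allowlisted process opened lsass with VM_READ.
            source = image_name(ev.get("SourceImage", ""))
            mask = int(ev.get("GrantedAccess", "0"), 16)
            if source not in LSASS_READERS_ALLOWLIST and mask & PROCESS_VM_READ:
                alerts.append(("lsass_memory_read", ev.get("SourceImage", "")))
    return alerts


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:40s} {detail}")
```

Note what the sample shows about the migration step: once the session lives inside spoolsv.exe, the process reading LSASS is a legitimate system binary, so an allowlist keyed on image name alone would not help if spoolsv.exe were on it. Checking the granted access mask and correlating with the earlier CreateRemoteThread into the same process is what gives the corroborating signal.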

For more interesting reading, feel free to check out my previous blog posts: ROOTME WALKTHROUGH – TRYHACKME.COM – CTF FOR BEGINNERS and SETTING UP AN UBUNTU LINUX VIRTUAL MACHINE – WALKTHROUGH AND TUTORIAL

Please, feel free to reach out to me through my contact page on this website!

Thank you for taking the time to read my blog and I look forward to hearing from you!
