Today we will be looking at Ice from TryHackMe. Ice is a public room, so anyone can exploit the machine. This is an easy machine, but it has an interesting vulnerability in “Icecast” that can attract everyone’s attention.
- There are 7 tasks to solve: Connect, Recon, Gain Access, Escalate, Looting, Post-Exploitation, Extra Credit!
- There is an open port on the machine: 8000/tcp, Icecast.
- There are two important open ports on the machine: 139 and 445.
- Scan vuln: CVE-2007-6750, streaming media server.
- Scan vuln: CVE-2017-0143, risk factor: High.
- There is an important vulnerable Icecast 2.0.1 streaming media server on the system.
- There is an important EternalBlue vulnerability on the system.
- There are no flags anywhere.
Let’s start with this machine.
Task 1 : Connect
Connect to the TryHackMe VPN server and deploy the box.
The room tells you what to do.
Keep following along with this part.
Task 2 : Recon
I’m going to answer the questions one by one as they are asked.
The “ice” machine IP is 10.10.62.158
We are going to apply the usual penetration testing methodology, as we have before. Let’s start with enumeration to learn as much about the machine as possible.
We are going to start with an nmap scan to gather more information about the services and versions running on this machine.
nmap -T4 -A -p- <targetip>
As we can see, port 8000/tcp is running the Icecast streaming media server. If you ask what that means: a buffer overflow in Icecast 2.0.1 and earlier allows remote attackers to execute arbitrary code via an HTTP request with a large number of headers.
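The bug class described above comes down to storing each parsed header in a fixed-size table without checking how many have arrived. As an added example (not code from Icecast or from the original write-up), this C parser enforces the limit and rejects the request instead of writing past the table; the function names, the 32-entry table size and the generated requests are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_HEADERS 32   /* assumed table size, chosen for illustration */

/* Hypothetical parser: splits the request in place and records the start of
 * each header line. Returns the header count, or -1 if the request is
 * malformed or carries more headers than the table can hold. */
int parse_headers(char *req, char *table[], int capacity)
{
    int count = 0;
    char *line = strstr(req, "\r\n");      /* skip the request line */
    if (line == NULL)
        return -1;
    line += 2;
    while (*line != '\0') {
        char *end = strstr(line, "\r\n");
        if (end == NULL)
            return -1;                     /* truncated header line */
        if (end == line)
            break;                         /* blank line ends the header block */
        /* The check an unchecked parser omits: without it, header number
         * capacity+1 is written past the end of table[]. */
        if (count >= capacity)
            return -1;
        *end = '\0';
        table[count++] = line;
        line = end + 2;
    }
    return count;
}

/* Builds a constructed request with n "X-Test" headers and parses it. */
int parse_constructed_request(int n)
{
    static char buf[4096];
    char *table[MAX_HEADERS];
    size_t used = (size_t)snprintf(buf, sizeof buf, "GET / HTTP/1.0\r\n");
    for (int i = 0; i < n && used < sizeof buf - 32; i++)
        used += (size_t)snprintf(buf + used, sizeof buf - used, "X-Test: %d\r\n", i);
    snprintf(buf + used, sizeof buf - used, "\r\n");
    return parse_headers(buf, table, MAX_HEADERS);
}

int main(void)
{
    printf("3 -> %d, 32 -> %d, 33 -> %d\n", parse_constructed_request(3),
           parse_constructed_request(32), parse_constructed_request(33));
    return 0;
}
```

A request with exactly as many headers as the table holds is accepted, and one more header makes the parser return -1 rather than store the extra pointer.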
#4 ans: We can see what is running on the open 8000/tcp port: Icecast.
#5 ans : We can see that the hostname is DARK-PC.
nmap -sS <targetip>
#3 ans: 3389/tcp ms-wbt-server.
nmap -T4 -A -p- --script vuln 10.10.62.158 -vv
Task 3 : Gain Access
We go to cvedetails.com and find the vulnerability details.
We have to research this vulnerability.
#1, #2 ans:
We found it: there is an important vulnerability and exploit for Icecast 2.0.1.
We can see CVE-2004-1561 and execute code overflow.
While doing this, we get help from the search in Metasploit.
We can learn which exploit to use by searching.
#5 ans : We can see “rhosts”.
Task 4 : Escalate
set rhosts <target ip>
background or ctrl + z
#1, #2, #3, #4 : We can see all system information with the sysinfo command.
The room asks us to use post/multi/recon/local_exploit_suggester.
set lhost tun0
The room asks us to use exploit/windows/local/bypassuac_eventvwr.
#4 We can see the file ownership privilege: SeTakeOwnershipPrivilege.
Task 5 : Looting
migrate -N spoolsv.exe
#1, #2, #3, #4, #5, #6 ans:
#7, #8 ans:
We got the admin password.
Task 6 : Post-Exploitation
I don’t need to explain these.
Task 7 : Extra Credit!
Exploit link : https://www.exploit-db.com/exploits/568
I took a screenshot for you from the computer I accessed.
Hope you guys enjoyed this tutorial, let me know if you try this out. Follow me for more projects like this!