ICE-Tryhackme Machine
This machine is easy to tryhackme in difficulty.
Step 1
The first step to start this machine, as in most, is to perform an nmap to see the ports it has open.
To perform the scan we will need the nmap tool and the IP of the machine to attack.
Step 2
Once the scan is finished we see the versions and programs that the Windows machine uses in this case. Searching in cvedetails we found a vulnerability in icecast with a score of 7.5.
This vulnerability is a code execution overflow.
Step 3
Once the previous vulnerability is found, we will search in metasploit for an exploit for that vulnerability, to do this we will use the “msfconsole” command.
We found an exploit with that vulnerability with a very good range.
Step 4
Now that we have found the exploit we mark it and see what parameters it needs for the exploit to work (use 0 to select the exploit and info to see the necessary parameters).
We put the Rhosts ip (set rhosts “ip”) of the machine to attack (10.10.42.252 in my case) and we exploit.
Step 5
Once the machine has been exploited, we have gained access to the machine. Once access has been gained, the first step is to locate the user with whom we have obtained a shell.
Then we will have to see what Windows we have, version and architecture.
Step 6
Now that we know the architecture of Windows, we use the command ‘run post/multi/recon/local_exploit_suggester’ to see if it is vulnerable.
We see how it has found vulnerability in exploit/windows/local/bypassuac_eventvwr with 41 different exploits to compromise the machine.
Step 7
To use these exploits we need to have the shell in the background.
Once we have it in the background we look for the exploit found previously in msfconsole ‘use exploit/windows/local/bypassuac_eventvwr’
Now we will have to configure the LHOST for the exploit to work correctly.
Step 8
With the ‘getprivs’ command we have the list of permissions we have, we can see how we have permissions on the files.
Step 9
We look at the processes to see if there is a process to generate a shell with the system user (with the ps command).
We find the spoolsv.exe process, to change from shell to system we will have to migrate with the command ‘migrate -N PID’
Step 10
We load kiwi (updated version of mimikatz) to download passwords, we look at the options it has using the help command.
We run the ‘creds_all’ command to steal all the passwords from memory.
Step 11
In the help menu we can see different commands:
With the hashdump command we see all the hashes on the machine.
With the ‘screenshare’ command we can see the attacked machine live.
With the ‘record_mic’ command we can record from the microphone of the attacked machine.
With the ‘timestomp’ command we can modify the timestamps of system files.
With the ‘golden_ticket_create’ command it allows us to perform golden attacks with which we can maintain persistence and authenticate as any user of the domain.
Step 12
With this we have finished making the tryhackme ICE machine.
I hope it has been helpful to you :D. Argibeltza 10/20/2023