Now that we know the architecture of the process, let’s perform some further recon. First, what is the architecture of the process we’re running? ![]() Now that we know some of the finer details of the system we are working with, let’s start escalating our privileges. What user was running that Icecast process? Woohoo! We’ve gained a foothold into our victim machine! What’s the name of the shell we have now? Now that we have everything ready to go, let’s run our exploit using the command `exploit` With that done, let’s set that last option to our target IP. What is the only required setting which currently is blank?įirst let’s check that the LHOST option is set to our tun0 IP (which can be found on the access page). Type either the command `use icecast` or `use 0` to select our search result.įollowing selecting our module, we now have to check what options we have to set. Let’s go ahead and select this module for use. What is the full path (starting with exploit) for the exploitation module? This module is also referenced in ‘ RP: Metasploit‘ which is recommended to be completed prior to this room, although not entirely necessary. Let’s go ahead and start Metasploit using the command `msfconsole`Īfter Metasploit has started, let’s search for our target exploit using the command ‘search icecast’. For this section of the room, we’ll use the Metasploit module associated with this exploit. Now that we’ve found our vulnerability, let’s find our exploit. What is the CVE number for this vulnerability? What type of vulnerability is it? Use for this question and the next. Icecast, or well at least this version running on our target, is heavily flawed and has a high level vulnerability with a score of 7.5 (7.4 depending on where you view it). Now that we’ve identified some interesting services running on our target machine, let’s do a little bit of research into one of the weirder services identified: Icecast. ![]() What does Nmap identify as the hostname of the machine? (All caps for the answer) What service did nmap identify as running on port 8000? (First word of this service) One of the more interesting ports that is open is Microsoft Remote Desktop (MSRDP). As you might have guessed, the firewall has been disabled (with the service completely shutdown), leaving very little to protect this machine. Once the scan completes, we’ll see a number of interesting ports open on this machine. Launch a scan against our target machine, I recommend using a SYN scan set to scan all ports on the machine:
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |