# Ice

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MdDejl-f0bs5fV9Qchw%2F-MdDev4V_TgpZn5n5x-8%2Fimage.png?alt=media\&token=eed03c01-ec6b-40ea-8c2c-e1f5e3677f61)

## Recon

Let's run an nmap scan to find open ports and services.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MdDff6YxNyzkJ9byjAx%2F-MdDg0OUWa-POqHWH_Iv%2Fimage.png?alt=media\&token=9eb343f7-93d2-474b-a182-2640f8a7aca7)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MdDff6YxNyzkJ9byjAx%2F-MdDg3lBateP1SCgWSGb%2Fimage.png?alt=media\&token=1b046122-88e3-4c7a-a15b-44eb65f9b06c)

![Specifying port 8000 as mentioned in the instructions in the room](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MdDgWSLCKGeMNqumnx2%2F-MdDhcZKo7DwEi2PyQCg%2Fimage.png?alt=media\&token=c2e7666e-7f08-4e04-9f7d-4ca424949360)

The hostname is Dark-PC, as we can see in the nmap scan.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MdDgWSLCKGeMNqumnx2%2F-MdDglMnkKKoOahdq93C%2Fimage.png?alt=media\&token=506406ee-694d-4e29-abce-bcaab4137ba4)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MdDgWSLCKGeMNqumnx2%2F-MdDhnu_4fR7u5C96EPH%2Fimage.png?alt=media\&token=46233f85-8570-43d1-89d1-1c3fec2f3ad2)

## Gain Access

The type of vulnerability can be found on CVE Details

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MdDhpnAYjVR54msLpFw%2F-MdDiTehVz4hVLX7PLmV%2Fimage.png?alt=media\&token=4e7a78e3-3604-4c7b-a31f-6ea2479e0d68)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MdDiV_Q1bU7VTPZv4Uw%2F-MdDipC4JkGOboZpf_ST%2Fimage.png?alt=media\&token=6f8f4e2d-a0ef-431a-a970-6515df894042)

We will be using Metasploit to gain access to the machine, so let's start Metasploit.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MdDiV_Q1bU7VTPZv4Uw%2F-MdDilhDpcIKRht4TiFE%2Fimage.png?alt=media\&token=319d55ca-54cc-4859-a53c-0e97c7ff6566)

Let's search for the vulnerability and set the right options.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MdDiV_Q1bU7VTPZv4Uw%2F-MdDj86e0_dqjWzLBuBh%2Fimage.png?alt=media\&token=765feea4-83bb-46ff-b7b1-751d5ab76d68)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MdDiV_Q1bU7VTPZv4Uw%2F-MdDjGb7D3aU6O7W4qgD%2Fimage.png?alt=media\&token=94363a71-8b97-4047-bba5-1d9670af53d0)

Now let's run the exploit.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MdDiV_Q1bU7VTPZv4Uw%2F-MdDjLlMclevt5ujHhwC%2Fimage.png?alt=media\&token=98b6e957-8bed-4425-8bfd-f07659956a51)

We have a shell on the machine

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MdDiV_Q1bU7VTPZv4Uw%2F-MdDjR17XIIMrapJaxHv%2Fimage.png?alt=media\&token=900e0c46-f2ff-4181-b5e3-127c4aca5090)

## Escalate

To find out who we are on the machine and get information related to the machine, we can use the sysinfo command.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MdDiV_Q1bU7VTPZv4Uw%2F-MdDjgsh4aJPT82PRwds%2Fimage.png?alt=media\&token=5d2983b3-72a7-4d00-902d-0c93c34f107e)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MdDiV_Q1bU7VTPZv4Uw%2F-MdDk2sKZebLvCwXILFz%2Fimage.png?alt=media\&token=24be4e8f-f335-4f74-83ff-f78602ec139b)

Let's run the module that will give us exploits we can use to escalate to a higher-privilege user on the machine.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MdDiV_Q1bU7VTPZv4Uw%2F-MdDkgx6HYB4lV0W4vkk%2Fimage.png?alt=media\&token=a773be09-8ad0-4d53-bf53-c042a33adad7)

Now let's background this session using the command "**background**" and list the active sessions. Then let's select the first exploit we just found and set the session number to the session we just backgrounded using the command "**set sessions 1**". Now we have to set the right options and run the exploit. Once the command has been run, we can access the machine using the command "**sessions 1**".

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MdDiV_Q1bU7VTPZv4Uw%2F-MdDmhX_H7sN3dUIbPl2%2Fimage.png?alt=media\&token=8beaf300-cd9c-4440-9eae-7b6cfa0bacb7)

Now we are in the machine as a higher-privilege user. We can check this by using the command "**getprivs**".

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MdDiV_Q1bU7VTPZv4Uw%2F-MdDnB5CfJqKKOc0CkWw%2Fimage.png?alt=media\&token=858557d9-a5d5-4d5b-909a-73c59747ac17)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MdDiV_Q1bU7VTPZv4Uw%2F-MdDnTDJfsZJIrlN47dX%2Fimage.png?alt=media\&token=f1cc9025-787e-4499-957c-1811789440f7)

## Looting

Let's now follow the steps in the room.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MdDiV_Q1bU7VTPZv4Uw%2F-MdDnuwQrAO4mwG371vf%2Fimage.png?alt=media\&token=1090d822-914b-4615-9987-e22da8c888b7)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MdDiV_Q1bU7VTPZv4Uw%2F-MdDoD6NH9WpTYl34ZI4%2Fimage.png?alt=media\&token=d869e6ad-73d6-4712-9677-3206acd95d4c)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MdDiV_Q1bU7VTPZv4Uw%2F-MdDoGMh9xHkqlJj8Ukz%2Fimage.png?alt=media\&token=3f24254d-1412-4566-b5ba-7bbb3c34f132)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MdDiV_Q1bU7VTPZv4Uw%2F-MdDoTXI4uh0bt0OnFTB%2Fimage.png?alt=media\&token=8ac7b2a8-e053-49fb-ae74-5570b5d98889)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MdDiV_Q1bU7VTPZv4Uw%2F-MdDo_AP0GITVUv6t7J1%2Fimage.png?alt=media\&token=c26e60d4-6949-43a9-ac38-6ac254ffd911)

## Post-Exploitation

With the help command we can answer the questions in this task.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MdDobe2a2uiWj7L51uj%2F-MdDpdTebqthfzQcKXLS%2Fimage.png?alt=media\&token=e9e52fd8-52c6-4d38-ad2a-de8f45d431d0)
