Ice Room Analysis: Icecast Exploitation, Credential Theft & Detection

šŸ‘ļø

4

People viewed this post

This Ice Room Analysis covered Icecast Exploitation and Credential Theft

This Ice Room Analysis focused on understanding how attackers move from service discovery to credential theft within a Windows environment. Rather than viewing the exercise purely as an exploitation challenge, I approached it from the perspective of a SOC analyst attempting to understand the complete attack chain and identify potential detection opportunities.

Disclaimer: This analysis was performed within an authorized TryHackMe lab environment for educational and defensive learning purposes. The focus of this write-up is understanding attacker behavior, detection opportunities, and incident response considerations.

By the end of this exercise, the attack path had progressed from reconnaissance to credential access, providing a practical demonstration of several techniques commonly observed during real-world intrusions.


Initial Reconnaissance

The first task involved identifying services exposed by the target machine.

An important challenge appeared immediately. The target did not respond to ICMP requests, meaning traditional host discovery methods would incorrectly classify the system as offline.

To compensate, I used the -Pn option within Nmap, instructing the scanner to treat the host as alive and continue enumeration.

The initial scan revealed several open services:

  • TCP 135 (MSRPC)
  • TCP 139 (NetBIOS)
  • TCP 445 (SMB)
  • TCP 3389 (Remote Desktop Protocol)
  • TCP 8000

Unlike the Blue Room, the most interesting service was not SMB. Port 8000 became the primary focus of the investigation.


Service Enumeration and Icecast Identification

A version detection scan was performed to determine the software running on port 8000.

The scan identified:

Icecast 2.0.1

At this stage, I deliberately avoided searching for exploits immediately. Instead, I focused on understanding the software itself and researching known vulnerabilities associated with the version discovered during enumeration.

This step reinforced an important lesson:

Good investigations begin with understanding the service before searching for exploitation methods.


Vulnerability Research

Research into Icecast 2.0.1 revealed a known vulnerability tracked as:

CVE-2004-1561

The vulnerability carried a significant severity rating and allowed remote code execution under specific conditions.

This phase highlighted a common attacker workflow:

Service Discovery → Version Identification → Vulnerability Research → Exploit Selection

Rather than blindly testing exploits, attackers often identify software versions first and then match them against publicly known vulnerabilities.


Exploitation

Metasploit was used to identify a suitable exploitation module.

The module selected was:

exploit/windows/http/icecast_header

After configuring the required parameters and verifying the listener configuration, the exploit was executed successfully.

A Meterpreter session was returned.

At this point, the system had transitioned from external exposure to active compromise.


Understanding Meterpreter Access

One of the most valuable lessons from this exercise involved understanding what Meterpreter actually represents.

Many beginners view Meterpreter simply as a shell.

In reality, Meterpreter provides a post-exploitation framework that allows attackers to:

  • Gather system information
  • Interact with processes
  • Escalate privileges
  • Access credentials
  • Maintain persistence

Understanding these capabilities is critical for defenders because many post-exploitation activities generate observable telemetry.


System Enumeration

After gaining access, system information was gathered using Meterpreter.

The host was identified as:

DARK-PC

Additional enumeration revealed:

  • Windows 7 Service Pack 1
  • User account context
  • Process architecture
  • Running services

These details became important when selecting privilege escalation techniques.


Privilege Escalation

The next objective involved moving from initial access to elevated permissions.

The local exploit suggester module identified several possible escalation paths. The first suggested technique leveraged a User Account Control bypass.

The selected exploit:

exploit/windows/local/bypassuac_eventvwr

successfully generated a new elevated Meterpreter session.

This phase demonstrated an important concept frequently encountered during investigations:

Initial compromise does not always equal administrative control.

Attackers often require additional steps to elevate privileges before pursuing further objectives.


Process Migration

After privilege escalation, process migration became necessary.

A process running under NT AUTHORITY\SYSTEM was selected for migration.

The target process was:

spoolsv.exe

The Windows Print Spooler service provided a stable location for the Meterpreter session.

From an attacker perspective, process migration improves reliability and survivability.

From a defender perspective, process migration can generate suspicious activity that may be visible through endpoint telemetry and Sysmon logging.


Credential Theft

The most important stage of this Ice Room Analysis involved Credential Theft.

After migrating into a suitable SYSTEM process, Kiwi (the updated version of Mimikatz) was loaded into memory.

This allowed access to credential material stored by Windows.

Using Kiwi, credentials were extracted directly from memory.

One particularly important observation was that credentials could be recovered even when the user was not actively logged into the system.

Scheduled tasks and service configurations had left usable authentication material available in memory.

This reinforces a critical security lesson:

Attackers frequently target credentials after gaining administrative access because credentials enable persistence, lateral movement, and expansion throughout an environment.


Detection Opportunities

Several high-value detection opportunities appeared throughout the attack chain.

Network Activity

  • Nmap scanning activity
  • Service enumeration
  • Port 8000 targeting

Execution Activity

  • Icecast exploitation
  • Meterpreter payload execution
  • New process creation

Privilege Escalation

  • UAC bypass behaviour
  • Event Viewer abuse
  • Elevated process creation

Credential Access

  • Memory access operations
  • Credential dumping activity
  • LSASS-related interactions

Process Migration

  • Process injection behaviour
  • Unexpected access to SYSTEM processes

These activities represent valuable hunting opportunities for SOC analysts and defenders.
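As an added illustration (not part of the original write-up), the following script turns the detection opportunities above into rules run over a handful of constructed Sysmon-style events modelled on this attack chain. The Icecast binary name, the attacker address, the registry path and the event field values are assumptions made for the example; the Sysmon event IDs (3 NetworkConnect, 13 RegistryEvent value set, 1 ProcessCreate, 8 CreateRemoteThread, 10 ProcessAccess) are real.

```python
"""Detection rules for the Ice Room attack chain, evaluated over constructed
Sysmon-style events. Event IDs follow Sysmon: 3 NetworkConnect, 13 registry
value set, 1 ProcessCreate, 8 CreateRemoteThread, 10 ProcessAccess."""
from typing import Dict, List, Optional

# Constructed sample events, not real telemetry. The Icecast executable name,
# the attacker IP/port and the user SID are assumptions for this example.
SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 3, "Image": r"C:\Program Files\Icecast2\Icecast2.exe",
     "Initiated": "true", "DestinationIp": "10.10.14.5", "DestinationPort": 4444},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Classes\mscfile\shell\open\command\(Default)"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\eventvwr.exe"},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\cmd.exe",
     "TargetImage": r"C:\Windows\System32\spoolsv.exe"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\spoolsv.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    # Benign: Event Viewer normally launches its own MMC console.
    {"EventID": 1, "Image": r"C:\Windows\System32\mmc.exe",
     "ParentImage": r"C:\Windows\System32\eventvwr.exe"},
]

def _base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def classify(ev: Dict) -> Optional[str]:
    """Return the attack-chain stage an event indicates, or None if benign."""
    eid = ev.get("EventID")
    # A web/streaming server initiating an outbound connection is the reverse-shell signal.
    if eid == 3 and _base(ev["Image"]) == "icecast2.exe" and ev.get("Initiated") == "true":
        return "execution: Icecast process opened an outbound connection"
    # The eventvwr UAC bypass hijacks the mscfile shell\open\command handler in HKCU.
    if eid == 13 and r"\software\classes\mscfile\shell\open\command" in ev["TargetObject"].lower():
        return "privilege-escalation: mscfile handler hijack (eventvwr UAC bypass)"
    if eid == 1 and _base(ev.get("ParentImage", "")) == "eventvwr.exe" and _base(ev["Image"]) != "mmc.exe":
        return "privilege-escalation: unexpected child of eventvwr.exe"
    # Migration into the Print Spooler shows up as a remote thread in spoolsv.exe.
    if eid == 8 and _base(ev["TargetImage"]) == "spoolsv.exe":
        return "process-migration: remote thread created in spoolsv.exe"
    # Credential dumping needs a handle to LSASS; here it comes from the migrated process.
    if eid == 10 and _base(ev["TargetImage"]) == "lsass.exe":
        return "credential-access: handle to lsass.exe from " + _base(ev["SourceImage"])
    return None

def run(events: List[Dict]) -> List[str]:
    """Evaluate every rule over the event list and return the hits in order."""
    return [hit for hit in (classify(e) for e in events) if hit]

if __name__ == "__main__":
    for hit in run(SAMPLE_EVENTS):
        print(hit)
```

The rules are intentionally narrow to the behaviours this room exercised; in production the LSASS rule needs an allowlist of legitimate accessors and the process-creation rule should be paired with the registry rule to cut false positives.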


Challenges Encountered

One challenge involved understanding why port 8000 was more significant than SMB during this investigation.

My initial instinct was to focus on familiar Windows services such as SMB and RDP.

However, careful service enumeration revealed that Icecast represented the true attack surface.

Another challenge involved understanding process migration.

Initially, it appeared to be an unnecessary step.

Further investigation revealed that migration serves practical purposes such as stability, persistence, and privilege alignment.

Understanding the reasoning behind attacker actions proved significantly more valuable than simply executing commands.


Incident Report Notes

Executive Summary

The target system exposed a vulnerable Icecast service on TCP 8000. Service enumeration identified Icecast 2.0.1, which was vulnerable to CVE-2004-1561. Successful exploitation resulted in Meterpreter access, privilege escalation through UAC bypass, process migration into a SYSTEM process, and successful credential extraction using Kiwi.

Initial Access

  • Icecast service discovery
  • Vulnerability identification
  • Remote exploitation

Execution

  • Meterpreter payload deployment
  • Remote command execution

Privilege Escalation

  • UAC bypass
  • Elevated session creation

Credential Access

  • Kiwi deployment
  • Memory credential extraction

Recommendations

  • Remove unsupported software versions
  • Apply security updates promptly
  • Monitor privilege escalation attempts
  • Detect credential dumping behaviour
  • Restrict unnecessary services
  • Enable enhanced endpoint logging

Final Thoughts

This Ice Room Analysis demonstrated how a seemingly insignificant service can become the entry point for a complete system compromise.

The most valuable lesson was not the exploitation itself. The most valuable lesson was understanding how attackers transition from initial access to Credential Theft through privilege escalation and process migration.

For defenders, each stage of this attack chain generates opportunities for detection, investigation, and response.

Understanding those opportunities will become increasingly important when analysing Sysmon telemetry, investigating incidents, and building effective detection strategies.
