
TryHackMe — HackPark writeup (Windows)

HackPark

We began by scanning the target with the AutoRecon tool.

Nmap Result

Upon accessing port 80, we are presented with the page below:

We then saved the clown image to our local machine and ran a reverse image search, which showed that the clown's name is pennywise.

During enumeration, we found a URL that leads to an admin page:

After failing to log in with weak usernames and passwords, we can try to find a valid user manually:

And we finally found a user by looking at the response:

Using Hydra to brute-force a login

First we need to capture the request by simulating a login; we can use Burp for this:

Now we have the URL and request body. The other thing we need is the error message shown for a failed login, which is ‘Login Failed’:

With everything in place, we are ready to craft our hydra command:

hydra -l admin -P /usr/share/wordlists/rockyou.txt IP http-post-form '/Account/login.aspx?ReturnURL=/admin:__VIEWSTATE=VQKZ8ULScEvRWUJ0ZSo05N9nyc1PcAd9MYapHMwN9nUEC0YNdcMBc4MwPLtaGx2yLx6Guj3UljINXMAxj2kmyg4FjNwF7+QX/FcgoUlkIYX33mrvZ0F1V1TuqL1qdLibWSWOQo6aVW/Pz2W3V1baQ84/fN44QXHaaW557bJtG/fQhz26&__EVENTVALIDATION=9ZAQ8taCvbqXrKOhXXsQEYUbo80bDOAwsAjl66e3EbpBu048iZ6HD78Df+Zgujq2XC/hCiULbXup4ob9mEvjkKAJaj3lO/INcS57iPPBfCrouDrbeNqDyGK7NG78C6igmF6p5s73PW7VPSSYJ3LwbInXGqzvRJUUhefTS3dMGmCc1s/n&ctl00$MainContent$LoginUser$UserName=^USER^&ctl00$MainContent$LoginUser$Password=^PASS^&ctl00$MainContent$LoginUser$LoginButton=Log in:Login Failed' -vV

And we managed to bruteforce the password:

Compromise the system

Now we are able to log in to BlogEngine with the credentials. Even before logging in to the admin page, we had already identified the BlogEngine version:

If we look at searchsploit, there are quite a few exploits and CVEs:

The one we will be using is 47011.py.

First, the exploit logs in with valid credentials (the account must have permission to Edit Posts) and uploads a malicious file with a .ascx extension through /api/upload?action=filemgr. Then, with a listener started, the attacker is able to trigger the exploit at http://IP/?theme=../../App_Data/files

Another vulnerable URL:

http://IP/admin/app/editor/editpost.cshtml

By using the public exploit, we are able to gain access to the system as ‘iis apppool\blog’.

This is a path traversal vulnerability leading to remote code execution. This vulnerability affects BlogEngine.NET versions 3.3.6 and below. This is caused by an unchecked “theme” parameter that is used to override the default theme for rendering blog pages.
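For the blue-team side of this chain, the following added example (not part of the original writeup or of BlogEngine.NET) scans IIS W3C log lines for the three stages described above: the burst of login POSTs produced by Hydra, the upload through /api/upload?action=filemgr, and a "theme" value that escapes the themes folder. The log lines, IP addresses, field selection and threshold are constructed assumptions.

```python
from collections import Counter
from urllib.parse import parse_qs, unquote

# Constructed IIS W3C log lines (not from the room); IPs are documentation ranges.
SAMPLE_LOG = "#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status\n"
SAMPLE_LOG += "2024-01-01 10:00:00 GET / theme=Standard 198.51.100.7 200\n"
SAMPLE_LOG += "".join(
    f"2024-01-01 10:00:0{i} POST /Account/login.aspx ReturnURL=/admin 203.0.113.5 200\n"
    for i in range(1, 7))
SAMPLE_LOG += (
    "2024-01-01 10:01:00 POST /api/upload action=filemgr 203.0.113.5 200\n"
    "2024-01-01 10:01:05 GET / theme=../../App_Data/files 203.0.113.5 200\n"
    "2024-01-01 10:02:00 GET / theme=..%2f..%2fApp_Data%2ffiles 198.51.100.9 200\n")

def parse(log_text):
    """Yield one dict per request, keyed by the names in the #Fields header."""
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split()))

def theme_traversal(query):
    """True when a 'theme' value contains a '..' segment or is an absolute path."""
    params = {k.lower(): v for k, v in parse_qs(query).items()}
    for value in params.get("theme", []):
        path = unquote(value).replace("\\", "/")  # extra decode for double encoding
        if ".." in path.split("/") or path.startswith("/"):
            return True
    return False

def detect(log_text, login_threshold=5):
    """Return (alert, client_ip) tuples in log order."""
    alerts, logins, uploaders = [], Counter(), set()
    for r in parse(log_text):
        ip, stem, query = r["c-ip"], r["cs-uri-stem"].lower(), r["cs-uri-query"]
        if r["cs-method"] == "POST" and stem == "/account/login.aspx":
            logins[ip] += 1
            if logins[ip] == login_threshold:  # alert once per client
                alerts.append(("login-burst", ip))
        elif r["cs-method"] == "POST" and stem == "/api/upload" and "action=filemgr" in query.lower():
            uploaders.add(ip)
        elif theme_traversal(query):
            kind = "upload-then-theme-traversal" if ip in uploaders else "theme-traversal"
            alerts.append((kind, ip))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

A real deployment would read the field order from each log file's own #Fields header, as parse() does, and tune login_threshold to the site's normal login volume.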

Windows Privilege Escalation

Once we are in, we do basic enumeration such as checking the running services. We then found an abnormal binary running:

Message.exe

This file is located at C:\Program Files (x86)\SystemScheduler\

It belongs to a Windows service named WindowsScheduler.

We found that we are able to replace the binary by checking the permission:

By replacing the binary with our payload, we got Administrator!

Privilege Escalation without Metasploit

For privilege escalation without Metasploit, we can generate a windows/shell_reverse_tcp shell instead of Meterpreter. This shell can be more stable than netcat from time to time.

Tip: It’s common to find C:\Windows\Temp is world writable!

WinPeas is a great tool which will enumerate the system and attempt to recommend potential vulnerabilities that we can exploit. The part we are most interested in for this room is the running processes!

Tip: You can execute these files by using .\filename.exe

Using winPeas, the Original Install time was:

8/3/2019, 10:43:23 AM

Be happy, always