TryHackMe – HackPark Walkthrough
Introduction
This was a fairly easy Windows machine that involved bruteforcing credentials to authenticate into the BlogEngine web application, exploiting a remote code execution vulnerability affecting it to gain remote access and an insecure service file permission vulnerability in the Splinterware System Scheduler application to escalate privileges to SYSTEM.
Bruteforcing
Accessing the web application:
Found a log in button in the right-hand side menu:
Attempting an authentication to check the message that appears for unsuccessful logins, to use it later on with Hydra:
Intercepting the authentication request with burp to check the parameters being used:
Using hydra to bruteforce the password, using the following flags:
- -f to stop the attack when a valid password is found
- -l to specify the username for the bruteforce attack
- -P to specify the wordlist to use for the bruteforce
- http-post-form to specify the URL including all of the parameters used in the request, such as the username, password and the failed authentication message
It looks like a valid password of 1qaz2wsx was identified by Hydra.
Compromising the Machine
Authenticating into the application:
Navigating to the “About” page to identify the version of BlogEngine use, which is 3.3.6.0
Using SearchSploit to identify vulnerabilities in BlogEngine 3.3.6:
Mirroring the exploit and identifying its CVE:
Checking the instructions required to exploit the vulnerability:
- Amending the local IP address and port in the exploit
- Renaming the exploit to PostView.ascx
- Uploading the exploit through BlogEngine’s file manager
- Setting up a Netcat listener on the local Kali host
- Accessing the .cshtml shell from a browser to connect to the reverse shell
Updating the IP address and port in the exploit:
Clicking on published posts from the BlogEngine dahboard:
Clicking on the “Welcome to HackPark” post”:
Accessing the file manager by clicking on the folder icon in the toolbar:
Uploading the PostView.ascx file through the UPLOAD button in the file manager:
The next step is to set up a Netcat listener, which will catch our reverse shell when it is executed by the victim host, using the following flags:
- -l to listen for incoming connections
- -v for verbose output
- -n to skip the DNS lookup
- -p to specify the port to listen on
Navigating to the URL indicated in the exploit instructions:
Received a callback, which has granted a reverse shell as the “iis apppool” user:
Privilege Escalation without Metasploit
The next exercise required a meterpreter shell to be established. The first step is to generate some shellcode using MSFvenom with the following flags:
- -p to specify the payload type, in this case the Windows Meterpreter TCP reverse shell
- -a to specify the architecture, in this case x86
- –encoder to specify the encoder to be used for the shellcode, in this case shikata_ga_nai
- LHOST to specify the local host IP address to connect to
- LPORT to specify the local port to connect to
- -f to specify the format to be used for the shell, in this case exe
- -o to specify the output, in this case shell.exe
Setting up a Python Simple HTTP server to host the Meterpreter shell:
Navigating to /windows/temp to download it and execute it. Using the Windows Certutil utility to download it:
Starting MSFconsole, selecting the multi handler module, setting and running the exploit:
- payload to specify the payload type, in this case the Java reverse shell
- LHOST to specify the local host IP address to connect to
- LPORT to specify the local port to connect to
Executing the shell from the target host – a Meterpreter shell is now open:
Executing the Meterpreter sysinfo command to check the architecture of the target host:
Uploading the WinPEAS enumeration executable using the Meterpreter upload command:
Dropping into a normally CMD shell and executing WinPEAS:
Identified a service with poor service file permissions in place (SystemScheduler), this could be used to escalate privileges:
Navigating to the installation directory of SystemScheduler:
Listing the files in the current directory and navigating to the Events folder, which looks unusual:
Based on the log file, it looks like Message.exe runs every 30 seconds:
The next step is to generate some shellcode using MSFvenom with the following flags:
- -p to specify the payload type, in this case the Windows Meterpreter TCP reverse shell
- –encoder to specify the encoder to be used for the shellcode, in this case shikata_ga_nai
- LHOST to specify the local host IP address to connect to
- LPORT to specify the local port to connect to
- -f to specify the format to be used for the shell, in this case exe
Renaming Message.exe and replacing it with the malicious Message.exe previously created:
Backgrounding the current session, selecting the multi handler module, setting and running the exploit:
- LHOST to specify the local host IP address to connect to
- LPORT to specify the local port to connect to
Once the system runs the Message.exe file, a callback is received as the Administrator user:
Privilege Escalation with Metasploit
Generating some shellcode using MSFvenom with the following flags:
- -p to specify the payload type, in this case the Windows TCP reverse shell
- –encoder to specify the encoder to be used for the shellcode, in this case shikata_ga_nai
- LHOST to specify the local host IP address to connect to
- LPORT to specify the local port to connect to
- -f to specify the format to be used for the shell, in this case exe
Hosting it on the Kali host using the Python Simple HTTP Server and downloading it from the target host using Certutil:
Renaming Message.exe and replacing it with the malicious Message.exe previously created:
The next step is to set up a Netcat listener, which will catch our reverse shell when it is executed by the victim host, using the following flags:
- -l to listen for incoming connections
- -v for verbose output
- -n to skip the DNS lookup
- -p to specify the port to listen on
Once the system runs the Message.exe file, a callback is received as the Administrator user:
The original system installation date can be viewed using the systeminfo command.
Conclusion
This was a really fun box overall – the techniques required to exploit it are not too advanced although there is a good variety of vectors being used which is great (brute-forcing, remote code execution, insecure service permissions). Windows boxes aren’t very common when it comes to CTF so it’s great that TryHackMe has so many in their arsenal.
Hello! This is kind of off topic but I need some guidance from an established blog.
Is it difficult to set up your own blog? I’m not very techincal but I
can figure things out pretty fast. I’m thinking
about making my own but I’m not sure where to begin. Do you have any tips or suggestions?
Appreciate it
I personally use WordPress with Bluehost and I find it pretty easy to setup and use ongoing, but otherwise Medium and GitHub are also good options and definitely require less time too setup.
Wonderful, what a webpage it is! This weblog presents valuable data to us, keep it
up.
No worries, glad it was helpful 🙂
I got this website from my buddy who told me on the topic of this web site and now this
time I am visiting this web page and reading very informative articles or
reviews at this time.