TryHackMe – HackPark Walkthrough

Introduction

This was a fairly easy Windows machine. It involved brute-forcing credentials to authenticate to the BlogEngine web application, exploiting a remote code execution vulnerability in that version of BlogEngine to gain remote access, and abusing insecure file permissions on the Splinterware System Scheduler service to escalate privileges to SYSTEM.

Bruteforcing

Accessing the web application:

Found a login button in the right-hand side menu:

Attempting a login with bogus credentials to capture the error message shown for unsuccessful logins, which Hydra will use later to recognise failed attempts:

Intercepting the authentication request with Burp Suite to check the parameters being used:

Using hydra to bruteforce the password, using the following flags:

  • -f to stop the attack when a valid password is found
  • -l to specify the username for the bruteforce attack
  • -P to specify the wordlist to use for the bruteforce
  • http-post-form to specify the login URL together with the request parameters (the username and password fields) and the failed-authentication message that marks an unsuccessful attempt

It looks like a valid password of 1qaz2wsx was identified by Hydra.
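A defender's counterpart to the brute force above, added here as an example rather than code from the walkthrough: a PowerShell function that scans IIS W3C log lines for bursts of POST requests to the BlogEngine login page from a single client. The login path /Account/login.aspx, the reduced field layout and the log lines are assumptions constructed for the example; since the Hydra setup above has to key on a failure message rather than a status code, the check counts request volume per client instead of looking at sc-status.

```powershell
# Added example (not from the walkthrough): find login brute-force bursts in IIS W3C logs.
# Assumed field order: date time cs-method cs-uri-stem c-ip sc-status (a reduced W3C layout).
function Find-LoginBursts {
    param(
        [string[]]$Lines,
        [string]$LoginPath = '/Account/login.aspx',   # assumed BlogEngine login page
        [int]$Threshold = 10,                         # POSTs from one client ...
        [int]$WindowSeconds = 60                      # ... within this many seconds
    )
    # Keep only POSTs to the login page, with their timestamp and client IP.
    $posts = foreach ($line in $Lines) {
        if ($line.StartsWith('#')) { continue }       # skip W3C directive lines
        $f = $line -split '\s+'
        if ($f.Count -lt 6 -or $f[2] -ne 'POST' -or $f[3] -ne $LoginPath) { continue }
        [pscustomobject]@{
            Time = [datetime]::ParseExact("$($f[0]) $($f[1])", 'yyyy-MM-dd HH:mm:ss', [cultureinfo]::InvariantCulture)
            Ip   = $f[4]
        }
    }
    # Sliding window per client IP: report the first window that reaches the threshold.
    $posts | Group-Object Ip | ForEach-Object {
        $ip    = $_.Name
        $times = @($_.Group.Time | Sort-Object)
        $start = 0
        for ($end = 0; $end -lt $times.Count; $end++) {
            while (($times[$end] - $times[$start]).TotalSeconds -gt $WindowSeconds) { $start++ }
            if (($end - $start + 1) -ge $Threshold) {
                [pscustomobject]@{ Ip = $ip; Attempts = $end - $start + 1; From = $times[$start]; To = $times[$end] }
                break
            }
        }
    }
}

# Constructed sample log: one normal login from 10.0.0.7 and a burst of 15 POSTs in 45 seconds from 10.0.0.5.
$SampleLog  = @('#Fields: date time cs-method cs-uri-stem c-ip sc-status',
                '2020-01-01 10:00:00 GET /Account/login.aspx 10.0.0.7 200',
                '2020-01-01 10:00:05 POST /Account/login.aspx 10.0.0.7 302')
$SampleLog += 0..14 | ForEach-Object { '2020-01-01 10:01:{0:D2} POST /Account/login.aspx 10.0.0.5 200' -f ($_ * 3) }

Find-LoginBursts -Lines $SampleLog | Format-Table -AutoSize
```

With the sample data the function reports 10.0.0.5 with 10 attempts between 10:01:00 and 10:01:27 and nothing for 10.0.0.7; point it at Get-Content of a real u_ex*.log after adjusting the field order to match the #Fields header.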

Compromising the Machine

Authenticating into the application:

Navigating to the “About” page to identify the version of BlogEngine in use, which is 3.3.6.0:

Using SearchSploit to identify vulnerabilities in BlogEngine 3.3.6:

Mirroring the exploit and identifying its CVE:

Checking the instructions required to exploit the vulnerability:

  • Amending the local IP address and port in the exploit
  • Renaming the exploit to PostView.ascx
  • Uploading the exploit through BlogEngine’s file manager
  • Setting up a Netcat listener on the local Kali host
  • Accessing the .cshtml shell from a browser to connect to the reverse shell

Updating the IP address and port in the exploit:

Clicking on published posts from the BlogEngine dashboard:

Clicking on the “Welcome to HackPark” post:

Accessing the file manager by clicking on the folder icon in the toolbar:

Uploading the PostView.ascx file through the UPLOAD button in the file manager:

The next step is to set up a Netcat listener, which will catch our reverse shell when it is executed by the victim host, using the following flags:

  • -l to listen for incoming connections
  • -v for verbose output
  • -n to skip the DNS lookup
  • -p to specify the port to listen on

Navigating to the URL indicated in the exploit instructions:

Received a callback, which has granted a reverse shell as the “iis apppool” user:

Privilege Escalation with Metasploit

The next exercise required a meterpreter shell to be established. The first step is to generate some shellcode using MSFvenom with the following flags:

  • -p to specify the payload type, in this case the Windows Meterpreter TCP reverse shell
  • -a to specify the architecture, in this case x86
  • --encoder to specify the encoder to be used for the shellcode, in this case shikata_ga_nai
  • LHOST to specify the local host IP address to connect to
  • LPORT to specify the local port to connect to
  • -f to specify the format to be used for the shell, in this case exe
  • -o to specify the output, in this case shell.exe

Setting up a Python Simple HTTP server to host the Meterpreter shell:

Navigating to /windows/temp on the target and using the Windows certutil utility to download the shell, ready to execute it:

Starting MSFconsole, selecting the multi handler module, setting and running the exploit:

  • payload to specify the payload type, in this case the same Windows Meterpreter TCP reverse shell used when generating the executable
  • LHOST to specify the local host IP address to connect to
  • LPORT to specify the local port to connect to

Executing the shell from the target host – a Meterpreter shell is now open:

Executing the Meterpreter sysinfo command to check the architecture of the target host:

Uploading the WinPEAS enumeration executable using the Meterpreter upload command:

Dropping into a normal CMD shell and executing WinPEAS:

WinPEAS identified a service with weak file permissions on its installation directory (SystemScheduler); this could be used to escalate privileges:

Navigating to the installation directory of SystemScheduler:

Listing the files in the current directory and navigating to the Events folder, which looks unusual:

Based on the log file, it looks like Message.exe runs every 30 seconds:
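As an added example (not code from the walkthrough, nor from WinPEAS), the following PowerShell audit reproduces the check behind this finding from a hardening perspective: for each service it resolves the service binary, then reports any executable in the service's install folder that a low-privileged principal can modify, which is exactly what allows a replaced Message.exe to run under a privileged account. It assumes an elevated PowerShell session on the host being audited; the principal list and the rights mask are choices made for the example.

```powershell
# Added example (not from the walkthrough): report service executables writable by
# low-privileged principals. Assumes an elevated PowerShell session on the audited host.

# Principals whose write access to a privileged service's binaries is a finding.
$LowPrivPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
# Rights that let a user replace or alter a file (Modify and FullControl include these bits).
$WriteMask = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # Win32_Service.PathName may be quoted and may carry arguments; keep only the executable.
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^(.+?\.exe)') { return $Matches[1] }
    return $PathName
}

function Get-WeakAce {
    param([string]$Path)
    # Return the first Allow ACE granting write-style rights to a low-privileged principal.
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $null }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $WriteMask) -ne 0) {
            return "$($ace.IdentityReference.Value): $($ace.FileSystemRights)"
        }
    }
    return $null
}

Get-CimInstance Win32_Service | ForEach-Object {
    $svc = $_
    $exe = Get-ServiceBinaryPath $svc.PathName
    if (-not $exe -or -not (Test-Path -LiteralPath $exe)) { return }
    # Check the service binary and every executable beside it: a scheduler such as
    # SystemScheduler launches other programs (Message.exe here) from its own folder.
    $dir     = Split-Path -Parent $exe
    $targets = @($exe) + @(Get-ChildItem -LiteralPath $dir -Recurse -File -ErrorAction SilentlyContinue |
                           Where-Object { $_.Extension -in '.exe', '.dll' } | ForEach-Object FullName)
    foreach ($file in ($targets | Sort-Object -Unique)) {
        $weak = Get-WeakAce $file
        if ($weak) {
            [pscustomobject]@{ Service = $svc.Name; RunsAs = $svc.StartName; File = $file; WeakAce = $weak }
        }
    }
} | Format-Table -AutoSize
```

Any row whose RunsAs is LocalSystem or an administrative account is the condition exploited below; the fix is to remove the write-style ACE (icacls /remove) or move the software under a directory inheriting the default Program Files permissions.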

The next step is to generate some shellcode using MSFvenom with the following flags:

  • -p to specify the payload type, in this case the Windows Meterpreter TCP reverse shell
  • --encoder to specify the encoder to be used for the shellcode, in this case shikata_ga_nai
  • LHOST to specify the local host IP address to connect to
  • LPORT to specify the local port to connect to
  • -f to specify the format to be used for the shell, in this case exe

Renaming Message.exe and replacing it with the malicious Message.exe previously created:

Backgrounding the current session, selecting the multi handler module, setting and running the exploit:

  • LHOST to specify the local host IP address to connect to
  • LPORT to specify the local port to connect to

Once the system runs the Message.exe file, a callback is received as the Administrator user:

Privilege Escalation without Metasploit

Generating some shellcode using MSFvenom with the following flags:

  • -p to specify the payload type, in this case the Windows TCP reverse shell
  • --encoder to specify the encoder to be used for the shellcode, in this case shikata_ga_nai
  • LHOST to specify the local host IP address to connect to
  • LPORT to specify the local port to connect to
  • -f to specify the format to be used for the shell, in this case exe

Hosting it on the Kali host using the Python Simple HTTP Server and downloading it from the target host using Certutil:

Renaming Message.exe and replacing it with the malicious Message.exe previously created:

The next step is to set up a Netcat listener, which will catch our reverse shell when it is executed by the victim host, using the following flags:

  • -l to listen for incoming connections
  • -v for verbose output
  • -n to skip the DNS lookup
  • -p to specify the port to listen on

Once the system runs the Message.exe file, a callback is received as the Administrator user:

The original system installation date can be viewed using the systeminfo command.

Conclusion

This was a really fun box overall. The techniques required to exploit it are not too advanced, although there is a good variety of vectors in use (brute-forcing, remote code execution, insecure service permissions), which is great. Windows boxes aren’t very common in CTFs, so it’s great that TryHackMe has so many in their arsenal.