TryHackMe HackPark Machine Writeup

I subscribed to TryHackMe a long time ago but only recently started working on the machines. The THM team is doing a great job, and I believe that within a few months they will be in direct competition with HackTheBox. They are gaining new subscribers in large numbers as word of mouth spreads through the cyber security forums and users publish their write-ups. The THM approach is quite different from HTB; at the very least, there are no restrictions.

So here is my first full public write-up, for TryHackMe's new Windows machine, HackPark. Note that this machine is in the subscriber-only labs and is not available to free subscribers. You can always use the free labs, where you will find a good number of exploitable machines.

HackPark is a Windows machine. The goals are to brute-force a website's login page using Hydra, use RCE and winPEAS to identify and run a public exploit, and then escalate privileges to gain access to the system administrator account.

NMAP SCANNING

The Nmap scan revealed a couple of open ports. I visited the website, and the answer to the first flag was on the home page.

Find the login page and identify the web server request method

Getting the first flag is trivial; next we need to find a login page to attack and identify what type of request the form makes to the web server. I used GoBuster to find the login page and Burp Suite to identify the request method.

Brute force the Login page to get the Admin password

The website runs on BlogEngine, and a quick Google search showed that the default user is "Admin". So I used Hydra to do the rest and successfully obtained the password.
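From the defender's side, the noisy part of this step is the burst of POST requests a tool like Hydra sends to the login form. The following script is an added example and not part of the original write-up: it scans IIS W3C log lines for repeated POSTs to the login page from one client address within a short window. The log lines are constructed, and the login path /Account/login.aspx is an assumption about a default BlogEngine install.

```python
"""Flag clients that hammer a web login form, from IIS W3C log lines."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. The #Fields line uses standard IIS field names;
# 192.0.2.10 sends six POSTs to the login page in six seconds, 198.51.100.7
# logs in normally with a single POST.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus time-taken
2020-08-06 10:00:00 10.0.0.5 GET / - 80 - 198.51.100.7 Mozilla/5.0 200 0 15
2020-08-06 10:00:01 10.0.0.5 GET /Account/login.aspx - 80 - 192.0.2.10 Mozilla/5.0 200 0 12
2020-08-06 10:00:02 10.0.0.5 POST /Account/login.aspx - 80 - 192.0.2.10 Mozilla/5.0 200 0 30
2020-08-06 10:00:03 10.0.0.5 POST /Account/login.aspx - 80 - 192.0.2.10 Mozilla/5.0 200 0 28
2020-08-06 10:00:04 10.0.0.5 POST /Account/login.aspx - 80 - 192.0.2.10 Mozilla/5.0 200 0 31
2020-08-06 10:00:05 10.0.0.5 POST /Account/login.aspx - 80 - 192.0.2.10 Mozilla/5.0 200 0 29
2020-08-06 10:00:06 10.0.0.5 POST /Account/login.aspx - 80 - 192.0.2.10 Mozilla/5.0 200 0 30
2020-08-06 10:00:07 10.0.0.5 POST /Account/login.aspx - 80 - 192.0.2.10 Mozilla/5.0 302 0 35
2020-08-06 10:00:40 10.0.0.5 POST /Account/login.aspx - 80 - 198.51.100.7 Mozilla/5.0 302 0 33
"""


def parse_iis_log(log_text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in log_text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):          # other directives (#Software, #Date, ...)
            continue
        if fields is None:
            raise ValueError("log data appeared before a #Fields header")
        values = line.split()
        if len(values) != len(fields):    # malformed line: skip rather than crash
            continue
        yield dict(zip(fields, values))


def detect_login_bruteforce(log_text, login_path="/Account/login.aspx",
                            threshold=5, window_seconds=60):
    """Return {client_ip: {attempts, first, last}} for clients whose POSTs to
    login_path reach `threshold` inside any sliding window of window_seconds."""
    attempts = defaultdict(list)
    for rec in parse_iis_log(log_text):
        if rec["cs-method"] != "POST" or rec["cs-uri-stem"].lower() != login_path.lower():
            continue
        ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        attempts[rec["c-ip"]].append(ts)

    window = timedelta(seconds=window_seconds)
    findings = {}
    for ip, times in attempts.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window's left edge
                start += 1
            count = end - start + 1
            if count >= threshold:
                prev = findings.get(ip)
                if prev is None or count > prev["attempts"]:
                    findings[ip] = {"attempts": count, "first": times[start], "last": t}
    return findings


if __name__ == "__main__":
    for ip, info in detect_login_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {info['attempts']} login POSTs between {info['first']} and {info['last']}")
```

On a real server point the parser at the files under the IIS log directory; the thresholds are deliberately low for the sample and should be tuned to the site's normal login volume. The 302 after a run of 200s is worth a look on its own, since BlogEngine re-renders the form on failure and redirects on success.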

Compromise The Machine

In this step, I had to identify and execute a public exploit from exploit-db.com to get initial access to this Windows machine. As I was already logged in as Admin, I went looking for the BlogEngine version. It wasn't difficult: I found it in the About section.

BlogEngine version 3.3.6.0 is known to have a Directory Traversal and Remote Code Execution (RCE) vulnerability (CVE-2019-6714).

Gaining Initial Shell

I copied the exploit code into my THM working directory for HackPark, created a new file called PostView.ascx and pasted the content in, then changed the client IP and port as needed.

I opened another terminal window and started my listener.

Next, I opened the blog post (Welcome to HackPark), uploaded the modified PostView.ascx using the file manager in the post edit options, and then triggered it from the URL: ?theme=../../App_Data/files

I received the connection back in my listener as IIS AppPool\Blog.
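The `?theme=../../App_Data/files` request is the traversal half of CVE-2019-6714: a user-supplied theme name is used to build a file path without being confined to the themes directory. The script below is an added example, not BlogEngine's code, showing how a server-side check would confine the name (an allow-list on the characters, then a real-path check that the result stays under the themes root), together with a helper a defender can run over request query strings to spot traversal patterns, including URL-encoded and double-encoded ones. The directory layout is constructed in a temporary folder and the theme name Standard is an assumption.

```python
"""Confine a user-supplied theme name to the themes directory; detect traversal in query strings."""
import os
import re
import tempfile
from urllib.parse import parse_qs, unquote

# Constructed layout: <tmp>/themes/Standard is a legitimate theme,
# <tmp>/App_Data/files is the directory the traversal in the write-up reaches for.
_BASE = tempfile.mkdtemp()
THEME_ROOT = os.path.join(_BASE, "themes")
os.makedirs(os.path.join(THEME_ROOT, "Standard"))
os.makedirs(os.path.join(_BASE, "App_Data", "files"))

# Allow-list: a theme name is a short token, never a path.
SAFE_THEME_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]{0,63}$")


def resolve_theme_path(theme_root, theme_name):
    """Return the real path of theme_name inside theme_root, or raise ValueError.

    Two independent layers: the allow-list rejects separators and dots outright,
    and the commonpath check catches anything (symlinks included) that would
    still resolve outside the root.
    """
    if not SAFE_THEME_NAME.match(theme_name):
        raise ValueError(f"rejected theme name: {theme_name!r}")
    root = os.path.realpath(theme_root)
    candidate = os.path.realpath(os.path.join(root, theme_name))
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError(f"path escapes theme root: {theme_name!r}")
    if not os.path.isdir(candidate):
        raise ValueError(f"no such theme: {theme_name!r}")
    return candidate


def is_traversal_attempt(query_string, max_decode_rounds=3):
    """True if any query parameter contains a '..' path segment after decoding.

    parse_qs decodes once; further rounds of unquote catch double-encoding such
    as %252e%252e%252f. Both '/' and '\\' count as separators, as on Windows/IIS.
    """
    for values in parse_qs(query_string, keep_blank_values=True).values():
        for value in values:
            decoded = value
            for _ in range(max_decode_rounds):
                nxt = unquote(decoded)
                if nxt == decoded:
                    break
                decoded = nxt
            if ".." in re.split(r"[\\/]+", decoded):
                return True
    return False


if __name__ == "__main__":
    print(resolve_theme_path(THEME_ROOT, "Standard"))
    for q in ("theme=Standard", "theme=../../App_Data/files", "theme=%252e%252e%252fApp_Data"):
        print(q, "->", "traversal" if is_traversal_attempt(q) else "clean")
```

The allow-list alone would have stopped the request in the write-up; the real-path check is there so that a future change to the allow-list (say, permitting dots in names) does not silently reopen the hole.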

Privilege Escalation

I made a shell using MSFVenom.

I hosted it with Python's SimpleHTTPServer.

I imported the shell I had just created using the PowerShell Invoke-WebRequest command.

I ran the reverse shell handler commands in Metasploit.

As soon as I ran .\shell.exe from the terminal, I had a meterpreter shell open.

I imported winPEAS the same way I imported shell.exe onto the machine and ran it from a proper shell to enumerate the running processes. The exploitable service is Message.exe.

I then moved shell.exe into the SystemScheduler directory, renamed the existing Message.exe to Message.bak, and renamed shell.exe to Message.exe.

I then exited the current meterpreter session, went back to the MSF multi/handler and ran the shell command again. After about 30 seconds I had a meterpreter shell as SYSTEM.
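The escalation works only because a low-privileged account can write into the directory of a binary that a privileged scheduler runs. The durable fix is to make that directory writable by administrators only; a detective control that catches exactly this swap (original renamed to .bak, replacement dropped under the original name) is a file-integrity baseline of the service directory. The script below is an added example, not part of the write-up: it builds a constructed SystemScheduler directory in a temporary folder, records SHA-256 hashes, replays the swap, and reports what changed.

```python
"""File-integrity baseline for a service's binary directory."""
import hashlib
import os
import tempfile


def hash_file(path, chunk_size=65536):
    """SHA-256 of a file, streamed so large binaries don't need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def baseline_directory(directory):
    """Map every regular file directly under `directory` to its SHA-256."""
    return {
        name: hash_file(os.path.join(directory, name))
        for name in sorted(os.listdir(directory))
        if os.path.isfile(os.path.join(directory, name))
    }


def audit_directory(directory, baseline):
    """Compare the directory against a stored baseline.

    Returns a sorted list of (kind, filename) where kind is 'modified',
    'missing' or 'added'. An empty list means nothing changed.
    """
    current = baseline_directory(directory)
    findings = []
    for name, digest in baseline.items():
        if name not in current:
            findings.append(("missing", name))
        elif current[name] != digest:
            findings.append(("modified", name))
    for name in current:
        if name not in baseline:
            findings.append(("added", name))
    return sorted(findings)


def simulate_binary_swap():
    """Replay the swap from the write-up against constructed files.

    Returns (findings_before_swap, findings_after_swap).
    """
    with tempfile.TemporaryDirectory() as tmp:
        svc_dir = os.path.join(tmp, "SystemScheduler")   # constructed, not the real install path
        os.mkdir(svc_dir)
        exe = os.path.join(svc_dir, "Message.exe")
        with open(exe, "wb") as fh:
            fh.write(b"MZ constructed original binary")
        baseline = baseline_directory(svc_dir)

        clean = audit_directory(svc_dir, baseline)

        # Rename the original to Message.bak and drop a different file under its name.
        os.rename(exe, os.path.join(svc_dir, "Message.bak"))
        with open(exe, "wb") as fh:
            fh.write(b"MZ constructed replacement binary")

        swapped = audit_directory(svc_dir, baseline)
        return clean, swapped


if __name__ == "__main__":
    before, after = simulate_binary_swap()
    print("before swap:", before or "clean")
    print("after swap: ", after)
```

In production the baseline is written once from a known-good state and stored somewhere the service account cannot modify; the audit runs on a schedule or as a scheduled task under an administrator account, and any 'modified' or 'added' entry in a directory that should never change is an incident, not a warning.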

Original Install Time:

Root.txt


Navin

Hey there, I'm Navin, a passionate Info-Sec enthusiast from Bahrain. I started this blog to share my knowledge. I usually write on HackTheBox machines and challenges, cybersecurity-related articles and bug-bounty. If you are an HTB user and like my articles, please respect here: https://www.hackthebox.eu/home/users/profile/68523
