An easy Windows box from TryHackMe, brute force a login and exploit blogengine for initial access, then manipulate a misconfigured service for SYSTEM.

Recon

It's a Windows box, so it blocks pings by default; use the -Pn flag on the nmap scan so it skips host discovery.

sudo nmap -sC -sV -Pn -oA nmap/hackpark 10.10.74.116

Find a web server with a login page

Now to brute force the login, use hydra

The username guess is the default, “admin”

The form is a standard HTTP POST form, so hydra's http-post-form module fits

The hydra call looks like this:

hydra -l admin -P /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt 10.10.74.116 http-post-form "/Account/login.aspx:__VIEWSTATE=J7%2FrKT%2FRbzXElHvOFArr4HX0BUp05PUs%2Bjl4fN5QtFnsigr6tjwFZkWaUW9RaCNkl5wcaaA9I71WXBKsdywllsO45a8kdE%2BO2GeciLswYLZgMhEIYMOLKvVE1g9%2FuxmOjygsPrfW43YX1axgD3V%2FmbHd2lx7jcwje7Qgkp065G2LekTQ&__EVENTVALIDATION=nIJxL4rdGJE3KYMzFDmVH35CAPYLfmVh68KpFWCfpmOAp8i4dLgnYkYLVP3UEDV8IiIqX6kXoIwujnQvd7xTK1Tbiqg5RF0fYL3q6nazJk37P%2BrLs8lq043TvaeMwGi4uqTkx2onf8prQt9NNxgtS4oXE0haNUx6xQId8O8kqlZfYRAG&ctl00%24MainContent%24LoginUser%24UserName=^USER^&ctl00%24MainContent%24LoginUser%24Password=^PASS^&ctl00%24MainContent%24LoginUser%24LoginButton=Log+in:Login failed"

The hardest part is the portion of the call specifying the http-post-form; it's in the format:

"<path to login form>:<body, with magic strings ^USER^ and ^PASS^>:<pattern that appears in an invalid login>"

So the path of the login form is the request URL

“/Account/login.aspx”

Then the body, with the username and password fields replaced by the ^USER^ and ^PASS^ placeholders

Then the string that appears in the response and denotes a failed attempt, “Login failed”
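As an added defender-side example (not part of the original writeup), here is a small Python detector for the pattern the hydra run above produces in the web server's logs: a burst of POSTs to /Account/login.aspx from one client that all come back as 200 because the page is re-rendered with “Login failed”, possibly followed by a 302 once a guess succeeds. The log lines are constructed, the field layout is an assumed trimmed IIS W3C format, and the status-code behaviour (200 on failure, 302 redirect on success) is assumed from how ASP.NET forms authentication normally responds.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of IIS W3C log lines (not taken from the box): 10.0.0.9 hammers
# the login page with POSTs that all return 200 (page re-rendered with "Login failed"),
# then gets a 302 (assumed success redirect); 10.0.0.5 logs in normally.
SAMPLE_LOG = """#Fields: date time cs-method cs-uri-stem c-ip sc-status
2024-01-01 10:00:00 GET /Account/login.aspx 10.0.0.5 200
2024-01-01 10:00:01 POST /Account/login.aspx 10.0.0.9 200
2024-01-01 10:00:01 POST /Account/login.aspx 10.0.0.9 200
2024-01-01 10:00:02 POST /Account/login.aspx 10.0.0.9 200
2024-01-01 10:00:02 POST /Account/login.aspx 10.0.0.9 200
2024-01-01 10:00:03 POST /Account/login.aspx 10.0.0.9 200
2024-01-01 10:00:03 POST /Account/login.aspx 10.0.0.9 302
2024-01-01 10:05:00 POST /Account/login.aspx 10.0.0.5 302
"""

def parse_iis(text):
    """Yield one dict per log record, using the #Fields: header for column names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            rec = dict(zip(fields, line.split()))
            rec["ts"] = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
            yield rec

def detect_login_bursts(text, path="/Account/login.aspx", threshold=5, window=timedelta(seconds=60)):
    """Map client IP -> {"failed": peak failures inside one window, "success_after": bool}
    for clients that sent at least `threshold` failed login POSTs within `window`."""
    posts = defaultdict(list)
    for rec in parse_iis(text):
        if rec["cs-method"] == "POST" and rec["cs-uri-stem"].lower() == path.lower():
            posts[rec["c-ip"]].append((rec["ts"], rec["sc-status"]))
    alerts = {}
    for ip, events in posts.items():
        events.sort()
        fails = [t for t, st in events if st == "200"]
        # peak number of failures falling inside any single sliding window
        peak = max((sum(1 for t in fails[i:] if t - start <= window)
                    for i, start in enumerate(fails)), default=0)
        if peak >= threshold:
            # a redirect after the first failure suggests the guessing paid off
            success_after = any(st == "302" and t >= fails[0] for t, st in events)
            alerts[ip] = {"failed": peak, "success_after": success_after}
    return alerts

if __name__ == "__main__":
    for ip, info in detect_login_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {info['failed']} failed logins in one window, success after: {info['success_after']}")
```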

Exploitation

Now that we are logged in, the BlogEngine version turns out to be vulnerable to CVE-2019-6714

Exploiting it (directory traversal via the upload feature) gives a low-privilege shell

On the box, run winPEAS; it flags a vulnerable service, WindowsScheduler, and specifically its binary WService.exe

This can be found using

tasklist /svc | findstr /i windowsscheduler

which shows WService.exe, but that isn't the exploitable file

The log file inside of the service folder contains more information

cd C:\Program Files (x86)\SystemScheduler\Events  
type 20198415519.INI_LOG.txt

Inside, the log shows the scheduler running “Message.exe”

Message.exe runs with SYSTEM privileges and we have write access to it, so replacing it with an msfvenom meterpreter reverse shell gets root (SYSTEM) on the box