An easy Windows box from TryHackMe: brute-force a login and exploit BlogEngine for initial access, then abuse a misconfigured service for SYSTEM.


It's a Windows box, so it blocks pings by default; use the -Pn flag on the nmap scan to skip host discovery.

sudo nmap -sC -sV -Pn -oA nmap/hackpark

The scan finds a web server with a login page.

To brute-force the login, use hydra.

The guessed username is the default, “admin”.

The form submits as an HTTP POST, so hydra's http-post-form module is the one to use.

The hydra call looks like this:

hydra -l admin -P /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt http-post-form "/Accou  
l00%24MainContent%24LoginUser%24Password=^PASS^&ctl00%24MainContent%24LoginUser%24LoginButton=Log+in:Login failed"

The hardest part of the call is the http-post-form argument, which has the format:

"<path to login form>:<body, with magic strings ^USER^ and ^PASS^>:<pattern that appears in an invalid login>"

The first part, the path of the login form, is the request URL.


The second part is the POST body, with ^USER^ and ^PASS^ in place of the username and password values.

The third part is the string in the response that marks a failed attempt, here “Login failed”.
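From the defender's side, the same "failed login marker" idea turns into a detection: a burst of POSTs to the login form from one client that all re-render the form is the footprint a hydra run leaves in the web server log. The following is an added example, not part of the original write-up; the login path, the constructed log lines and the assumption that a failed login returns 200 (form re-rendered) while a success returns 302 are all assumptions.

```python
# Added example (not from the original write-up): flag login brute-force attempts
# by counting failed POSTs per client IP inside a sliding time window.
# Log lines are constructed, simplified IIS-style entries, assumed to be in
# chronological order: date time method uri status client-ip
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOGIN_PATH = "/Account/login.aspx"   # assumed path of the login form
WINDOW = timedelta(minutes=1)        # sliding window length
THRESHOLD = 10                       # failed POSTs per IP per window to alert on

# Constructed sample: one normal visitor (10.0.0.5) and one client (10.0.0.99)
# hammering the form with 12 failed attempts in 12 seconds.
SAMPLE_LOG = "2024-01-01 10:00:00 GET /Account/login.aspx 200 10.0.0.5\n" + "\n".join(
    f"2024-01-01 10:00:{s:02d} POST /Account/login.aspx 200 10.0.0.99" for s in range(12)
) + "\n2024-01-01 10:00:30 POST /Account/login.aspx 302 10.0.0.5\n"


def parse_line(line):
    """Split one log line into (timestamp, method, path, status, client_ip)."""
    date, time, method, uri, status, ip = line.split()
    ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
    return ts, method, uri.split("?", 1)[0], int(status), ip


def detect_bruteforce(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return {ip: peak failed logins seen within any window} for IPs at/over threshold.

    A failed login is assumed to be a POST to LOGIN_PATH answered with 200
    (the form comes back with "Login failed"); a 302 is a successful redirect.
    """
    recent = defaultdict(deque)   # per-IP timestamps of failures inside the window
    peak = defaultdict(int)       # per-IP highest count observed in one window
    for raw in log_text.strip().splitlines():
        ts, method, path, status, ip = parse_line(raw)
        if method != "POST" or path != LOGIN_PATH or status != 200:
            continue              # only failed login POSTs are counted
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()           # drop failures that fell out of the window
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}


if __name__ == "__main__":
    print(detect_bruteforce(SAMPLE_LOG))   # -> {'10.0.0.99': 12}
```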


Once logged in, the BlogEngine version turns out to be vulnerable to CVE-2019-6714.

Exploiting it via directory traversal / file upload gives a low-privilege shell.

On the box, running winPEAS reveals a vulnerable service, WindowsScheduler, and specifically WService.exe.

It can also be found with:

tasklist /svc | findstr /i windowsscheduler

This shows WService.exe, but that is not the exploitable file.

The log file inside the service folder gives more information:

cd C:\Program Files (x86)\SystemScheduler\Events  
type 20198415519.INI_LOG.txt

Inside it, find a reference to “Message.exe”.

This executable runs with root-level (SYSTEM) privileges and we have write access to it; replacing it with an msfvenom meterpreter reverse shell gets root on the box.