Hackpark
An easy Windows box from TryHackMe: brute-force a login and exploit BlogEngine.NET for initial access, then abuse a misconfigured service to get SYSTEM.
Recon
It's a Windows box, and Windows Firewall drops ICMP echo requests by default, so nmap's host-discovery ping would mark the host as down; pass -Pn to skip host discovery:
sudo nmap -sC -sV -Pn -oA nmap/hackpark 10.10.74.116
The scan finds a web server with a login page.
Brute-force the login with hydra. The username to try is “admin”, the obvious guess for a blog's administrator account.
The login is an HTML form submitted by POST, so hydra's http-post-form module is the right one. The resulting hydra call looks like this:
hydra -l admin -P /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt 10.10.74.116 http-post-form "/Account/login.aspx:__VIEWSTATE=J7%2FrKT%2FRbzXElHvOFArr4HX0BUp05PUs%2Bjl4fN5QtFnsigr6tjwFZkWaUW9RaCNkl5wcaaA9I71WXBKsdywllsO45a8kdE%2BO2GeciLswYLZgMhEIYMOLKvVE1g9%2FuxmOjygsPrfW43YX1axgD3V%2FmbHd2lx7jcwje7Qgkp065G2LekTQ&__EVENTVALIDATION=nIJxL4rdGJE3KYMzFDmVH35CAPYLfmVh68KpFWCfpmOAp8i4dLgnYkYLVP3UEDV8IiIqX6kXoIwujnQvd7xTK1Tbiqg5RF0fYL3q6nazJk37P%2BrLs8lq043TvaeMwGi4uqTkx2onf8prQt9NNxgtS4oXE0haNUx6xQId8O8kqlZfYRAG&ctl00%24MainContent%24LoginUser%24UserName=^USER^&ctl00%24MainContent%24LoginUser%24Password=^PASS^&ctl00%24MainContent%24LoginUser%24LoginButton=Log+in:Login failed"
The hardest part is the module argument after http-post-form, which has three colon-separated fields:
"<path to login form>:<body, with magic strings ^USER^ and ^PASS^>:<pattern that appears in an invalid login>"
The path of the login form is the request URL, “/Account/login.aspx”.
The body is the URL-encoded POST body copied from a real login attempt (captured with a proxy or the browser's developer tools), with the submitted username and password replaced by ^USER^ and ^PASS^. The __VIEWSTATE and __EVENTVALIDATION values come from that same captured request: ASP.NET validates __EVENTVALIDATION on postback and answers with an error page instead of the login form if it is missing, so they cannot simply be dropped. The $ characters in the ASP.NET control names are sent as %24.
The third field is a string that appears in the response to a failed attempt, here “Login failed”. hydra treats this field as a failure condition by default: a response containing it means the guess was wrong, and the first response without it is reported as a hit. That also means any unexpected response (an error page, a throttling message) lacks the marker and shows up as a false positive, so verify a reported password by logging in manually.
Exploitation
Once logged in, check the installed BlogEngine.NET version: it is one affected by CVE-2019-6714, a directory-traversal flaw in how the application loads theme files that lets an authenticated user have an uploaded .ascx file executed on the server.
Exploiting it (upload the crafted file, then trigger it through the path traversal) gives a low-privilege shell on the box.
On the box, winPEAS flags a third-party service, WindowsScheduler (System Scheduler), whose service binary is WService.exe.
The service and its process can be confirmed with
tasklist /svc | findstr /i windowsscheduler
This shows WService.exe, but the service binary itself is not the exploitable file.
The scheduler's log files in its Events folder show what it actually runs:
cd C:\Program Files (x86)\SystemScheduler\Events
type 20198415519.INI_LOG.txt
Inside, the log shows the scheduler repeatedly launching “Message.exe” with elevated privileges.
The current user has write access to that file, so replacing it with an msfvenom reverse-shell executable (meterpreter) and starting a matching listener gives an elevated shell the next time the scheduled event fires. Confirm the write permission first (icacls on the file shows it) and keep a copy of the original binary so the service can be restored afterwards.