#tryhackme #medium #windows
![[Pasted image 20250713003236.png]]
---
# Information Gathering - Nmap
Let's first scan all 65,535 TCP ports using `nmap`.
```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ sudo nmap -sS $IP -Pn --open --min-rate 3000 -p-
[sudo] password for parallels:
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-12 20:03 CDT
Nmap scan report for 10.10.0.113
Host is up (0.13s latency).
Not shown: 65533 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE
80/tcp open http
3389/tcp open ms-wbt-server
Nmap done: 1 IP address (1 host up) scanned in 43.97 seconds
```
The first scan found two open ports: 80 and 3389. I'll scan again against those two ports, this time with the `-sCV` options for more detailed results.
```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ nmap -sCV $IP -Pn -p 80,3389
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-12 20:04 CDT
Nmap scan report for 10.10.0.113
Host is up (0.13s latency).
PORT STATE SERVICE VERSION
80/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| http-methods:
|_ Potentially risky methods: TRACE
| http-robots.txt: 6 disallowed entries
| /Account/*.* /search /search.aspx /error404.aspx
|_/archive /archive.aspx
|_http-title: hackpark | hackpark amusements
|_http-server-header: Microsoft-IIS/8.5
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=hackpark
| Not valid before: 2025-07-12T01:00:11
|_Not valid after: 2026-01-11T01:00:11
|_ssl-date: 2025-07-13T01:05:19+00:00; 0s from scanner time.
| rdp-ntlm-info:
| Target_Name: HACKPARK
| NetBIOS_Domain_Name: HACKPARK
| NetBIOS_Computer_Name: HACKPARK
| DNS_Domain_Name: hackpark
| DNS_Computer_Name: hackpark
| Product_Version: 6.3.9600
|_ System_Time: 2025-07-13T01:05:12+00:00
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.37 seconds
```
Lastly, a UDP scan against the top 10 ports.
```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ nmap -sU $IP --min-rate 3000 --top-ports 10 -Pn
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-12 20:08 CDT
Nmap scan report for 10.10.0.113
Host is up.
PORT STATE SERVICE
53/udp open|filtered domain
67/udp open|filtered dhcps
123/udp open|filtered ntp
135/udp open|filtered msrpc
137/udp open|filtered netbios-ns
138/udp open|filtered netbios-dgm
161/udp open|filtered snmp
445/udp open|filtered microsoft-ds
631/udp open|filtered ipp
1434/udp open|filtered ms-sql-m
Nmap done: 1 IP address (1 host up) scanned in 2.19 seconds
```
---
# Enumeration
##### Port 80 - HTTP
The main page on port 80 shows an image of Pennywise, the clown from the movie IT, and the text `Welcome to HackPark`.
![[Pasted image 20250712201003.png]]
`/robots.txt` reveals a few directories for us to explore, but I couldn't find any useful information in them.
![[Pasted image 20250712201257.png]]
There's a hamburger menu icon at the top right and it contains a login page.
![[Pasted image 20250712204943.png]]
Unfortunately, we haven't found any credentials except for the username `administrator` on the main page. I am not a fan of brute-force attacks, but we are running out of options, so I'm going to perform a brute-force attack against the login form with `hydra`.
![[Pasted image 20250712205405.png]]
In order to use `hydra` against the form, I need to identify what type of request the form makes to the web server. It's making a `POST` request.
![[Pasted image 20250712210107.png]]
From the Burp Suite request, I learned what to include in the Hydra command as parameters. I also included the `-f` option to stop the brute-force attack as soon as a password is found. I found a valid set of credentials :)
![[Pasted image 20250712215515.png]]
Successfully logged in as `admin` with the found password.
![[Pasted image 20250712221712.png]]
The `About` page reveals the version of `blogengine.net`, an open-source ASP.NET project.
![[Pasted image 20250712222119.png]]
# Exploitation - Initial Access
I searched for `blogengine 3.3.6` in `searchsploit` and it looks like there's a known public exploit (Directory Traversal / RCE) for this version.
![[Pasted image 20250712222243.png]]
![[Pasted image 20250712222811.png]]
As specified in the public exploit, the page `/admin/app/editor/editpost.cshtml` allows file upload. After navigating to the page, select `File Manager`.
![[Pasted image 20250712224018.png]]
Click on `Upload`, then select the public exploit that we downloaded from `searchsploit`. Note that you have to rename the file to `PostView.ascx`, otherwise the exploit won't work.
![[Pasted image 20250712232833.png]]
Then navigate to `/?theme=../../App_data/files`. The page reports that an error has occurred.
![[Pasted image 20250712232925.png]]
However, when I came back to the terminal, I was connected to the reverse shell.
```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ nc -lvnp 1234
listening on [any] 1234 ...
connect to [10.23.133.183] from (UNKNOWN) [10.10.0.113] 49450
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
whoami
c:\windows\system32\inetsrv>whoami
iis apppool\blog
```
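Both web-layer steps above leave distinctive traces in the IIS logs: a burst of `POST` requests to the login form from a single client, and a `theme` parameter carrying `../` path traversal just before the error page. The Python below is an added example, not part of the original write-up or of BlogEngine.NET: it parses IIS W3C-format log lines and flags both patterns. The log excerpt is constructed for the example (not captured from the lab), and the `/Account/login.aspx` stem, the field list and the client IPs are assumptions. The detector keys on any `POST` under `/Account/` and on any query parameter whose value contains a `..` path segment, so it covers more than the single `theme` request shown in the text.

```python
"""Flag login brute-force bursts and `..` traversal in IIS W3C logs.

Added example, not from the write-up. SAMPLE_LOG is a constructed IIS 8.5
excerpt: a burst of POSTs to the login form from one client, two requests
whose `theme` parameter carries traversal, and benign traffic for contrast.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import parse_qs, unquote

# Constructed: 12 POSTs to the (assumed) login stem within 12 seconds.
LOGIN_BURST = "\n".join(
    f"2025-07-13 01:10:{sec:02d} 10.10.0.113 POST /Account/login.aspx ReturnUrl=%2fadmin%2f "
    f"80 - 10.23.133.183 Mozilla/5.0+(X11;+Linux+x86_64) 200"
    for sec in range(0, 12)
)

SAMPLE_LOG = f"""#Software: Microsoft Internet Information Services 8.5
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-07-13 01:09:58 10.10.0.113 GET / - 80 - 10.10.0.50 Mozilla/5.0+(Windows+NT+10.0) 200
2025-07-13 01:09:59 10.10.0.113 POST /Account/login.aspx ReturnUrl=%2fadmin%2f 80 - 10.10.0.50 Mozilla/5.0+(Windows+NT+10.0) 302
{LOGIN_BURST}
2025-07-13 01:12:40 10.10.0.113 GET / theme=../../App_data/files 80 - 10.23.133.183 Mozilla/5.0+(X11;+Linux+x86_64) 500
2025-07-13 01:12:41 10.10.0.113 GET / theme=..%2f..%2fApp_data%2ffiles 80 - 10.23.133.183 Mozilla/5.0+(X11;+Linux+x86_64) 500
2025-07-13 01:12:42 10.10.0.113 GET / theme=Standard 80 - 10.10.0.50 Mozilla/5.0+(Windows+NT+10.0) 200
"""


def parse_iis_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields: directive."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("request line seen before #Fields: directive")
        parts = line.split(" ")
        # IIS writes '+' for spaces inside a field, so a count mismatch means a malformed line.
        if len(parts) != len(fields):
            continue
        yield dict(zip(fields, parts))


def find_login_bursts(records, threshold=10, window=timedelta(seconds=60), stem_prefix="/account/"):
    """Clients that POSTed to the same login-form stem >= threshold times within window.

    Returns {(client_ip, stem): peak_count_seen_inside_one_window}.
    """
    recent = defaultdict(deque)  # sliding window of timestamps per (ip, stem)
    bursts = {}
    for r in records:
        stem = r["cs-uri-stem"].lower()
        if r["cs-method"] != "POST" or not stem.startswith(stem_prefix):
            continue
        ts = datetime.strptime(f"{r['date']} {r['time']}", "%Y-%m-%d %H:%M:%S")
        key = (r["c-ip"], stem)
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            bursts[key] = max(bursts.get(key, 0), len(q))
    return bursts


def find_traversal(records):
    """Requests whose query string carries a `..` path segment in any parameter value.

    The query is URL-decoded twice so %2e%2e and %252e%252e encodings are caught;
    matching on a whole segment avoids false hits on names like 'file..txt'.
    """
    findings = []
    for r in records:
        query = r["cs-uri-query"]
        if query == "-":
            continue
        decoded = unquote(unquote(query))
        for name, values in parse_qs(decoded, keep_blank_values=True).items():
            for value in values:
                segments = value.replace("\\", "/").split("/")
                if ".." in segments:
                    findings.append((r["c-ip"], name, value, r["sc-status"]))
    return findings


def analyze(text=SAMPLE_LOG):
    records = list(parse_iis_w3c(text))
    return {"login_bursts": find_login_bursts(records), "traversal": find_traversal(records)}


if __name__ == "__main__":
    result = analyze()
    for (ip, stem), count in result["login_bursts"].items():
        print(f"login burst: {count} POSTs to {stem} from {ip} within 60s")
    for ip, name, value, status in result["traversal"]:
        print(f"traversal: {ip} sent {name}={value!r} (status {status})")
```

Point `analyze()` at a real `u_ex*.log` file's contents to run it against production logs; the `#Fields:` directive is read from the file, so the field order does not need to match the constructed sample. The threshold of ten POSTs per minute is a starting point and should be tuned against normal login volume for the site.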
# Privilege Escalation
`wmic service list brief | findstr "Running"` reveals a service named `WindowsScheduler` running.
![[Pasted image 20250713000430.png]]
In `C:\Program Files (x86)`, there's an unusual directory named `SystemScheduler`, which appears to correspond to the running `WindowsScheduler` service we just discovered.
![[Pasted image 20250713000523.png]]
`icacls` shows that `Everyone` has modify (`M`) permissions on the directory and all its subdirectories and files, which is unusual and poses a serious security risk.
![[Pasted image 20250713004035.png]]
Under the `Events` directory, there's a log file that reveals the name of the binary currently scheduled to run every 30 seconds; we can take advantage of this binary.
![[Pasted image 20250713000834.png]]
![[Pasted image 20250713000941.png]]
Back in the `SystemScheduler` directory, we can see that the `Message.exe` binary exists there.
![[Pasted image 20250713001327.png]]
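The weak ACL above is the whole privilege-escalation primitive: a directory whose contents are executed by a privileged account, but which any local user can modify. The PowerShell below is an added example of my own, not from the write-up or from the scheduler's vendor. It audits the image directory of every installed service for Allow entries that grant write-class rights to broad principals. The group names and rights are standard Windows ones; nothing here is HackPark-specific.

```powershell
# Added example (not from the write-up): list services whose image directory
# is writable by broad principals. Run from an elevated PowerShell prompt.
$BroadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
$WriteRights = [System.Security.AccessControl.FileSystemRights]::Modify -bor
               [System.Security.AccessControl.FileSystemRights]::Write -bor
               [System.Security.AccessControl.FileSystemRights]::WriteData -bor
               [System.Security.AccessControl.FileSystemRights]::FullControl

function Get-WeakServiceDirAcl {
    Get-CimInstance Win32_Service | Where-Object { $_.PathName } | ForEach-Object {
        $svc = $_
        # Image paths may be quoted and carry arguments; keep only the executable.
        $exe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] }
               elseif ($svc.PathName -match '^(.+?\.exe)') { $Matches[1] }
               else { ($svc.PathName -split ' ')[0] }
        $dir = Split-Path -Path $exe -Parent
        if (-not $dir -or -not (Test-Path -LiteralPath $dir)) { return }

        $acl = Get-Acl -LiteralPath $dir
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            # Any write-class bit set means the principal can replace files here.
            if (($ace.FileSystemRights -band $WriteRights) -eq 0) { continue }
            [pscustomobject]@{
                Service   = $svc.Name
                RunsAs    = $svc.StartName
                Directory = $dir
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

Get-WeakServiceDirAcl | Sort-Object Directory | Format-Table -AutoSize
```

On this box the `SystemScheduler` directory would be reported with `Everyone` holding `Modify`. The fix is to strip the broad grant rather than to rely on the scheduler being unattended, for example `icacls "C:\Program Files (x86)\SystemScheduler" /remove:g Everyone /T`, and then confirm the service still starts. The script only inspects each service's own install directory; programs launched by a scheduler from elsewhere need the same check applied to their paths.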
First, I renamed the binary to an arbitrary name, `Message2.excasdfsdfsdf`.
```powershell
C:\Program Files (x86)\SystemScheduler>move Message.exe Message2.excasdfsdfsdf
move Message.exe Message2.excasdfsdfsdf
1 file(s) moved.
```
I generated a reverse shell with `msfvenom` and named it `Message.exe`, which we are going to transfer to the remote Windows host.
![[Pasted image 20250713002010.png]]
With the `certutil` tool, I fetched the file from my local Kali machine onto the remote Windows system.
![[Pasted image 20250713002124.png]]
Executed the binary and after a short moment, I was connected to the shell.
![[Pasted image 20250713002203.png]]
Got `user.txt` in `C:\Users\jeff\Desktop`
![[Pasted image 20250713002258.png]]
Got `root.txt` in `C:\Users\Administrator\Desktop`
![[Pasted image 20250713002346.png]]