NTS330
12/22/20
Professor Mike
Exploit Research Alternative Assignment
For the alternative assignment I’m doing a TryHackMe challenge called hackpark. For this challenge I will cover brute forcing account credentials using hydra,
TASK 1 Deploy the Vulnerable Machine: The first task is fairly simple; it asks you to deploy the virtual machine and connect to the web server. To connect I had to download the OpenVPN client and set up a profile for this to work with TryHackMe. After that I navigated to the web server address 10.10.252.152. Then it asks what the name of the clown is on the webpage after you navigate to that address, and the picture was
TASK 2 Using Hydra to Brute-Force a Login: The first thing the task asks for is to find what type of request the website is using. I inspected the element and found that the website request type was POST. The next step says to guess a username and password from a wordlist to gain credentials. This step confused me a little because I didn’t see a login form where I could attempt a brute force. I aimlessly looked around for a little while, then I decided to do some Google searching and I learned about a tool called gobuster that helps find directories where there may be a login form. I ran this command: gobuster
The output gave me a bunch of results, but one of the results was admin. So I added /admin to the end of the web address and this took me to a login form. Now, before proceeding, I watched a couple of videos on how to use hydra because this was going to be my first time using it or any brute force tool in general. It took me some time to figure
"/Account/login.aspx?ReturnURL=/admin:__VIEWSTATE=vmoWELIEHcU7xqD69lqiXYmP4ZLDrahxumlYIcxRGlVKxgqWeccX4ZEy12arujQ8DFvys9zbTyNI%2FtDzt9mLcPs1N4Mepfq%2BqiaZMDHW2KI4Asg2gvn%2Bz2TF2DI7L65bUHJkYQU86yuAjY941AaVEqH2VeFDxT7FARjLno%2F3waBJUKrV&__EVENTVALIDATION=5r8chOws9xAGQf0oV1H3FsVivyBvntUS1Aci5wK4i8%2F2ZrFVkvPVOFysCwkt2LPivr6F5Ei2jj22ZuAnMh3W21QSmOF1foEY%2FOXOdrRVwZqMrbzKr9%2FmG1E4L16UcsECWx4szU1AS%2BqssIZOoOnY8m9hltvbEwKzeAlnRCyvksPshb2i&ctl00%24MainContent%24LoginUser%24UserName=^USER^&ctl00%24MainContent%24LoginUser%24Password=^PASS^&ctl00%24MainContent%24LoginUser
I used the hydra command, specified the rockyou.txt file for the wordlist and POST as the request type. I then used the cookie information from attempting a failed login, which I captured through the Burp Suite proxy. I added “login failed” at the end and -vv for verbosity. This output the username as admin and the password was 1qaz2wsx. I got the admin username by googling default passwords for BlogEngine.NET, which is the website for the login form.
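Added example (not part of this write-up or of the HackPark room): a small detector that would flag a hydra run like the one above from the web server's own access log, by counting login POSTs per client inside a sliding time window and noting whether a redirect (successful login) followed the burst. The log lines, client IPs and field layout are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IIS-style log lines (date time c-ip cs-method cs-uri-stem sc-status).
# They are made up for this example, not captured from the HackPark machine.
SAMPLE_LOG = """\
2020-12-22 10:00:01 10.10.14.5 POST /Account/login.aspx 200
2020-12-22 10:00:01 10.10.14.5 POST /Account/login.aspx 200
2020-12-22 10:00:02 10.10.14.5 POST /Account/login.aspx 200
2020-12-22 10:00:02 10.10.14.5 POST /Account/login.aspx 200
2020-12-22 10:00:03 10.10.14.5 POST /Account/login.aspx 200
2020-12-22 10:00:03 10.10.14.5 POST /Account/login.aspx 302
2020-12-22 10:05:00 10.10.14.9 POST /Account/login.aspx 302
2020-12-22 10:06:00 10.10.14.9 GET /admin/ 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d+)$")

def parse(log_text):
    """Yield (timestamp, ip, method, uri, status); unparsable lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        date, time, ip, method, uri, status = m.groups()
        yield datetime.fromisoformat(f"{date} {time}"), ip, method, uri.lower(), int(status)

def find_login_bursts(log_text, login_path="/account/login.aspx",
                      threshold=5, window=timedelta(seconds=60)):
    """Return {ip: (total_posts, saw_redirect)} for clients that POSTed to the login
    page at least `threshold` times inside any `window`. An ASP.NET forms login
    typically answers a bad attempt with 200 (page re-rendered with 'Login failed')
    and a good one with a 302 redirect, so a 302 after a burst suggests success."""
    posts = defaultdict(list)
    for ts, ip, method, uri, status in parse(log_text):
        if method == "POST" and uri == login_path:
            posts[ip].append((ts, status))
    flagged = {}
    for ip, events in posts.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Sliding window: advance `start` until the span fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                saw_redirect = any(st == 302 for _, st in events)
                flagged[ip] = (len(events), saw_redirect)
                break
    return flagged

if __name__ == "__main__":
    for ip, (count, success) in find_login_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {count} login POSTs, redirect seen: {success}")
```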
TASK 3 Compromise the Machine: Once I gained login credentials I logged into the admin dashboard for the website. The first question asked for the version number of the blog engine, so I went to the about tab and found the version was 3.3.6.0. The next question asked us to find an exploit for this and left a link to Exploit-DB, so I went to the website and found the exploit, which was CVE-2019-6714. I used wget to get the exploit on the machine and then uploaded it on the dashboard where the picture of Pennywise was posted. The instructions for the exploit say to open the file in a text editor, so I opened the file in nano and specified an IP and a port. I then opened up netcat and copied and pasted a specific path to the end of the URL as specified by the exploit instructions, which was: ?theme=../../App_Data/files. After I hit enter for that URL I looked at the terminal and I had a Windows shell. I typed whoami in the shell and found out
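Added example (not from this write-up or from the BlogEngine.NET project): the kind of theme-parameter handling that a `?theme=../../` value abuses, shown as a weak resolver beside a hardened one that allow-lists the name and checks path containment. The web root, themes directory and theme name are assumptions made for the example.

```python
import os
from urllib.parse import unquote

# Assumed layout for the example; these are not the real BlogEngine.NET paths.
WEB_ROOT = os.path.abspath("/var/www/blog")
THEMES_DIR = os.path.join(WEB_ROOT, "themes")
ALLOWED = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_")

def resolve_theme_unsafe(theme):
    """The weak pattern: the request value is joined straight onto the themes
    directory, so '../' segments walk out of it."""
    return os.path.normpath(os.path.join(THEMES_DIR, unquote(theme)))

def resolve_theme_safe(theme):
    """Hardened version. Decode once (as the framework would), allow-list the
    characters, then confirm the normalized path is still under THEMES_DIR.
    Returns the resolved path, or None when the value is rejected."""
    name = unquote(theme)
    if not name or len(name) > 64 or any(ch not in ALLOWED for ch in name):
        return None
    candidate = os.path.normpath(os.path.join(THEMES_DIR, name))
    # commonpath rather than startswith: 'themes_x' must not count as inside 'themes'
    if os.path.commonpath([THEMES_DIR, candidate]) != THEMES_DIR:
        return None
    return candidate

def inside_themes(path):
    """True when `path` lies under THEMES_DIR."""
    return os.path.commonpath([THEMES_DIR, path]) == THEMES_DIR

if __name__ == "__main__":
    for value in ("mytheme", "../../App_Data/files", "..%2F..%2FApp_Data%2Ffiles"):
        print(f"{value!r}: unsafe -> {resolve_theme_unsafe(value)}, "
              f"safe -> {resolve_theme_safe(value)}")
```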
TASK 4 Windows Privilege Escalation: This specific task sent me down a rabbit hole for a few hours. The task requires you to use Metasploit to get a meterpreter session. I tried the best I could to get it to work without watching any tutorials, but I wasn’t able to, so I watched some YouTube videos. After watching I learned how to set up the payload script and start a SimpleHTTP Python server, and was able to get my shell.exe payload file onto the target machine. I ran the payload in msfconsole and gained access to a meterpreter session. After that I ran the system info command and found out that it was running Windows 2012 R2 (6.3 Build 9600). The next task asks for the service that was running that was abnormal. This question confused me for a little while, so I did some research, and apparently whenever you see wservice or Windows scheduler running you should instantly look there for binaries to exploit, so I did. I found a binary named message.exe that runs as SYSTEM, so I figured that this was what the
admin privileges after that I cd’d into the admin directory and Jeff’s directory, found the txt files and used cat to get the flags, which I listed below.
Admin:7e13d97f05f7ceb9881a3eb3d78d3e72
Jeff: 759bd8af507517bcfaede78a21a73e39
TASK 5 Privilege Escalation Without Metasploit: The last challenge prompts you to get a tool called winPEAS, which is already available in the attack box. Then I needed to get the winPEAS bat file into the Windows Temp directory on the victim’s machine. I did this and spawned another Python server and sent the winpeas.bat file over. After that I ran the file and found the answer to the last question, which was what was the original install