
Danny Ghazal

NTS330
12/22/20
Professor Mike
Exploit Research Alternative Assignment

For the alternative assignment I'm doing a TryHackMe challenge called HackPark. For this challenge I will cover brute forcing account credentials using Hydra, handling public exploits, utilizing the Metasploit Framework, and privilege escalation.

TASK 1 Deploy the Vulnerable Machine: The first task is fairly simple; it asks you to deploy the virtual machine and connect to the web server. To connect I had to download the OpenVPN client and set up a profile for it to work with TryHackMe. After that I navigated to the web server address 10.10.252.152. Then it asks for the name of the clown on the webpage after you navigate to that address, and the picture was Pennywise the clown.

TASK 2 Using Hydra to Brute-Force a Login: The first thing the task asks for is what type of request the website is using. I inspected the element and found that the website request type was POST. The next step says to guess a username and password from a wordlist to gain credentials. This step confused me a little because I didn't see a login form where I could attempt a brute force. I aimlessly looked around for a little while, then I decided to do some Google searching and learned about a tool called gobuster that helps find directories where there may be a login form. I ran this command:

gobuster dir -u http://10.10.252.152/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

The output gave me a bunch of results, but one of the results was admin. So I added /admin to the end of the web address and this took me to a login form. Now before proceeding I watched a couple of videos on how to use Hydra because this was going to be my first time using it or any brute force tool in general. It took me some time to figure it out but I eventually got it. I used this command:

hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.252.152 http-post-form "/Account/login.aspx?ReturnURL=/admin:__VIEWSTATE=vmoWELIEHcU7xqD69lqiXYmP4ZLDrahxumlYIcxRGlVKxgqWeccX4ZEy12arujQ8DFvys9zbTyNI%2FtDzt9mLcPs1N4Mepfq%2BqiaZMDHW2KI4Asg2gvn%2Bz2TF2DI7L65bUHJkYQU86yuAjY941AaVEqH2VeFDxT7FARjLno%2F3waBJUKrV&__EVENTVALIDATION=5r8chOws9xAGQf0oV1H3FsVivyBvntUS1Aci5wK4i8%2F2ZrFVkvPVOFysCwkt2LPivr6F5Ei2jj22ZuAnMh3W21QSmOF1foEY%2FOXOdrRVwZqMrbzKr9%2FmG1E4L16UcsECWx4szU1AS%2BqssIZOoOnY8m9hltvbEwKzeAlnRCyvksPshb2i&ctl00%24MainContent%24LoginUser%24UserName=^USER^&ctl00%24MainContent%24LoginUser%24Password=^PASS^&ctl00%24MainContent%24LoginUser%24LoginButton=Log+in:Login Failed" -vv

I used the hydra command, specified the rockyou.txt file for the wordlist and POST as the request type. I then used the cookie information from a failed login attempt, which I captured through the Burp Suite proxy. I added "Login Failed" at the end and -vv for verbosity. This output the username as admin and the password as 1qaz2wsx. I got the admin username by googling default passwords for BlogEngine.NET, which is the website for the login form.
TASK 3 Compromise the Machine: Once I gained login credentials I logged into the admin dashboard for the website. The first question asked for the version number of the blog engine, so I went to the About tab and found the version was 3.3.6.0. The next question asked us to find an exploit for this and left a link to Exploit-DB, so I went to the website and found the exploit, which was CVE-2019-6714. I used wget to get the exploit on the machine and then uploaded it on the dashboard where the picture of Pennywise was posted. The instructions for the exploit say to open the file in a text editor, so I opened the file in nano and specified an IP and a port. I then opened up netcat and copied and pasted a specific path to the end of the URL as specified by the exploit instructions, which was ?theme=../../App_Data/files. After I hit enter for that URL I looked at the terminal and I had a Windows shell. I typed whoami in the shell and found out that the user I was running as was iis apppool\blog.
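As an added defensive illustration, not part of the original assignment, the Python below checks constructed IIS-style log lines for the two web-facing patterns that Task 2 and Task 3 exercise: a burst of POSTs to /Account/login.aspx from one source (what a Hydra run against the BlogEngine.NET login form looks like server-side) and a theme parameter that escapes the theme directory (the traversal used by the CVE-2019-6714 exploit). The log field order, the source addresses, and the threshold of ten login attempts per minute are assumptions.

```python
import urllib.parse
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IIS W3C-style log lines (not taken from the writeup).
# Field order: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
LOGIN_BURST = [
    f"2020-12-22 10:00:{s:02d} 10.10.1.5 POST /Account/login.aspx ReturnURL=/admin 200"
    for s in range(12)  # twelve failed logins (HTTP 200 with the "Login Failed" page)
]
SAMPLE_LOG = LOGIN_BURST + [
    "2020-12-22 10:00:13 10.10.1.5 POST /Account/login.aspx ReturnURL=/admin 302",
    "2020-12-22 10:02:00 10.10.1.5 GET /default.aspx theme=../../App_Data/files 200",
    "2020-12-22 10:02:05 10.10.1.5 GET /default.aspx theme=..%2F..%2FApp_Data%2Ffiles 200",
    "2020-12-22 10:03:00 10.10.2.9 POST /Account/login.aspx ReturnURL=/admin 200",
    "2020-12-22 10:03:10 10.10.2.9 GET /default.aspx theme=Standard 200",
]

def parse_line(line):
    date, time, ip, method, stem, query, status = line.split()  # seven fields per line
    return {"ts": datetime.fromisoformat(f"{date} {time}"), "ip": ip,
            "method": method, "stem": stem, "query": query, "status": int(status)}

def login_bursts(lines, threshold=10, window=timedelta(seconds=60)):
    """Return {ip: count} for sources with >= threshold login POSTs inside any `window`."""
    posts = defaultdict(list)
    for e in map(parse_line, lines):
        if e["method"] == "POST" and e["stem"].lower() == "/account/login.aspx":
            posts[e["ip"]].append(e["ts"])
    flagged = {}
    for ip, times in posts.items():
        times.sort()
        start = 0  # sliding window over the sorted timestamps
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), end - start + 1)
    return flagged

def theme_traversal(lines):
    """Return (ip, decoded theme) for requests whose theme parameter escapes the theme folder."""
    hits = []
    for e in map(parse_line, lines):
        params = urllib.parse.parse_qs(e["query"])  # parse_qs percent-decodes values
        for value in params.get("theme", []):
            if ".." in value or value.startswith(("/", "\\")):
                hits.append((e["ip"], value))
    return hits
```

Decoding before matching matters: the second traversal line is percent-encoded and would slip past a raw substring check for "../".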

TASK 4 Windows Privilege Escalation: This specific task sent me down a rabbit hole for a few hours. The task requires you to use Metasploit to get a Meterpreter session. I tried the best I could to get it to work without watching any tutorials, but I wasn't able to, so I watched some YouTube videos. After watching I learned how to set up the payload script and start a Python SimpleHTTPServer, and was able to get my shell.exe payload file onto the target machine. I ran the payload in msfconsole and gained access to a Meterpreter session. After that I ran the system info command and found out that it was running Windows 2012 R2 (6.3 Build 9600). The next task asks for the service that was running that was abnormal. This question confused me for a little while, so I did some research, and apparently whenever you see wservice or Windows Scheduler running you should instantly look there for binaries to exploit, so I did. I found a binary named message.exe that runs as SYSTEM, so I figured that this was what the challenge wanted me to exploit. So I exploited the message.exe service and gained admin privileges. After that I cd'd into the admin directory and Jeff's directory, found the txt files and used cat to get the flags, which I listed below.

Admin: 7e13d97f05f7ceb9881a3eb3d78d3e72

Jeff: 759bd8af507517bcfaede78a21a73e39

TASK 5 Privilege Escalation Without Metasploit: The last challenge prompts you to get a tool called winPEAS, which is already available in the attack box. Then I needed to get the winPEAS bat file into the Windows Temp directory on the victim's machine. I did this by spawning another Python server and sending the winpeas.bat file over. After that I ran the file and found the answer to the last question, which was the original install time: 8/3/2019, 10:43:23 AM.
