{"id":449,"date":"2023-12-28T04:29:37","date_gmt":"2023-12-28T04:29:37","guid":{"rendered":"https:\/\/infosecjake.net\/?p=449"},"modified":"2023-12-28T04:29:39","modified_gmt":"2023-12-28T04:29:39","slug":"tryhackme-hackpark-ctf-walkthrough","status":"publish","type":"post","link":"https:\/\/infosecjake.net\/?p=449","title":{"rendered":"Tryhackme – HackPark CTF Walkthrough"},"content":{"rendered":"\n

Hey guys, back again for another CTF. This time, I\u2019m working through the Offensive Pentesting Path on TryHackMe. I\u2019ve already done several of the boxes, but thought I\u2019d start doing some walkthroughs for other ones on this learning path.<\/p>\n\n\n\n

Today, we\u2019re doing the HackPark CTF. The description on this box is that we will brute force a website with Hydra, identify and use an exploit, and then escalate privileges on the windows machine. Pretty straight forward. Let\u2019s get to it!<\/p>\n\n\n\n

First off, start up the HackPark machine and either the attackbox or your own VM attack box.<\/p>\n\n\n\n

Once everything is up, we\u2019ll start off by scanning the HackPark machine to see what ports and services are available.<\/p>\n\n\n\n

Let\u2019s get that nmap scan fired off.<\/p>\n\n\n\n

\"nmap<\/figure>\n\n\n\n

First scan attempt appears to be blocked. This host may not respond to ICMP, so let\u2019s try with a -Pn flag to disable pinging.<\/p>\n\n\n\n

\"nmap<\/figure>\n\n\n\n

There we go. Only seeing 2 ports open. HTTP service on port 80 and Remote Desktop on 3389.<\/p>\n\n\n\n

Question 1.<\/strong><\/p>\n\n\n\n

Let\u2019s have a look at that website on port 80 to answer question 1.<\/p>\n\n\n\n

\"pennywise\"<\/figure>\n\n\n\n

There you have it. Pennywise is the clown displayed on the main page. So that answers question 1.<\/p>\n\n\n\n

Question 2.<\/strong><\/p>\n\n\n\n

Next, the CTF asks what request type the login form uses on this website. So, let\u2019s do some digging. We first click the hamburger menu in the top right of the website and then click the login link.<\/p>\n\n\n\n

Next, let\u2019s review the source code to see what the form uses.<\/p>\n\n\n\n

We can do this by either viewing page source or inspecting the site. For this one, I\u2019m doing to inspect the site and then just hover my mouse over the login fields.<\/p>\n\n\n\n

However, inspecting shows us this pretty much from the start.<\/p>\n\n\n\n

\"form<\/figure>\n\n\n\n

This form uses the post method. That answers question 2.<\/p>\n\n\n\n

Question 3.<\/strong><\/p>\n\n\n\n

Next up, the CTF wants us to run hydra on the login form to brute force the site.<\/p>\n\n\n\n

Command: hydra -l <username> -P \/usr\/share\/wordlists\/<wordlist> <ip> http-post-form<\/code><\/p>\n\n\n\n

CTF states to guess a username. Well, we shall start off with admin. Because, why not?<\/p>\n\n\n\n

However, before we can do this, this command will need some extra things in it before it will work correctly.<\/p>\n\n\n\n

This came from some additional research on Hydra and how to use it to brute force http login forms from this site: How to Use Hydra to Crack Passwords: The Complete Guide (stationx.net)<\/a>.<\/p>\n\n\n\n

In order to get the rest of the parameters we need, we will need to load up BurpSuite and intercept the login page.

I\u2019m going to try with \u2018admin\u2019 and \u2018password\u2019 as the credentials.<\/p>\n\n\n\n

\"Burp<\/figure>\n\n\n\n

So, our new command will look like the below:<\/p>\n\n\n\n

hydra -l admin -P \/usr\/share\/wordlists\/rockyou.txt 10.10.233.116 http-post-form \"\/Account\/login.aspx:__VIEWSTATE=7IqFwhwBIvpdGk0pQ0ZF3BIomgkYkQyGD6UZup8FEEUkYHTnOg%2FAmuqgUJmQP9e1dR6T6ay0%2BJ6abKFmcZyvgYfxrbKCTlNf8Xmgo7wdsV%2BKjdJmjnd%2F4l1nmrLHK0RQP9QMCFJnF1a5L0IGiMtJxkdEZgIxr%2BffwfAIqbMKWOTBSmqQL9YU%2B90MfoJhMHMz0%2Fotm0U9y7FkmbDbkPDOaemscuF0%2FrOmOra5ALVeh5T1EodI4tZtxQd82rdBV86cMTJuONmm%2BWENiz9qdu9FhGNUv0UJ5kP4BB6%2F5%2BeqTy87apAtMu3WPZt%2FaBgNuMld9YbcuWVIQ2jnm%2FWkigmuENKRGzXXv%2FTgRCEwft5rxjnbNAfj&__EVENTVALIDATION=zmoIoariP5yHg8VXF9B4ZfNC%2BAe6y%2Fm3JxdnFBWMFSEFf8R8mjcobRlR7N3nObf7PZCRm27DxhWlkmACyQxF5a575ZZAdyMtLxSoXgz%2FY91iR1JlBEou9MXlVtHCFi%2B5iaGvRUVvOYeC1b1IrlTwcb8WEKLTWnemt5hVlqcwhTgfTnSw&ctl00%24MainContent%24LoginUser%24UserName=^USER^&ctl00%24MainContent%24LoginUser%24Password=^PASS^&ctl00%24MainContent%24LoginUser%24LoginButton=Log+in:Login Failed\"<\/code><\/p>\n\n\n\n

We must append the path and then the parameters shown at the bottom of the request made when attempting to login as shown above. Remember to replace \u2018admin\u2019 and \u2018password\u2019 with ^USER^ and ^PASS^, as shown above. Once this is done, we are now ready to launch the brute force attack. (FYI, I used the viewstate parameters from a different request.)<\/p>\n\n\n\n

Here\u2019s our results!<\/p>\n\n\n\n

\"hydra<\/figure>\n\n\n\n

We now have the admin credentials for the site and the answer to question 3.<\/p>\n\n\n\n

Question 4.<\/strong><\/p>\n\n\n\n

The CTF now asks us to identify the version of the BlogEngine. Let\u2019s dig around and see if we can find this on the site.<\/p>\n\n\n\n

Pretty simple, the about section lists out the version.<\/p>\n\n\n\n

\"blog<\/figure>\n\n\n\n

That gives us our answer to question 4.<\/p>\n\n\n\n

Question 5.<\/strong><\/p>\n\n\n\n

Next the CTF wants us to use the exploit database archive to identify a CVE that will give us a reverse shell for this. http:\/\/www.exploit-db.com\/<\/a> is the site we need to use.<\/p>\n\n\n\n

A quick search shows us a potential CVE that is verified and does have an exploit available.<\/p>\n\n\n\n

\"exploit<\/figure>\n\n\n\n

If we click on this and then copy the CVE to our answer, we can confirm that this is the CVE it is looking for.<\/p>\n\n\n\n

\"CVE\"<\/figure>\n\n\n\n

This answers question 5.<\/p>\n\n\n\n

Question 6.<\/strong><\/p>\n\n\n\n

Next the CTF wants us to use this exploit to gain initial access to the server and list what user the web server is running as. So, let\u2019s read the readme details on this exploit.<\/p>\n\n\n\n

\"exploit<\/figure>\n\n\n\n

Pretty straightforward. Let\u2019s try it out. So, let\u2019s start by grabbing this script and putting it on our attack box. We will then need to edit it to, as noted in the directions, have our attack box IP and port for a reverse shell connection to reach out to. I suggest downloading the script rather than trying to copy\/paste.<\/p>\n\n\n\n

\"modify<\/figure>\n\n\n\n

Now, with the script edited, we next need to rename it to PostView.ascx. Next, let\u2019s find the upload section and get this uploaded to the blog site.<\/p>\n\n\n\n

After browsing the site a little, I noticed that on the \u2018Welcome to HackPark\u2019 post, there is a file browser. We should be able to upload our exploit on this post.<\/p>\n\n\n\n

\"upload<\/figure>\n\n\n\n

Now it is uploaded.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Now, after uploading and saving that post. We need to start our listener. As usual, we\u2019ll use netcat.<\/p>\n\n\n\n

Now, we visit the url below to trigger the attack.<\/p>\n\n\n\n

http:\/\/IP-address-here\/?theme=..\/..\/App_Data\/files<\/code><\/p>\n\n\n\n

\"triggering<\/figure>\n\n\n\n

And we have a reverse shell!<\/p>\n\n\n\n

Now, lets see who we are to answer question 6.<\/p>\n\n\n\n

\"question<\/figure>\n\n\n\n

That answers question 6.<\/p>\n\n\n\n

Before we can continue, we will need a more stable shell. Essentially, the shell we have is very finnicky and commands won\u2019t work the best on it. If you try to run something like \u2018sysinfo\u2019 on this shell, you may not get any response back from the remote host. This is why we need a stable shell, to ensure that we can continue enumerating and issuing commands on the remote host without issues.<\/p>\n\n\n\n

We will use msfvenom to create a reverse shell executable to do this.<\/p>\n\n\n\n

\"msvenom\"<\/figure>\n\n\n\n

We now have an executable that will give us another reverse shell on a different port. Now, serve this up on a web server on my attack box and have the HackPark machine download it. But we must put it in a folder that the current user can probably access. We\u2019ll try the temp folder.<\/p>\n\n\n\n

Starting up my web server in my pywww folder where this executable is saved.<\/p>\n\n\n\n

\"web<\/figure>\n\n\n\n

Now, on the HackPark shell that we have open, I just need to have it connect and download the executable.<\/p>\n\n\n\n

\"Downloading<\/figure>\n\n\n\n

Monitoring my web server, I can see the connection come in and know it was successful.<\/p>\n\n\n\n

Now, instead of using a Netcat listener, we will use Metasploit to start a listener before executing our file that we just uploaded.<\/p>\n\n\n\n

Load Metasploit with \u2018msfconsole<\/code>\u2019 and then \u2018use exploit\/multi\/handler<\/code>\u2019. Then, we will set our payload with \u2018set PAYLOAD windows\/meterpreter\/reverse_tcp<\/code>\u2019. Finally, we set our options. First, check options by just typing \u2018options<\/code>\u2019. We will need to set the LHOST and LPORT to our respective attack box IP and Port that is in the executable we just uploaded.<\/p>\n\n\n\n

\"Metasploit\"<\/figure>\n\n\n\n

Your options should now look something like this. Of course, with our own IP and port in place.<\/strong><\/p>\n\n\n\n

Now, simply type run to start the listener.<\/strong><\/p>\n\n\n\n

Finally, we trigger our file. Just go to the C:\\Windows\\Temp folder and type executable.exe. Replacing \u2018executable\u2019 with your file name. This will then trigger the reverse shell that you should see pop up in Metasploit.

(My file didn\u2019t trigger. Why not? Because my machine time ran out. Argh! It takes a while to do the CTF as well as copy\/past, edit, and write a walkthrough while I\u2019m doing it.)<\/em><\/strong><\/p>\n\n\n\n

After some quick catching back up, we have executed our file and got a shell in Metasploit.<\/strong><\/p>\n\n\n\n

\"executing<\/figure>\n\n\n\n

Left side is the victim machine executing our payload and the right is Metsaploit with the new shell.<\/strong><\/p>\n\n\n\n

Question 7.<\/strong><\/p>\n\n\n\n

What is the OS version of the machine?<\/p>\n\n\n\n

\"OS<\/figure>\n\n\n\n

Now, with our Meterpreter shell, we can run sysinfo and answer question 7.<\/p>\n\n\n\n

Meterpreter does have some functions built in such as looking for services. Simply type \u2018ps<\/code>\u2019 in the meterpreter session to see what\u2019s running.<\/p>\n\n\n\n

\"ps\"<\/figure>\n\n\n\n
\"ps<\/figure>\n\n\n\n

Aside from our, obviously, abnormal jake.exe, I\u2019m seeing something called WScheduler.exe. Looking at the hint, it shows that we should check out the C:\\Program Files (x86) directory. Navigating to that in our meterpreter shell, we can see a folder called WindowsScheduler.<\/p>\n\n\n\n

\"SystemScheduler<\/figure>\n\n\n\n

Inside this directory we find the WScheduler.exe file. So, this has to be our answer for question 7.<\/p>\n\n\n\n

Question 8.<\/strong><\/p>\n\n\n\n

The CTF asks us what binary we should exploit. The hint suggests looking in logs from the abnormal service. In the same folder as the abnormal service and in the running services, I noticed something called Message.exe. The logs in the Events folder also points out this service. Let\u2019s try that for this question.<\/p>\n\n\n\n

\"log<\/figure>\n\n\n\n

Bingo!<\/p>\n\n\n\n

Message.exe is our answer for question 8.<\/p>\n\n\n\n

Question 9.<\/strong><\/p>\n\n\n\n

Next, we need to exploit this and get elevated privileges. This should be fairly simple, since this runs with elevated privileges, we can simply replace this file with a reverse shell, much like we did with msfvenom previously.<\/p>\n\n\n\n

\"new<\/figure>\n\n\n\n

Again, moving this into my pywww directory and hosting it on my web server for the HackPark box to grab.<\/p>\n\n\n\n

Again, referring to the above, set up Metasploit with \u2018use exploit\/multi\/handler<\/code>\u2019 and \u2018set PAYLOAD windows\/meterpreter\/reverse_tcp<\/code>\u2019 and finally setting your options appropriately.<\/p>\n\n\n\n

Run it to start the listener.<\/p>\n\n\n\n

Finally, let\u2019s download the file from the HackPark box.<\/p>\n\n\n\n

\"downloading<\/figure>\n\n\n\n

In this case, you won\u2019t have to trigger it, because the service gets called frequently. In fact, it started the shell within a few seconds.<\/p>\n\n\n\n

Now, we have a higher privilege shell we can use to finish the questions on this box.<\/p>\n\n\n\n

\"admin\"<\/figure>\n\n\n\n
\"jeff<\/figure>\n\n\n\n

And now we have the answer for question 9.<\/p>\n\n\n\n

Question 10.<\/strong><\/p>\n\n\n\n

Next, the root flag. This one was pretty simple, just going to the Admin desktop.<\/p>\n\n\n\n

\"root<\/figure>\n\n\n\n

The last section talks about escalation without Metasploit. This was a good option as well as it uses WinPeas, one of my favorite tools. In this case, you would want to host the WinPeas.exe file on your attackbox and then using one of the lower privilege shells, download the file and run it on the HackPark box.<\/p>\n\n\n\n

I did go ahead and do this, and this was the thing that stuck out quickly to me.<\/p>\n\n\n\n

\"winpeas<\/figure>\n\n\n\n

Question 11.<\/strong><\/p>\n\n\n\n

Using Winpeas, what was the original install time?<\/p>\n\n\n\n

I didn\u2019t use Winpeas for this, as there\u2019s a simple command to look this up.<\/p>\n\n\n\n

systeminfo|find \/i \"original\"<\/code><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Now, we have our final answer.<\/p>\n\n\n\n

Whew!<\/p>\n\n\n\n

There was a lot to this one. The usage of msfvenom to create payloads, Metasploit, and using a publicly available exploit for a CVE were all great learning moments on this CTF. Hopefully you learned something from this and can use that new knowledge on further CTF\u2019s in the future. We all run into roadblocks, issues, and sometimes even brick walls when doing these CTF\u2019s, but persistence and drive will get you past those. I appreciate you taking the time to read over this. If you have any questions, corrections, or callouts please feel free to reach out to me!<\/p>\n","protected":false},"excerpt":{"rendered":"

Hey guys, back again for another CTF. This time, I\u2019m working through the Offensive Pentesting Path on TryHackMe. I\u2019ve already<\/p>\n

Continue readingTryhackme – HackPark CTF Walkthrough<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":484,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[31],"tags":[33,32,34],"class_list":["post-449","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-ctf-challenge-walkthroughs","tag-ctf","tag-tryhackme","tag-walkthrough"],"aioseo_notices":[],"jetpack_featured_media_url":"https:\/\/infosecjake.net\/wp-content\/uploads\/2023\/12\/pennywise.png","jetpack-related-posts":[],"jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/infosecjake.net\/index.php?rest_route=\/wp\/v2\/posts\/449","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infosecjake.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosecjake.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosecjake.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/infosecjake.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=449"}],"version-history":[{"count":1,"href":"https:\/\/infosecjake.net\/index.php?rest_route=\/wp\/v2\/posts\/449\/revisions"}],"predecessor-version":[{"id":483,"href":"https:\/\/infosecjake.net\/index.php?rest_route=\/wp\/v2\/posts\/449\/revisions\/483"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/infosecjake.net\/index.php?rest_route=\/wp\/v2\/media\/484"}],"wp:attachment":[{"href":"https:\/\/infosecjake.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=449"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosecjake.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=449"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosecjake.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=449"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}