HackPark was a unique room on TryHackMe, an introduction to the means of manual exploitation. The room required the enumeration of a CVE, utilizing Hydra for post-form cracking and a unique privesc vector. Very special thank you to @RealTryHackMe for this amazing room!
As soon as the machine booted, I hit it with an nmap scan and then took a look at the room on TryHackMe.
It looks like the machine is running HTTP and I am being urged to inspect it. So I'll do that while the nmap scan is doing its thing.
This brings me to the second question in task one, "What is the name of the clown displayed on the site?" Well, I think I know who that is. If I didn't however, I could just save the picture and do a reverse image search.
Upon exploring the site further, I discover a comment feature, a login page, among other things. Additionally, in /robots.txt information disclosure is present.
I take note of this in Cherrytree. I also discover what the site is running in the source. I take note of Blogengine 18.104.22.168, which seems to be a more likely attack vector.
Using Searchsploit to further enumerate this Blogengine, I am introduced to multiple vulnerabilities. I save all these potential exploits for later. Since task 2 of the room wants me to login to the site, it is safe to assume that the potential exploit will be authenticated RCE.
Next, I begin to set up my Hydra command. To properly construct this command I will need the request body. I login with random credentials and grab the request body using Burp Suite, saving them for later.
I proceed to construct the command and use the rockyou.txt wordlist. If you need more information on using hydra to bruteforce HTTP, visit here. https://redteamtutorials.com/2018/10/25/hydra-brute-force-https/ This same process can be achieved with Burp Intruder, however it will take much longer than Hydra will. I added the -f and -v option to stop Hydra upon successful login and to be verbose. I set the username to, "admin" because it is the most obvious user and it is where the login page will redirect us upon successful login.
I receive a hit almost instantly.
After submitting it to Tryhackme, I login to the site and start scrutinizing the exploits for Blogengine we found earlier.
After sifting through the exploits that match the Blogengine version, I decide upon https://www.exploit-db.com/exploits/46353. I make a copy of this exploit using the id(46353), and the Searchsploit command.
I open it in VIM and change the lport and lhost. Then I start a listener using netcat.
The script offers a very clear explanation of the exploit and instructions on how to execute it. I follow the instructions to retrieve the shell.
Here I made a mistake, as per the comments in the script, I needed to name the payload, "PostView.ascx" So, I re-uploaded the payload with the correct name.
Finally, I am able to direct myself to the LFI vulnerable page and get a shell on my listener.
I can now answer every question in task 3.
This netcat shell isn't very stable, I am going to use msfvenom and impacket's smbserver to transfer a meterpreter shell.
Then I start a multi/handler on Metasploit, copy the shell and execute it.
Now I can answer question 2 in task 4.
Now here is where all hell breaks loose. Question 3, was by far the most difficult part of this room in my opinion. It required deep enumeration.
I started running ps and sc query to list all the running processes, and ended up finding the answer to the next question on accident.
I shifted my focus to Program Files (x86) as per the hint and began directing my attention to SystemScheduler.
After an hour and a half of enumeration and a break, I stumbled into this privesc CVE which reveals the service name. https://www.exploit-db.com/exploits/45072
Man that took way too long! I continue to use this same CVE to privesc. The privesc relies on the user having write access to the executable the scheduler is scheduled to run. Leveraging this, we can replace the executable with our own malicious version. Here, the executable of interest is, "Message.exe" I begin by renaming "Message.exe" to "Message.bak"
Then I craft my payload and give it the name, "Message.exe"
Lastly, I start an smbserver to transfer the trojan, start a multi/handler on port 8888 and make my move.
As you can see in my listener, the trojan has been executed and I have Administrator privileges. I went ahead and grabbed the user and root flag.
I was tired at this point and wanted to just bang out the last task. so instead of using winpeas to reveal the installation date, I simply opened a system shell and ran systeminfo.
Overall, this was a very enjoyable and practical room. Personally, the most valuable thing I learned was patience and improved enumeration skills. Additionally, I believe this room is great for newbies to learn about handling and editing public exploits as well as dictionary attacks. Thank you @RealTryHackme for this excellent room! But next time, please exclude Pennywise, he scared the crap out of me anytime I switched tabs.