HackPark

Box Description

Brute-Force a websites login with Hydra, identify and use a Public Exploit then escalate your privileges on this Windows machine!

NMAP

[IIS Windows Server: 80] [RDP: 3389]

Nmap scan report for 10.10.169.216
Host is up (0.22s latency).

PORT     STATE SERVICE            VERSION
80/tcp   open  http               Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-IIS/8.5
|_http-title: hackpark | hackpark amusements
| http-methods: 
|_  Potentially risky methods: TRACE
| http-robots.txt: 6 disallowed entries 
| /Account/*.* /search /search.aspx /error404.aspx 
|_/archive /archive.aspx
3389/tcp open  ssl/ms-wbt-server?
| ssl-cert: Subject: commonName=hackpark
| Not valid before: 2022-10-09T06:04:58
|_Not valid after:  2023-04-10T06:04:58
| rdp-ntlm-info: 
|   Target_Name: HACKPARK
|   NetBIOS_Domain_Name: HACKPARK
|   NetBIOS_Computer_Name: HACKPARK
|   DNS_Domain_Name: hackpark
|   DNS_Computer_Name: hackpark
|   Product_Version: 6.3.9600
|_  System_Time: 2022-10-10T06:06:39+00:00
|_ssl-date: 2022-10-10T06:06:41+00:00; -5s from scanner time.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -5s, deviation: 0s, median: -6s

Content Discovery

Landing Page: [IP:80]
From the Landing Page we can Click Login to get Redirected to BlogEngine Login Portal.

BlogEngine Login Portal Page: [IP:80/Account/login.aspx?ReturnURL=/admin/]

NMAP​

Content Discovery​

NMAP

Content Discovery