TryHackMe : HackPark

Emre Alkaya
5 min read · Nov 18, 2020

Difficulty level: Medium

Room: HackPark

Today we will be looking at HackPark from TryHackMe.

Info: Brute-force a website's login with Hydra, identify and use a public exploit, then escalate your privileges on this Windows machine!

Task 1 : Deploy the vulnerable Windows machine

Deploy the machine and access its web server.

No answer needed.

What's the name of the clown displayed on the homepage?

We can run an nmap scan to get information about the server.

We can see that port 80 is open.

We can visit the website.

You can research the image to learn which character is displayed on the homepage.

ans : penny***

Task 2 : Using Hydra to brute-force a login

What request type is the Windows website login form using?

We can use Burp Suite for this question.

We can see the request type.

Guess a username, choose a password wordlist and gain credentials to a user account!

We can use Burp Suite or Hydra.

I’ll use Hydra.

We found the password.

We are inside the admin console.
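For defenders, the Hydra run above shows up in the web server's access log as a burst of failed login requests from one client. The following is an added example, not part of the original write-up, that flags that pattern in W3C-style log lines; the login path, the request method, the status codes for failed and successful logins, the threshold and the sample log are all assumptions or constructed values.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOGIN_PATH = "/login.aspx"   # placeholder: set to the site's real login page
METHOD = "POST"              # assumption: the login form submits with POST
FAIL, OK = "200", "302"      # assumption: failed login re-renders the form, success redirects
WINDOW, THRESHOLD = timedelta(seconds=60), 10   # flag >= 10 failures per minute per client

def parse(log_text):
    """Yield (timestamp, record) per entry, taking column names from the #Fields header."""
    names = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            names = line.split()[1:]
        elif line and not line.startswith("#") and names:
            rec = dict(zip(names, line.split()))
            ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
            yield ts, rec

def detect_bruteforce(log_text):
    """Return {client_ip: {"failures": n, "succeeded_after": bool}} for flagged clients."""
    recent = defaultdict(deque)   # client -> timestamps of failures still inside WINDOW
    flagged = {}
    for ts, rec in parse(log_text):
        if rec["cs-method"] != METHOD or rec["cs-uri-stem"].lower() != LOGIN_PATH:
            continue
        ip, status = rec["c-ip"], rec["sc-status"]
        if status == FAIL:
            q = recent[ip]
            q.append(ts)
            while ts - q[0] > WINDOW:      # drop failures older than the window
                q.popleft()
            if len(q) >= THRESHOLD:
                hit = flagged.setdefault(ip, {"failures": 0, "succeeded_after": False})
                hit["failures"] = max(hit["failures"], len(q))
        elif status == OK and ip in flagged:   # a success after a burst: treat the account as compromised
            flagged[ip]["succeeded_after"] = True
    return flagged

def build_sample():
    """Constructed log: one user mistyping twice, one client guessing 25 times then getting in."""
    rows = ["#Fields: date time cs-method cs-uri-stem c-ip sc-status"]
    rows += [f"2020-11-18 09:5{i}:00 POST /login.aspx 198.51.100.7 200" for i in range(2)]
    rows.append("2020-11-18 09:52:30 POST /login.aspx 198.51.100.7 302")
    rows += [f"2020-11-18 10:00:{i:02d} POST /login.aspx 203.0.113.9 200" for i in range(25)]
    rows.append("2020-11-18 10:00:25 POST /login.aspx 203.0.113.9 302")
    return "\n".join(rows)

if __name__ == "__main__":
    print(detect_bruteforce(build_sample()))
```

A flagged client with `succeeded_after` set is the case to act on first: reset that account's password and review what the session did in the admin console.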

Task 3 : Compromise the machine

Now you have logged into the website, are you able to identify the version of the BlogEngine?

We can see the version on the admin console.

What is the CVE?

We have to edit this file.

We listen on the values we wrote into the file.

Now we will upload the file we edited to the system via the file manager.

After we upload the file, we go to the directory that was given to us.

We are inside the machine.

Who is the webserver running as?

Tip: You can generate the reverse-shell payload using msfvenom, upload it using your current netcat session and execute it manually!

We create a backdoor using msfvenom.

We start a web server with Python to serve the file to the system.

We pull the file from our own web server.

We’ll access the system via msfconsole.

What is the OS version of this windows machine?

Here I used “winpeas.bat”.

We move the file we’re going to use onto the system.

And we run it.

What is the name of the abnormal service running?

What is the name of the binary you’re supposed to exploit?

Message.exe

We changed “message.exe” to “message.bak”

And then we changed “shell.exe” to “message.exe”

We are inside the machine.

What is the user flag (on Jeff's Desktop)?

We found the user flag.

What is the root flag?

We found the root flag.

Task 5 : Privilege Escalation Without Metasploit

Using winPeas, what was the Original Install time? (This is date and time)

We used winPEAS above.

So I completed it all.

This box was really fun! I love the ones that have a story/theme that goes along with them.

Hope you guys enjoyed this tutorial, let me know if you try this out. Follow me for more projects like this!
