The next in the list is: BART!
This one is a hard-ish rated box and the one I’m the most proud of! With just about 1500 roots, it must be hard!
Let me try and grapple the beast.
As always, I start with an nmap scan of the machine.
As we can see, only port 80 is open.
Alright, so I go to http://10.10.10.81 in my browser. However, it keeps automatically redirecting me to forum.bart.htb. So I added an entry mapping forum.bart.htb to 10.10.10.81 in my /etc/hosts.
After that, when I tried going to http://10.10.10.81, it again redirected me to forum.bart.htb; however, this time, as I had the correct IP address in /etc/hosts, it showed me the correct site.
So I started running gobuster and all kinds of things to check for vulns, but couldn’t find any. While I was searching, I noticed that when I went to a random directory on the IP address I was not redirected but instead got a page not found.
So I thought there must be more pages under the IP address that were not on the redirected site. Sure enough, after running wfuzz I found multiple directories under the IP address.
When I went to http://10.10.10.81/forum, there it was, the normal forum page. So /monitor had to have something new.
Now, I did not know the password or the username.
But when I looked at the source code of the original forum site, there were details of a person that had been commented out.
From this I tried some combinations until harvey:potter worked!
Now I could log in and see the servers being monitored.
Hmmm, so there is another site being hosted called internal-01.bart.htb.
So that is where I proceed.
NOTE: I had to add all of these into /etc/hosts too.
The internal site presents me with this page:
I tried all combinations of passwords and usernames. I tried to inject SQL of all sorts but nothing worked. Then I thought to myself: maybe there is a secret.txt or some file containing those details lying somewhere. So I gobustered the thing to find out more.
Okay, the /log directory looks interesting. Let me take a closer look at what’s inside.
Alright, I’ve found two more files: log.php and log.txt
I visit log.txt to check what’s in it.
Okay, so it seems to be some sort of logged value.
Then I check log.php and get these errors:
It’s clearly asking for two parameters. So I provide both: filename with the previously found log.txt, and username with the value present in log.txt, harvey.
This way the 0 changed to 1, and one more entry was added to log.txt when I checked it.
So I knew I could write the value given as username into the file given as filename.
I found out that while I could change the filename, I could not change the username. After I thought for some time, it was clear! Even if I can’t change the username, I can change other parameters being logged, like the User-Agent.
When I did, it did get logged, so I wrote a simple PHP shell using shell_exec and injected it.
I also later found a folder microsoft/windows inside the log directory where I added the code.
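As an added example, not from the original writeup: a small Python check a defender could run over web-server log entries to catch the log-poisoning pattern used above (PHP tags arriving in a User-Agent header, and log.php being pointed at a file other than the expected log). The log line format, the sample entries and the filename allowlist are all constructed assumptions for this example.

```python
import re
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

# Constructed sample log lines in a simplified format (an assumption for this
# example, not the layout of the box's real log.txt):
#   <client-ip> "<METHOD> <path?query>" <status> "<User-Agent>"
SAMPLE_LOG = """\
10.10.14.2 "GET /log/log.php?filename=log.txt&username=harvey" 200 "Mozilla/5.0"
10.10.14.2 "GET /log/log.php?filename=log.txt&username=harvey" 200 "<?php echo 1; ?>"
10.10.14.2 "GET /log/log.php?filename=../evil.php&username=harvey" 200 "Mozilla/5.0"
10.10.14.3 "GET /forum/index.html" 200 "curl/7.68.0"
"""

LINE_RE = re.compile(r'^(\S+) "(\S+) (\S+)" (\d{3}) "([^"]*)"$')
PHP_TAG_RE = re.compile(r"<\?(php|=)", re.IGNORECASE)
ALLOWED_LOG_FILES = {"log.txt"}  # assumed allowlist for the filename parameter


def check_request(path: str, user_agent: str) -> List[str]:
    """Return the reasons one request should be flagged (empty if clean)."""
    reasons = []
    # Log poisoning needs the payload to land in a file the server will later
    # interpret, so raw PHP tags in a header destined for a log are the signal.
    if PHP_TAG_RE.search(user_agent):
        reasons.append("php tag in User-Agent")
    parts = urlsplit(path)
    if parts.path.endswith("/log.php"):
        filename = parse_qs(parts.query).get("filename", [""])[0]
        # The logger should only ever be pointed at an allowlisted bare name;
        # anything else means the write target is being chosen by the client.
        if filename not in ALLOWED_LOG_FILES:
            reasons.append(f"unexpected log target {filename!r}")
    return reasons


def scan_log(text: str) -> List[Dict[str, object]]:
    """Parse each line and collect findings keyed by line number."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsable lines are skipped, not silently trusted
        ip, _method, path, _status, ua = m.groups()
        reasons = check_request(path, ua)
        if reasons:
            findings.append({"line": lineno, "ip": ip, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']} from {f['ip']}: {', '.join(f['reasons'])}")
```

The same two checks, inverted, are the fix on the application side: reject any filename not in the allowlist and never write raw request headers into a location the web server will execute.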
Now, time for the real deal. I host the nishang Invoke-PowerShell script and try to run it through the command.
All the while listening with netcat.
This gives me the initial shell.
All good. Initial shell done.
As you can see, I am running as iusr, which is a service user. When I checked its privileges, it had all the privileges of a service user. The operating system running on this machine is Windows 10 Pro, a perfect host for JuicyPotato.
So now we know what to do ;)
I run JuicyPotato, while listening for a reverse shell.
Boom! Got system in this box.
This box was legendarily hard and took some time but very very worth it! :D