Bart HTB

IP

10.10.10.81

Initial Nmap scan

sudo nmap -sV -sC -A -oA inital_nmap 10.10.10.81

Full Nmap scan

nmap -sV -p- -oA full_nmap_scan 10.10.10.81
  • Nothing new

Ports

80: HTTP

  • We can see nmap did not follow the redirect; let's add the domain to our hosts file

To exit out of vim (just in case):

Now that we have added the domain to the hosts file, let's direct our attention to port 80 (HTTP)

Port 80 HTTP

When we first land on the page, Wappalyzer shows us the technologies the web server is using

From what we can tell, this web server:

  • uses WordPress version 4.8.2

  • has a MySQL database

  • uses PHP

  • is an IIS server (Windows)

First, let's perform some directory busting

Let this run in the background

Quick note

  • While running feroxbuster, I noticed I started to get a lot of 200 status codes, and all of them resulted in the following

  • Don't get me wrong, I love meerkats as much as the next person, but I don't want this showing up in my results, so let's modify our command a touch

  • -C: exclude status code 200 from the results

  • Let's let this run for a bit and come back to it later

Looking at the home page's source we can see some interesting notes left behind

We can make out some possible usernames

Looking through the main web page we can see a few other staff members

feroxbuster found a directory:

/monitor/

So far we know:

  • PHP Server Monitor v3.2.1

We couldn't find any default creds, but if we look at the forgotten password section and submit admin,

we can see which users exist on the system, since the form's response tells us whether a username is known
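The forgotten-password behaviour above is a textbook username-enumeration weakness. As an added example (not code from the box or from PHP Server Monitor), here is a constructed reset handler in its leaking form beside a hardened one, plus the check a tester would run against either; the user store, messages and function names are assumptions made for the example.

```python
"""Forgotten-password handler: account-leaking form beside a hardened one."""
import hashlib
import secrets

# Constructed user store standing in for the application's database.
USERS = {"admin": "admin@example.test", "harvey": "harvey@example.test"}
# Where a real app would persist hashed reset tokens (constructed for the example).
RESET_TOKENS = {}


def _issue_reset_token(username: str) -> None:
    """Create a one-time token; only its hash is stored, the token itself is mailed."""
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[username] = hashlib.sha256(token.encode()).hexdigest()
    # mail_reset_link(USERS[username], token) would be called here


def forgot_password_vulnerable(username: str) -> str:
    """Leaks account existence: the reply text depends on whether the name is known."""
    if username not in USERS:
        return "User not found"
    _issue_reset_token(username)
    return "Password reset link sent to your email"


def forgot_password_hardened(username: str) -> str:
    """Same reply for every input, so the form cannot be used as a user oracle."""
    if username in USERS:
        _issue_reset_token(username)
    return "If that account exists, a reset link has been sent to its email address"


def leaks_account_existence(handler, candidates) -> set:
    """Names whose reply differs from the reply for a name that certainly does not
    exist are enumerable through this handler (an empty set means no leak)."""
    baseline = handler("no-such-user-" + secrets.token_hex(8))
    return {name for name in candidates if handler(name) != baseline}
```

The hardened handler still does more work for a real account, so in practice the mail sending should be queued asynchronously to avoid leaking the same information through response timing.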

Let's refer to the staff we found on the web page and in the page's source

Woohoo! We found a user

If we try Harvey's last name, potter, as the password, we are authenticated

Looks like it worked, but we'll have to add the subdomain to our hosts file

Now we can log back in with Harvey's credentials

If we look at the Servers tab we can see another subdomain

For good measure, let's add this to our hosts file

When we navigate to the

we are greeted with another login screen

As you can probably guess, Harvey's creds don't work; this login needs a password with a minimum of eight characters

Let's perform further directory busting

We keep getting server errors, most likely because we are not authenticated

Let's try some common creds with the username harvey

  • It actually worked

We found the creds for the login

When we log into the chat we can see the following

From what is discussed, there seems to be development code on the server; let's look at the page source

This looks promising

Let's navigate to

My first thought was that it looks pretty static, but playing around with the URL parameters

we do get a response back

I wonder if we can add any further functionality to it

Let's use Burp and catch a request

Looking at the request, I did try to modify both the filename and username parameters to see if I could inject PHP code, but with no luck

But we can successfully inject PHP code within the User-Agent header

Before we send this off, we want to send it through Repeater. Now we can add the parameter cmd= and execute commands on the target system

We now have code execution on the target machine
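Seen from the defender's side, a PHP open tag inside a User-Agent header is a strong signal, both in the web logs and at the point where the development code writes the header to disk. As an added example (not the box's code), here is a small scanner over constructed IIS W3C log lines plus the sanitising step such logging code should apply; the field layout, paths and addresses are constructed for the example.

```python
"""Flag PHP tags smuggled into the User-Agent, and show the missing sanitiser."""
import html
import re

# Constructed IIS W3C sample; the #Fields line declares the column order and
# IIS writes the User-Agent with its spaces replaced by '+'.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2018-01-01 10:00:00 10.10.14.2 GET /index.php - 200 Mozilla/5.0+(X11;+Linux)
2018-01-01 10:00:05 10.10.14.2 GET /dev/log.php user=harvey 200 <?php+echo+1;+?>
2018-01-01 10:00:07 10.10.14.3 GET /index.php - 200 curl/7.58.0
"""

# Long and short PHP open tags; either turns a stored header into executable code.
PHP_TAG = re.compile(r"<\?(?:php\b|=)", re.IGNORECASE)


def parse_w3c(text: str):
    """Yield one dict per record, naming columns from the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            # Split into exactly len(fields) values so the UA column stays whole
            rec = dict(zip(fields, line.split(" ", len(fields) - 1)))
            rec["cs(User-Agent)"] = rec.get("cs(User-Agent)", "").replace("+", " ")
            yield rec


def suspicious_entries(text: str) -> list:
    """(client ip, uri, decoded user agent) for requests carrying a PHP tag."""
    return [(r["c-ip"], r["cs-uri-stem"], r["cs(User-Agent)"])
            for r in parse_w3c(text) if PHP_TAG.search(r["cs(User-Agent)"])]


def sanitize_for_log(user_agent: str) -> str:
    """Escape the header before it is written anywhere PHP might later parse it,
    and drop control characters so one request cannot forge extra log lines."""
    printable = "".join(ch for ch in user_agent if ch.isprintable())
    return html.escape(printable, quote=True)
```

Escaping is defence in depth; the primary fix is never to write untrusted request data into a file the web server may later execute.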

Establishing a shell on the target system

Alright, let's set up our shell:

  1. We will use the nishang repo

  2. Copy our reverse shell script into our working directory

  3. Edit our Invoke-PowerShellTcp.ps1 script

We just added this little snippet so that when the PowerShell script is executed it will automatically connect back to our local machine

  4. Set up our python server

  5. Set up our netcat listener

  6. From Burp, let's pick up our rev.ps1

Quick tip

  • Once you have typed your PowerShell command out, highlight the command and press Ctrl+U to URL-encode it

  7. We have a shell on the system

Privilege escalation via iusr

Let's run systeminfo and feed the output to WES to see if we can find any exploits

Copy and paste the output to a file on our local machine

Update WES

Let's feed it to WES

Found a number of exploits, but we will keep these in our back pocket in case we can't find anything else

Let's check for users on the system

Let's check our privileges

As we can see, SeImpersonatePrivilege is enabled, meaning we have a high chance of successfully using Juicy Potato to spawn a shell as nt authority\system.
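The privilege check above is worth automating on the defending side too, since an enabled SeImpersonatePrivilege on a low-privileged service account is exactly the condition the potato family of escalations needs. Added example (not code from the box): a parser for whoami /priv output that flags the token-impersonation privileges; the sample output is constructed.

```python
"""Parse 'whoami /priv' output and flag enabled token-impersonation privileges."""

# Constructed sample in the layout whoami /priv prints (space-padded columns).
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

# Privileges that allow acting under another user's token; the two that the
# Juicy Potato technique on this page relies on.
TOKEN_PRIVILEGES = {"SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege"}


def parse_whoami_priv(text: str) -> dict:
    """Return {privilege name: state}; rows start after the '====' ruler line.
    Names and states never contain spaces, so first/last token is enough even
    though the description column does."""
    lines = text.splitlines()
    try:
        ruler = next(i for i, line in enumerate(lines) if line.startswith("="))
    except StopIteration:
        raise ValueError("not whoami /priv output: no column ruler found") from None
    privs = {}
    for line in lines[ruler + 1:]:
        parts = line.split()
        if len(parts) >= 2:
            privs[parts[0]] = parts[-1]
    return privs


def enabled_token_privileges(text: str) -> set:
    """The subset of TOKEN_PRIVILEGES this account holds in the Enabled state."""
    privs = parse_whoami_priv(text)
    return {p for p in TOKEN_PRIVILEGES if privs.get(p) == "Enabled"}
```

A hit on an IIS application pool or IUSR account is expected by design, so the finding is a prompt to confirm the host is patched and that the web application cannot be made to run arbitrary code, not a privilege to strip from the account.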

Alright, let's download some fresh potatoes and get to it

Once we have the Juicy Potato executable on our local machine, let's download it onto the target machine

  1. Start a python3 server

  2. We'll use PowerShell to retrieve the potato

We should now have our jp.exe (JuicyPotato.exe) within the Downloads directory

Let's execute jp.exe and see what parameters we need to set

  • -t createprocess call: we can try both

  • -p program to launch: we will execute a shell.bat file

  • -l COM server listen port: this can be, say, port 4444 on the local host

  • -c CLSID: since we know we are working on a Windows 10 Pro machine, we can use the following repo to test possible CLSIDs; we'll use {7A6D9C0A-1E7A-41B6-82B4-C3F7A27BA381}

Alright, let's get our reverse shell ready

  • We'll just cp rev.ps1 rev2.ps1

  • Change the port for the connection

Now we want to create a shell.bat file which will run our rev.ps1; it should contain

Let's download our shell.bat onto the target machine

  • Set up a python server

  • From the target machine

  • Start a netcat listener

Alright, we should have the necessary files on the target system

Let's execute jp.exe

We have a shell as nt authority\system
