Hack the Box: Bart Walkthrough

Hello friends!! Today we are going to solve another CTF challenge “Bart” which is available online for those who want to increase their skill in penetration testing and black box testing. Bart is retired vulnerable lab presented by Hack the Box for making online penetration practices according to your experience level; they have the collection of vulnerable labs as challenges from beginners to Expert level.

Level: Expert

Task: find user.txt and root.txt file on victim’s machine.

Since these labs are online available therefore they have static IP and IP of sense is 10.10.10.81 so let’s begin with nmap port enumeration.

From given below image, you can observe we find only port 80 is open on target system.

As port 80 is running http, we open the IP address in our browser. As soon as we open the IP address we get redirected to “forum.bart.htb”.

Since htb doesn’t have global DNS, we aren’t going to be able to resolve the site. So we add a DNS entry in our /etc/hosts file to point 10.10.10.81 to both bart.htb and forum.bart.htb.

When we open forum.bart.htb, we find a website that has been built on wordpress.

When we open bart.htb it redirects us to forum.bart.htb. We enumerate directories for both domains and find a directory called “/monitor” for domain bart.htb.

When we open /monitor directory given by dirb scan and find a login page

We use burpsuite to brute force the login page using /usr/share/wordlists/metasploit/common-root.txt dictionary and find the credentials to be harvery:potter.

We login using these credentials and get redirected to a different domain called monitor.bart.htb.

We add the domain name monitor.bart.htb in /etc/hosts file.

Now when we refresh the page we get a page for server monitoring.

Going through the page we find a link to a site and a domain we need to add to /etc/hosts.

We add domain internal-01.bart.htb we found earlier on the site to /etc/hosts.

We now open internal-01.bart.htb and find a login form.

We capture the login request using burpsuite and modify the request by changing login.php to register.php.

Then we login using the credentials we use to register and find a chat box.

We find a link to an open log link, we capture the request using burpsuite and when we look at the header it looks like filename parameter may be vulnerable to LFI.

We were not able to access any system file but we were able to access log.php and find access logs.

Now we use log poisoning to get reverse shell. We change the user-agent to run whoami command, when we run the command we get the user name.

We were not able get reverse shell using web delivery, so we first create a reverse shell using msfvenom

After creating our shell, we upload the payload to the target machine using powershell. First we setup our HTTP server using python.

We setup our listener using metasploit before executing the target machine.

 

After uploading our shell and setting up our listener, we now execute the payload using log poisoning.

As soon as we execute the payload we get our reverse shell.

After we get the reverse shell we find that the system is 64-bit architecture so we change the payload type to 64-bit architecture.

After running the exploit, we get a 64-bit meterpreter shell. Now we can run post modules properly as 32-bit meterpreter was running into problems.

We use autologin post module to find the the password for Administrator user.

Now enumerating the target machine, we find that port 445 is running internally. So we use port forwarding so that we can use our machine to connect with it.

Now we use impacket-smbserver to create a smb server in our machine. So that we can share our /root directory with the target machine as our shell that we created earlier can be run on the target machine.

Now the the session we had earlier died so port 4444 is free. So we are going to use that payload to get our reverse shell. First we run metasploit in a new tab and setup our listener.

Now we use psexec auxiliary to run our payload hosted on our system.

 

As soon as we run psexec auxiliary we get reverse shell with as administrator.

In c:\Users\Administrator\Desktop we find a file called root.txt, when we open it and find our first flag.

Enumerating the system in c:\Users\h.potter we find a file called user.txt. When we take a look at the content of the file we get our second flag.

 

Author: Sayantan Bera is a technical writer at hacking articles and cyber security enthusiast. Contact Here

3 Comments Hack the Box: Bart Walkthrough

  1. Skyw3lker

    Could you be MORE explicit specially in the privesc part . i couldn’t follow along

    you are great but always be as explicit as you can, if you may

    Thanks for the great effort, I’m a big fan

    Reply
  2. slfkjsdkj

    Isn’t importing wordlists in Intruder in Burpsuite possible only in the paid version? According to your screenshots of Burpsuite you are using the Community (free) edition…

    Reply
    1. Raj Chandel

      Burpsuite Community edition also allows user to load wordlists. It is possible that there might be a bug that isn’t allowing it to load wordlists. Try reinstalling Burpsuite it might fix the problem.

      Reply

Leave a Reply

Your email address will not be published. Required fields are marked *