12/2020
Target IP: 10.10.10.81.
The following machine is a Windows box that hosts a company's introduction website. The threat actor got initial access to monitor.bart.htb by brute-forcing the account discovered from the forum page. A combination of log injection and local file inclusion, leading to server-side code execution, gave the attacker a shell on the victim machine under iusr privileges. After upgrading that 32-bit shell to a 64-bit one, the threat actor was able to run some standard enumeration queries and obtained the administrator auto-logon credential. The attacker then mapped the entire C partition to drive letter x in order to inspect it with the iusr account.
medium
User: 625b6c7aa299599acae0125d3af3830f
Root: 0074a38e6eac2d3785741713b3bfa2dc

Nmap port scan result.

Nmap service scan result.
! Discovered service: HTTP (80), MS IIS server.

Examining the web application on port 80.

Employee identity information is available on the web application.
! Discovered internal emails: [email protected], [email protected], [email protected].

The company has recently hired a new employee – Daniella Lamborghini.
! Daniella's internal email is probably [email protected]

Inspecting the website source code reveals another employee - Harvey Potter.

Harvey's information was commented out because it breaks the layout.
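A pre-publication check for the kind of leak described above, where a team-member block is commented out instead of removed and so still ships to every visitor. This is an added example, not part of the original write-up; the function names, patterns and sample page are constructed assumptions.

```python
import re
from html.parser import HTMLParser

# Heuristics (assumptions): an e-mail address, or leftover markup, inside a comment.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
TAG_RE = re.compile(r"<\s*(div|li|a|img|h[1-6]|p|span)\b", re.I)


class CommentAuditor(HTMLParser):
    """Collect HTML comments that still carry markup or e-mail addresses."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_comment(self, data):
        line, _ = self.getpos()  # position of the opening "<!--"
        emails = EMAIL_RE.findall(data)
        has_markup = bool(TAG_RE.search(data))
        if emails or has_markup:
            self.findings.append(
                {"line": line, "emails": emails, "markup": has_markup}
            )


def audit_comments(html):
    """Return one finding per comment that looks like disabled page content."""
    auditor = CommentAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample page: one harmless comment, one commented-out staff card.
SAMPLE = """<html><body>
<!-- nav start -->
<div class="team"><h3>Visible Person</h3></div>
<!-- hidden until layout is fixed
<div class="team"><h3>Hidden Person</h3>
<a href="mailto:hidden.person@example.test">mail</a></div>
-->
</body></html>"""

if __name__ == "__main__":
    for finding in audit_comments(SAMPLE):
        print(finding)
```

Run it over rendered templates in a build step and fail the build on any finding, so disabled content is deleted from the source before the page is published.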