Bank HackTheBox Notes

Genius = https://highon.coffee/blog/penetration-testing-tools-cheat-sheet/

IP address: 10.10.10.29

Recon

nmap -v -sU -sS -p- -A -T4 10.10.10.29

Port 80/tcp – http

Nmap -p 80 -sV 10.10.10.29

Reveals apache httpd 2.4.7 – no known critical vulnerabilities

Default Ubuntu Apache2 page

Port 53/tcp – DNS

Nmap -p 53 -sV 10.10.10.29

ISC BIND 9.9.5-3ubuntu0.14

Port 22/tcp – ssh

Nmap -p 22 -sV 10.10.10.29

OpenSSH 6.6.1p1

Continuing

I had to cheat on this one cause I don’t have the patience for this guessing crap. The accessible host on port 80 can be found at http://bank.htb

Running dirbuster we find the following

Machine generated alternative text: http://bank.htb:80/ Scan Information IResults o Directory Stucture loads index.php login.php suppcrt.php nc Icons logout.php - List View: Dirs: 301 301 302 200 302 301 302 16 Files: 81 Results - Tree View Response Code Errors: o Response Size 518 516 7654 2307 3623 510 329

Response codes:

301 unauthorized

302 redirect

200 successful

Looking at login.php there is nothing extraordinary however, support.php and index.php both provide redirect codes. Looking at this more closely we can see the response size of both these redirects are far from equal. Using burp suite or any sort of redirect blocker we can visualize the page presented before the redirect. Support.php provides an interesting page.

Used to remove automatic redirect

Machine generated alternative text: Remove all JavaScript Remove tags convert HTTPS links to HTTP Remove secure flag from cookies 'latch and Replace hese settings are used to automatically replace parts o Edit match/replace rule Specify the details of the match/replace rule. Type: Replace: Comment. Regex Remove Up Down Enabled o o o o Item Request header Request header Response header Request header Request header Response header Response header Response header Acc 30[121 FOUND Response header 301121 FOUND 200 0K no redirect match X-XSS-Protection 200 0K Literal Reg ex o pressed responses RS origin eaders Disable browser XSS protection no redirect

Now we can look at index.php and support.php properly. The support page has an option to upload files so this is likely our way in. Looking at the source code we can see the following which states that we may use a file extension of .htb to upload php files.

I personally used the following reverse shell http://pentestmonkey.net/tools/web-shells/php-reverse-shell followed by the command nc -lvp 4444. This gives us a shell as www-data which can be used to read the user.txt file.

Using “find / -user root -perm -4000 -print 2>/dev/null” we can find potentially vulnerable commands with a SUID bit.

Machine generated alternative text: find / -user root -perm -4000 -print 2>/dev/null /var/htb/bin/emergency /usr/lib/eject/dmcrypt-get-device /usr/lib/openssh/ssh-keysign /usr/lib/dbus-l. O/dbus -daemon- launch-helper /usr/lib/policykit-l/polkit-agent-helper-l /usr/bin/chsh /usr/bin/passwd /usr/bin/chfn /usr/bin/pkexec /usr/bin/newgrp /usr/bin/traceroute6. iputils /usr/bin/gpasswd /usr/bin/sudo /usr/bin/mtr /usr/sbin/pppd /bin/ping /bin/ping6 /bin/su /bin/fusermount /bin/mount /bin/umount

First one that sticks out to me is /var/htb/bin/emergency and of course executing this command gives us a root shell.

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Create a website or blog at WordPress.com

Up ↑

%d bloggers like this: