IP address: 10.10.10.29
nmap -v -sU -sS -p- -A -T4 10.10.10.29
Port 80/tcp – http
nmap -p 80 -sV 10.10.10.29
Reveals Apache httpd 2.4.7 – no known critical vulnerabilities
Default Ubuntu Apache2 page
Port 53/tcp – DNS
nmap -p 53 -sV 10.10.10.29
ISC BIND 9.9.5-3ubuntu0.14
Port 22/tcp – ssh
nmap -p 22 -sV 10.10.10.29
I had to cheat on this one because I don't have the patience for this guessing crap. The accessible host on port 80 can be found at http://bank.htb.
Running DirBuster, we find the following
Looking at login.php there is nothing extraordinary; however, support.php and index.php both return redirect codes. Looking more closely, we can see that the response sizes of these two redirects are far from equal. Using Burp Suite or any sort of redirect blocker, we can view the page that is rendered before the redirect is followed. support.php provides an interesting page.
Used to remove automatic redirect
Now we can look at index.php and support.php properly. The support page has an option to upload files, so this is likely our way in. Looking at the source code, we can see the following, which states that we may use a file extension of .htb to upload PHP files.
I personally used the following reverse shell, http://pentestmonkey.net/tools/web-shells/php-reverse-shell, followed by the command nc -lvp 4444. This gives us a shell as www-data, which can be used to read the user.txt file.
Using "find / -user root -perm -4000 -print 2>/dev/null" we can find potentially vulnerable binaries with the SUID bit set.
The first one that sticks out to me is /var/htb/bin/emergency and, of course, executing this command gives us a root shell.