3. Bank (Easy)

Pre-Setup
Before we start we need to edit the hosts file. We do this because a single IP can host several websites (name-based virtual hosting), so it is good practice when doing HTB boxes to add the box's hostname to /etc/hosts alongside its IP address. In our case the box name is Bank, so we add an entry mapping the machine's IP to bank.htb as shown below.

Reconnaissance
Nmap
To begin reconnaissance we run a simple nmap service-detection scan. This gives us an overview of all the services currently running on the server.

The scan above shows three open ports. Next we run a full scan to get more detail on each service, using the following command.

From the above we can tell
Website Recon
Now that we know a website is active we can head to it at http://bank.htb and check what is present within it.

We are greeted with a login page. Testing it for SQL injection, both manually and automated through Burp, gives no results, so we move on to fuzzing the domain for interesting directories.
Fuzzing
To fuzz we can use tools such as dirb, dirbuster, wfuzz or ffuf. Here we use gobuster because it is fast, with a wordlist from SecLists (linked in the References below).

Fuzzing reveals two interesting sub-directories:
/inc
/balance-transfer
We check the /inc directory first so that we leave no stone unturned.

The /inc folder has directory listing enabled and shows four PHP files. Each of them is either empty or forbidden to access, so we move on to the next directory.
The /balance-transfer directory contains a large number of .acc files.

We download the first one and cat it. The contents are encrypted, and the file holds fields such as name, email and password.

Now we go through the directory listing looking for any file that stands out and could help us log in to the system.
Since all the .acc files appear to be generated the same way, one file whose size differs from the rest is worth a closer look, and searching the listing turns up exactly such a file.
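Eyeballing hundreds of rows for one odd size is error-prone, so the check is worth scripting. The following is an added example, not code from the original write-up: it parses an Apache-style index page and reports every file whose size is not the most common one. The listing embedded in it is constructed for the demo (made-up names and sizes, not the real /balance-transfer/ index), and the regular expression assumes the default Apache layout where the size is the last column of each row.

```python
import re
from collections import Counter

# Constructed Apache-style index snippet standing in for the /balance-transfer/
# listing. The file names and sizes are made up for this example.
SAMPLE_LISTING = """\
<a href="0f1e2d3c4b5a69788796a5b4c3d2e1f0.acc">0f1e2d3c4b5a69788796..&gt;</a> 2017-06-14 13:08  585
<a href="1a2b3c4d5e6f708192a3b4c5d6e7f809.acc">1a2b3c4d5e6f708192a3..&gt;</a> 2017-06-14 13:08  585
<a href="2b3c4d5e6f708192a3b4c5d6e7f8091a.acc">2b3c4d5e6f708192a3b4..&gt;</a> 2017-06-14 13:08  257
<a href="3c4d5e6f708192a3b4c5d6e7f8091a2b.acc">3c4d5e6f708192a3b4c5..&gt;</a> 2017-06-14 13:08  585
<a href="4d5e6f708192a3b4c5d6e7f8091a2b3c.acc">4d5e6f708192a3b4c5d6..&gt;</a> 2017-06-14 13:08  1.2K
<a href="/">Parent Directory</a>                                         -
"""

# One row: the href, then anything, then a size (optionally with K/M/G suffix)
# as the last token on the line. Rows without a numeric size are skipped.
LINE_RE = re.compile(r'href="([^"]+)".*?(\d+(?:\.\d+)?[KMG]?)\s*$')


def parse_size(text):
    """Convert an Apache size column ('585', '1.2K', '3M') to bytes."""
    units = {"K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}
    if text[-1] in units:
        return int(float(text[:-1]) * units[text[-1]])
    return int(text)


def parse_listing(html, suffix=".acc"):
    """Return (filename, size_in_bytes) for every row naming a file with the suffix."""
    entries = []
    for line in html.splitlines():
        m = LINE_RE.search(line)
        if m and m.group(1).endswith(suffix):
            entries.append((m.group(1), parse_size(m.group(2))))
    return entries


def find_size_outliers(entries):
    """Return the entries whose size differs from the most common size.

    This only works when the files come from one template so that the
    sizes cluster; on a listing of genuinely varied files it tells you nothing.
    """
    if not entries:
        return []
    mode_size, _ = Counter(size for _, size in entries).most_common(1)[0]
    return [(name, size) for name, size in entries if size != mode_size]


if __name__ == "__main__":
    for name, size in find_size_outliers(parse_listing(SAMPLE_LISTING)):
        print(f"{size:>8}  {name}")
```

Against a live target you would fetch the index with requests or curl and pass the body to parse_listing; the outliers it prints are the files to download and read by hand.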
Let's download and view the content of this file

This file gives us an email and password. Using those credentials we log in to the account successfully.

It is now worth browsing the website to see which functions are available to us and whether any of them offer an attack vector.
On the support page we find a ticket form, and the form asks for a file to be attached. This is a possible file upload attack, so let's check how it works.

After entering a title and a message it asks for a file to upload. We can simply upload a blank JPG and check whether we can reach the file afterwards.

After submitting, the ticket is created successfully and the attachment section shows a "click here" link. We follow it to find out where the file was stored.


The picture above shows the file is stored at /uploads/white.jpg and is directly accessible.
Exploitation
Let's now try to exploit the application. First we get the PHP reverse shell from the pentestmonkey GitHub repository.

Open the reverse shell, click Raw to get the raw PHP code, and copy it into a file named reverse.php (any name with a .php extension will do).

Before saving, change the IP and port in the PHP file to our own IP address and listener port. The shell section of the file shows that once it connects it runs uname -a, w and id and then starts an interactive /bin/sh.

Then create a new ticket with reverse.php attached and check whether the upload is accepted.


Unfortunately the upload is rejected. There are a couple of common file-upload bypasses we can try against the filter; first, rename the file from .php to .php.jpg.

Then re-upload the file and check whether it is accepted this time.


As the picture shows, after changing the extension the upload is accepted. Now open a new terminal and start a netcat listener, on the same port we put in reverse.php, so we can catch the incoming connection. The command is

Then head back to the website and click the attachment so that the PHP code runs.

Clicking it only produces errors: the file is served but the PHP is not executed. Viewing the page source to see how uploads are handled reveals a crucial piece of information.

It states that files with a .htb extension are executed as PHP. So we rename the shell from .php.jpg to .htb and repeat the whole upload process.
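The three upload attempts above show two separate weaknesses that have to line up: the filter only looks at the final extension, and the web server maps more extensions than .php to the PHP handler. The following is an added example, not the site's real PHP code, that models both checks in Python and puts an allow-list filter next to the weak one. The extension sets are assumptions chosen to reproduce the behaviour observed on the box.

```python
import os

# Assumed server-side behaviour, reconstructed from what the box did:
# the upload filter rejects a file only when its final extension is .php,
# while the web server executes .php and, because of the .htb rule found in
# the page source, .htb as well.
BLOCKED_EXTENSIONS = {".php"}            # what the weak filter rejects
EXECUTED_EXTENSIONS = {".php", ".htb"}   # what the (assumed) handler mapping runs
ALLOWED_UPLOADS = {".jpg", ".jpeg", ".png", ".gif"}


def last_extension(filename):
    return os.path.splitext(os.path.basename(filename))[1].lower()


def weak_filter_accepts(filename):
    """Blocklist on the last extension only, as the vulnerable app appears to do."""
    return last_extension(filename) not in BLOCKED_EXTENSIONS


def strong_filter_accepts(filename):
    """Allow-list check: exactly one extension, and it must be an image type.

    Rejecting any dot in the stem stops reverse.php.jpg style names; the
    allow-list stops reverse.htb even though .htb was never blocklisted.
    """
    stem, ext = os.path.splitext(os.path.basename(filename))
    return ext.lower() in ALLOWED_UPLOADS and "." not in stem


def server_executes(filename):
    """Would the assumed handler mapping run this stored file as PHP?"""
    return last_extension(filename) in EXECUTED_EXTENSIONS


def classify(filename, accepts=weak_filter_accepts):
    """Outcome of uploading filename and then browsing to it in /uploads/."""
    if not accepts(filename):
        return "rejected"
    return "executed" if server_executes(filename) else "stored"


if __name__ == "__main__":
    for name in ("white.jpg", "reverse.php", "reverse.php.jpg", "reverse.htb"):
        print(f"{name:16} weak filter: {classify(name):9} "
              f"allow-list: {classify(name, strong_filter_accepts)}")
```

The allow-list alone is still only half a fix: the server should also serve /uploads from a location with script execution disabled and should not carry debugging handler mappings like .htb into production, so that even a filter mistake cannot turn into code execution.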

With the new reverse shell submitted and our listener ready, we trigger the shell again and check whether we get anything back.

The page keeps loading after we click the attachment, which means the script is running and holding the connection open in the background, so we check our terminal for an incoming connection.

We got a connection back, and we now have a shell on the machine as the low-privilege user www-data.
Post-Exploitation
Getting User.txt
Now that we have a low-privilege shell we head to the /home folder to check whether we can read user.txt as this user.

As the picture shows, we can enter the home directory and read user.txt even as a low-privilege user. With user.txt in hand, we move on to root.txt.
Privilege Escalation
There are several ways to look for privilege escalation, among them:
Sudoers list
Config files
Cron jobs
SUID and SGID files
Linux kernel exploits
Doing all of this by hand takes time, so we use linpeas.sh (Linux Privilege Escalation Awesome Script), which performs all of the checks above and dumps the results in one place, letting us skip straight to exploitation. The GitHub link is in the References below.
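To make clear what one of those checks actually does, here is an added example (not code from the write-up and not part of linpeas): a small Python scan for SUID and SGID files that flags any found outside the usual system directories, which is exactly the kind of hit that surfaces /var/htb/bin/emergency. The list of expected directories is an assumption made for the example, and demo() builds a throwaway tree with one SUID file so the scan can be tried without root.

```python
import os
import stat
import tempfile

# Directories where set-id binaries are normally expected. Anything set-id
# outside these is worth a closer look. This list is an assumption made for
# the example, not an authoritative one.
EXPECTED_DIRS = ("/bin", "/sbin", "/usr/bin", "/usr/sbin", "/usr/lib", "/usr/libexec")
SKIP_DIRS = ("/proc", "/sys", "/dev", "/run")   # pseudo filesystems, never real binaries


def find_setid_files(root="/"):
    """Return (path, mode) for every regular file under root with SUID or SGID set."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda err: None):
        # Prune pseudo filesystems before descending into them.
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)   # lstat so symlinks are not followed
            except OSError:
                continue              # unreadable or vanished; keep going
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append((path, stat.S_IMODE(st.st_mode)))
    return hits


def unusual_setid_files(hits, expected_dirs=EXPECTED_DIRS):
    """Keep only hits outside the usual system directories (e.g. /var/htb/bin)."""
    return [(p, m) for p, m in hits if not p.startswith(expected_dirs)]


def describe(mode):
    """Human-readable label such as 'SUID 4755' for a permission mode."""
    bits = []
    if mode & stat.S_ISUID:
        bits.append("SUID")
    if mode & stat.S_ISGID:
        bits.append("SGID")
    return "+".join(bits) + " %o" % mode


def demo():
    """Build a constructed tree with one SUID file and scan it.

    Returns (root, hits) with paths relative to root. Setting the SUID bit on
    a file you own does not need root, so this runs as any user.
    """
    root = tempfile.mkdtemp(prefix="setid-demo-")
    plain = os.path.join(root, "plain")
    suid = os.path.join(root, "bin", "emergency")
    os.makedirs(os.path.dirname(suid))
    for p in (plain, suid):
        with open(p, "w") as f:
            f.write("#!/bin/sh\necho demo\n")
    os.chmod(plain, 0o755)
    os.chmod(suid, 0o4755)
    hits = find_setid_files(root)
    return root, [(os.path.relpath(p, root), m) for p, m in hits]


if __name__ == "__main__":
    root, hits = demo()
    for path, mode in hits:
        print(describe(mode), os.path.join(root, path))
    # On a real target: scan from "/" and print unusual_setid_files(find_setid_files("/")).
```

Two things to keep in mind when reading the output on a real host: the scan must run as the low-privilege user you actually have, because directories it cannot read are silently skipped; and a set-id bit on a script is not honoured by Linux, so when a script appears to give you root, the binary it calls is the one to inspect.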

After downloading linpeas.sh from GitHub we need to copy it over to the victim machine so we can run it there. To do that we first place it in a folder on our own machine.

Then we use the Python http.server module to serve that folder over HTTP. This is done as follows:

This serves every file in that folder. On the victim machine we change directory to /tmp, because it is world-writable (every user can create files there; the sticky bit means users can only delete their own), so we can fetch files into it as www-data. Then we use the following command.

The command above connects back to our machine, fetches linpeas.sh and saves it in /tmp. Make sure the port in the URL matches the port the HTTP server is listening on.
Then we run the tool with the command bash linpeas.sh

The tool runs and displays everything it can find: sudoers entries, crontab, SGID and SUID files, config files and so on. Once it finishes we go through each section. The kernel exploits it suggests are usually not worth trying unless they are flagged as confirmed or highly probable, but there is an interesting SUID binary.

The SUID binary is /var/htb/bin/emergency. We navigate to that folder to find out what the file is and whether it is useful to us.
NOTE: The SUID bit makes a file run with the privileges of its owner (here root) no matter who executes it, so a SUID root program that can be made to spawn a shell is a direct path to privilege escalation. Linux does not honour the bit on interpreted scripts, only on compiled binaries, so when a script appears to hand out root it is the binary it invokes that carries the SUID bit. For more details check the References below.
Navigating to the file and reading it with cat shows the following code.

The code shows that it pops a root shell. Since it relies on the SUID bit we can run the program directly with python emergency and, as the program prompts, type y to get a root shell.

After doing that, running whoami confirms we have a root shell. We can now move to the /root directory and collect the root.txt flag.

After submitting the root.txt flag we have officially pwned the machine. Congratulations!

References
