Bank

In this write-up, we will solve the HackTheBox machine called Bank.

Reconnaissance

nmap

As usual, we start by scanning for open ports and the services running on them:

nmap -sC -sV -oA nmap/bank 10.10.10.29

The scan reveals three open ports: 22 (SSH), 53 (DNS) and 80 (HTTP).

Enumerating HTTP

When navigating to the web server, the default Apache2 web page is displayed:

Since the box is named Bank, we try adding bank.htb to the /etc/hosts file:

Now, navigating to http://bank.htb redirects us to http://bank.htb/login.php.

The next step is to scan for hidden files and directories with Gobuster, using the following flags:

  • dir to run directory and file enumeration mode

  • -u to specify the target URL

  • -w to specify the word list to use

  • -x to specify the extensions to enumerate

  • -t to specify the number of concurrent threads

gobuster dir -u http://bank.htb -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt -t 100
                                                                                                                                                    
┌──(root㉿kali)-[/home/kali/hackthebox/easy/bank]
└─# gobuster dir -u http://bank.htb -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt -t 100
===============================================================
Gobuster v3.4
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://bank.htb
[+] Method:                  GET
[+] Threads:                 100
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.4
[+] Extensions:              php,html,txt
[+] Timeout:                 10s
===============================================================
2023/08/14 07:06:02 Starting gobuster in directory enumeration mode
===============================================================
/login.php            (Status: 200) [Size: 1974]
/support.php          (Status: 302) [Size: 3291] [--> login.php]
/uploads              (Status: 301) [Size: 305] [--> http://bank.htb/uploads/]
/assets               (Status: 301) [Size: 304] [--> http://bank.htb/assets/]
/.html                (Status: 403) [Size: 280]
/.php                 (Status: 403) [Size: 279]
/index.php            (Status: 302) [Size: 7322] [--> login.php]
/logout.php           (Status: 302) [Size: 0] [--> index.php]
/inc                  (Status: 301) [Size: 301] [--> http://bank.htb/inc/]
/.html                (Status: 403) [Size: 280]
/.php                 (Status: 403) [Size: 279]
/server-status        (Status: 403) [Size: 288]
/balance-transfer     (Status: 301) [Size: 314] [--> http://bank.htb/balance-transfer/]
Progress: 881724 / 882244 (99.94%)
===============================================================
2023/08/14 07:17:51 Finished
===============================================================

The scan identifies a /balance-transfer directory, which lists a large number of files when accessed:

Opening any of them shows what appear to be encrypted usernames and passwords:

Clicking the Size column header sorts the files by size, smallest first.

Since all the encrypted files fall between 581 and 585 in size, the file of size 257 stands out.

Let's download the first file of size 257 and take a look at it:

Unlike all the other files, which are properly encrypted, this one is not encrypted at all.

Let's use this email and password to log in:

Email: chris@bank.htb
Password: !##HTBB4nkP4ssw0rd!##

And we log in successfully.

Foothold as the user www-data

Let's navigate to /support.php, which we found with Gobuster.

We will upload a PHP reverse shell; you can find one in this GitHub repository.

Set up a listener.

But when we submit the form, the upload is blocked by a file-type restriction.

Reading the source of /support.php, we find a comment mentioning that files with the .htb extension can be used for PHP code execution:

So let's change the extension from .php to .htb.

Before submitting, don't forget to start the listener on the port you specified in the PHP reverse shell.

The file is uploaded successfully.

Now click here to execute the PHP reverse shell.

Going back to the listener, you will find that you have a shell as the user www-data.

Upgrade the Shell

You will find the user flag at:

/home/chris/user.txt

Alternative Way to Get a Foothold by Bypassing the Login Using the EAR Vulnerability

Execution After Redirect (EAR) is an attack where an attacker ignores redirects and retrieves sensitive content intended for authenticated users. A successful EAR exploit can lead to complete compromise of the application.

This web application has login functionality. Users who have an account can access the content and features of the application only by logging in. Unauthenticated users are redirected to the login page so that they first log in and obtain an authenticated session. This is one of the many situations where the Execute After Redirect (EAR) vulnerability may creep in. An EAR vulnerability arises from an improper implementation in which the developer assumes that execution stops after the redirect. That is not true: the remaining part of the page is also executed.

The PHP code checks whether the user is authenticated. If not, it redirects them to the login page at /login.php. But nothing tells the program to stop executing the code that follows the redirect, so all the code that should run only for a user with a valid session is executed as well. Using a proxy tool such as Burp Suite, we can modify the 302 Found redirect response into a 200 OK response.
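The tell for this bug is already visible in the Gobuster output above: /support.php and /index.php answer 302 but carry bodies of 3291 and 7322 bytes, whereas a guard that really stops after the redirect (compare /logout.php) sends an empty body. The following shell helper is an added example, not part of the original write-up; it flags such redirects when you review your own scan output. The sample lines are copied from the scan above, and the function name and the 1024-byte threshold are assumptions.

```shell
# Constructed sample in the format Gobuster printed above (paths and sizes
# taken from the scan output in this write-up).
GOBUSTER_SAMPLE='/login.php            (Status: 200) [Size: 1974]
/support.php          (Status: 302) [Size: 3291] [--> login.php]
/uploads              (Status: 301) [Size: 305] [--> http://bank.htb/uploads/]
/index.php            (Status: 302) [Size: 7322] [--> login.php]
/logout.php           (Status: 302) [Size: 0] [--> index.php]'

# Print each path that answered with a redirect (301/302) but still sent a
# body larger than the threshold. A guard that calls exit after header()
# produces an empty body; Apache's own directory redirects (the 301 lines)
# stay around 300 bytes, so the assumed default of 1024 bytes separates them.
#   $1 = Gobuster output, $2 = body-size threshold in bytes (default 1024)
ear_candidates() {
    printf '%s\n' "$1" | awk -v limit="${2:-1024}" '
        /\(Status: 30[12]\)/ {
            size = $0
            sub(/.*\[Size: /, "", size)
            sub(/\].*/, "", size)
            if (size + 0 > limit + 0) print $1
        }'
}

ear_candidates "$GOBUSTER_SAMPLE"
```

Every flagged path is worth a look at whether its authentication check actually exits after issuing the redirect.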

We know the upload functionality exists in /support.php, but only authenticated users can access it.

Open Burp Suite and intercept the request to /support.php.

Right-click -> Do intercept -> Response to this request.

Then click Forward; you will get a 302 Found response. Change it to 200 OK.

After changing it, click Forward.

After forwarding, return to the browser: the support.php page is now rendered.

I have already uploaded a reverse shell, which is why it appears at the top; for you the list will be empty.

Upload the PHP reverse shell with the .htb extension. Before submitting, intercept the request and repeat the same steps (change 302 Found to 200 OK) to trigger the EAR vulnerability.

Make sure a listener is running on the port you specified in the reverse shell:

nc -nvlp <PORT>

After uploading the reverse shell, click here, intercept that request too, and repeat the same steps (these features are only meant for authenticated users).

And we get a shell as the user www-data.

Privilege Escalation Through CVE-2021-4034

Upload linpeas.sh to the target machine: serve it with a Python HTTP server and download it with wget.

Before running it, make sure it is executable:

./linpeas.sh

Here is an exploit by berdav:

Clone this repository on your attack box, start a Python HTTP server and upload the entire directory to the target machine.

After that, just execute make, then ./cve-2021-4034, and enjoy your root shell.

Privilege Escalation through Unknown SUID

There is another way to escalate privileges, using an unknown SUID binary that linpeas spots.

Or you can spot it manually with this command:

find / -perm -u=s -type f 2>/dev/null

Running this binary returns, for some reason, a bash shell with root privileges.

Privilege Escalation Through Writeable /etc/passwd

The /etc/passwd file contains information about user accounts. It is world-readable, but usually only writable by the root user. Historically, the /etc/passwd file contained user password hashes, and some versions of Linux will still allow password hashes to be stored there.

Note that the /etc/passwd file is world-writable:

ls -la /etc/passwd

Generate a new password hash with a password of your choice:

openssl passwd newpasswordhere

Copy the root user's row and append it to the bottom of the file, changing the first instance of the word "root" to "newroot" and placing the generated password hash between the first and second colon (replacing the "x").

nano /etc/passwd

Now switch to the newroot user, using the new password:

su newroot
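To check a host for the conditions this technique relies on and the traces it leaves, here is an added shell helper that is not part of the original write-up: it parses passwd-format content and flags extra UID-0 accounts and hashes stored in the file itself, and checks an ls -l permission string for group or world write access. The sample entries, the hash value and the function names are constructed.

```shell
# Constructed passwd-format sample showing what the technique above leaves
# behind: a second UID-0 account whose hash sits in field 2 instead of "x".
# The hash value is a placeholder, not a real crypt string.
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
chris:x:1000:1000:chris,,,:/home/chris:/bin/bash
newroot:$1$CONSTRUCTED$PLACEHOLDERHASH:0:0:root:/root:/bin/bash'

# Print one line per suspicious entry in the passwd content passed as $1:
#   uid0 <name>  an account other than root that has UID 0
#   hash <name>  field 2 holds more than a placeholder (x, *, !, !!), i.e. a
#                hash kept in passwd instead of /etc/shadow
audit_passwd() {
    printf '%s\n' "$1" | awk -F: '
        NF < 7 { next }
        $3 == 0 && $1 != "root" { print "uid0 " $1 }
        length($2) > 2          { print "hash " $1 }'
}

# Return 0 when an ls -l permission string such as -rw-r--r-- lets only the
# owner write, 1 when the group or world write bit is set (the precondition
# for appending to /etc/passwd as www-data).
mode_owner_write_only() {
    case "$1" in
        ?????w*|????????w*) return 1 ;;
    esac
    return 0
}

audit_passwd "$PASSWD_SAMPLE"
if [ -r /etc/passwd ]; then
    audit_passwd "$(cat /etc/passwd)"
    mode_owner_write_only "$(ls -l /etc/passwd | cut -c1-10)" \
        || echo "/etc/passwd is writable by group or world"
fi
```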

And we have solved the lab.

I hope you found this walkthrough easy to understand and follow.

Greetings from Sayonara
