HackTheBox – Bank Walkthrough

Not a ton to talk about for this box. It’s an interesting CTF style machine but I’m not sure I’d rank it in the OSCP prep category. Just something fun for a low key Sunday Morning 🙂

Defining The Attack Surface

We have 3 open ports and services running.

  • 22 – SSH
  • 53 – DNS
  • 80 – Web Server (http)

Obligatory Nikto scan doesn’t reveal much

Let’s look at the browser

Something to note is that our earlier dig scan did identify the domain bank.htb so I’m going to add that to my /etc/hosts file and try the browser again

Something interesting to note

I always look at the source of at least the landing page on these things. Sometimes it pans out, sometimes not. This time, it looks like we may have found something useful. Sticking it in the back pocket for now

~~MORE ENUMERATION REQUIRED~~

I tried a series of password attacks from the dig output. I inferred that chris.bank.htb was actually an email Chris@Bank.htb so I tried brute forcing it with hydara and rockyou.txt to no avail

More enumeration is needed

This wfuzz scan got us everything we needed

Take note, uploads | assets | inc | server-status | balance-transfer You’ll want to check each of these out.

/balance-transfer is where the juicy stuff is

It looks like each of these files contains some type of encrypted user information

Let’s automate pulling this all down for further inspection

First I fetch the html of the page with curl

curl http://bank.htb/balance-transfers > transfers_raw

then I take that HTML over to http://regex101.com – If you don’t regex, you’re about to see how magical it is

I pasted all of the HTML into regex101 and then I wrote a really simple regex to grab all of the urls

(?>=acc\">).*(?=<\/a>)

What this regex says is

(?>=acc\">) Start after acc">

.* grab everything

(?=>\a>) Stop at </a>

As you can see from the above screen shot, it successfully grabs all of the filenames.

Next I export it

I stuck that in a file called account_links and now we’re ready to pull them all down

for link in $(cat account_links); do wget http://bank.htb/balance-transfer/$link ; done

that command pulled every file down.

Then to make sure I got it all, I cat’d each out with for file in $(ls); do cat $file ; done

Let’s see what we’ve got.

First I try and just pull the password hashes out

Same command as cating them out but with a grep in there

for file in $(ls); do cat $file | grep "Password;done

Now let’s isolate the hash with cut

for file in $(ls); do cat $file | grep "Password" | cut -d " " -f2

And there’s all of our hashes!

As I was scrolling through them looking for anything that stood out, I came across this nugget

Looks like a plaintext password in there

The file size will probably be different so let’s see if we can find the file with ls

One more time with that bash for loop magic | quick and dirty is my middle name today

for file in $(ls); do echo $file ; cat $file | grep HTBB4nk ; done

Initial Access

Using our new found creds thanks to chris, we now have access to his account.

Not a ton to see here.

Flipping over to the support page we find a ticket system that allows for file uploads.

The first thing I try is uploading just a plain text file

Then I recalled that we found that little debug comment on the landing page about files with the extension htb

Sure enough, I tried renaming the same file with the htb extension and it uploaded.

The comment also said that the htb extension would execute as php. Seems pretty obvious this’d be our attack vector for a shell.

First I test it with a simple php script

Okay, now for the shell

No need to reinvent the wheel. Kali has a ton of webshells pre-baked

Don’t forget to change the IP and Port

Looks like the upload worked!

Let’s start our listener and open the shell

To easy – On to root

Getting Root

Something I have a habit of doing lately is dog fooding my favorite linux red team shell, shinobi shell

Once it’s downloaded to my attacking machine, I start up a shinobi server

./ShinobiShell.py -l 444

Next I pull it down to my victim machine

Starting the Shinobi Client is easy. We just give it the -c flag for connect and it will prompt you for your attacking server IP. There’s other flags as well. ShinobiShell allows you to setup an encrypted tunnel if you wish.

./ShinobiShell.py -c

Because you’re prompted after run for the ip, port and encryption key, none of this will live in your logs and it makes it harder to discover

First stop is getting our user.txt flag if we can. Which it appears on this machine we can.

Now we move on to privilege escalation

This is where ShinobiShell really shines. It allows you to pull and push information/files/exploits to and from and through your attacking machine as you need with single commands.

Something I like to start with is suid3num

You can easily get it on your victim machine just by typing suid3num

ShinobiShell will go request over the tunnel to the ShinobiServer for suid3num and the ShinobiServer will go get the latest version and send it back over the tunnel to you

Once we run suid3num we see there’s a binary called emergency in /usr/htb/bin/ that has suid privileges

I decided to yolo and just run it to see what happened … Maybe we’ll get some help text on what it does

JK WE ROOT lol

And that’s the box

Leave a Reply

three + 15 =