Bank


Last updated 4 years ago


Overview

Initial Foothold: upload a file to the web server and execute it

Privilege Escalation: permissions of the /etc/passwd file

Enumeration

Start with a port scan:

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 08:ee:d0:30:d5:45:e4:59:db:4d:54:a8:dc:5c:ef:15 (DSA)
|   2048 b8:e0:15:48:2d:0d:f0:f1:73:33:b7:81:64:08:4a:91 (RSA)
|   256 a0:4c:94:d1:7b:6e:a8:fd:07:fe:11:eb:88:d5:16:65 (ECDSA)
|_  256 2d:79:44:30:c8:bb:5e:8f:07:cf:5b:72:ef:a1:6d:67 (ED25519)
53/tcp open  domain?
| dns-nsid: 
|_  bind.version: 9.9.5-3ubuntu0.14-Ubuntu
80/tcp open  http    Apache/2.4.7 (Ubuntu)
|_http-server-header: Apache/2.4.7 (Ubuntu)
| http-title: HTB Bank - Login
|_Requested resource was login.php

Let's start with port 80.

Web Enumeration

Visit the web page.

The Apache2 default page is displayed.

Add bank.htb to the hosts file to see the web content.

Now visit bank.htb.

The default login page is shown.

We don't have any credentials, so we cannot log in.

Let's enumerate directories using DirBuster.

Start the scan.

The scan returns some results; support.php looks interesting.

Open that page. From the response code we can see that it redirects to another page.

Use Burp Suite to intercept the request.

The response contains the page, but when it is forwarded the browser is redirected to the login page.

Change the 302 Found status to 200,

and then forward it.

We get the support.php page.

Check the source code of the page.

There is a comment which tells us to use .htb instead of .php when uploading files.

Exploitation

The web server allows file uploads when the .htb extension is used.

Upload a PHP reverse shell to confirm that we can upload and execute files.

Use the pentestmonkey PHP reverse shell payload.

Change lhost and lport in the code, change the extension to .htb, and upload the file to the web server.

The payload was uploaded successfully. Now access it through the upload folder using the name of the payload.

Set up a listener for the shell:

kali@kali:~$ sudo rlwrap nc -lvnp 80

Got a shell as the www-data user.

Privilege Escalation

After some enumeration, we find that the user has permission to write to the /etc/passwd file.

This means that if we add our own user with root permissions to this file, we will get root access to the machine.

Copy the contents of /etc/passwd to our local host.

Now create the user's password hash using openssl:

openssl passwd -1 -salt yo pass123

Now add this to the passwd file that we copied from the victim host.

The format should be the same as specified above.

Now transfer this file to the victim machine and replace /etc/passwd with it.

Now change user to yo and enter the password pass123.

We have root access.
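
The misconfiguration used in this section can be checked for directly. The script below is an added example, not part of the original writeup: it reports a passwd file that is writable by group or other, any UID 0 account other than root, and any entry whose password field holds a hash instead of x. The function names, the sample entries and the placeholder hash are constructed for illustration.

```bash
#!/bin/sh
# Added example (not from the original writeup): audit a passwd-format file.

# Emit one finding per line for the file given as $1.
passwd_findings() {
    # 1. Permissions: only the owner (root) should be able to write the file.
    #    -perm -0002 matches write for "other", -perm -0020 write for group.
    if [ -n "$(find "$1" -prune \( -perm -0002 -o -perm -0020 \) 2>/dev/null)" ]; then
        echo "PERM: $1 is writable by group or other"
    fi
    # 2. Records are name:password:UID:GID:gecos:home:shell
    awk -F: '
        /^[ \t]*(#|$)/ { next }   # skip comments and blank lines
        $3 == 0 && $1 != "root" { print "UID0: account " $1 " has UID 0" }
        # With shadow passwords field 2 is "x" ("*" or "!..." when locked);
        # anything else is a hash or an empty password kept in this file.
        $2 != "x" && $2 != "*" && $2 !~ /^!/ {
            print "HASH: account " $1 ($2 == "" ? " has an empty password" : " carries a password hash")
        }
    ' "$1"
}

# Print findings; return 0 when the file is clean, 1 otherwise.
audit_passwd() {
    findings="$(passwd_findings "${1:-/etc/passwd}")"
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample: a normal root entry plus one appended UID 0 account.
# The hash is a placeholder string, not real openssl output.
demo_audit() {
    sample="$(mktemp)"
    cat > "$sample" <<'EOF'
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
yo:$1$yo$PLACEHOLDERHASH:0:0:root:/root:/bin/bash
EOF
    chmod 666 "$sample"   # mimic the writable file found on this box
    rc=0
    audit_passwd "$sample" || rc=$?
    rm -f "$sample"
    return "$rc"
}

demo_audit || true
```

Calling audit_passwd with no argument checks /etc/passwd on the current host.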

That's all for this box

Good Bye :)

Reference: php-reverse-shell/php-reverse-shell.php at master · pentestmonkey/php-reverse-shell (GitHub)