Bank

Overview
Initial Foothold: File upload on the web server, followed by execution of the uploaded file
Privilege Escalation: Permissions of the /etc/passwd file
Enumeration
Start with port scanning.
Let's start with port 80.
Web Enumeration
Visit the webpage

The Apache2 default page is shown.
Add bank.htb to the hosts file to see the web content.

Now visit bank.htb

Got the default login page.
We don't have any creds, so we cannot log in.
Let's enumerate directories using DirBuster.

Start the scan

Got some results; support.php looks interesting.
Open that page. From the response code we can see that it redirects to another page.
Use Burp Suite to intercept the request.

The response contains the webpage, but when it is forwarded the browser is redirected to the login page.
Change the 302 Found status code to 200, and then forward it.

Got the support.php webpage.

Check the source code of the webpage.

There is a comment that tells us to use .htb instead of .php when uploading files.
Exploitation
File upload is allowed on the web server when the .htb extension is used.
Upload a PHP reverse shell to confirm that we can upload and execute files.
Use the pentestmonkey PHP reverse shell payload.
Change lhost and lport in the code, change the extension to .htb, and upload the file to the web server.

The payload was uploaded successfully. Now access it through the upload folder using the name of the payload.
Set up a listener for the shell.


Got a shell as the www-data user.
Privilege Escalation
After some enumeration, found that the user has permission to write to the /etc/passwd file.

This means that if we add our own user with root permissions to this file, we get root access to the machine.
Copy the content of /etc/passwd to our local host.
Now create the user's password hash using openssl.

Now add this to the passwd file that we copied from the victim host.

The format should be the same as specified above.
Now transfer this file to the victim machine and replace the /etc/passwd file with it.


Now change user to yo and enter the password pass123.

Got root access.
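
From the defender's side, the conditions this escalation relies on can be audited: write access to /etc/passwd for non-root users, and entries that carry UID 0 or their own password hash. The Python check below is an added example, not part of the original writeup; the function names are hypothetical and the sample passwd content (including the hash placeholder) is constructed.

```python
import os
import stat

# Constructed sample: a passwd file with an extra UID 0 account holding its own hash.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
yo:$1$CONSTRUCTED$placeholderhashvalue00:0:0:root:/root:/bin/bash
"""


def audit_passwd_entries(text):
    """Return (user, reason) findings for suspicious passwd entries."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((f"line {lineno}", "malformed entry"))
            continue
        user, pw, uid = fields[0], fields[1], fields[2]
        if uid.isdigit() and int(uid) == 0 and user != "root":
            findings.append((user, "UID 0 account other than root"))
        # "x" defers to /etc/shadow; "*", "!" and "!!" mark accounts without a usable password.
        if pw not in ("x", "*", "!", "!!"):
            reason = "empty password field" if pw == "" else "password hash stored in passwd"
            findings.append((user, reason))
    return findings


def audit_passwd_mode(mode, uid, gid):
    """Flag ownership or permission bits that let non-root users edit the file."""
    issues = []
    if uid != 0:
        issues.append("not owned by root")
    if mode & stat.S_IWOTH:
        issues.append("world-writable")
    if mode & stat.S_IWGRP and gid != 0:
        issues.append("group-writable by non-root group")
    return issues


if __name__ == "__main__":
    for who, why in audit_passwd_entries(SAMPLE_PASSWD):
        print(f"[entry] {who}: {why}")
    st = os.stat("/etc/passwd")
    for issue in audit_passwd_mode(st.st_mode, st.st_uid, st.st_gid):
        print(f"[mode] /etc/passwd is {issue}")
```

The expected state is /etc/passwd owned by root with mode 644, every password field set to x, and root as the only UID 0 entry.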

That's all for this box
Good Bye :)