Penetration testing

Hack the Box (HTB) machines walkthrough series — Bank

Security Ninja
December 24, 2018 by
Security Ninja

Continuing with our series on the Hack the Box (HTB) machines, this article contains the walkthrough of another HTB machine. This one is named “Bank.”

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

HTB is an excellent platform that hosts machines belonging to multiple OSes. It also hosts some other challenges as well. Individuals have to solve the puzzle (simple enumeration and pentest) in order to log into the platform so you can download the VPN pack to connect to the machines hosted on the HTB platform.

Note: Only writeups of retired HTB machines are allowed. The machine in this article, known as “Bank,” is retired.

Let’s start with this machine.

1. Download the VPN pack for the individual user and use the guidelines to log into the HTB VPN.

2. The Bank machine IP is 10.10.10.29.

3. We will adopt the same methodology of performing penetration testing. Let’s start with enumeration in order to gain as much information for the machine as possible.

4. Below is the output of the nmap scan. As we can see, there are lot of ports opened on this machine, including port 22, 80 and 53. Note that DNS is listening on TCP port 53, so Zone transfer is also possible.

<<nmap -sC -sV -oA nmap 10.10.10.29 >>

5. We’ll start with port 80 enumeration. However, it just points to a standard apache page installation. It looks like that for further enumeration on port 80, it needs a hostname. At this point, the hostname had to be guessed for this machine; this turns out to be bank.htb. This follows the standard convention of HTB machines of the format <machinename>.htb.   

        

6. In order to resolve it, let’s add the entry in /etc/hosts. The screenshot below depicts the same thing.

7. And it can be seen now. The login page is presented now if port 80 is browsed again.

8. We tried several things on this login for an early and easy win, but to no avail. So that means we’re going back to enumeration. We can launch dirbuster to find out if more directories exist by following these steps:

  • Launch dirbuster: <<dirbuster>>
  • URL: http://bank.htb
  • Wordlist: /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
  • Extension : php
  • Start

9. After this, observe the output of dirbuster. An interesting point to note is that for the page support.php, we have a 302 redirect, but the size is too big.

10. Let’s try to see if we can analyze the support.php page contents before the redirection happens.

11. Start up Burp and enable the server intercept response as shown below.

12. Let’s browse to the login.php page again. Now that we can control the redirection, we can see that the support.php page has a complete html page served before any redirection happens.

13. Redirecting the same request to Burp’s responder, we can see the complete request and response for the support.php page.

14. Opening the loaded html for support.php in the browser presents the page below.

15. To load this in Firefox, we can install the NoRedirect plugin and add the URL hxxp://bank.htb/login.php so that no automatic redirects happen under this URL.

16. Now if we browse to the login page, we can see the support.php page, which gives us the ability to upload files.

17. Before we start exploiting the upload feature, looking into the source code of the page reveals an important configuration, which states that .htb files will be executed as php. This means that we have to upload php files in a .htb wrapper.

18. Following the analysis as described above, we will try to upload the php shell as an .htb file in support.php page. But before we do that, let’s edit the file to point back to the attacking machine IP and port.

19. After making the required changes to php backdoor, the file is saved as shell.htb and uploaded as shown below.

20. Before we browse the uploaded file, let’s start a netcat listener on port 1234.

<<nc -nlvp 1234>>

21. Browsing the uploaded file spawns back the shell, as shown below.

22. The shell is spawned back as www-data, but we are allowed to visit the directory of user “chris,” as shown below. The commands below were used to grab user.txt file.

<< cd chris>

<< ls >>

<< cat user.txt >>

23. To perform privilege escalation, one of the first things I always check is to find out which binaries which have SUID bit set.

<< find / perm -u=s -type f 2>/dev/null >>

24. We can see that there is binary under /var/htb/bin/emergency, which is a SUID bit. Browsing to directory and looking into file type and executing it, we can see that the file is 32-bit ELF executable. Upon executing, we are root.

<< cd /var/htb/bin >>

<< ls -l >>

<< file emergency >>

<< ./emergency >>

<< id >>

25. Since we are root now, we’re browsing to get the root.txt file.

<< cd /root >>

<< ls >>

<< cat root.txt >>

So this was another machine from the HTB platform. One interesting thing to learn from this machine was how to analyze 302 redirects. Privilege escalation was straightforward.

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

We will continue this series with more walkthroughs of such machines.

Security Ninja
Security Ninja