
Hack The Box – Bank Walkthrough

Introduction

This was an easy Linux machine that involved exploiting a file upload functionality to gain initial access and a binary with the SETUID bit assigned to escalate privileges to root.

Enumeration

The first thing to do is to run a TCP Nmap scan against the 1000 most common ports, using the following flags:

  • -sC to run default scripts
  • -sV to enumerate application versions

The scan has revealed three open ports: port 22 (SSH), port 53 (DNS) and port 80 (HTTP).

Enumerating HTTP

When navigating to the web server, the default Apache2 web page is displayed:

Since the name of the box is Bank, the next step was to add “bank.htb” to the /etc/hosts file:

A login page is displayed when accessing the bank.htb site:

The next step is to run a scan to find hidden files or directories using Gobuster, with the following flags:

  • dir to specify the scan should be done against directories and files
  • -u to specify the target URL
  • -w to specify the word list to use
  • -x to specify the extensions to enumerate
  • -t to specify the number of concurrent threads

The scan has identified a /balance-transfer directory, which, when accessed, lists a large number of files:

When accessing any of them, they appear to contain encrypted usernames and passwords:

When sorting the files by size, it looks like one of them is only 257 bytes, whereas all of the other ones are around 580 bytes:

This file contains clear-text credentials:

Authenticating into the web application with the credentials found above:

Navigating to the support page shows what looks like a list of tickets (currently empty) and a form to submit tickets, which allows files to be attached:

Copying the Laudanum PHP Reverse Shell to the current working directory:

Changing the IP address and port accordingly:

Logging a support request and attaching the PHP reverse shell:

It looks like the site does not allow PHP files to be uploaded:

When inspecting the page source, a comment mentions that files with the .htb extension are executed as PHP code:

Renaming the file to have the .htb extension accordingly:

Re-uploading the PHP reverse shell with the .htb extension:

This time, the reverse shell was successfully uploaded:
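The upload form blocked .php, yet the web server still executed .htb, which is the classic failure of an extension denylist. The following Python is added here as an illustration and is not code from the original writeup or from the box; it contrasts that denylist with the allowlist check a hardened upload handler should use. The allowed extensions and the sample filenames are constructed for the example.

```python
import os

# The weak rule the Bank upload form effectively applied: only .php is refused.
DENIED_EXTENSIONS = {"php"}

# Hardened rule (assumed for this example): accept only a short list of data
# file types. Anything the web server maps to a script handler, such as the
# .htb extension on Bank, is rejected simply because it is not on the list.
ALLOWED_EXTENSIONS = {"txt", "pdf", "png", "jpg", "jpeg"}


def extension_of(filename: str) -> str:
    """Return the final extension, lower-cased, without the dot ('' if none)."""
    base = os.path.basename(filename)
    if "." not in base:
        return ""
    return base.rpartition(".")[2].lower()


def denylist_accepts(filename: str) -> bool:
    """Weak check: accept unless the extension is explicitly denied."""
    return extension_of(filename) not in DENIED_EXTENSIONS


def allowlist_accepts(filename: str) -> bool:
    """Hardened check: exactly one extension, and it must be on the allowlist.
    Rejecting multi-dot names also blocks 'shell.php.jpg'-style filenames."""
    base = os.path.basename(filename)
    if base.count(".") != 1:
        return False
    return extension_of(base) in ALLOWED_EXTENSIONS


def classify(filenames):
    """Return {name: (denylist_result, allowlist_result)} for a batch of uploads."""
    return {name: (denylist_accepts(name), allowlist_accepts(name)) for name in filenames}


if __name__ == "__main__":
    # Constructed sample uploads, including the .htb rename used on this box.
    samples = ["shell.php", "shell.htb", "shell.PHP", "shell.php.jpg", "report.pdf"]
    for name, (weak, strong) in classify(samples).items():
        print(f"{name:14} denylist={weak!s:5} allowlist={strong}")
```

On top of the extension check, a real handler should also store uploads under a server-generated name in a directory the web server does not execute from.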

The next step is to set up a Netcat listener, which will catch the reverse shell when it is executed by the victim host, using the following flags:

  • -l to listen for incoming connections
  • -v for verbose output
  • -n to skip the DNS lookup
  • -p to specify the port to listen on

Since Gobuster found an /uploads folder earlier, the assumption is that it is used to store uploaded files. Navigating to the PHP reverse shell there executes it:

A callback was received on the Netcat listener, granting a shell as the www-data user:

The following steps can be done to obtain an interactive shell:

  • Running python -c 'import pty; pty.spawn("/bin/sh")' on the victim host
  • Hitting CTRL+Z to background the process and go back to the local host
  • Running stty raw -echo on the local host
  • Typing fg and hitting ENTER to go back to the reverse shell
  • Running export TERM=xterm in the reverse shell

Privilege Escalation

Running the following commands to identify any binaries with the SETUID or SETGID bit set:

find / -perm -u=s -type f 2>/dev/null; find / \( -perm -4000 -o -perm -2000 -o -perm -6000 \) -type f 2>/dev/null

There appears to be an unusual “/var/htb/bin/emergency” binary with the SUID bit assigned. When executing it, a Bash shell is returned:

This has provided root-level access to the machine.

Conclusion

This box was quite CTF-like and not very realistic, apart from the file upload exploitation part. Nonetheless, it was still a pretty fun challenge.