search

Bank

OS: Linux, Difficulty: Easy, IP: 10.10.10.29

hashtag
Initial enumeration

# Nmap 7.80 scan initiated Sat Sep 28 21:42:44 2019 as: nmap -sV -sC -O -A -oN O-Detailed -p 80,53,22,U:53 10.10.10.29
Nmap scan report for 10.10.10.29
Host is up (0.22s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 08:ee:d0:30:d5:45:e4:59:db:4d:54:a8:dc:5c:ef:15 (DSA)
|   2048 b8:e0:15:48:2d:0d:f0:f1:73:33:b7:81:64:08:4a:91 (RSA)
|   256 a0:4c:94:d1:7b:6e:a8:fd:07:fe:11:eb:88:d5:16:65 (ECDSA)
|_  256 2d:79:44:30:c8:bb:5e:8f:07:cf:5b:72:ef:a1:6d:67 (ED25519)
53/tcp open  domain  ISC BIND 9.9.5-3ubuntu0.14 (Ubuntu Linux)
| dns-nsid: 
|_  bind.version: 9.9.5-3ubuntu0.14-Ubuntu
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.12 (95%), Linux 3.13 (95%), Linux 3.2 - 4.9 (95%), Linux 3.8 - 3.11 (95%), Linux 4.4 (95%), Linux 3.16 (95%), Linux 3.18 (95%), Linux 4.2 (95%), Linux 4.8 (95%), ASUS RT-N56U WAP (Linux 3.4) (95%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 53/tcp)
HOP RTT       ADDRESS
1   220.12 ms 10.10.14.1
2   229.82 ms 10.10.10.29

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Sep 28 21:43:08 2019 -- 1 IP address (1 host up) scanned in 24.59 seconds

Going to http://10.10.10.29 got me the default Apache server page, but as we see there's a DNS server running on port 53 so I added an entry for bank.htb in my hosts file and when visiting the address http://bank.htb we get a login page. No usual login credentials seemed to work, so I ran dirsearch on the URL and got following directories.

The URL /balance-transfer/ stood out to me, so I went ahead and explored the directory and found that there are several hundred files and all are encrypted however there's one file whose size is lesser than all the other files.

The contents of the file revealed credentials for an account on the system.

So we used the credentials to get to the dashboard.

Dashboard

There seemed to be another page called support.php which seemed interesting as it had a file upload capability (These are always juicy.).

Support

Looking at the source revealed that we can upload file with extension htb and have it run as PHP code, which as sweet.

So I used the /usr/share/webshells/php/php-reverse-shell.php from the kali repository and uploaded and from the My Tickets table opened up the file and caught the reverse shell with netcat.

hashtag
User own

hashtag
Root own

I ran linux smart enum on the system and found some interesting things about SUID binaries.

LogoGitHub - diego-treitos/linux-smart-enumeration: Linux enumeration tool for pentesting and CTFs with verbosity levelsGitHubchevron-right

So I went ahead and ran the uncommon binary and found that it dropped us into the root shell.

hashtag
Learning outcome

Directory scans play a very important role in success with web-servers.

PreviousOctoberNextWindows

Last updated