HTB - Bank
Bank is a great Linux machine for starting on Hack The Box. There are two ways to complete this box (that I am aware of). I will be showing the alternate way, which I used the second time I completed it.
Port Scan
nmap -sV -sS -p- -oN portscan 10.10.10.29
We only found 3 ports open. At this point I decided to run an aggressive scan on the target and add bank.htb to my /etc/hosts.
We get a bit more information. However, for this walkthrough we will go straight to working with port 80.
Enumerating Port 80
If you navigate to 10.10.10.29 you will get the default Apache2 page. However, if you navigate to bank.htb you will arrive at a login page.
From this point on, you should further enumerate bank.htb with gobuster and dirbuster. I strongly suggest using both; as I learnt from this box, you may not find all directories with just one tool.
With gobuster I found the following directories:
/uploads (Status: 301)
/assets (Status: 301)
/inc (Status: 301)
/server-status (Status: 403)
/balance-transfer (Status: 301)
If you wish to go the first way I completed this box, look through /balance-transfer/ and test your enumeration skills.
With dirbuster:
We found /support.php with a 302. Because the response is a 302, you are redirected every time you try to navigate to that page. On this machine it redirects you back to the login page.
This is where the fun starts and you have to start using Burp!
Note: Make sure Burp is intercepting server responses as well.
Start intercepting with Burp and navigate to bank.htb/support.php
When you see this response:
Edit the first line of the HTTP response (the status line) to:
HTTP/1.1 200 OK
You will be directed to /support.php.
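The status-line edit works because the application keeps rendering the page after it issues the redirect, so the 302 response still carries the page body. The check below is an added example (not part of the original write-up) that a defender can run over recorded responses to flag redirects carrying page content. The sample responses, the size threshold and the markup heuristic are constructed assumptions, and it expects uncompressed, unchunked bodies.

```python
import re

REDIRECT_CODES = {301, 302, 303, 307, 308}
# Markup a bare redirect stub has no reason to contain (assumed heuristic).
SENSITIVE_MARKUP = re.compile(rb"<(form|input|textarea|table)\b", re.I)
MAX_STUB_BYTES = 512  # assumed upper bound for a normal redirect stub body


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        raise ValueError("not an HTTP response")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return int(parts[1]), headers, body


def redirect_leaks_content(raw: bytes):
    """Return a list of findings; an empty list means the response looks fine."""
    status, _headers, body = parse_response(raw)
    if status not in REDIRECT_CODES:
        return []
    findings = []
    if len(body) > MAX_STUB_BYTES:
        findings.append(f"{status} response has a {len(body)}-byte body")
    if SENSITIVE_MARKUP.search(body):
        findings.append(f"{status} response body contains form or table markup")
    return findings


# Constructed samples (not captured from the target).
LEAKY = (b"HTTP/1.1 302 Found\r\nLocation: login.php\r\nContent-Type: text/html\r\n\r\n"
         b"<html><body><form method='post' enctype='multipart/form-data'>"
         b"<input type='file' name='fileToUpload'></form></body></html>")
CLEAN = b"HTTP/1.1 302 Found\r\nLocation: login.php\r\nContent-Length: 0\r\n\r\n"
OK_PAGE = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<form></form>"

if __name__ == "__main__":
    for name, raw in (("leaky", LEAKY), ("clean", CLEAN), ("ok", OK_PAGE)):
        print(name, redirect_leaks_content(raw))
```

Any finding means the server should stop processing the request as soon as it has sent the redirect, so that nothing intended for authenticated users is written into the response.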
Obtaining a Reverse Shell
By this point we should know that we should try to upload a PHP reverse shell. When you try to upload the shell, it will not be accepted unless it is an image.
To make your PHP reverse shell read as an image, add GIF89a at the very top of the reverse shell code.
However, this still will not work. There is one last thing we need to do in order for our shell to work. If you intercept the request in Burp, you will see that it will accept .htb files.
Change the extension of your reverse shell to .htb, upload the file, and then you will have a reverse shell.
Privilege Escalation
Now that we are in the machine, it is a good idea to have a look around and see what you can find. At this point we can obtain the user flag in the home directory.
To escalate our privileges, you will need to check for SUID executables that you can run.
find / -user root -perm -4000 -print 2>/dev/null
Run: /var/htb/bin/emergency
And then you have root privileges.