BANK
- Layout for this exercise:

1 - INTRODUCTION
- The goal of this exercise is to develop a hacking process for the vulnerable machine Bank, which is a retired machine from the Hack The Box pentesting platform:
https://www.hackthebox.eu/

2 - ENUMERATION
- Bank's IP is 10.10.10.29:

- Scanning with Nmap:


- Connecting with the web browser, the result is the Apache default page:

- Trying to bind Bank's IP to the domain bank.htb (the usual format for Hack The Box machines) by adding a new line to the file /etc/hosts:

- Now the browser connection is quite different and indeed more promising:

- Applying DirBuster:


- Aside from other folders and files, we find the folder balance-transfer, which holds a record of a lot of customers' balance transfers:

- The extension .acc refers to financial account information for Graphic Accounts, a program for creating and maintaining personal budgets, which may include data for bank accounts.
- Reading the first file we find encrypted credentials for a user:

- Something stands out: while most of the .acc files have a size of around 580 Megabytes, there is one file with around half that size:

- Reading that file we find cleartext credentials for the user Chris Christopoulos:

3 - EXPLOITATION
- The first thing we try is SSH with credentials chris:!##HTBB4nkP4ssw0rd!##, though we are not successful:

- However, we can log in to the web application using credentials chris@bank.htb:!##HTBB4nkP4ssw0rd!##


- Going to the Support tab, there is a file upload control, Choose File:

- Creating the exploit myshell.htb with Msfvenom:


- Clicking Choose File and uploading myshell.htb:

- Also, filling Title and Message fields with any text:

- Submitting, a ticket is successfully created:


- Setting up a Meterpreter handler to listen for the session:

- Now, clicking the ticket:


- The exploitation is successful:

- Getting a shell and improving it:


- Also, a bash shell may be useful:


4 - CAPTURING THE 1st FLAG
- The user flag is at user.txt:

5 - PRIVILEGE ESCALATION
- Looking for SUID files:

- Let's use two ways to achieve a root shell, focusing on the files /var/htb/bin/emergency and /etc/passwd.
5.1 - /var/htb/bin/emergency
- The file emergency has the SUID bit set, so it runs as root:


- Let's see what happens when running ./emergency:

- Surprisingly it leads to a root shell.
5.2 - Modifying /etc/passwd
- We can modify /etc/passwd because it is writable:


- Creating a new password and encrypting it:

- Rewriting /etc/passwd so that the password is assigned to the root user:


- Now, using the new password as root user we achieve a root shell:
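
- From the defender's side, both findings in section 5 (an SUID file outside the standard system directories and a writable /etc/passwd that ends up holding a password hash) can be caught with a short audit. The script below is an added example, not part of the original write-up; the function names and the allowlisted directories are assumptions:

```shell
#!/bin/sh
# Added audit example (not from the original write-up).
# The allowlisted directories used in the --audit run are assumptions.

# Print each given regular file that is writable by "other" (mode bit 0002).
world_writable() {
    for f in "$@"; do
        [ -e "$f" ] || continue
        find "$f" -prune -type f -perm -0002 -print
    done
}

# Print accounts in a passwd-format file whose second field is not the
# shadow placeholder (x) or a lock marker (* or a leading !), i.e. entries
# carrying a password hash, or an empty password, directly in the file.
passwd_inline_secrets() {
    awk -F: '$2 != "x" && $2 != "*" && $2 !~ /^!/ { print $1 }' "$1"
}

# Print SUID regular files under $1 that are not inside any of the
# allowlisted directories given as the remaining arguments.
suid_outside_allowlist() {
    root=$1; shift
    find "$root" -xdev -type f -perm -4000 -print 2>/dev/null |
    while IFS= read -r f; do
        ok=0
        for d in "$@"; do
            case $f in "$d"/*) ok=1 ;; esac
        done
        [ "$ok" -eq 1 ] || printf '%s\n' "$f"
    done
}

# Run the three checks against the live host only when asked to.
if [ "${1:-}" = "--audit" ]; then
    world_writable /etc/passwd /etc/shadow /etc/group
    passwd_inline_secrets /etc/passwd
    suid_outside_allowlist / /bin /sbin /usr/bin /usr/sbin /usr/lib /usr/libexec
fi
```

Any line printed by an `--audit` run is a finding to review; on a correctly configured host all three checks print nothing.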

6 - CAPTURING THE 2nd FLAG
- The second flag is at file root.txt:
