HackTheBox: Bank
01/13/2024
This is another one of the retired easy boxes that they've re-released for a month.
I have less than 90 minutes for this one, so I'm going to lean heavily on the writeup. I'm trying to bang out one of these every day this week to get exposure to as much material as possible as fast as possible.
Enumeration
Three ports open: 22 (SSH), 53 (DNS) and 80 (HTTP).
We can guess that the hostname is "bank.htb" and add this to /etc/hosts. This box actually DOES use name-based virtual hosting, so if you put the IP in the URL it brings you to a different page than if you type in the actual hostname.
The landing page is a login form for a site called "HTB Bank". What I would probably do at this point is have SQLmap running on it in the background, but the writeup basically said to save your time because it's not vulnerable. Instead, the writeup runs dirbuster on it and finds a directory named "/balance-transfer".
Navigating there, we see that directory listing is enabled, and there is a long list of files whose names look like hexadecimal strings and which end in a ".acc" extension. Presumably each one corresponds to an account?
That is the case. Each record is an ASCII text file with the fields "Full Name", "Email", "Password", "CreditCards" and "Balance".
The "Full Name", "Email" and "Password" fields are all encrypted. Each one is 128 characters long (NOT all hex). Whatever kind of encryption this is does not look easy to break.
Anyway, the writeup looked more closely and found one file that was smaller than all the rest. In that one the encryption had failed, and the credentials are in plain text.
Its contents are:
+=================+
| HTB Bank Report |
+=================+
===UserAccount===
Full Name: Christos Christopoulos
Email: chris@bank.htb
Password: !##HTBB4nkP4ssw0rd!##
CreditCards: 5
Transactions: 39
Balance: 8842803 .
===UserAccount===
Presumably we can use these credentials to sign in to the site: "chris@bank.htb:!##HTBB4nkP4ssw0rd!##"
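As an added check that is not part of the original writeup: a small Python audit that parses records in the report format shown above and flags any whose "Full Name", "Email" or "Password" field is not in the 128-character encrypted form the other files use, which is how a defender would catch a record where the encryption step silently failed before it is published. The two sample records, their file names and the FAKE_CT stand-in for ciphertext are constructed for the example; the second record is the plaintext one quoted above.

```python
from pathlib import Path

# Constructed stand-in for a 128-character encrypted field (real scheme unknown).
FAKE_CT = ("Zq8vL2" * 22)[:128]
HEADER = "+=================+\n| HTB Bank Report |\n+=================+\n===UserAccount===\n"

# Two constructed *.acc records in the report format shown on this page; the
# file names are made up, the second record is the plaintext one quoted above.
SAMPLE_ACCOUNTS = {
    "0a1b2c3d.acc": HEADER + f"Full Name: {FAKE_CT}\nEmail: {FAKE_CT}\nPassword: {FAKE_CT}\n"
    "CreditCards: 3\nTransactions: 12\nBalance: 1200 .\n===UserAccount===\n",
    "ffeeddcc.acc": HEADER + "Full Name: Christos Christopoulos\nEmail: chris@bank.htb\n"
    "Password: !##HTBB4nkP4ssw0rd!##\nCreditCards: 5\nTransactions: 39\n"
    "Balance: 8842803 .\n===UserAccount===\n",
}
ENCRYPTED_FIELDS = ("Full Name", "Email", "Password")
ENCRYPTED_LEN = 128

def parse_report(text):
    """Return the 'Key: value' pairs between the ===UserAccount=== markers."""
    fields, inside = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line == "===UserAccount===":
            inside = not inside
        elif inside and ": " in line:
            key, value = line.split(": ", 1)
            fields[key] = value.strip()
    return fields

def looks_encrypted(value):
    """Encrypted fields are 128 chars; a space or '@' means plaintext leaked."""
    return len(value) == ENCRYPTED_LEN and " " not in value and "@" not in value

def find_plaintext_records(accounts):
    """accounts: file name -> contents. Returns [(name, [leaked fields]), ...]."""
    leaked = []
    for name, text in accounts.items():
        fields = parse_report(text)
        bad = [f for f in ENCRYPTED_FIELDS if not looks_encrypted(fields.get(f, ""))]
        if bad:
            leaked.append((name, bad))
    return leaked

def scan_directory(directory):
    """Same check over real *.acc files copied from the server."""
    files = {p.name: p.read_text(errors="replace") for p in Path(directory).glob("*.acc")}
    return find_plaintext_records(files)
```

Run it against a copy of the balance-transfer directory with scan_directory(); any record it returns should be pulled and the export job investigated.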
Logging in to the bank app
Again, I'm entirely following the writeup here.
A comment in the page source states
<!-- [DEBUG] I added the file extension .htb to execute as php for debugging purposes only [DEBUG] -->
So basically, any file we upload with the extension .htb will execute as PHP.
We can upload a PHP reverse shell and get a foothold that way.
Success. I just had to change the reverse shell's extension from .php to .htb, then click the 'attachment' on the submitted support ticket, and we have a shell.
Privilege Escalation
We enter the box through the reverse shell as 'www-data' in the root ("/") directory.
We can get the user flag from /home/chris.
The first check was to run "sudo -l", but that requires the password for www-data, so that's a no-go.
Next I search for abusable SUID binaries using
find / -perm /4000 2>/dev/null
and get a decent list:
/var/htb/bin/emergency
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/bin/at
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/pkexec
/usr/bin/newgrp
/usr/bin/traceroute6.iputils
/usr/bin/gpasswd
/usr/bin/sudo
/usr/bin/mtr
/usr/sbin/uuidd
/usr/sbin/pppd
/bin/ping
/bin/ping6
/bin/su
/bin/fusermount
/bin/mount
/bin/umount
Of these, one in particular stands out:
/var/htb/bin/emergency