CTF: HackDay Albania Bank Walkthrough

This CTF challenge is fun and provides a lot of opportunities to work with SQL injection and writeable-file abuse. It is actually not that difficult, but it provides plenty of opportunity to practice those skill sets. I really enjoyed this one.

Tools & Techniques

  • nmap, dirb
  • Burp Suite
  • SQLMap
  • Reverse Shell
  • Exploiting a writeable file

Enumeration

(nmap scan)

Discovering the Banking Website

I would highly recommend you check out mrb3n’s walkthrough. Ben gets it right. He writes a script that iterates through the directories trying to find the correct folder. You can improve your ack and cut skills.

Ultimately, I just went down the list copying and pasting the folders into the browser to see what came up.

(robots.txt)

SQL Injection

After running dirb and nikto with few useful results, my gut told me this would be a SQL injection vulnerability. I used SQLMap to identify some SQL injection vulnerabilities. At first, I tried using the vulnerabilities with Burp Suite, but that didn’t work. However, I was able to copy and paste the vulnerability into the login form and gain access to a user.

(SQLMap)

You can easily get access by pasting the SQL injection payload that SQLMap found into the contact form field for the username and using a “#” for the password.

I also recommend reading about what reedphish did. The article demonstrates using wfuzz to find a user that could be brute-forced.

The cool thing about using Burp Suite was that I was able to see the SQL injection cause a delay before the data loaded. Unfortunately, that’s all I saw.

(Burp Suite)

Uploading a Malicious Image

Once I had access to the login screen of the bank website, there was a screen to upload a support ticket with an image. It’s not very clear what you can or can’t upload, so I tried uploading a text file and it gave me this error.

So… I created a malicious image, mal.jpg.

Burp Suite

Before I got a reverse shell, I tried to use Burp Suite to get the call home, but it did not work. So, I pulled out information like the users and started running that information through hydra. This resulted in no credentials after 30 minutes of running.

(Burp Suite – /etc/passwd)

Reverse Shell

Using pentest monkey’s PHP reverse shell, I customized it and uploaded it to the help desk. This worked flawlessly.

(Configuring pentest monkey’s PHP reverse shell script)

To start the listener for the reverse shell I ran these commands:

(pentest monkey reverse shell established)

Getting a PTY

I tried using python, but python 2 is not installed. For whatever reason I didn’t think about trying python 3, so I ended up trying a new method using a static binary like socat.

I read about this technique here: https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/

Privilege Escalation

Once I had a reverse shell and started snooping around, I could see that there was one user on the box who had recently used a sudo command successfully. This turns out to be a possible rabbit hole.

LinEnum

I pulled LinEnum and executed that script from the /tmp folder and found a way up. It turns out that /etc/passwd was writeable. This means I could create a new user or put a password in place for taviso.

(/etc/passwd is writeable)

Creating a Root User

First, you’ll need to get a hashed password using openssl. Do this on your attack machine and base64-encode the string.

In the reverse shell you will need to execute this command to create a user in the /etc/passwd file.
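As an added example (not from the original post), here is a small defender-side audit for the two weaknesses this privilege escalation relies on: an /etc/passwd that is writeable by non-root users, and a password hash or extra UID 0 account written directly into it. The sample passwd content, the account name `backdoor` and the hash value are constructed; `taviso` is the user named above.

```python
import os
import stat

# Constructed sample /etc/passwd: a normal box plus the two entries this
# walkthrough describes adding (a hash placed in the password field for
# taviso, and an extra UID 0 account). The hash value is made up.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
taviso:$1$c0nstru$ctedHashValueXXXXXXXX:1000:1000:Tavis:/home/taviso:/bin/bash
backdoor:$1$c0nstru$ctedHashValueXXXXXXXX:0:0:added:/root:/bin/bash
"""

def audit_passwd_text(text):
    """Return (username, reason) findings for passwd-formatted text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((line, f"line {lineno}: malformed entry"))
            continue
        name, pw, uid, _gid, _gecos, _home, _shell = fields
        if uid == "0" and name != "root":
            findings.append((name, "uid 0 account other than root"))
        if pw == "":
            findings.append((name, "empty password field (no password needed)"))
        elif pw not in ("x", "*", "!", "!!"):
            findings.append((name, "password hash stored in /etc/passwd, not /etc/shadow"))
    return findings

def mode_is_safe(st_mode):
    """True if the mode bits deny write access to group and others."""
    return not (st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def passwd_file_is_safe(path="/etc/passwd"):
    """True if the file is root-owned and not writeable by group or others."""
    st = os.stat(path)
    return st.st_uid == 0 and mode_is_safe(st.st_mode)

if __name__ == "__main__":
    for user, reason in audit_passwd_text(SAMPLE_PASSWD):
        print(f"{user}: {reason}")
    print("/etc/passwd permissions safe:", passwd_file_is_safe())
```

Run it on the box you manage with `audit_passwd_text(open("/etc/passwd").read())`; LinEnum's "writeable file" finding corresponds to `passwd_file_is_safe()` returning False.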

Root Flag