    I've been poking around HTB lately.  As I was Googling things and looking at the different boxes in the retired section, I saw a mention of Bank.  I think I started Bank at some point because the first couple of steps with DNS seemed vaguely familiar but sometimes I get pulled away from play time and I don't finish what I started.  So anyway, I had a free minute and started over again yesterday and I'm glad I found my way back because it was fun.  A little unrealistic as these things go sometimes but not annoyingly so. 

    We kick off with Nmap:


    TCP 53 stands out and of course the web port.

    We start digging (no pun intended) into DNS and we find:


    We edit the hosts file to add what we just uncovered:


    We browse the web port by IP:


    Next, we browse by the various names.  Using bank.htb, we find:


    Just testing to see what happens when we enter something:


    Nothing revealing as of yet:


    We fire up GoBuster and we find:


    We browse to the page:


    This list goes on and on -- I assume there's a needle in this haystack.  When we open one of the files, we find encrypted data. 

    Using:  wget -r

    We download all of the files into a folder.  We sort them by size and we find:


    When we open the file, we get credentials:


    We move back to the login page and enter the credentials:


    Excellent! 


    We check out the support link and we find a place to upload:


    I attempt to upload a shell but it prevents us from uploading it.  Creating a folder with a bunch of different bypass techniques:


    I try to upload everything but the only files that are successful are those with image extensions:


    I move over to Burp to see if I can tamper with some of those post requests and I notice:


    Copying our shell to one that has a .htb extension:


    Uploading:


    Success!


    With our handler set up, we view the shell and we get execution:


    Grabbing the user.txt file:


    Searching for setuid binaries:


    We execute /var/htb/bin/emergency and we get root:


    The OS is Ubuntu 14 so I imagine there are other roots but this was a second that I found:


    Being able to write into /etc/passwd gives us the ability to add an account:
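
Seen from the defender's side, both root paths above come down to two file-system checks. The script below is an added example, not part of the original write-up: it lists setuid files that sit outside the usual system binary directories and reports an account file that is writable by group or others. The function names and the directory allowlist are assumptions to adjust per distribution.

```shell
#!/bin/sh
# Added example (not from the original post): audit a host, or a mounted
# image, for the two misconfigurations this box relied on.

# List setuid files under ROOT that are outside the directories where a
# distribution normally ships them. The allowlist is an assumption.
unexpected_setuid() {
    prefix=${1:-/}
    prefix=${prefix%/}                    # "/" becomes "" so paths stay absolute
    find "${prefix:-/}" -xdev -type f -perm -4000 2>/dev/null |
    while IFS= read -r f; do
        case "${f#"$prefix"}" in
            /bin/*|/sbin/*|/usr/bin/*|/usr/sbin/*|/usr/lib/*|/usr/libexec/*) ;;
            *) printf '%s\n' "$f" ;;      # e.g. something under /var or /home
        esac
    done
}

# Print FILE if group or others can write to it. /etc/passwd is normally
# mode 0644, so any output for it is a finding.
loose_write_perms() {
    file=${1:-/etc/passwd}
    find "$file" -prune \( -perm -020 -o -perm -002 \) 2>/dev/null
}

# Run both checks against ROOT and print one line per finding.
audit() {
    root=${1:-/}
    unexpected_setuid "$root" | sed 's/^/unexpected setuid: /'
    loose_write_perms "${root%/}/etc/passwd" | sed 's/^/writable account file: /'
}

# Nothing is scanned unless asked: sh audit.sh --audit [ROOT]
if [ "${1:-}" = "--audit" ]; then
    audit "${2:-/}"
fi
```

Each setuid hit still needs a human decision: compare the file against the package manager's database and remove the bit or the file if nothing owns it.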


    That was fun!  The root was pretty simple while the low priv shell was a little more challenging by comparison. 



    © 2021 Seven Layer Networks, Inc. | All rights reserved.