Bankrobber — HackTheBox Writeup

device
4 min readMar 10, 2020

Bankrobber is an insane Windows Machine where I will perform Cross-site scripting attacks on a prototype web application and port forwarding so I can brute-force an internal application on my local machine.

Initial Reconnaissance

As always, the write-up starts with an Nmap script and version scan to identify the open ports and services.

Visiting the webpage gives a prototype web application where users can easily transfer funds through Bitcoin.

When I successfully created an account, I tried to transfer some funds on a random user but then a pop-up appeared that says that an admin will be the one who will review the transaction.

So the pop-up tells me that there might be an interaction between the user and the admin. Since the admin is the one who will verify the transaction, I set up an XSS attack to verify if the web application is vulnerable.

This verifies that I can perform XSS attacks to the application since I got a GET request from the 10.10.10.154 which is the IP address of the application.

Also, the cookies themselves are just the credentials of any user.

I was able to easily steal the admin’s credentials by using an automated tool that will steal cookies from a user of a vulnerable website.

  • Username: admin
  • Password: Hopelessromantic

Initial Foothold

The admin credentials gave me access to the admin panel of the web application.

My own transactions.

On the admin panel, there’s a Backdoorchecker where I can execute a dir command with any arguments.

But then, when I executed the dir command, it prompted me that I can only access this function from localhost.

Upon inspecting the source code of the Backdoorchecker, it seems like I can easily send an XSS payload through AJAX XMLHTTPRequest .

So I tried calling the function callSys on my XSS payload.

The XSS payload above gets the nc.exe file on my local machine and saves it on Temp folder and executes it from there.

On the C:\ directory, there’s a suspicious executable file.

Upon checking the local ports. I was able to identify that bankv2.exe runs on port 910.

This is where it came to my mind that if I want to brute force the PIN code, I have to perform port forwarding.

Privilege Escalation

I upgraded my shell to metasploit to easily port forward. (You can also use plink)

Then I created a script to brute force the PIN code.

0021 PIN Code

I tried random characters and it accepts any kind of character.

The application crashes when I try to submit above 32 characters since I can no longer see the transfer.exe and it’s replaced by the characters that I sent. So there’s a buffer overflow vulnerability on the bankv2.exe application.

To get an administrator shell, I replaced the executed program by a netcat command to get a system reverse shell.

ROOT!

References

--

--