OFFSEC

https://tryhackme.com/room/introtooffensivesecurity

Walkthrough for "Intro to Offensive Security"

Operating System: Linux

Recon

nmap-auto $TARGET all

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    nginx 1.18.0 (Ubuntu)
|_http-title: FakeBank | Account
|_http-server-header: nginx/1.18.0 (Ubuntu)
3000/tcp open  http    Node.js (Express middleware)
|_http-title: FakeBank | Account
7777/tcp open  cbt?
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Enumeration

Enumerating the given IP shows that there exists a web page called "Fake Bank". The site is being hosted on both port 80 and 3000 i.e http://10.10.25.12/. The only valuable information so far is the name "Mrs G. Benjamin" and the bank account number 8881. The page doesn't have much else, so it's time to enumerate the directories:

python3 dirsearch.py -e txt,html,php,sh -w /home/z3r0/Resources/wordlists/dir-list.txt -t 10 -u http://10.10.25.12/

The only result that shows is http://10.10.142.104/bank-transfer. Navigating to this page shows the below:

Exploitation

Trying out numbers mostly gave a failure code, something weird was happening so I decided to inspect the javascript that was running behind the scenes with Ctrl-I, following the function pay() attached to the submit button, I was led to the script.js file which showed me the next clue:

The only time the function will execute is when the from value is 2276 and the to value is 8881. Trying exactly that allows the function to execute and transfer money to the negative page on the dashboard! The dashboard now shows a splash note for congratulations as well as a positive balance.