OFFSEC
https://tryhackme.com/room/introtooffensivesecurity

Walkthrough for "Intro to Offensive Security"
Operating System: Linux
Recon
nmap-auto $TARGET all
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: FakeBank | Account
|_http-server-header: nginx/1.18.0 (Ubuntu)
3000/tcp open http Node.js (Express middleware)
|_http-title: FakeBank | Account
7777/tcp open cbt?
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Enumeration
Enumerating the given IP shows that there exists a web page called "Fake Bank". The site is being hosted on both port 80 and 3000, i.e. http://10.10.25.12/. The only valuable information so far is the name "Mrs G. Benjamin" and the bank account number 8881. The page doesn't have much else, so it's time to enumerate the directories:
python3 dirsearch.py -e txt,html,php,sh -w /home/z3r0/Resources/wordlists/dir-list.txt -t 10 -u http://10.10.25.12/
The only result that shows is http://10.10.142.104/bank-transfer. Navigating to this page shows the below:

Exploitation
Trying out numbers mostly gave a failure code; something weird was happening, so I decided to inspect the JavaScript that was running behind the scenes with Ctrl-I. Following the function pay() attached to the submit button, I was led to the script.js file, which showed me the next clue:

The only time the function will execute is when the from value is 2276 and the to value is 8881. Trying exactly that allows the function to execute and transfers money into the account that was showing a negative balance on the dashboard! The dashboard now shows a congratulations splash note as well as a positive balance.
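The lesson behind this room is that the check in script.js (from must be 2276, to must be 8881) runs in the browser, so anyone can edit or skip it; the server behind port 3000 has to make the authorization decision itself. The following is an added example, not code from the TryHackMe room or the FakeBank application: a plain Node.js model of a transfer endpoint with a vulnerable handler that trusts the client-supplied from account next to a hardened one that derives the source account from the session. Account numbers 2276 and 8881 come from the walkthrough; the balances, the third account 1234, the session object and the handler names are constructed assumptions.

```javascript
'use strict';

// Constructed ledger (assumption): 8881 is the overdrawn account from the
// dashboard, 2276 is the account the room has you debit, 1234 is a bystander.
function makeLedger() {
  return new Map([
    [2276, { balance: 5000 }],
    [8881, { balance: -1500 }],
    [1234, { balance: 700 }],
  ]);
}

// The browser-side gate the walkthrough found in script.js, modelled here.
// Anything that runs in the client can be bypassed by posting the request
// directly, so this is a usability hint, not an authorization check.
function clientSideGate(from, to) {
  return Number(from) === 2276 && Number(to) === 8881;
}

// Vulnerable handler: trusts the client-supplied "from" field outright, so a
// logged-in user can move money out of any account they can name.
function transferVulnerable(ledger, session, body) {
  const src = ledger.get(Number(body.from));
  const dst = ledger.get(Number(body.to));
  if (!src || !dst) return { status: 404, error: 'unknown account' };
  const amount = Number(body.amount);
  src.balance -= amount;
  dst.balance += amount;
  return { status: 200, ok: true };
}

// Hardened handler: the source account is taken from the authenticated
// session (body.from is ignored), the amount and destination are validated
// on the server, and funds are checked before anything is written.
function transferHardened(ledger, session, body) {
  if (!session || !Number.isInteger(session.accountId)) {
    return { status: 401, error: 'not authenticated' };
  }
  const amount = Number(body.amount);
  const to = Number(body.to);
  if (!Number.isFinite(amount) || amount <= 0 || !Number.isInteger(to)) {
    return { status: 400, error: 'invalid amount or destination' };
  }
  if (to === session.accountId) return { status: 400, error: 'self-transfer' };
  const src = ledger.get(session.accountId);
  const dst = ledger.get(to);
  if (!src || !dst) return { status: 404, error: 'unknown account' };
  if (src.balance < amount) return { status: 403, error: 'insufficient funds' };
  src.balance -= amount;
  dst.balance += amount;
  return { status: 200, ok: true };
}

// Runs one request against a fresh ledger and returns the status plus the
// resulting balances, so the two handlers can be compared side by side.
function runScenario(handler, sessionAccount, body) {
  const ledger = makeLedger();
  const session = { accountId: sessionAccount }; // constructed session
  const result = handler(ledger, session, body);
  const balances = {};
  for (const [acct, row] of ledger) balances[acct] = row.balance;
  return { status: result.status, error: result.error, balances };
}

// Demo: a user whose session owns 8881 posts a request claiming from=2276,
// skipping the browser gate entirely.
const forged = { from: 2276, to: 1234, amount: 2000 };
console.log('client gate for the forged request:', clientSideGate(forged.from, forged.to));
console.log('vulnerable handler:', runScenario(transferVulnerable, 8881, forged));
console.log('hardened handler:  ', runScenario(transferHardened, 8881, forged));
console.log('legitimate transfer:', runScenario(transferHardened, 2276, { to: 8881, amount: 2000 }));
```

The hardened handler refuses the forged request with 403 because the session's own account (8881) cannot cover it, and the balance of 2276 is untouched; the same handler accepts the transfer when the session actually owns 2276. The point is that the server never reads body.from at all, so the client-side gate becomes irrelevant to security.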
