HackTheBox | Bank

Friday. September 15, 2023 - 3 mins

Overview

Bank is a relatively simple machine, however proper web enumeration is key to finding the necessary data for entry.

Nmap

$ nmap -A -T4 10.10.10.29
Starting Nmap 7.91 ( https://nmap.org ) at 2023-07-28 10:27 +01
Nmap scan report for 10.10.10.29
Host is up (0.067s latency).
Not shown: 990 closed ports
PORT     STATE    SERVICE      VERSION
22/tcp   open     ssh          OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 08:ee:d0:30:d5:45:e4:59:db:4d:54:a8:dc:5c:ef:15 (DSA)
|   2048 b8:e0:15:48:2d:0d:f0:f1:73:33:b7:81:64:08:4a:91 (RSA)
|   256 a0:4c:94:d1:7b:6e:a8:fd:07:fe:11:eb:88:d5:16:65 (ECDSA)
|_  256 2d:79:44:30:c8:bb:5e:8f:07:cf:5b:72:ef:a1:6d:67 (ED25519)
53/tcp   open     domain       ISC BIND 9.9.5-3ubuntu0.14 (Ubuntu Linux)
| dns-nsid: 
|_  bind.version: 9.9.5-3ubuntu0.14-Ubuntu
80/tcp   open     http         Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
2068/tcp filtered avocentkvm
2196/tcp filtered unknown
3031/tcp filtered eppc
3920/tcp filtered exasoftport1
3995/tcp filtered iss-mgmt-ssl
5633/tcp filtered beorl
9010/tcp filtered sdr
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

At first I see just the default apache2 page, but when I added the bank.htb to my /etc/hosts, now I can see the HTB bank login :

![[Pasted image 20230728103500.png]]

I run ffuf to look for possible subdomains but nothing found.

Then I run gobuster :

![[Pasted image 20230728104000.png]]

I found then /balance-transfer using a large wordlist which contains a lot aff .acc files.

What is an ACC file? Contains financial account information for Graphic Accounts.

![[Pasted image 20230728121503.png]]

I used $ wget -r -np http://bank.htb/balance-transfer to download all files in my machine :

![[Pasted image 20230728121657.png]]

There is a lot of files so I tried to filtre a bit I looked for “bank.htb” in files and I found an interesting file :

![[Pasted image 20230728122829.png]]

So now I logged in as chris user :

chris@bank.htb : !##HTBB4nkP4ssw0rd!##

![[Pasted image 20230728123149.png]]

The dashboard contains two endpoints (*index.php* & *support.php*).

support.php contains an upload file section, so I said maybe I can upload a file and get a reverse shell :

![[Pasted image 20230728151923.png]]

I tried at first uploading files with different extensions (php, phtml…) but none of them actually worked.

By moving around the page I saw at the source code of support.php a comment that says:

<-- [DEBUG] I added the file extension .htb to execute as php for debugging purposes only [DEBUG] -->

So now all what I should do is upload a revshell.php file which I’ll rename to revshell.htb :

![[Pasted image 20230728152244.png]]

When I click the Click Here I get I connection back to my netcat listener.

And Voilà I am in as www-data user!

![[Pasted image 20230728152205.png]]

PE

I tried to find possible files with suid permission :

find / -perm -4000 -exec ls -la {} \; 2>/dev/null

![[Pasted image 20230728154001.png]]

Hemm there is a /var/htb/bin/emergency file there with suid bit set.

I run it and yeah I’m ROOT!!

Root flag

![[Pasted image 20230728154231.png]]

MACHINE PWNED!

And that was it, I hope you enjoyed the writeup. If you have any questions you can Contact Me.

Happy Hacking!

Hicham Ouardi

Cybersecurity Engineer | Offensive Security Intern