HackTheBox Bank Writeup

Reconnaissance

Enumeration

Exploitation

Linux Privilege Escalation

________________________________________

Reconnaissance

Run the nmapAutomator.sh script to automate the recon/enumeration process.

We can see there are three open ports.

First, let's see what we get on port 80. We have added "bank.htb" to the "/etc/hosts" file.

Hmm, interesting: we get a login page.

Enumeration

Let's start a directory brute-force attack on "http://bank.htb". For this we will use the "Gobuster" tool.

We found a couple of directories. The "/balance-transfer" directory is interesting: it contains tons of ".acc" files.

If we sort by the Size column, we can see that one file is different.

When we click on the file we get plain-text credentials.

Let's go back to the login page and use these credentials. We are in, and we get the Dashboard page of the HTB Bank.

There is nothing interesting on the Dashboard page, so let's move to the Support page.

Exploitation

On the Support page we can upload files. Let's try to upload our php-reverse-shell to get a reverse shell. When we upload it, we get an error. After a couple of tries we manage to get a reverse shell using the .htb extension: we upload our php-reverse-shell with a .htb extension, intercept the request, change the extension from .htb to .php, and send the request.

Here we get the shell and the user flag.

Linux Privilege Escalation

Now let's move forward to privilege escalation. The first thing we can always check is which binaries have the SUID bit set and are owned by root.

Running the "/var/htb/bin/emergency" file gives us a root shell.
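The same SUID check, written as a host audit: this is an added example, not part of the original writeup. It lists SUID files owned by a given user and marks any that sit outside directories where packaged SUID binaries normally live, which is how a file like "/var/htb/bin/emergency" stands out. The function name `audit_suid` and the allowlist in `SUID_ALLOWED_DIRS` are assumptions to tune per host.

```shell
#!/bin/sh
# Added example (not from the original writeup): audit SUID files owned by a
# given user (default: root) and flag the ones in unexpected locations.

# Assumption: directories where distribution-shipped SUID binaries are
# expected. Space-separated; adjust for the host being audited.
SUID_ALLOWED_DIRS="/bin /sbin /usr/bin /usr/sbin /usr/lib /usr/libexec"

# audit_suid [ROOT] [OWNER]
#   ROOT  - directory tree to scan (default: /)
#   OWNER - user name or numeric uid that owns the file (default: root)
# Prints one line per SUID file found:
#   OK <path>      inside an allowlisted directory
#   REVIEW <path>  anywhere else; confirm it is meant to be SUID
# Usage on a live host: audit_suid / root
audit_suid() {
    audit_root="${1:-/}"
    audit_owner="${2:-root}"

    # -perm -4000 matches any file with the SUID bit set.
    # Unreadable directories are skipped silently.
    find "$audit_root" -type f -perm -4000 -user "$audit_owner" 2>/dev/null |
    while IFS= read -r path; do
        verdict="REVIEW"
        for dir in $SUID_ALLOWED_DIRS; do
            case "$path" in
                "$dir"/*) verdict="OK"; break ;;
            esac
        done
        printf '%s %s\n' "$verdict" "$path"
    done
}
```

Any REVIEW line should be traced to a package or an owner; a root-owned SUID file with no package behind it should have the bit removed (`chmod u-s`) or be deleted.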
