Reconnaissance
Enumeration
Exploitation
Linux Privilege Escalation
________________________________________
Reconnaissance
Run the nmapAutomator.sh script to automate the whole recon/enumeration process.
We can see there are three open ports.
First, let's see what port 80 serves; we have added "bank.htb" to the "/etc/hosts" file.
Hmm, interesting: we get a login page.
Enumeration
Let's start a directory brute-force attack on "http://bank.htb"; for this we will use the "Gobuster" tool.
We found a couple of directories. The "/balance-transfer" directory is interesting: it contains tons of ".acc" files.
If we sort by the Size column, we can see that one file is different.
When we click on the file, we get plain-text credentials.
Let's go back to the login page and use these credentials, and we are in: we get the Dashboard page of the HTB Bank.
Nothing interesting on the Dashboard page, so let's move to the Support page.
Exploitation
On the Support page we can upload files. Let's try to upload our php-reverse-shell to get a reverse shell. When we upload it, we get an error. After a couple of tries we manage to get a reverse shell using the .htb extension: we upload our php-reverse-shell with a .htb extension, intercept the request, change the extension from .htb to .php, and send the request.
Here we get the shell and the user flag.
Linux Privilege Escalation
Now let's move forward to privilege escalation. The first thing we can always check is which binaries have the SUID bit set and are owned by root.
Running the "/var/htb/bin/emergency" file gives us a root shell.
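The same SUID check, run as a defender's baseline audit so that a binary like the one above stands out. This is an added example, not part of the original walkthrough; the `audit_suid` and `demo` functions, the baseline file and the sample tree are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: report SUID files owned by a given user that are missing
# from an approved baseline. Function names and baseline format are assumptions.

# audit_suid ROOT_DIR BASELINE_FILE [OWNER]
# Prints, one per line and relative to ROOT_DIR, every regular file with the
# SUID bit set, owned by OWNER (default: root), that is not in BASELINE_FILE.
audit_suid() {
    root_dir=${1%/}          # "/" becomes "", handled below
    baseline=$2
    owner=${3:-root}         # -user also accepts a numeric uid
    # -xdev stays on one filesystem; -perm -4000 matches the SUID bit.
    find "${root_dir:-/}" -xdev -type f -user "$owner" -perm -4000 2>/dev/null |
    while IFS= read -r path; do
        rel=${path#"$root_dir"}
        # -F fixed string, -x whole line, -q quiet: exact path match only.
        if ! grep -Fxq -- "$rel" "$baseline"; then
            printf '%s\n' "$rel"
        fi
    done | sort
}

# Constructed sample tree: one SUID binary that is on the baseline, one that
# is not (the path from the walkthrough), and one ordinary binary. The files
# belong to the current user, so the demo passes that uid instead of root.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/usr/bin" "$tmp/var/htb/bin"
    : > "$tmp/usr/bin/passwd"
    : > "$tmp/usr/bin/ls"
    : > "$tmp/var/htb/bin/emergency"
    chmod 4755 "$tmp/usr/bin/passwd" "$tmp/var/htb/bin/emergency"
    chmod 0755 "$tmp/usr/bin/ls"
    printf '%s\n' /usr/bin/passwd > "$tmp/baseline.txt"
    audit_suid "$tmp" "$tmp/baseline.txt" "$(id -u)"
    rm -rf "$tmp"
}

demo
```

On a real host the call would be `audit_suid / /path/to/baseline.txt`, with the baseline generated from a known-good install; any path it prints is a root-owned SUID file that needs an owner and a justification.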