HackTheBox Bank Walkthrough

    I've been poking around HTB lately.  As I was Googling things and looking at the different boxes in the retired section, I saw a mention of Bank.  I think I started Bank at some point because the first couple of steps with DNS seemed vaguely familiar but sometimes I get pulled away from play time and I don't finish what I started.  So anyway, I had a free minute and started over again yesterday and I'm glad I found my way back because it was fun.  A little unrealistic as these things go sometimes but not annoyingly so. 

    We kick off with Nmap:


    TCP 53 stands out and of course the web port.

    We start digging (no pun intended) into DNS and we find:


    We edit the hosts file to add what we just uncovered:


    We browse the web port by IP:


    Next, we browse by the various names.  Using bank.htb, we find:


    Just testing to see what happens when we enter something:


    Nothing revealing as of yet:


    We fire up GoBuster and we find:


    We browse to the page:


    This list goes on and on -- I assume there's a needle in this haystack.  When we open one of the files, we find encrypted data. 

    Using:  wget -r

    We download all of the files into a folder.  We sort them by size and we find:


    When we open the file, we get credentials:


    We move back to the login page and enter the credentials:


    Excellent! 


    We check out the support link and we find a place to upload:


    I attempt to upload a shell but it prevents us from uploading it.  Creating a folder with a bunch of different bypass techniques:


    I try to upload everything but the only files that are successful are those with image extensions:


    I move over to Burp to see if I can tamper with some of those post requests and I notice:


    Copying our shell to one that has a .htb extension:


    Uploading:


    Success!


    With our handler setup, we view the shell and we get execution:


    Grabbing the user.txt file:


    Searching for setuid binaries:


    We execute /var/htb/bin/emergency and we get root:


    The OS is Ubuntu 14 so I imagine there are other roots but this was a second that I found:


    Being able to write into /etc/passwd gives us the ability to add an account:


    That was fun!  The root was pretty simple while the low priv shell was a little more challenging by comparison. 


    © 2020 sevenlayers.com