HackTheBox Bank Walkthrough

by Vince
in Blog
Hits: 1160

I've been poking around HTB lately.  As I was Googling things and looking at the different boxes in the retired section, I saw a mention of Bank.  I think I started Bank at some point because the first couple of steps with DNS seemed vaguely familiar but sometimes I get pulled away from play time and I don't finish what I started.  So anyway, I had a free minute and started over again yesterday and I'm glad I found my way back because it was fun.  A little unrealistic as these things go sometimes but not annoyingly so. 

We kick off with Nmap:


TCP 53 stands out and of course the web port.

We start digging (no pun intended) into DNS and we find:


We edit the hosts file to add what we just uncovered:


We browse the web port by IP:


Next, we browse by the various names.  Using bank.htb, we find:


Just testing to see what happens when we enter something:


Nothing revealing as of yet:


We fire up GoBuster and we find:


We browse to the page:


This list goes on and on -- I assume there's a needle in this haystack.  When we open one of the files, we find encrypted data. 

Using:  wget -r

We download all of the files into a folder.  We sort them by size and we find:


When we open the file, we get credentials:


We move back to the login page and enter the credentials:


Excellent! 


We check out the support link and we find a place to upload:


I attempt to upload a shell but it prevents us from uploading it.  Creating a folder with a bunch of different bypass techniques:


I try to upload everything but the only files that are successful are those with image extensions:


I move over to Burp to see if I can tamper with some of those post requests and I notice:


Copying our shell to one that has a .htb extension:


Uploading:


Success!


With our handler setup, we view the shell and we get execution:


Grabbing the user.txt file:


Searching for setuid binaries:


We execute /var/htb/bin/emergency and we get root:


The OS is Ubuntu 14 so I imagine there are other roots but this was a second that I found:


Being able to write into /etc/passwd gives us the ability to add an account:


That was fun!  The root was pretty simple while the low priv shell was a little more challenging by comparison.