Let’s get started!
This is the initial step: scan for the open services on the machine.
COMMAND: nmap -sC -sV -O -oA bank 10.10.10.29
As we can see from the nmap scan above, three ports are open: 22, 53 and 80.
Let's enumerate the web server.
I saw that DNS was open, so I edited /etc/hosts to map the IP of the machine to the machine's hostname. The default hostname for all HackTheBox machines is <name of box>.htb, so I edited the hosts file as follows:
COMMAND: echo "10.10.10.29 bank.htb" >> /etc/hosts
(append with >>; a single > would overwrite the whole hosts file, including the localhost entries)
Let’s open the webserver at bank.htb.
The URL redirects to the login.php page every time, so I decided to stop the redirection, but there was no supported version of the add-on for my Firefox browser.
So I used Burp Suite for the rest of the process.
Now I'm able to access http://bank.htb/ with the help of Burp Suite's Repeater, and we can see the transactions at the bank and some other information.
Fire up Burp Suite, intercept the request and press Ctrl+R to send it to Repeater!
If we now go to /support.php we can see that you can upload "tickets" as images. If you curl http://bank.htb/support.php and scroll through the HTML, you can see that the admin left himself a nice little note:
<!-- [DEBUG] I added the file extension .htb to execute as PHP for debugging purposes only [DEBUG] -->
We can use Burp Suite's Repeater to upload a PHP shell and get a reverse shell!
I used the PHP reverse shell as follows [PENTEST-MONKEY-PHP-SHELL]
I changed the IP to my IP and named it Exp1o1t9r.php. I tried uploading it as Exp1o1t9r.php, but the site only accepts images. Then I remembered that .htb runs as PHP, so I gave my PHP shell the .htb extension, since it executes as PHP "for debugging purposes", and the shell uploaded. Now all I had to do was set up a Netcat listener to catch the shell:
nc -v -n -l -p 4444
Once we catch the shell, we are in the box as www-data.
We can go into the home directory of the user chris and get the user flag, user.txt.
Got User Flag!
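The foothold above rests on two server-side mistakes: a web server configured to run an extra extension (.htb) as PHP, and an upload form that trusted the file extension alone. The following Python example is added here to show what a defender would check for both; it is not code from the writeup or from the box. The Apache vhost fragment and the upload samples are constructed for this example, and the handler/extension names in it are assumptions modelled on the [DEBUG] note rather than the box's real configuration.

```python
"""Added example (not from the writeup): audit an Apache config for extensions
routed to PHP, and validate image uploads the way a support.php upload handler
should. The config text and upload samples are constructed for this example."""
import os
import re
import secrets

# Constructed vhost fragment modelled on the [DEBUG] note in the writeup; it is
# not the box's real configuration.
SAMPLE_APACHE_CONF = """
<VirtualHost *:80>
    ServerName bank.htb
    DocumentRoot /var/www/bank
    AddHandler application/x-httpd-php .php
    # [DEBUG] added to run .htb files as PHP for debugging purposes only
    AddHandler application/x-httpd-php .htb
    AddType application/x-httpd-php .phtml
</VirtualHost>
"""

# The only extension a production vhost should hand to the PHP interpreter.
EXPECTED_PHP_EXTENSIONS = {".php"}

# Matches "AddHandler <handler> <ext> [<ext> ...]" and the AddType form.
_HANDLER_RE = re.compile(r"^\s*(AddHandler|AddType)\s+(\S+)\s+(.+?)\s*$", re.M)


def find_php_extensions(conf_text):
    """Return every extension an AddHandler/AddType directive maps to PHP."""
    exts = set()
    for _directive, handler, ext_list in _HANDLER_RE.findall(conf_text):
        if "php" in handler.lower():
            for ext in ext_list.split():
                exts.add(ext if ext.startswith(".") else "." + ext)
    return exts


def unexpected_php_extensions(conf_text):
    """Extensions mapped to PHP that are not on the expected list."""
    return find_php_extensions(conf_text) - EXPECTED_PHP_EXTENSIONS


# Allowed ticket image types and the magic bytes each file must start with.
ALLOWED_IMAGE_TYPES = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}


def validate_upload(filename, content):
    """Return (ok, reason). Both the extension and the file header must match
    an allowed image type, so a PHP file named .htb or .png is rejected."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_IMAGE_TYPES:
        return False, "extension not allowed: %r" % ext
    if not content.startswith(ALLOWED_IMAGE_TYPES[ext]):
        return False, "content does not look like %s" % ext
    return True, "ok"


def stored_name(filename):
    """Never reuse the client's filename on disk: random name, allowed extension."""
    ext = os.path.splitext(filename)[1].lower()
    return secrets.token_hex(16) + ext


if __name__ == "__main__":
    print("extensions unexpectedly mapped to PHP:",
          sorted(unexpected_php_extensions(SAMPLE_APACHE_CONF)))
    samples = [
        ("ticket.png", ALLOWED_IMAGE_TYPES[".png"] + b"\x00" * 16),
        ("ticket.htb", b"<?php echo 1; ?>"),
        ("ticket.png", b"<?php echo 1; ?>"),
    ]
    for name, data in samples:
        print(name, validate_upload(name, data), "->", stored_name(name))
```

The config check only covers AddHandler/AddType; a `<FilesMatch>` block with SetHandler can map extensions just as well, so a full audit reads those too. The upload check is necessary but not sufficient on its own: a valid image with PHP appended still passes the header test, which is why the upload directory should additionally have script execution disabled in the web server and why the stored name never comes from the client.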
To perform privilege escalation, one of the first things I always check is which binaries have the SUID bit set.
find / -perm -u=s -type f 2>/dev/null
www-data@bank:/var/htb$ ls -la
drwxr-xr-x 3 root root 4096 Jun 14 18:25 .
drwxr-xr-x 14 root root 4096 May 29 18:41 ..
drwxr-xr-x 2 root root 4096 Jun 14 18:30 bin
-rwxr-xr-x 1 root root 356 Jun 14 18:30 emergency
It seems like the system administrator left an "emergency" exploit in case he forgets the root password of the system...
My privileges before running the exploit:
uid=33(www-data) gid=33(www-data) groups=33(www-data)
My privileges after running the emergency exploit:
uid=33(www-data) gid=33(www-data) euid=0(root) groups=0(root),33(www-data)
And now we can get the root flag.
Got Root Flag!
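The SUID search above is exactly the check a defender should run on a schedule, with one addition: compare the result against a known-good baseline so a root-owned SUID binary sitting outside the normal bin directories stands out immediately. The Python example below is added here to show that; it is not code from the writeup or from the box, and it goes slightly beyond the page's `find` command by catching SGID files too. The baseline set and the sample scan (including the `/var/opt/emergency` entry) are constructed for this example and are not taken from the machine.

```python
"""Added example (not from the writeup): find SUID/SGID files and flag the ones
that are not on a known-good baseline. The baseline and the sample scan below
are constructed for this example."""
import os
import stat

# Constructed baseline: SUID/SGID binaries a stock install is expected to carry.
# A real baseline is recorded from a freshly built host of the same image.
BASELINE = {
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/chsh",
    "/usr/bin/chfn", "/usr/bin/gpasswd", "/usr/bin/newgrp", "/bin/mount",
    "/bin/umount", "/bin/ping", "/usr/bin/wall", "/usr/bin/crontab",
}

# Directories where packaged SUID binaries normally live.
STANDARD_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/",
                 "/usr/lib/", "/usr/libexec/")

# Constructed stand-in for `find / -perm -u=s -type f` output as
# (path, st_mode, st_uid): a stock set plus one root-owned SUID binary
# dropped in an unusual location, the "emergency" pattern from the writeup.
SAMPLE_SCAN = [
    ("/usr/bin/passwd", 0o104755, 0),
    ("/usr/bin/sudo", 0o104755, 0),
    ("/usr/bin/wall", 0o102755, 0),          # SGID only
    ("/var/opt/emergency", 0o104755, 0),     # constructed path, not the box's
]


def scan_suid(root="/"):
    """Walk the filesystem and return (path, st_mode, st_uid) for every
    regular file with the SUID or SGID bit set. Pseudo-filesystems are skipped
    and unreadable paths are ignored, like the 2>/dev/null in the writeup."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda _e: None):
        if dirpath.startswith(("/proc", "/sys", "/dev", "/run")):
            dirnames[:] = []
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append((path, st.st_mode, st.st_uid))
    return hits


def classify(hits, baseline=BASELINE):
    """Split scan results into (expected, findings). Anything missing from the
    baseline is a finding; a root-owned SUID file outside the standard bin
    directories is rated high, which is what a stray "emergency" binary is."""
    expected, findings = [], []
    for path, mode, uid in hits:
        if path in baseline:
            expected.append(path)
            continue
        suid_root = bool(mode & stat.S_ISUID) and uid == 0
        outside = not path.startswith(STANDARD_DIRS)
        severity = "high" if (suid_root and outside) else "review"
        findings.append((severity, path, stat.filemode(mode)))
    return expected, findings


if __name__ == "__main__":
    # Classify the constructed sample; swap in scan_suid() for a live host.
    expected, findings = classify(SAMPLE_SCAN)
    print("expected:", expected)
    for severity, path, mode in findings:
        print("%-6s %s %s" % (severity, mode, path))
```

Run it as root (or whichever account can stat the whole tree) from cron and diff the findings against the previous run; the first time the emergency binary appears it shows up as a single high-severity line rather than being buried among the dozen SUID files every Linux host carries.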
If you like my writeup, Give me Respect on my HTB profile: Exp1o1t9r