Hack The Box :: Bank

Virtual Hosting | DNS Recon | File Upload Sanitization

Starting with an Nmap scan.

Visiting the web page only gives a default page.

Even dirb doesn't give us much. Let's start looking at DNS, trying a zone transfer.

So bank.htb is also listed as a domain. Let's try it, using this box as our DNS server.

And now we get a different web page.

Default passwords and SQL injection don't work. Running dirsearch gives us a balance-transfer directory.

This directory contains files holding encrypted transaction records.

I downloaded them all and sorted them by size. There is one file that is way smaller than the rest, and it looks like the encryption failed on it.

We are able to log in to the website using these credentials. After logging in, go to the support page and try to upload a PHP reverse shell, but it looks like there is some kind of filtering. Viewing the source tells us that, for debugging reasons, the .htb file extension is allowed.

So renaming the PHP shell file to .htb works.
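To illustrate the filtering weakness above, here is an added example (not the box's actual source): a hypothetical PHP upload handler whose extension blocklist carries a "debug" carve-out for .htb, beside an allowlist-based handler. The server mapping of .htb to the PHP interpreter is assumed, not shown on the page.

```php
<?php
// Added example, not the box's real upload code.

// Vulnerable pattern: blocklist plus a "temporary" debug exception. Any
// extension missing from the list is accepted; if the web server is
// configured to hand that extension to PHP, the upload executes.
function is_allowed_blocklist(string $filename): bool
{
    $blocked = ['php', 'php3', 'php4', 'php5', 'phtml', 'phar'];
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    if ($ext === 'htb') {      // debug carve-out: this is the bug
        return true;
    }
    return !in_array($ext, $blocked, true);
}

// Hardened pattern: allowlist of extensions, MIME type derived from the
// file bytes, server-generated name, storage outside the document root.
// $uploadDir is assumed to be a directory the web server does not serve.
function store_upload_safely(array $file, string $uploadDir): ?string
{
    $allowed = ['pdf' => 'application/pdf', 'png' => 'image/png', 'jpg' => 'image/jpeg'];
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return null;                  // no exceptions, not even for debugging
    }
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $mime  = finfo_file($finfo, $file['tmp_name']);
    finfo_close($finfo);
    if ($mime !== $allowed[$ext]) {
        return null;                  // file bytes do not match the claimed type
    }
    // Never reuse the client-supplied name; it is attacker-controlled.
    $dest = rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    return move_uploaded_file($file['tmp_name'], $dest) ? $dest : null;
}
```

A detection angle on the same weakness: alert on any upload handler that admits an extension outside a fixed allowlist, and on the web server serving files from the upload directory with a script handler.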

And we get a reverse shell using the netcat binary pre-installed on the system.

There is a MySQL root password embedded in one of the PHP scripts, but it doesn't seem to get us much.

Running a Linux enumeration script lists a couple of binaries with the set-owner (SUID) bit set.

The emergency binary looks interesting: it's owned by root, and as soon as we run it we get a shell.
