# Bank

## Gaining Access

Nmap scan:

```
$ nmap -p- --min-rate 5000 10.129.29.200
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-06 09:49 EDT
Nmap scan report for 10.129.29.200
Host is up (0.018s latency).
Not shown: 40271 closed tcp ports (conn-refused), 25261 filtered tcp ports (no-response)
PORT   STATE SERVICE
22/tcp open  ssh
53/tcp open  domain
80/tcp open  http
```

DNS being open was the most interesting one.

### Login Credentials

Port 80 reveals a default Apache2 Ubuntu page:

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-bb0b1bb0f10c4dbacebdcf9f7f9cc0f8c4b5a207%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

When we add `bank.htb` to our `/etc/hosts` file and revisit it, it loads a login page:

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-e7ed66dcd3645df247d65bf6ecc0800f2db36ef9%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

There was no SQL injection on the login form, and default credentials don't work. I did a `gobuster` scan next to enumerate the possible endpoints.

```
$ gobuster dir -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -u http://bank.htb -t 100      
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://bank.htb
[+] Method:                  GET
[+] Threads:                 100
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.3
[+] Timeout:                 10s
===============================================================
2023/05/06 09:54:37 Starting gobuster in directory enumeration mode
===============================================================
/uploads              (Status: 301) [Size: 305] [--> http://bank.htb/uploads/]
/assets               (Status: 301) [Size: 304] [--> http://bank.htb/assets/]
/inc                  (Status: 301) [Size: 301] [--> http://bank.htb/inc/]
/server-status        (Status: 403) [Size: 288]
/balance-transfer     (Status: 301) [Size: 314] [--> http://bank.htb/balance-transfer/]
```

The last one was the most interesting. That directory just contained a bunch of `.acc` files.

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-b36e81857e3e208e7ad675d447ff5448fbc4d864%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

When sorting by size, there was one outlier.

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-1760cf4a9879ec22caccef882dd3e5f942867ad0%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

When viewed, it revealed some credentials.

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-dd78930b48f119377ac5a8fcbabdcb23ce04eebf%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

These don't work for SSH, but they do log us in to the web application!

### File Upload

Once logged in, we can see a dashboard for bank transfers.

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-dd6f118012cfa1631b5de4425af983733eb4f1d1%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

The Support section allows us to send messages and upload files:

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-b3fa5ea6d03f310b30983f4e1a5d37e7ff320ecf%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

Also, reading the page source reveals another hint.

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-c7d5da774fb4be3125d0da5686c69e5c7187d264%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

Using this, we can upload a PHP webshell as `cmd.htb`. Then we can use `curl` to confirm we have RCE.

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-18298aac695bf8efc3fe0789108471f97bfc047a%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>
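From the defender's side, the bypass above comes down to a denylist extension check plus a server that hands extra extensions to the PHP interpreter. The following Python is added here as an example and is not part of the original writeup: it contrasts that denylist with an allowlist and parses a constructed Apache fragment (assumed to map `.htb` to PHP, as the writeup implies) to spot names the check lets through but the server would execute.

```python
import re
from pathlib import PurePosixPath

# Extensions a naive denylist tries to block; anything not listed gets through.
DENYLIST = {"php", "php3", "php4", "php5", "phtml"}

# Extensions the support form actually needs (assumed set for this example).
ALLOWLIST = {"pdf", "png", "jpg", "jpeg", "txt"}

# Constructed Apache fragment with the kind of mapping the writeup implies:
# a non-standard extension handed to the PHP handler.
APACHE_CONF = """
AddType application/x-httpd-php .php .htb
AddHandler application/x-httpd-php .phtml
"""


def extension(filename: str) -> str:
    """Return the last extension, lower-cased and without the dot ('' if none)."""
    return PurePosixPath(filename).suffix.lstrip(".").lower()


def denylist_allows(filename: str) -> bool:
    """The weak check: block known PHP extensions, accept everything else."""
    return extension(filename) not in DENYLIST


def allowlist_allows(filename: str) -> bool:
    """The hardened check: accept only extensions the feature needs."""
    return extension(filename) in ALLOWLIST


def php_extensions(conf: str) -> set:
    """Collect every extension that AddType/AddHandler lines hand to PHP."""
    exts = set()
    for line in conf.splitlines():
        m = re.match(r"\s*Add(?:Type|Handler)\s+application/x-httpd-php\s+(.+)", line)
        if m:
            exts.update(tok.lstrip(".").lower() for tok in m.group(1).split())
    return exts


def executable_uploads(filenames, conf: str = APACHE_CONF) -> list:
    """Names the denylist would accept but the server would execute as PHP."""
    risky = php_extensions(conf)
    return [f for f in filenames if denylist_allows(f) and extension(f) in risky]


if __name__ == "__main__":
    for name in ("cmd.php", "cmd.htb", "receipt.pdf"):
        print(name, denylist_allows(name), allowlist_allows(name))
    print(executable_uploads(["cmd.php", "cmd.htb", "receipt.pdf"]))
```

Auditing the web server's `AddType`/`AddHandler` lines against the upload check is the quick way to catch this class of gap before anyone uploads a file.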

Using a `bash` one-liner, we can get a reverse shell.

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-01f761cd57457d017dafd308bbae552fdb4e97d1%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

Grab the user flag.

## Privilege Escalation

### Emergency SUID

I ran a LinPEAS scan to enumerate everything, and found this SUID present on the machine:

```
[+] SUID - Check easy privesc, exploits and write perms                                     
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid 
<TRUNCATED>
-rwsr-xr-x 1 root    root       110K Jun 14  2017 /var/htb/bin/emergency
```
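As a detection-side counterpart to the LinPEAS finding above, this Python is an added example (not from the writeup or from LinPEAS) that parses `ls -l`-style lines and flags setuid binaries living outside the directories package managers install into; the listing is constructed, with the writeup's `/var/htb/bin/emergency` line included.

```python
import re

# Directories where distribution-managed setuid binaries normally live.
EXPECTED_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/lib/", "/usr/libexec/")

# Constructed sample in the ls -l style LinPEAS prints; the last line is the writeup's.
SAMPLE_LISTING = """\
-rwsr-xr-x 1 root    root        54K Mar 26  2017 /usr/bin/passwd
-rwsr-xr-x 1 root    root       136K Jan 20  2017 /usr/bin/sudo
-rwxr-sr-x 1 root    shadow      35K Mar 26  2017 /usr/bin/expiry
-rwsr-xr-x 1 www-data www-data    8K Jan 01  2023 /opt/tools/helper
-rwsr-xr-x 1 root    root       110K Jun 14  2017 /var/htb/bin/emergency
"""

# mode, link count, owner, group, size, three date/time fields, absolute path
LINE_RE = re.compile(
    r"^(?P<mode>\S{10})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+"
    r"\S+\s+\S+\s+\S+\s+\S+\s+(?P<path>/\S+)$"
)


def parse_line(line: str):
    """Return a dict for one ls -l line, or None if it does not look like one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    mode = m.group("mode")
    return {
        "path": m.group("path"),
        "owner": m.group("owner"),
        "group": m.group("group"),
        "setuid": mode[3] in "sS",  # 's' = setuid + exec, 'S' = setuid without exec
        "setgid": mode[6] in "sS",
    }


def suspicious_suid(listing: str, expected_dirs=EXPECTED_DIRS) -> list:
    """Paths of setuid binaries outside the directories packages install into."""
    flagged = []
    for line in listing.splitlines():
        entry = parse_line(line)
        if entry and entry["setuid"] and not entry["path"].startswith(expected_dirs):
            flagged.append(entry["path"])
    return flagged


if __name__ == "__main__":
    for path in suspicious_suid(SAMPLE_LISTING):
        print("unexpected setuid binary:", path)
```

On a real host the listing comes from `find / -perm -4000 -type f -exec ls -l {} +`, and anything flagged should be checked against the package database before deciding it belongs there.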

For some reason, when I run this binary, it gives me a `root` shell.

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-1c044161b70950578e0bdc17ea8c945d0e9e2206%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

It turns out the script's source code is here (and it is super unrealistic):

```python
www-data@bank:/tmp$ cat /var/htb/emergency
#!/usr/bin/python
import os, sys

def close():
        print "Bye"
        sys.exit()

def getroot():
        try:
                print "Popping up root shell..";
                os.system("/var/htb/bin/emergency")
                close()
        except:
                sys.exit()

q1 = raw_input("[!] Do you want to get a root shell? (THIS SCRIPT IS FOR EMERGENCY ONLY) [y/n]: ");

if q1 == "y" or q1 == "yes":
        getroot()
else:
        close()
```

Rooted!
