# Bank
## Gaining Access
Nmap scan:
```
$ nmap -p- --min-rate 5000 10.129.29.200
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-06 09:49 EDT
Nmap scan report for 10.129.29.200
Host is up (0.018s latency).
Not shown: 40271 closed tcp ports (conn-refused), 25261 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
80/tcp open http
```
DNS being open was the most interesting one.
### Login Credentials
Port 80 reveals a defualt Apache2 Ubuntu page:
When we add `bank.htb` to our `/etc/hosts` file and revisit it, it loads a login page:
There was no SQL Injection or anything on this, and default credentials don't work. I did a `gobuster` scan next to enumerate the possible endpoints.
```
$ gobuster dir -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -u http://bank.htb -t 100
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://bank.htb
[+] Method: GET
[+] Threads: 100
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Timeout: 10s
===============================================================
2023/05/06 09:54:37 Starting gobuster in directory enumeration mode
===============================================================
/uploads (Status: 301) [Size: 305] [--> http://bank.htb/uploads/]
/assets (Status: 301) [Size: 304] [--> http://bank.htb/assets/]
/inc (Status: 301) [Size: 301] [--> http://bank.htb/inc/]
/server-status (Status: 403) [Size: 288]
/balance-transfer (Status: 301) [Size: 314] [--> http://bank.htb/balance-transfer/]
```
The last one was the most interesting. That directory just contained a bunch of `.acc` files.
When sorting by size, there was one outlier.
When viewed, it revealed some credentials.
These don't work for SSH, but using this we can login!
### File Upload
Once logged in, we can see a dashboard forbank transfers.
The Support section allows us to send messages and upload files:
Also, reading the page source reveals another hint.
Using this, we can upload a PHP webshell as `cmd.htb`. Then, we can use `curl` to confirm we have RCE.
Using a `bash` one-liner, we can get a reverse shell.
Grab the user flag.
## Privilege Escalation
### Emergency SUID
I ran a LinPEAS scan to enumerate everything, and found this SUID present on the machine:
```
[+] SUID - Check easy privesc, exploits and write perms
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid
-rwsr-xr-x 1 root root 110K Jun 14 2017 /var/htb/bin/emergency
```
For some reason, when I run this binary, it gives me a `root` shell.
Turns out, the source code for the script is here (and it is super unrealistic):
```python
www-data@bank:/tmp$ cat /var/htb/emergency
#!/usr/bin/python
import os, sys
def close():
print "Bye"
sys.exit()
def getroot():
try:
print "Popping up root shell..";
os.system("/var/htb/bin/emergency")
close()
except:
sys.exit()
q1 = raw_input("[!] Do you want to get a root shell? (THIS SCRIPT IS FOR EMERGENCY ONLY) [y/n]: ");
if q1 == "y" or q1 == "yes":
getroot()
else:
close()
```
Rooted!
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://rouvin.gitbook.io/ibreakstuff/writeups/hackthebox/easy/bank.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.