# Bank

## Bank - 10.10.10.29

### Target Enumeration:

OS: Linux

IP: 10.10.10.29

User: 37c97f8609f361848d8872098b0721c3

Root: d5be56adc67b488f81a4b9de30c8a68e

### Ports / Services / Software Versions Running

22/tcp open  ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)

53/tcp open  domain

80/tcp open  http Apache httpd 2.4.7 ((Ubuntu))

### Vulnerability Exploited:

Plaintext password stored unencrypted within .acc file

Web application allows users to upload malicious files with the extension .htb, which execute as PHP

### Privilege Escalation:

/var/htb/bin/emergency gives you a root shell.

### Exploiting the host:

Nmap

![](https://lh6.googleusercontent.com/6TMRWWuEQusokUiccixutX_BNw8YkT8WVC4VvxfVvz5t7srGksfGgusJEdaZ4nESiuGAChDk2WIpHYzmFn4z0K5RMQFGw1JBiaCJRedgkCRbFYnGgV-3BgFm5OIueScMsIMHYynW)

Add bank.htb to your /etc/hosts file

Dirsearch

![](https://lh4.googleusercontent.com/er8Jsejk_EisLhF0I0-4UKFOIq01PTs7z-BaS8FwFOBHhRcyWYsnvT8nhpdtPSeR1XrsZccX9XJ3k8ZmrdCYTbAbjM83rovfRx15NW_LfBhHoYps7odEMTZGTZW2j6CnTmcAUwNX)

/balance-transfer is a list of accounts.

![](https://lh3.googleusercontent.com/b0i9tUvOa1HuM3vuvzil-73T__hVWFZV-mmnApVXVdn-Z7Ve6uL3_U4FGmXRvsB5zX1fn5FGVmg_mnkiW0z68inXhQfkQQrURpO8f0PZjRtVAy-R-fKwID78RE3OgYkgJWfFM07T)

Download them all with wget -r.

![](https://lh3.googleusercontent.com/NmDFVdyl_wb4wUr2kTt7KtNMSMsn51Nhqsf-eQuaZAWquqLS8h8nKTiFwO7u_3mvOBVbqG2tuRCMhYaQdKOubpqfXCsgAZIsyPDjGfFUanQ3a1s2jpy2ogoxhV7UYeElHQAvNbjJ)

There are a lot of files, so list them all and search for ones with unusual sizes.

![](https://lh6.googleusercontent.com/zJ9-zpkYoDW10c2faD45AJvdEZXqDlfib_te8pj_gWGrP5GrmIalbUUiXzpO5zWZmrCcovZeWqRLiOt5t02zgEhVknjVAJ0EysQfS1_2TOOA7EBEFbaJx485Hl31Ty4VLWyhrM7O)

Found an unencrypted file:

<div align="left"><img src="https://lh3.googleusercontent.com/Lll0evyJqZTK3wrWo0oOpj11DoBLV7CXuOZlV_KmYFbjcuqXK_zOMAZZaFVL9f2uEjXoEI5GL_6WfkchFR6kcaJmJFJtNbGWVMNKI5XnjKvQuowumg2-NwFlnNzy7TaNFuULZm51" alt=""></div>
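The size check above generalises to a robust outlier test, shown here as an added example that is not part of the original write-up. The file names, sizes and the `threshold` parameter are constructed assumptions; only the `.acc` extension comes from the page.

```python
import statistics
import tempfile
from pathlib import Path


def size_outliers(directory, pattern="*.acc", threshold=5.0):
    """Return [(name, size)] for files whose size is far from the median."""
    files = sorted(Path(directory).glob(pattern))
    sizes = [f.stat().st_size for f in files]
    if len(sizes) < 3:
        return []
    median = statistics.median(sizes)
    # Median absolute deviation: a spread estimate that a single odd file
    # cannot inflate. Floor it at 1 byte so near-identical sizes still work.
    mad = max(statistics.median(abs(s - median) for s in sizes), 1.0)
    return [(f.name, s) for f, s in zip(files, sizes)
            if abs(s - median) / mad > threshold]


def build_sample(directory):
    """Constructed data: 20 similar-sized records plus one much shorter file."""
    d = Path(directory)
    for i in range(20):
        # Sizes differ by a byte or two, as encoded ciphertext fields would.
        (d / f"record{i:02d}.acc").write_bytes(b"A" * (583 + i % 3))
    # The record that was never encrypted is noticeably smaller.
    (d / "record99.acc").write_bytes(b"B" * 257)


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        return size_outliers(tmp)


if __name__ == "__main__":
    for name, size in demo():
        print(f"{size:>8}  {name}")
```

The same function is useful on the defending side as a periodic audit of an export directory: any record that failed encryption stands out by size before anyone else finds it.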

Log in to the application and under support you will find a file upload.

![](https://lh5.googleusercontent.com/83TkmS8e8HdZ8WmTu5L5-lnDbXZudzfLoy7UTGm7BTVmNaN77hWmDEMW3E9jvHiKFtSjLufcEC-tKcpDftmODQUIGipuv_0w7WtEHGTUuHmqITk8uW39ln5WCaEhs85WpaynNZ9H)

There is quite a bit of filtering on the webapp, but checking the source code we see that we can rename the extension to .htb and it will execute as PHP.

![](https://lh5.googleusercontent.com/H2Ax0IUUwe01nOyWhSaK4APwqr2MKRByTWUjjdm2Hzy_ptv7IPYXP4lQSdNvnyPz-2ZovPR-fClOG8GsOJvNW388OrrISlyLmoWmygtSk-CF1gC_p2fDfswPIm2xbh7yeCqPlzty)
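A configuration audit that would catch this kind of mapping, as an added example that is not from the original write-up. It assumes the extra extension is mapped with Apache's `AddType` or `AddHandler` directives (the page does not show how `.htb` was wired to PHP), and the sample configuration is constructed.

```python
import re

# Handler / MIME names that route a file to the PHP interpreter.
PHP_HANDLER = re.compile(r"application/x-httpd-php\d?|php\d*-script", re.I)
DIRECTIVE = re.compile(r"^\s*(AddType|AddHandler)\s+(\S+)\s+(.+)$", re.I)

# Constructed sample, not the target's real configuration.
SAMPLE_CONF = """\
# constructed sample
AddType application/x-httpd-php .php
AddType application/x-httpd-php .php .htb
AddHandler php5-script phtml
AddType text/html .shtml
#AddType application/x-httpd-php .old
"""


def extra_php_extensions(conf_text, allowed=(".php",)):
    """Return (line, directive, extension) for every extension that is
    handed to PHP but is not on the allow-list."""
    findings = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # Apache comments are whole lines starting with '#'
        m = DIRECTIVE.match(line)
        if not m or not PHP_HANDLER.fullmatch(m.group(2)):
            continue
        for ext in m.group(3).split():
            # Apache accepts extensions with or without the leading dot
            # and compares them case-insensitively.
            ext = "." + ext.lstrip(".").lower()
            if ext not in allowed:
                findings.append((lineno, m.group(1), ext))
    return findings


if __name__ == "__main__":
    for lineno, directive, ext in extra_php_extensions(SAMPLE_CONF):
        print(f"line {lineno}: {directive} sends {ext} to PHP")
```

Mappings made through `<FilesMatch>` with `SetHandler` are outside what this check parses and need a separate review.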

Upload shell.htb and execute it to get a low-privilege shell.

![](https://lh3.googleusercontent.com/XsS2BS3cpPQc6yxk2n12fu3MPcCIpo1-pxF0pMKEjGQOOsisVGagPu4H04xuU9q8gDzW51OJRfxhb3WtC9Sm7VxfeX295YvApI8ErVbOYktpMyz0dV05XL2I0P9jVV4clu0dN9SF)

Now we have a shell

![](https://lh6.googleusercontent.com/tTn3Bwd753tLABeIRvfSxVHo-3LBTMAzNq64_X8r2GHdvVfa-UmBbIFCvFaub1wVGvqXL_Cee4-2YBR5tTxXYxtTjKT8troitde9a_1UGN_uu4oOBncQYx_RZh6X0emR7nLXYB-U)

Download all of your tools and execute them.

![](https://lh3.googleusercontent.com/wd4q8MJRZ9USlASeZR1lqtbIOGrcA-1SERrpFHvo8CBqtY2PN0EXNFWGPzsy7jXjJFxx6FlMqt7YQcTQE4QNqTvEYRE5zqISyULzuWxxEV89Imcy8BvQusNWxgtZVQaihkyKVZmz)

After digging around the file system we see an unusual file called emergency.

<div align="left"><img src="https://lh4.googleusercontent.com/l8Np5QT4_CKGoalDTbryFbVT5ThRD0ZFWuZhlEX5ykDLZykyJxB3k2gIwV6FytziAUy4IjEHrVYiPO48zJMNJ9iXkuGFZLx59LSF_jfXWOH9tUm4lLAe5yk9zsnBvyl6wETIxN0o" alt=""></div>

Running it gives you root

![](https://lh6.googleusercontent.com/wU5a4CRG66M6-cSkRKuQ2bAT_amE5i1iebkP8H7xgxzqO1WIR0sTDyRFL_U790YaN7p3yTjG1DWoWKA5qHgvuF8dKtNq1IX-38zm6SJzbVy4NoIv5gsuaZ9VAAQ1c28f08KM3VgI)

Now add persistence as there is nmap on this host.

Create a crypt hash of the password “nmap” and echo it into the /etc/passwd file:

<div align="left"><img src="https://lh5.googleusercontent.com/C3ZVPBOLGY9sgYakvRVYdbSjusDLq-wSjMf0HIjMdrrv65Slt5ATvXKzlTdXGMUkKgg-Uzli2DjKpXUygs6Rc-o2c4S6lXQo4kby7NBB9F9QNkenL9lvjcYYMnhiPf598aygi4Eo" alt=""></div>

Now log in as the user nmap:nmap via ssh to get a root shell.

![](https://lh3.googleusercontent.com/_YUEzCIwHI83u0jThl4PvF5mUlYMktXZMPkLoBAULma7WCtHSd0wsdpZvIX-gcz2BPGf5Jyzg_Bd4LAbmeLONsAoGjaWutYXMWZZT28EZ3_FjiGxxbcs4VPtBLT6Bhu0i3ozWinY)

