Plaintext password stored unencrypted within an .acc file.
The web application allows users to upload malicious files with the extension .htb, which execute as PHP.
Privilege Escalation:
/var/htb/bin/emergency gives you a root shell.
Exploiting the host:
Nmap
Add bank.htb to your /etc/hosts file.
Dirsearch
/balance-transfer is a list of accounts.
Download them all with wget -r.
There are a lot of files, so list them all and search for ones with unusual sizes.
Found a non-encrypted file:
Log in to the application; under Support you will find a file upload.
There is quite a bit of filtering on the web app, but checking the source code we see that we can rename the extension to .htb and it will execute as PHP.
Upload shell.htb and execute it to get a low-priv shell.
Now we have a shell.
Download all of your tools and execute them.
After digging around the file system we see an unusual file called emergency.
Running it gives you root.
Now add persistence, as there is nmap on this host.
Create a crypted password "nmap" and echo it into the /etc/passwd file:
Now log in as the user nmap:nmap via SSH to get a root shell.
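From the defender's side, the persistence step above leaves two obvious traces in /etc/passwd: a second UID-0 account, and a password hash sitting in the password field instead of the shadow placeholder. The following audit (an added example, not part of the original writeup) parses passwd(5) lines and flags both; the sample file and the hash value in it are constructed for the demo.

```python
# Audit /etc/passwd for the tampering pattern described in the writeup:
# an extra UID-0 account and/or a hash placed directly in field 2.

def parse_passwd(text):
    """Yield one dict per passwd(5) line; malformed lines are reported as such."""
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            yield {"line": lineno, "malformed": line}
            continue
        name, pw, uid, gid, _gecos, home, shell = fields
        yield {"line": lineno, "name": name, "pw": pw, "uid": uid,
               "gid": gid, "home": home, "shell": shell}


def audit_passwd(text):
    """Return (line, finding, account) tuples for suspicious entries."""
    findings = []
    for e in parse_passwd(text):
        if "malformed" in e:
            findings.append((e["line"], "malformed", e["malformed"]))
            continue
        if not e["uid"].isdigit():
            findings.append((e["line"], "bad-uid", e["name"]))
            continue
        # Only root should ever carry UID 0.
        if e["uid"] == "0" and e["name"] != "root":
            findings.append((e["line"], "extra-uid0", e["name"]))
        # On a shadowed system field 2 is "x" (or a lock marker), never a hash.
        if e["pw"] not in ("x", "*", "!", "!!"):
            findings.append((e["line"], "hash-in-passwd", e["name"]))
    return findings


# Constructed sample: three normal entries plus the kind of line the
# persistence step adds. The hash below is a placeholder, not a real crypt.
SAMPLE = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
nmap:$1$PLACEHOLDER$notarealhash:0:0:/root:/root:/bin/bash
"""

if __name__ == "__main__":
    for line, kind, who in audit_passwd(SAMPLE):
        print(f"line {line}: {kind}: {who}")
```

Running the same function over the live file (`audit_passwd(open("/etc/passwd").read())`) makes a cheap periodic integrity check alongside file-hash monitoring.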