# Bank ## Bank - 10.10.10.29 ### Target Enumeration: OS: Linux IP: 10.10.10.29 User: 37c97f8609f361848d8872098b0721c3 Root: d5be56adc67b488f81a4b9de30c8a68e ### Ports / Services / Software Versions Running 22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0) 53/tcp open domain 80/tcp open http Apache httpd 2.4.7 ((Ubuntu)) ### Vulnerability Exploited: Plaintext password stored unencrypted within .acc file Web application allows users to upload malicious files with the extension .htb which execute as php ### Privilege Escalation: /var/htb/bin/emergency gives you a root shell. ### Exploiting the host: Nmap ![](https://lh6.googleusercontent.com/6TMRWWuEQusokUiccixutX_BNw8YkT8WVC4VvxfVvz5t7srGksfGgusJEdaZ4nESiuGAChDk2WIpHYzmFn4z0K5RMQFGw1JBiaCJRedgkCRbFYnGgV-3BgFm5OIueScMsIMHYynW) Add bank.htb to your /etc/hosts file Dirsearch ![](https://lh4.googleusercontent.com/er8Jsejk_EisLhF0I0-4UKFOIq01PTs7z-BaS8FwFOBHhRcyWYsnvT8nhpdtPSeR1XrsZccX9XJ3k8ZmrdCYTbAbjM83rovfRx15NW_LfBhHoYps7odEMTZGTZW2j6CnTmcAUwNX) /balance-transer is a list of accounts. ![](https://lh3.googleusercontent.com/b0i9tUvOa1HuM3vuvzil-73T__hVWFZV-mmnApVXVdn-Z7Ve6uL3_U4FGmXRvsB5zX1fn5FGVmg_mnkiW0z68inXhQfkQQrURpO8f0PZjRtVAy-R-fKwID78RE3OgYkgJWfFM07T) Download them all with wget -r. ![](https://lh3.googleusercontent.com/NmDFVdyl_wb4wUr2kTt7KtNMSMsn51Nhqsf-eQuaZAWquqLS8h8nKTiFwO7u_3mvOBVbqG2tuRCMhYaQdKOubpqfXCsgAZIsyPDjGfFUanQ3a1s2jpy2ogoxhV7UYeElHQAvNbjJ) There are a lot of files so list them all and search for ones with unusual sizes ![](https://lh6.googleusercontent.com/zJ9-zpkYoDW10c2faD45AJvdEZXqDlfib_te8pj_gWGrP5GrmIalbUUiXzpO5zWZmrCcovZeWqRLiOt5t02zgEhVknjVAJ0EysQfS1_2TOOA7EBEFbaJx485Hl31Ty4VLWyhrM7O) Found a non encrypted file:

Login to the application and under support you will find a file upload ![](https://lh5.googleusercontent.com/83TkmS8e8HdZ8WmTu5L5-lnDbXZudzfLoy7UTGm7BTVmNaN77hWmDEMW3E9jvHiKFtSjLufcEC-tKcpDftmODQUIGipuv_0w7WtEHGTUuHmqITk8uW39ln5WCaEhs85WpaynNZ9H) There is quite a bit of filtering on the webapp but checking the sourcecode we see that we can rename the extension to .htb and it will execute as php. ![](https://lh5.googleusercontent.com/H2Ax0IUUwe01nOyWhSaK4APwqr2MKRByTWUjjdm2Hzy_ptv7IPYXP4lQSdNvnyPz-2ZovPR-fClOG8GsOJvNW388OrrISlyLmoWmygtSk-CF1gC_p2fDfswPIm2xbh7yeCqPlzty) Upload shell.htb and execute to get a low priv shell ![](https://lh3.googleusercontent.com/XsS2BS3cpPQc6yxk2n12fu3MPcCIpo1-pxF0pMKEjGQOOsisVGagPu4H04xuU9q8gDzW51OJRfxhb3WtC9Sm7VxfeX295YvApI8ErVbOYktpMyz0dV05XL2I0P9jVV4clu0dN9SF) Now we have a shell ![](https://lh6.googleusercontent.com/tTn3Bwd753tLABeIRvfSxVHo-3LBTMAzNq64_X8r2GHdvVfa-UmBbIFCvFaub1wVGvqXL_Cee4-2YBR5tTxXYxtTjKT8troitde9a_1UGN_uu4oOBncQYx_RZh6X0emR7nLXYB-U) Download all of your tools and execute ![](https://lh3.googleusercontent.com/wd4q8MJRZ9USlASeZR1lqtbIOGrcA-1SERrpFHvo8CBqtY2PN0EXNFWGPzsy7jXjJFxx6FlMqt7YQcTQE4QNqTvEYRE5zqISyULzuWxxEV89Imcy8BvQusNWxgtZVQaihkyKVZmz) After digging around the file system we see an unusal file called emergency

Running it gives you root ![](https://lh6.googleusercontent.com/wU5a4CRG66M6-cSkRKuQ2bAT_amE5i1iebkP8H7xgxzqO1WIR0sTDyRFL_U790YaN7p3yTjG1DWoWKA5qHgvuF8dKtNq1IX-38zm6SJzbVy4NoIv5gsuaZ9VAAQ1c28f08KM3VgI) Now add persistence as there is nmap on this host. Create a crypted password “nmap” and echo it into the /etc/passwd file:

Now login as the user nmap:nmap via ssh to get a root shell. ![](https://lh3.googleusercontent.com/_YUEzCIwHI83u0jThl4PvF5mUlYMktXZMPkLoBAULma7WCtHSd0wsdpZvIX-gcz2BPGf5Jyzg_Bd4LAbmeLONsAoGjaWutYXMWZZT28EZ3_FjiGxxbcs4VPtBLT6Bhu0i3ozWinY)