22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
53/tcp open domain
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
Plaintext password stored unencrypted within .acc file
Web application allows users to upload malicious files with the extension .htb which execute as php
/var/htb/bin/emergency gives you a root shell.
Add bank.htb to your /etc/hosts file
/balance-transer is a list of accounts.
Download them all with wget -r.
There are a lot of files so list them all and search for ones with unusual sizes
Found a non encrypted file:
Login to the application and under support you will find a file upload
There is quite a bit of filtering on the webapp but checking the sourcecode we see that we can rename the extension to .htb and it will execute as php.
Upload shell.htb and execute to get a low priv shell
Now we have a shell
Download all of your tools and execute
After digging around the file system we see an unusal file called emergency
Running it gives you root
Now add persistence as there is nmap on this host.
Create a crypted password “nmap” and echo it into the /etc/passwd file:
Now login as the user nmap:nmap via ssh to get a root shell.