Raw Write-up

$ nmap -p- -T4 10.10.10.29
Starting Nmap 7.91 ( https://nmap.org ) at 2020-11-12 13:30 MST
Nmap scan report for 10.10.10.29
Host is up (0.056s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
80/tcp open http

 

Port 80 shows the default Apache splash screen. Running gobuster while I investigate port 53

Gobuster produced no output

I tried dig @10.10.10.29 10.10.10.29 and [email protected] localhost but it doesn't work

/start help from a walkthrough/

HackTheBox's default nameserver is {name of box}.htb

Doing dig @10.10.10.29 bank.htb shows that it's a valid address

Added that to my /etc/hosts to view the webpage

/end help/

$ gobuster dir -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt --url http://bank.htb

Outputs:

===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://bank.htb
[+] Threads: 10
[+] Wordlist: /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2020/11/12 14:54:33 Starting gobuster
===============================================================
/uploads (Status: 301)
/assets (Status: 301)
/inc (Status: 301)
/server-status (Status: 403)
/balance-transfer (Status: 301)
===============================================================
2020/11/12 15:14:49 Finished
===============================================================

 

Python Webcrawler Script

It prints one file/website that does not have an encryption note.

--ERR ENCRYPT FAILED
+=================+
| HTB Bank Report |
+=================+

===UserAccount===
Full Name: Christos Christopoulos
Email: [email protected]
Password: !##HTBB4nkP4ssw0rd!##
CreditCards: 5
Transactions: 39
Balance: 8842803 .
===UserAccount===
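
The crawler script itself is not reproduced on this page. As an added example (not the author's code), here is the same check from the defender's side: audit a directory of account exports and flag any file whose encryption step failed or left no note, naming the plaintext fields without printing their values. Assumptions: the `.acc` extension, the `++OK ENCRYPT SUCCESS` note, and all sample file contents are constructed; only the `--ERR ENCRYPT FAILED` line and the field labels come from the report above.

```python
import tempfile
from pathlib import Path

FAIL_MARKER = "--ERR ENCRYPT FAILED"   # status line shown in the report on this page
OK_MARKER = "++OK ENCRYPT SUCCESS"     # assumed success note; not shown on this page
EXPORT_GLOB = "*.acc"                  # assumed export file extension
SENSITIVE = ("Email:", "Password:")    # field labels from the report on this page


def audit_exports(directory, ok_marker=OK_MARKER, pattern=EXPORT_GLOB):
    """Return [(file name, reason, exposed field labels)] for exports left unencrypted."""
    findings = []
    for path in sorted(Path(directory).glob(pattern)):
        text = path.read_text(errors="replace")
        lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
        status = lines[0] if lines else ""
        if status == ok_marker:
            continue  # the encryption job reported success for this file
        reason = "encryption failed" if status == FAIL_MARKER else "no encryption note"
        # Report which sensitive fields are present, never their values.
        exposed = [lab for lab in SENSITIVE if any(ln.startswith(lab) for ln in lines)]
        findings.append((path.name, reason, exposed))
    return findings


def build_sample(directory):
    """Write constructed exports: two encrypted, one failed, one with no note at all."""
    d = Path(directory)
    d.joinpath("a1.acc").write_text(OK_MARKER + "\nEmail: 8f3a==\nPassword: c29t==\n")
    d.joinpath("b2.acc").write_text(OK_MARKER + "\nEmail: 77aa==\nPassword: ZmFr==\n")
    d.joinpath("c3.acc").write_text(
        FAIL_MARKER + "\nFull Name: Sample User\n"
        "Email: user@example.test\nPassword: sample-only\n")
    d.joinpath("d4.acc").write_text("Full Name: Other User\nBalance: 10\n")
    d.joinpath("index.html").write_text("not an export, ignored by the glob\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for name, reason, exposed in audit_exports(tmp):
            print(f"{name}: {reason}; plaintext fields: {', '.join(exposed) or 'none'}")
```

Run as a post-export check, a non-empty result means the batch should not be published to a web-readable directory.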

 

Used to log in at bank.htb/login.php

On the support page's source code you see that they allowed .htb files to run as .php

Created a PHP reverse shell from https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php

Got user flag from home/chris/user.txt

127c9d1c483b8a8d48c23e812d8e1ea4