CyberTrench

A Hackgineer's Blog

Cybersecurity insights, tools, and adventures from the trenches

2 min read
Posted on January 15, 2025

Bank WriteUp

Recon/Scanning

Server headers show its an Ubuntu box

Bank Server Headers

NMAP:

Bank Nmap Scan

Adding bank.htb to your hosts file will reveal a login page

Bank Login Page

Tried SQLi with no success…

/index.php (Status: 302)
/uploads (Status: 301)
/support.php (Status: 302)
/login.php (Status: 200)
/assets (Status: 301)
/logout.php (Status: 302)
/inc (Status: 301)

So many re-directs…

Lets “dig” around with DNS, TCP DNS usually means we can zone transfer…

Bank DNS Zone Transfer

We got a few other names we can add to hosts file

Bank DNS Results

Bank Hosts File

Gaining Access

Started dirsearch in the background, lets enumerate more on HTTP

After playing around with the redirects in Burp, I was able to bypass the redirect

Bank Burp Redirect Bypass

Bank Upload Bypass

Lets try to bypass with a simple rename and exiftool

After failing and failing, I found this…

Bank File Upload

After changing ext…

Bank File Extension Change

Bank Shell Access

Privilege Escalation

Inside the inc directory, the user.php has MySQL creds…

Bank MySQL Credentials

Bank MySQL Access

No luck!

Bank Passwd File

We have write access to passwd… we can get priv esc thru this but instead found a SUID bit binary called emergency

Bank Root Access

We hacked Bank! Great box