From nmap, there are ssh, dns and http service.

Local Picture

This is the web page.

Local Picture

Take a look at the DNS zone transfer data for bank.htb. There are multiple domains. We can add nameserver 10.10.10.29 in /etc/resolv.conf to access those domains.

Local Picture

In bank.htb, there is a login page. I use gobuster to see if there are other pages.

Local Picture

Local Picture

In the directory balance-transfer, there are lots of transfer records.

Local Picture

Local Picture

Most of their size are 58X, but I found one with size 257. It contains the credential.

Local Picture

We can login with the credential. From the source code, there is a comment saying .htb file can be executed as .php file.

Local Picture

Local Picture

In support.php, we can upload files. So I upload a php reverse shell and named it reverse.htb.

Local Picture

Access the web page, we get the shell as user www-data. When searching SUID bit binaries, I notice that there is /var/htb/bin/emergency, which is odd. When I execute it, I become root, and that is the box.

Local Picture