From nmap, there are SSH, DNS and HTTP services.
This is the web page.
Take a look at the DNS zone transfer data for bank.htb. There are multiple domains. We can add nameserver 10.10.10.29 to /etc/resolv.conf to access those domains.
On bank.htb, there is a login page. I use gobuster to see if there are other pages.
In the directory balance-transfer, there are lots of transfer records. Most of them are 58X in size, but I found one with size 257. It contains the credential.
We can log in with the credential. In the source code, there is a comment saying that .htb files can be executed as .php files.
In support.php, we can upload files. So I upload a PHP reverse shell and named it
Accessing the web page, we get a shell as user www-data. When searching for SUID binaries, I notice that there is /var/htb/bin/emergency, which is odd. When I execute it, I become root, and that is the box.
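From the defender's side, the odd SUID binary above is the kind of thing a periodic audit should flag. The following is an added example, not part of the original write-up: it lists root-owned SUID files that sit outside the directories where packages normally install them. The EXPECTED_DIRS list and every sample line except /var/htb/bin/emergency are assumptions constructed for illustration.

```python
import os
import stat

# Assumption: directories where distribution packages normally place SUID binaries.
EXPECTED_DIRS = ("/bin", "/sbin", "/usr/bin", "/usr/sbin", "/usr/lib", "/usr/libexec")

def is_expected(path, expected_dirs=EXPECTED_DIRS):
    """True if the normalized path lies under one of the expected directories."""
    norm = os.path.normpath(path)
    return any(norm.startswith(d + os.sep) for d in expected_dirs)

def parse_find_line(line):
    """Parse one line of GNU `find -printf '%m %U %p\\n'` into (mode, uid, path)."""
    mode, uid, path = line.rstrip("\n").split(" ", 2)
    return int(mode, 8), int(uid), path

def audit(entries, expected_dirs=EXPECTED_DIRS):
    """Return root-owned SUID paths that are outside the expected directories."""
    findings = []
    for mode, uid, path in entries:
        if mode & stat.S_ISUID and uid == 0 and not is_expected(path, expected_dirs):
            findings.append(path)
    return sorted(findings)

def scan(root="/"):
    """Yield (mode, uid, path) for regular files under root, not following symlinks."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable or vanished entry
            if stat.S_ISREG(st.st_mode):
                yield stat.S_IMODE(st.st_mode), st.st_uid, path

# Constructed sample in the `find -printf '%m %U %p\n'` format.
SAMPLE = [
    "4755 0 /usr/bin/passwd",
    "4755 0 /bin/su",
    "4755 0 /var/htb/bin/emergency",  # the path from the write-up
    "755 0 /var/htb/bin/helper",      # hypothetical, no SUID bit
    "4755 1000 /home/user/tool",      # hypothetical, not root-owned
]

if __name__ == "__main__":
    print(audit(parse_find_line(line) for line in SAMPLE))
    # On a live host: print(audit(scan("/")))
```

Run on a schedule and compared against the previous result, the output also shows when a new SUID file appears.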