# Official Bank CTF Walkthrough

## BANK\_CTF WRITEUP

*By Jacvbtaylor*

```
Created by @jacvbtaylor / @jacvb
https://tryhackme.com/jr/bankctf
completed Oct 7, 2022
```

Video walkthrough: <https://youtu.be/lR7gNc4wr1g>

### INTRO

Roger at work mentioned a new bank opening up in one of the small towns in your area. He said someone had reached out to him about designing their website but he declined because the pay was going to be too little and said whoever ends up building the site probably won’t know what they are doing.

You decide you want to check out the site and look for some vulnerabilities...

### OBJECTIVE

Capture all 6 flags by taking over the bank's server.

### STEP 1: Recon

Using my [nmap script](https://github.com/jacvbtaylor/nmapscript), I was able to locate 2 open ports on the target machine, 22 and 80. This means the bank's server is hosting a website and has remote access via SSH. You can run a simple nmap scan using `nmap -sN <ip>`

<figure><img src="https://4063747065-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGFFT9lXcArnSZPy6uxOC%2Fuploads%2FzRmROgF8vDTpLJ4vdsFv%2Fimage.png?alt=media&#x26;token=67252700-725b-404d-a66b-616dc6d89874" alt=""><figcaption></figcaption></figure>

Next, I want to check out their website by visiting the IP address in my browser. The first thing I notice is a construction page with a broken button:

<figure><img src="https://4063747065-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGFFT9lXcArnSZPy6uxOC%2Fuploads%2FRtYrvZbxRkU9wk0MFf4w%2Fimage.png?alt=media&#x26;token=5a178033-b521-4bc3-b523-7b01fdc64408" alt=""><figcaption></figcaption></figure>

Since there isn't anything else to go off of, I'll check the source code of this page and see what the button is for:

<figure><img src="https://4063747065-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGFFT9lXcArnSZPy6uxOC%2Fuploads%2F3IiroosKAITktsdYFcrZ%2Fimage.png?alt=media&#x26;token=bb44e347-bf20-46fd-8bef-d660b0a0c7f7" alt=""><figcaption></figcaption></figure>

I can see it is referencing a robots.txt file. I'll use wget to try and take that file and then see what is inside:

<figure><img src="https://4063747065-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGFFT9lXcArnSZPy6uxOC%2Fuploads%2FiZz4d43BRqfRiZ1PVexB%2Fimage.png?alt=media&#x26;token=16f51e2a-c21f-4e67-9346-df0c0f42afce" alt=""><figcaption></figcaption></figure>

Looks like a wordlist! I'll save that for later and start enumerating the website URL for any hidden directories and files. You can use dirb or gobuster for this:

`dirb http://<ip>`

`gobuster dir -u http://<ip> -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -t 50`

I was able to locate a WordPress directory from my enumeration, I'll check that out next:

<figure><img src="https://4063747065-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGFFT9lXcArnSZPy6uxOC%2Fuploads%2FARIUuGYIEvy8QPRsUIHt%2Fimage.png?alt=media&#x26;token=c7301a84-1e50-44c5-8c52-4bb48f84cebf" alt=""><figcaption><p>/wordpress</p></figcaption></figure>

<figure><img src="https://4063747065-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGFFT9lXcArnSZPy6uxOC%2Fuploads%2FL1paYzjtILvXBR8yVUSu%2Fimage.png?alt=media&#x26;token=719835a6-ca10-4b3e-9dc7-1bf70f08cc75" alt=""><figcaption><p>city bank</p></figcaption></figure>

Navigating the site to the Banking page, I see flag 1 along with a possible username, Patrick. It is common to use a company's public website to gather information about it, such as harvesting emails for future attacks. Since this website is not supposed to be public yet, there aren't any emails here, but a note like this is even better.

<figure><img src="https://4063747065-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGFFT9lXcArnSZPy6uxOC%2Fuploads%2FA2ugyF7OVKkcmbdvloTq%2Fimage.png?alt=media&#x26;token=261ffd9c-9484-4480-aac5-0343e897eea1" alt=""><figcaption><p>flag 1</p></figcaption></figure>

Once my directory enumeration scan completed, I saw `/wp-login.php`:

<figure><img src="https://4063747065-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGFFT9lXcArnSZPy6uxOC%2Fuploads%2FZmkE1mDVdORTu31Ntr2Y%2Fimage.png?alt=media&#x26;token=9c54a7f3-9f57-415b-9811-28111527d26d" alt=""><figcaption><p>wp-login</p></figcaption></figure>

Using the possible username from earlier, Patrick, I am going to attempt to log in with a test password. All I am looking for at this point is whether Patrick is a valid username, and it is:

<figure><img src="https://4063747065-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGFFT9lXcArnSZPy6uxOC%2Fuploads%2FZVlfXVTu3CDXklxUCJp2%2Fimage.png?alt=media&#x26;token=1a5e8093-f75c-4792-b118-8f4740dac321" alt=""><figcaption><p>username</p></figcaption></figure>

### STEP 2: Attack

Using the wordlist I found in the robots.txt file and this username, I set up an attack with hydra:

`hydra -l patrick -P robots.txt <ip> http-post-form '/wordpress/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:ERROR' -vV -t 30`

<figure><img src="https://4063747065-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGFFT9lXcArnSZPy6uxOC%2Fuploads%2Fr2ipRC4Naa1DXvAgo1Sc%2Fimage.png?alt=media&#x26;token=9d006ab3-4daf-4af1-ad3e-998d02f9a72b" alt=""><figcaption><p>Hydra1</p></figcaption></figure>

<figure><img src="https://4063747065-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGFFT9lXcArnSZPy6uxOC%2Fuploads%2FrcAKQ7Z6U8Gsw4H3suxC%2Fimage.png?alt=media&#x26;token=1da7c36c-6873-46cb-8437-dcdb3d736bbd" alt=""><figcaption><p>Hydra2</p></figcaption></figure>

I got a valid password! After logging in, I realize this user doesn't have many abilities, so I need to find a better user. Why not try the sender of the note to Patrick?

First, I want to grab flag 2 in Patrick's bio. It isn't formatted like the others, so I'll have to edit it to match. Easy.

<figure><img src="https://4063747065-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGFFT9lXcArnSZPy6uxOC%2Fuploads%2F7ZFUn50CiqBL6YvevB4w%2Fimage.png?alt=media&#x26;token=5028f7b0-aa19-4b48-9284-5005cea5994e" alt=""><figcaption><p>flag2</p></figcaption></figure>

Using hydra again, I ran my attack one more time, just changing the username to manager.

<figure><img src="https://4063747065-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGFFT9lXcArnSZPy6uxOC%2Fuploads%2F3qWKNDbVA34r8UFaDFuI%2Fimage.png?alt=media&#x26;token=a0432cf9-ea44-4786-a32e-f58307f95845" alt=""><figcaption><p>manager</p></figcaption></figure>

Hydra wasn't getting any valid passwords, so I changed the failure string `ERROR` to `incorrect` and it got a valid password!

`hydra -l manager -P robots.txt <ip> http-post-form '/wordpress/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:incorrect' -vV -t 30`

<figure><img src="https://4063747065-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGFFT9lXcArnSZPy6uxOC%2Fuploads%2F05M7UCoE6u1tGGzcvblA%2Fimage.png?alt=media&#x26;token=c45b21de-b179-4e1f-b411-579abf15acc9" alt=""><figcaption><p>manager2</p></figcaption></figure>
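As an added detection example (not part of the original writeup), this Python parses constructed Apache-style access log lines and flags the pattern a hydra run against `wp-login.php` leaves behind: a burst of POSTs from one client that each get a 200 (WordPress re-serves the form on a failed login) followed by a 302 (the redirect to wp-admin on success). The log lines, thresholds and function names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed log lines: 10.0.0.5 behaves like the hydra run, 10.0.0.9 is a normal user.
SAMPLE_LOG = """\
10.0.0.5 - - [07/Oct/2022:14:01:00 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 200 4812
10.0.0.5 - - [07/Oct/2022:14:01:01 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 200 4812
10.0.0.5 - - [07/Oct/2022:14:01:01 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 200 4812
10.0.0.5 - - [07/Oct/2022:14:01:02 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 200 4812
10.0.0.5 - - [07/Oct/2022:14:01:02 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 302 0
10.0.0.9 - - [07/Oct/2022:14:05:00 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 200 4812
10.0.0.9 - - [07/Oct/2022:14:05:20 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 302 0
"""


def parse(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], TS_FMT)
    d["status"] = int(d["status"])
    return d


def detect_wp_bruteforce(log_text, threshold=4, window_s=60):
    """Map flagged IP -> {"failed": n, "success_after": bool}. An IP is flagged when
    `threshold` failed wp-login.php POSTs (status 200) fall inside `window_s` seconds;
    success_after is True if a 302 (WordPress's redirect on a successful login) follows."""
    posts = defaultdict(list)
    for line in log_text.splitlines():
        e = parse(line)
        if e and e["method"] == "POST" and e["path"].endswith("/wp-login.php"):
            posts[e["ip"]].append((e["ts"], e["status"]))
    findings = {}
    for ip, events in posts.items():
        events.sort()
        fails = [t for t, s in events if s == 200]
        for i in range(len(fails) - threshold + 1):
            j = i + threshold - 1   # sliding window over consecutive failures
            if (fails[j] - fails[i]).total_seconds() <= window_s:
                hit = any(s == 302 and t >= fails[j] for t, s in events)
                findings[ip] = {"failed": len(fails), "success_after": hit}
                break
    return findings
```

A single failed login followed by a success (10.0.0.9) is not reported at the default threshold, which is the point of the window: alert on the burst, then look at whether the burst ended in a redirect.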

Now that I have administrative access, there are a couple of things I could do:

1. Add a PHP reverse shell using Appearance > Theme Editor
2. Keep snooping for valuable information

I decided to keep looking around first. Sometimes the simple option really pays off. Here's flag 3 along with a note:

<figure><img src="https://4063747065-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGFFT9lXcArnSZPy6uxOC%2Fuploads%2FfC3prdEEkfKKl1JYT7VX%2Fimage.png?alt=media&#x26;token=c211292c-c154-42a3-ac9d-5cf797c60489" alt=""><figcaption><p>ascii/flag 3</p></figcaption></figure>

I don't read ASCII codes, but I know a few websites that do, so I'll decode it:

<figure><img src="https://4063747065-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGFFT9lXcArnSZPy6uxOC%2Fuploads%2FlszJgJjPHM21hIFtHsfY%2Fimage.png?alt=media&#x26;token=9c715f4f-0891-445f-9299-a8828f850aae" alt=""><figcaption><p>wordlist2</p></figcaption></figure>

Another wordlist. The manager says he left a port open. I haven't touched port 22 from the nmap scan yet. I'll save this into a text file and see if I can use this list to get in using hydra again:

`hydra -L word.list -P word.list 10.10.75.42 ssh -t 4`

<figure><img src="https://4063747065-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGFFT9lXcArnSZPy6uxOC%2Fuploads%2FaOY61thwp3Ps36mvi2fW%2Fimage.png?alt=media&#x26;token=5a30b6cf-01f9-47c2-9838-e1874b9497a0" alt=""><figcaption><p>cat</p></figcaption></figure>

I got a username and password! Time to log in `ssh cat@10.10.75.42 -p 22`

<figure><img src="https://4063747065-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGFFT9lXcArnSZPy6uxOC%2Fuploads%2FpCToYyu7MwrnU0tCELn8%2Fimage.png?alt=media&#x26;token=fced7937-85d0-42ec-b629-b2532a45b719" alt=""><figcaption><p>flag4</p></figcaption></figure>

Using the `ls` command I found a lot of files and directories inside of Cat's home folder, one being flag 4.

<figure><img src="https://4063747065-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGFFT9lXcArnSZPy6uxOC%2Fuploads%2FIruwHft60uuxDDtHbKwE%2Fimage.png?alt=media&#x26;token=39f14e1e-ceee-4921-b5ca-3e7d503cde90" alt=""><figcaption><p>flag4.0</p></figcaption></figure>

After snooping around in this folder, I looked at the README file:

<figure><img src="https://4063747065-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGFFT9lXcArnSZPy6uxOC%2Fuploads%2FDIouuH7Zin0NLk9tPLRR%2Fimage.png?alt=media&#x26;token=acf05ae6-8bd4-4f11-a99c-990bef4d2eed" alt=""><figcaption><p>README</p></figcaption></figure>

I need to find a certain script. I don't see one in my current directory, so I'll move up one level. I moved to Patrick's directory and found a hidden folder called .bank\_work by running `ls -a` inside `/patrick`, and here was the script:

<figure><img src="https://4063747065-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGFFT9lXcArnSZPy6uxOC%2Fuploads%2FJ7uWZIcUdD8srPaaJXWB%2Fimage.png?alt=media&#x26;token=ea33b890-6882-4e75-8b3a-83c6cb7adcfc" alt=""><figcaption><p>script</p></figcaption></figure>

I tried running the script, since I could see it was an executable, but received *permission denied*.

<figure><img src="https://4063747065-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGFFT9lXcArnSZPy6uxOC%2Fuploads%2FDMIylAI2un6YxPemGwBD%2Fimage.png?alt=media&#x26;token=05471a38-b300-424d-810e-e8846fb990b4" alt=""><figcaption><p>denied</p></figcaption></figure>

After running `getent group | grep sudo` I see that cat is not part of the sudo group but `sudo -l` shows cat does have specific sudo privileges given to them by the system admin so that they can run root's script. I'll use sudo to run it:

<figure><img src="https://4063747065-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGFFT9lXcArnSZPy6uxOC%2Fuploads%2FRLPLVNo72EDYLz8nKdRV%2Fimage.png?alt=media&#x26;token=ace91442-5e11-47aa-a1ab-7ee440fa761c" alt=""><figcaption><p>script.sh</p></figcaption></figure>

<figure><img src="https://4063747065-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGFFT9lXcArnSZPy6uxOC%2Fuploads%2F3niw6hsB8y4Q9BfywLuj%2Fimage.png?alt=media&#x26;token=bfe65915-d5a4-43a1-94e3-bbc55bd73f8c" alt=""><figcaption><p>no file</p></figcaption></figure>

I entered the suggested prompt but changed the game name and got an error, so I looked at the files and found I only have 2 schedules to choose from. Good to know: 0312 and 0315. I attempted to read the script to find out how it works but got *cat: script.sh: Permission denied*.

After assessing the files I can read, I figure the program is probably reading those files and searching them for certain keywords based on what I input.

<figure><img src="https://4063747065-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGFFT9lXcArnSZPy6uxOC%2Fuploads%2FMNumfhJZVPciFjDjvXGL%2Fimage.png?alt=media&#x26;token=73f371fc-057f-433b-8358-8c049d402d0b" alt=""><figcaption><p>BlackJack</p></figcaption></figure>

After testing different inputs, I found the most important thing to enter is the game name. As long as the game name is valid, the rest of the script attempts to run. After some fiddling around, I find an exploit in this script, and since I have sudo privileges on the file, I may be able to use it to see information I normally wouldn't be allowed to read, like the /etc/shadow file.

I input `x : /etc/shadow BlackJack` and found flag 5.

<figure><img src="https://4063747065-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGFFT9lXcArnSZPy6uxOC%2Fuploads%2F7D8zTXjJNHyGE1mr0LFR%2Fimage.png?alt=media&#x26;token=33b7d36d-6907-4ea7-829c-c40aa8bb591a" alt=""><figcaption><p>flag5</p></figcaption></figure>
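The script itself could not be read on the box, so its real logic is unknown; the pair of functions below is an added illustration (not the CTF's script) of the pattern that lets an input like `x : /etc/shadow BlackJack` work, an assumed lookup that opens whatever path the caller supplies, next to the allowlisted version a sudo-run helper should use. The sample schedule files, their contents and the function names are all assumptions.

```python
import os
import re
import tempfile

# Constructed sample schedules standing in for the files in .bank_work; the real
# script and files were not readable, so this layout is an assumption.
SAMPLE_SCHEDULES = {
    "0312.txt": "10:00 Poker table 2\n14:00 BlackJack table 1\n",
    "0315.txt": "09:30 BlackJack table 3\n",
}
SCHEDULE_RE = re.compile(r"^[0-9]{4}$")        # ids look like 0312 / 0315
GAME_RE = re.compile(r"^[A-Za-z0-9]{1,32}$")   # game names: letters and digits only


def make_demo_dirs():
    """Build <base>/schedules/*.txt plus one file outside that directory which the
    lookup must never reach. Returns (schedule_dir, outside_file)."""
    base = tempfile.mkdtemp(prefix="bank_work_")
    sched = os.path.join(base, "schedules")
    os.mkdir(sched)
    for name, body in SAMPLE_SCHEDULES.items():
        with open(os.path.join(sched, name), "w") as fh:
            fh.write(body)
    outside = os.path.join(base, "outside.txt")
    with open(outside, "w") as fh:
        fh.write("this file must stay unreachable through the lookup\n")
    return sched, outside


def lookup_unsafe(schedule, game):
    """Assumed shape of the vulnerable script: the caller's schedule string is
    opened as-is, so when run under sudo it reads any file root can read."""
    with open(schedule) as fh:
        return [line.rstrip("\n") for line in fh if game in line]


def lookup_safe(schedule_dir, schedule, game):
    """Hardened lookup: allowlist both inputs, then check the resolved path still
    sits inside schedule_dir (realpath also defeats a symlinked schedule file)."""
    if not SCHEDULE_RE.match(schedule) or not GAME_RE.match(game):
        raise ValueError("schedule must be 4 digits and game alphanumeric")
    root = os.path.realpath(schedule_dir)
    path = os.path.realpath(os.path.join(root, schedule + ".txt"))
    if os.path.dirname(path) != root:
        raise ValueError("schedule resolves outside the schedule directory")
    if not os.path.isfile(path):
        raise FileNotFoundError("no such schedule: " + schedule)
    with open(path) as fh:
        return [line.rstrip("\n") for line in fh if game.lower() in line.lower()]


def is_rejected(schedule_dir, schedule, game):
    """True when lookup_safe refuses the request."""
    try:
        lookup_safe(schedule_dir, schedule, game)
    except (ValueError, FileNotFoundError):
        return True
    return False
```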

### STEP 3: Escalation

Since I now have the password hashes, I can do 3 things:

1. Attempt to crack them with John the Ripper
2. Keep looking for more clues
3. Exploit my sudo privilege

I decided to try all 3 options, starting with adding the hash to a file and running John. While that ran I looked into the bank directory and found a note:

<figure><img src="https://4063747065-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGFFT9lXcArnSZPy6uxOC%2Fuploads%2FYBj49Y42x28dNcSehW5J%2Fimage.png?alt=media&#x26;token=01403402-783d-412e-be82-00152edb3739" alt=""><figcaption><p>riddle</p></figcaption></figure>

After solving the riddle, I see 137256 as the number of lines, and John cracked the hash to the same value. Now that I know I have the right password for root, I could switch users very easily, but I opted for the awk privilege escalation to get the last flag:

<figure><img src="https://4063747065-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGFFT9lXcArnSZPy6uxOC%2Fuploads%2FHWPR9vWnsVYOY1CcIlUl%2Fimage.png?alt=media&#x26;token=c474b4d3-ec3d-4340-827a-fa28b31866ed" alt=""><figcaption><p>crunch</p></figcaption></figure>

<figure><img src="https://4063747065-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGFFT9lXcArnSZPy6uxOC%2Fuploads%2FodQxySZfu1H6Ruu5AQ7E%2Fimage.png?alt=media&#x26;token=26c20b6b-e0e3-428d-9486-7d81f2cb5949" alt=""><figcaption><p>John</p></figcaption></figure>

<figure><img src="https://4063747065-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGFFT9lXcArnSZPy6uxOC%2Fuploads%2F70NGBF8S23ERneULZy5F%2Fimage.png?alt=media&#x26;token=845583e1-479c-4279-b0d4-d0e7a020b29a" alt=""><figcaption><p>awk</p></figcaption></figure>

Flag 6 has been moved out of the `/` directory, but it should be very easy for you to find.

You can read about awk privilege escalation [here](https://gtfobins.github.io/gtfobins/awk/). Thank you for playing and congratulations if you made it to the end. Hopefully you learned a thing or two.

Feel free to reach out to me if you have any questions or feedback <jacvbtaylor@gmail.com>
