
Showing posts with the label misconfiguration

HackTheBox - Bank - Retired - Update

Recon

I've been using threader3000 to run my recon scans lately. It does a super fast up/down scan on all TCP ports, then suggests an nmap scan based only on the ports that were up in the first scan. It also automatically saves the nmap results out to an XML file, which I then convert to HTML to make it pretty:

xsltproc ./bank.htb/bank.htb.xml -o ./bank.html

Looks like we have just three open ports: 22, 53 and 80. Nmap thinks the box is Ubuntu.

Port  Product  Version
22    OpenSSH  6.6.1p1
53    BIND     9.9.5-3
80    Apache   2.4.7

Let's start with port 80 and see what it might be serving us. A login form for HTB Bank is what we see when we browse to the server. Let's brute force the directories to see if we can find any other pages being served. I used dirbuster and the /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt wordlist. Eventually I saw this directory it found: /balance-transfer/

When