First of all, I'd like to apologize for my hiatus. Some of you have asked for more write-ups but life got in the way. With that said, let's start!

Task 1: Which of the following options better represents the process where you simulate a hacker's actions to find vulnerabilities in a system?

This one is simple!

Offensive Security

Task 2: What is your bank account number in the FakeBank web application?

Hit the Start Machine button and wait for the split view.

[Screenshot: Start machine button.]

Once that's done, you can check your account number in the top-left section, under Accounts.

8881

Task 3: Dirb should have found 2 hidden URLs. One of them is http://fakebank.thm/images. What is the other one?

DIRB is a web content scanner used in penetration testing. It works by brute-forcing URLs against a web server using a wordlist, looking for hidden files, directories, and resources that aren't publicly linked or visible.

In simple terms: you point it at a target URL, it tries a huge list of common directory and file names, and reports back anything that actually exists based on the HTTP response codes.

It's commonly used in CTFs to discover hidden paths like /admin, /uploads, /backup, etc. that could lead to further exploitation.

In this case, the wordlist (common.txt) has already been provided, so all we need to do is run DIRB.

The following URLs were found:

[Screenshot: dirb results.]

The /images URL is full of assets used by the web page itself. They could potentially hide useful information, but that seems to be out of scope for this CTF — and frankly, my knowledge base as well.

Let's try our luck with the other URL, which looks a lot more promising:

http://fakebank.thm/bank-deposit
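A scan like this is noisy from the server's point of view: one client walks through a wordlist and almost every response is a 404, with the few non-404 hits being exactly the paths DIRB reports. As an added example (not part of the original write-up, nor DIRB's own code), the script below runs that detection logic over a handful of constructed access log lines in the usual combined format. The client addresses, timestamps, the 60-second window and the threshold of 8 misses are all assumptions for the sake of the example.

```python
"""Spot wordlist-driven directory scans in web server access logs.

Added example for this write-up; the log lines below are constructed, and
the window/threshold values are assumptions, not tuned defaults.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format (Apache/nginx): ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?:\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: 10.10.1.7 walks a wordlist and "finds" /images and
# /bank-deposit; 10.0.0.5 is an ordinary visitor with one stray 404.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
10.10.1.7 - - [01/Jan/2024:10:00:01 +0000] "GET /admin HTTP/1.1" 404 196 "-" "Mozilla/4.0"
10.10.1.7 - - [01/Jan/2024:10:00:01 +0000] "GET /backup HTTP/1.1" 404 196 "-" "Mozilla/4.0"
10.10.1.7 - - [01/Jan/2024:10:00:02 +0000] "GET /cgi-bin HTTP/1.1" 404 196 "-" "Mozilla/4.0"
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /images/logo.png HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
10.10.1.7 - - [01/Jan/2024:10:00:02 +0000] "GET /images HTTP/1.1" 301 0 "-" "Mozilla/4.0"
10.10.1.7 - - [01/Jan/2024:10:00:03 +0000] "GET /index HTTP/1.1" 404 196 "-" "Mozilla/4.0"
10.10.1.7 - - [01/Jan/2024:10:00:03 +0000] "GET /login HTTP/1.1" 404 196 "-" "Mozilla/4.0"
10.10.1.7 - - [01/Jan/2024:10:00:04 +0000] "GET /uploads HTTP/1.1" 404 196 "-" "Mozilla/4.0"
10.10.1.7 - - [01/Jan/2024:10:00:04 +0000] "GET /bank-deposit HTTP/1.1" 200 2210 "-" "Mozilla/4.0"
10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /missing HTTP/1.1" 404 196 "-" "Mozilla/5.0"
10.10.1.7 - - [01/Jan/2024:10:00:05 +0000] "GET /test HTTP/1.1" 404 196 "-" "Mozilla/4.0"
10.10.1.7 - - [01/Jan/2024:10:00:05 +0000] "GET /tmp HTTP/1.1" 404 196 "-" "Mozilla/4.0"
10.10.1.7 - - [01/Jan/2024:10:00:06 +0000] "GET /.git HTTP/1.1" 404 196 "-" "Mozilla/4.0"
10.10.1.7 - - [01/Jan/2024:10:00:06 +0000] "GET /robots.txt HTTP/1.1" 404 196 "-" "Mozilla/4.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def detect_scanners(lines, window=timedelta(seconds=60), threshold=8):
    """Return {ip: {"not_found": n, "discovered": [paths]}} for every client
    that produced at least `threshold` 404s inside some `window`-long span.
    `discovered` lists the client's non-404 paths, i.e. what the scan found."""
    by_ip = defaultdict(list)
    for line in lines:
        event = parse_line(line)
        if event:
            by_ip[event["ip"]].append(event)

    flagged = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        misses = [e["ts"] for e in events if e["status"] == 404]
        # Two-pointer sliding window over the sorted 404 timestamps.
        start, peak = 0, 0
        for end, ts in enumerate(misses):
            while ts - misses[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            discovered = []
            for e in events:
                if e["status"] != 404 and e["path"] not in discovered:
                    discovered.append(e["path"])
            flagged[ip] = {"not_found": len(misses), "discovered": discovered}
    return flagged


if __name__ == "__main__":
    for ip, info in detect_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {info['not_found']} misses, found {info['discovered']}")
```

Only the scanning client is flagged; the ordinary visitor's single 404 never reaches the threshold. In practice the threshold and window are tuned against the site's normal 404 rate, and the `discovered` list is the useful part for the defender: it tells you which unlinked paths an attacker now knows about.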

Task 4: If your balance is now positive, a pop-up should appear with some green words in it. Input the green words as the answer to this question.

Paste that URL into your favourite browser and you'll be presented with the Admin Portal, which has the permissions — by definition — to alter account values.

If you remember our account number from the previous task (8881), just add funds to that specific account and you're done! You'll be presented with the flag:

BANK-HACKED
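The whole room turns on one thing: the deposit page was only ever "hidden", never protected, so finding its URL was the same as getting admin rights. As an added example that is not FakeBank's code (the room never shows the application's stack), the snippet below models a minimal router with that unauthenticated handler next to the same handler gated on an authenticated admin session. The account balance, the session layout and the route names are constructed for the example.

```python
"""Hidden-but-unprotected admin endpoint beside a role-checked version.

Added example for this write-up, not the FakeBank application's code.
Requests are plain dicts: {"path": ..., "form": {...}, "session": {...}}.
"""
from functools import wraps

# Constructed in-memory bank: account 8881 starts overdrawn, as in the room.
ACCOUNTS = {"8881": -250}


def deposit(account, amount):
    """Credit `amount` to `account` and return the new balance."""
    ACCOUNTS[account] = ACCOUNTS.get(account, 0) + amount
    return ACCOUNTS[account]


def require_role(role):
    """Server-side gate: 401 without a session, 403 without the required role."""
    def decorator(handler):
        @wraps(handler)
        def wrapper(request):
            session = request.get("session")
            if not session:
                return 401, "authentication required"
            if role not in session.get("roles", ()):
                return 403, "forbidden"
            return handler(request)
        return wrapper
    return decorator


def bank_deposit(request):
    """The admin action: add funds to any account named in the form."""
    form = request["form"]
    return 200, deposit(form["account"], int(form["amount"]))


# Vulnerable routing: /bank-deposit is not linked from the site, and that
# obscurity is the only thing standing between it and a wordlist scan.
VULNERABLE_ROUTES = {
    "/": lambda request: (200, "home"),
    "/bank-deposit": bank_deposit,
}

# Hardened routing: same handler, but every call must carry an admin session.
HARDENED_ROUTES = {
    "/": lambda request: (200, "home"),
    "/bank-deposit": require_role("admin")(bank_deposit),
}


def dispatch(routes, request):
    """Route a request to its handler; unknown paths get a 404 like any web server."""
    handler = routes.get(request["path"])
    if handler is None:
        return 404, "not found"
    return handler(request)


if __name__ == "__main__":
    anon = {"path": "/bank-deposit", "form": {"account": "8881", "amount": "1000"}}
    print("vulnerable app, no login:", dispatch(VULNERABLE_ROUTES, anon))
    print("hardened app, no login:  ", dispatch(HARDENED_ROUTES, anon))
    print("hardened app, admin:     ",
          dispatch(HARDENED_ROUTES, {**anon, "session": {"roles": ["admin"]}}))
```

The point of the decorator is that the check lives on the server next to the action, not in whether a link is visible. A real deployment would add CSRF protection and an audit log entry for every admin deposit on top of this, but the authorisation gate is the piece whose absence made this CTF solvable with a wordlist alone.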

Stay curious and keep hacking! I know I will!