Next after Netmon is Bashed; I don’t know anything about it. I do wonder if it’s shellshock though, just based on the name.
Ports
HTTP only. Makes it easy, no?
HTTP
On the webpage we get some information about something called phpbash, and there is a link to a GitHub repo where we can inspect the code. Essentially it takes POST requests and passes them to shell_exec. We need to find it on the website; a quick run with dirsearch turns up /dev and we can find what we’re after.
http://10.10.10.68/dev/phpbash.php
We can send it commands; I use Burp Repeater to get myself a reverse shell:
On the box
I check sudo -l and find I can do whatever I want as scriptmanager; so I become scriptmanager.
That’s all well and good, but I need to know what scriptmanager has access to. I search for files:
Right; what’s test.py?
Two interesting things to note here. One, we own the Python script. Two, root owns the output and it was created very recently. I check /etc/crontab but there is nothing interesting. I wait a minute or two, and a new copy of test.txt is created. So it is running as a root cron. That’s our in:
We don’t have to wait long:
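Since the escalation hinges on a root cron job running a script that a lower-privileged user owns, here is an added audit script (example code, not part of the original post) that flags crontab targets a non-root user could modify. `audit_crontab`, `demo` and the sample crontab are this example's own; the demo builds its world-writable test.py in a temporary directory rather than touching the real /scripts.

```python
"""Audit crontab entries for targets a non-root user could modify (added example, not from the post)."""
import os
import stat
import tempfile


def cron_command_paths(entry: str) -> list:
    """Absolute paths referenced by one crontab line (env lines and comments yield none)."""
    fields = entry.split()
    if not fields or fields[0].startswith("#") or "=" in fields[0]:
        return []
    # Time fields ("*/5", "@reboot") and the user field never begin with "/".
    return [tok for tok in fields if tok.startswith("/")]


def writable_by_non_root(path: str) -> list:
    """Reasons a root-executed file could be replaced by another user; empty means OK."""
    reasons = []
    # The containing directory matters too: write access there lets a user swap the file.
    for label, target in (("file", path), ("directory", os.path.dirname(path))):
        st = os.lstat(target)
        if st.st_uid != 0:
            reasons.append(f"{label} owned by uid {st.st_uid}")
        if st.st_mode & stat.S_IWGRP:
            reasons.append(f"{label} group-writable")
        if st.st_mode & stat.S_IWOTH:
            reasons.append(f"{label} world-writable")
    return reasons


def audit_crontab(text: str) -> dict:
    """Map every existing path referenced in a crontab to its list of findings."""
    findings = {}
    for entry in text.splitlines():
        for path in cron_command_paths(entry):
            if os.path.exists(path):
                findings[path] = writable_by_non_root(path)
    return findings


def demo() -> dict:
    """Constructed scenario mirroring the box: a root cron entry runs a world-writable test.py."""
    workdir = tempfile.mkdtemp(prefix="cronaudit-")
    script = os.path.join(workdir, "test.py")
    with open(script, "w") as fh:
        fh.write("print('constructed sample')\n")
    os.chmod(script, 0o777)  # deliberately too permissive
    crontab = f"PATH=/usr/bin:/bin\n# constructed sample\n* * * * * root python {script}\n"
    return audit_crontab(crontab)
```

Running `audit_crontab` over the contents of /etc/crontab and the files in /etc/cron.d on a real host reports each referenced path with an empty list when it is safe, which is the fix the box needed: test.py owned by root and not writable by scriptmanager.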
Pretty simple. Strictly speaking Traceback would be next but I’ve done that, so Nibbles it is.