Next after Netmon is Bashed; I don’t know anything about it. I do wonder if it’s shellshock though, just based on the name.
Only HTTP is exposed. Makes it easy, no?
The web page describes a tool called phpbash and links to its GitHub repo, so we can read the source before touching it: essentially it takes a command from a POST request and hands it straight to shell_exec. We still need to find where it is deployed on this site; a quick run with dirsearch turns up /dev, and that is where it lives.
We can send it commands directly; I use Burp Repeater to fire off a reverse shell:
On the box
I check sudo -l and find I can run any command as scriptmanager, so I switch to that user.
That's all well and good, but I need to know what scriptmanager has access to that I did not already have. I search for files owned by that user:
Right; what’s test.py?
Two interesting things to note here. One, we own the Python script. Two, root owns its output, test.txt, and it was created very recently. I check /etc/crontab but there is nothing interesting there. I wait a minute or two and a fresh test.txt appears, so the script is being run as a root cron job. Since we can write the script, that's our in:
We don’t have to wait long:
Pretty simple. Strictly speaking Traceback would be next but I’ve done that, so Nibbles it is.