HackTheBox: Bashed [OSCP Prep]
- OS: Linux 🐧
- Difficulty: Easy 😇
- Release: 09 Dec 2017 📅
- IP: 10.10.10.68 💻
- Box Creator: Arrexel 😎
Let’s begin with a full Nmap scan port scan to see what open ports we can find. I’ve used Rustscan because it provides faster Nmap results:
$ rustscan -a 10.10.10.68 -r 1-65535 -- -sV -sC -Pn PORT STATE SERVICE REASON VERSION 80/tcp open http syn-ack Apache httpd 2.4.18 ((Ubuntu)) |_http-favicon: Unknown favicon MD5: 6AA5034A553DFA77C3B2C7B4C26CF870 | http-methods: |_ Supported Methods: OPTIONS GET HEAD POST |_http-server-header: Apache/2.4.18 (Ubuntu) |_http-title: Arrexel's Development Site NSE: Script Post-scanning. NSE: Starting runlevel 1 (of 3) scan. Initiating NSE at 23:42 Completed NSE at 23:42, 0.00s elapsed NSE: Starting runlevel 2 (of 3) scan. Initiating NSE at 23:42 Completed NSE at 23:42, 0.00s elapsed NSE: Starting runlevel 3 (of 3) scan. Initiating NSE at 23:42 Completed NSE at 23:42, 0.00s elapsed Read data files from: /usr/bin/../share/nmap Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 24.43 seconds
We found HTTP port 80 open.
What is phpbash?. Well to make our life easy there is a link to the phpbash git repo. According to it “phpbash is a standalone, semi-interactive web shell”. Doing a quick directory bust identifies there is a /dev directory. This directory is where phpbash is installed on this server.
Phpbash provides a semi-interactive shell. If you like you can execute a reverse shell payload and get an interactive shell.
Going ahead looking at the sudo entries. There is a user called “scriptmanager” and we can execute any command as scriptmanager via sudo without providing the password. So I executed /bin/bash to get a bash shell.
There is an unusual folder sitting at the root of the file system.
Content in the test.py file. (File owned by scriptmanager)
Content in the test.txt (File owned by root)
test.txt is created as a result of executing test.py. Looking at the ownership of test.txt, it’s owned by root. This means a process running with root privileges has executed test.py. Maybe some cronjob.
Let’s add a reverse shell payload to test.py and see if we get a shell back.
Setup a listener and wait for a shell connection.
Got a shell running as root privileges.
I hope you have learned something valuable by reading my write-up. If you like this post please share it with your fellow hackermates and if you have any questions & suggestions please feel free to post them down in the comments. I’d love to hear and learn from you.
If you enjoyed this write-up show me some ❤️ by giving me some respect 💯 at [email protected] which helps & motivates me to create content like this for the awesome hacking community. Have a great day guys 👋. See you in the next post.