TJnull OSCP Prep Series
HackTheBox: Bashed [OSCP Prep]


  • OS: Linux 🐧
  • Difficulty: Easy 😇
  • Release: 09 Dec 2017 📅
  • IP: 10.10.10.68 💻
  • Box Creator: Arrexel 😎

Hello there guys. Welcome to my 7th post on the TJnull OSCP Prep Series. Today we’re going to be discussing Bashed from HackTheBox.

Let’s begin with a full Nmap port scan to see which ports are open. I’ve used Rustscan because it provides faster Nmap results:

$ rustscan -a 10.10.10.68 -r 1-65535 -- -sV -sC -Pn
PORT   STATE SERVICE REASON  VERSION
80/tcp open  http    syn-ack Apache httpd 2.4.18 ((Ubuntu))
|_http-favicon: Unknown favicon MD5: 6AA5034A553DFA77C3B2C7B4C26CF870
| http-methods: 
|_  Supported Methods: OPTIONS GET HEAD POST
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Arrexel's Development Site

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 23:42
Completed NSE at 23:42, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 23:42
Completed NSE at 23:42, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 23:42
Completed NSE at 23:42, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.43 seconds

We found HTTP port 80 open.

Figure 1.0

What is phpbash? To make our life easy, there is a link to the phpbash git repo. According to it, “phpbash is a standalone, semi-interactive web shell”. A quick directory bust identifies a /dev directory, which is where phpbash is installed on this server.

Figure 1.1
Figure 1.2

Phpbash provides a semi-interactive shell. If you like you can execute a reverse shell payload and get an interactive shell.

Post Exploitation

Next, looking at the sudo entries: there is a user called “scriptmanager”, and we can execute any command as scriptmanager via sudo without providing a password. So I executed /bin/bash to get a bash shell.

Figure 1.3

There is an unusual folder sitting at the root of the file system.

Figure 1.4

Figure 1.5: Contents of the scripts folder

Content in the test.py file. (File owned by scriptmanager)

Figure 1.6: Content in the test.py file

Content in the test.txt (File owned by root)

testing 123!

test.txt is created as a result of executing test.py. Looking at the ownership of test.txt, it’s owned by root, which means a process running with root privileges has executed test.py, possibly a cron job.

Let’s add a reverse shell payload to test.py and see if we get a shell back.

Figure 1.7: Add our reverse shell payload

Set up a listener and wait for a shell connection.

Figure 1.8

Got a shell running with root privileges.
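
The root cause above is that a root-run job executes scripts from a directory controlled by a lower-privileged account (test.py is owned by scriptmanager). As an added example, not part of the original write-up, here is an audit check an administrator could run against such a directory; the function name, the trusted-UID set and the sample directory are assumptions constructed for illustration.

```python
import os
import stat
import tempfile


def audit_root_script_dir(path, trusted_uids=frozenset({0})):
    """Audit a directory whose scripts are executed by a privileged job.

    Returns (entry, reason) findings for the directory itself and every
    entry in it that an account outside trusted_uids could modify or replace.
    """
    findings = []
    entries = [path] + [os.path.join(path, n) for n in sorted(os.listdir(path))]
    for entry in entries:
        st = os.lstat(entry)  # lstat: inspect the link itself, not its target
        if stat.S_ISLNK(st.st_mode):
            findings.append((entry, "symlink: audit the target separately"))
            continue
        if st.st_uid not in trusted_uids:
            # The owner can always rewrite (or chmod) the file.
            findings.append((entry, f"owned by untrusted uid {st.st_uid}"))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((entry, "group- or world-writable"))
    return findings


if __name__ == "__main__":
    # Constructed sample standing in for the scripts folder in the write-up.
    # There the finding would be ownership by scriptmanager; here the file is
    # made world-writable so the demo flags something for any invoking user.
    with tempfile.TemporaryDirectory() as scripts:
        sample = os.path.join(scripts, "test.py")
        with open(sample, "w") as fh:
            fh.write("print('placeholder')\n")
        os.chmod(sample, 0o666)
        for entry, reason in audit_root_script_dir(scripts):
            print(f"{entry}: {reason}")
```

Any finding means the privileged job can be made to run attacker-controlled code; the fix is to have root own both the directory and the scripts, with no group or world write bits.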


I hope you have learned something valuable by reading my write-up. If you like this post please share it with your fellow hackermates and if you have any questions & suggestions please feel free to post them down in the comments. I’d love to hear and learn from you.

If you enjoyed this write-up show me some ❤️ by giving me some respect 💯 at [email protected] which helps & motivates me to create content like this for the awesome hacking community. Have a great day guys 👋. See you in the next post.
