HTB – Bashed – Walkthrough

Another box from the the legendary OSCP-like box list from TJNull. In this box, Bashed, we get a look at some good old fashioned php. Bashed is very straightforward but it taught a few things that I honestly was scratching my head over for a few minutes until I figured out my mistake. There is not much to lose track of, a single port is open, no rabbit holes, but rather, can you manipulate what is in front of you.

In a nutshell, we find a webserver on port 80, run a gobuster scan and find a /dev directory. From there we’re able to load the php and grab the user flag. Next we’ll need a legitmate shell rather than a web shell so we upload a backdoor to the /uploads directory and execute it. The rest is fairly simple, some privesc and root.

As for the OSCP what did this box teach me:

  1. Use goBuster, enumerate!
  2. Using the which command to find out if wget, curl, nc, bash and python are on the box
  3. How to use sudo
  4. How to properly configure a privesc shell

Lets go:

Walkthrough for Bashed

The IP for Bashed is 10.10.10.68

First step as always is a nmap scan of the target host:

(forgive the double -sC 🙂 )

After our initial results came back we also ran scans on allports and UDP. Nothing to report.

Our initial scan returns just one port:

80/tcp open http

Bashed

First step for me is to visit port 80 and see if there are any clues or indications of what are next steps are.

Not much going on here, so I decide to run a goBuster scan on the webserver and see if anything catches my eye

The Gobuster scan returns some interesting directories:

  1. uploads
  2. dev

When I visited the uploads the directory, I was met with a blank page which was my first clue that maybe I can put something in here and run it

Second I visited dev:

Clicking phpbash.php led me to a webshell:

Before I even thought about getting my own shell, I wanted to see what I could grab from this.

With the user flag secured, now I can get to work on getting a proper shell.

As I mentioned earlier there wasn’t effort in getting the shell up and running. I knew I could place files in the upload directory so it was a matter of how do I get files on to this box. I used a simple HTTP server from python which allows me to quickly host files on webserver.

The syntax (for Python3) is:

python3 -m http.server [port number]

So what I did was, I googled really solid backdoor php shell:

https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php

This one to be exact. I edited the port and ip as per the instructions and saved it as shell.php in my /htb/bashed folder. This is also where I spun up my http server.

You can see that I checked the box to see if curl or wget was available, if they weren’t I’d have to get crafty nut luckily wget was good to go. Once the file was uploaded, I spun up a nc -lvnp 443 on my terminal and went to http://10.10.10.68/shell.php . I got a callback and we were in business.

Next step, make this a more interactive shell:

python -c 'import pty;pty.spawn("/bin/sh")'

Now that I had the user flag, a shell up as a low privileged user, I had to think about my next steps. I didn’t want to use LinEnum because I really wanted to work through this one on my own. So first, I wanted to check what commands I can run as sudo.

Since I know I can run as scriptmanager without a password I decided to switch right away

So what happened here? Well sudo -l told me I can use sudo to run all commands as scriptmanager. So I used sudo -i which according to the manual for sudo allows me to login and the -u allows me to specify the user.

Unfortunately we are not out of the woods yet. Luckily for us scriptmanager had access to a scripts folder that led us to another clue. Inside the scripts folder were two files, one test.py and one test.txt; test.py was owned by us and test.txt was owned by root.

After further investigation it was realized that the python script is being run every minute as part of a cronjob. So if I could rewrite the contents of test.py to give me a root shell then it would execute. I tried using vi to edit test.py on the fly but ran into so much trouble. I decided to actually remove test.py and upload my own malicious version.

When this script executed, I had a callback on another nc session but I was still scriptmanager and not root. This may seem obvious why but at the time it led me to scratching my head. This was a valuable lesson learned. I was using the wrong shell code. So I rewrote test.py

See the difference now

All we had to do now was wait for the cronjob, if you’re impatient you could execute the script yourself.

And that’s it. Very straightforward that reinforced some fundamentals of pentesting. I had fun knocking this one out but I think I will do a more difficult one next time round.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s