HackTheBox - Bashed - 10.10.10.68 - Writeup
This machine is rated easy difficulty and requires knowledge of the Linux sudo and sudo -l commands. The initial phase only requires some simple enumeration of an Apache webpage which turns out to be running a webshell.
nmap -sC -sV -oA nmap/bashed 10.10.10.68
We can see that the only open port on the machine is serving Apache httpd.
There is an article on the page stating that some sort of PHP file called phpbash was developed on the machine, so we can try running gobuster to enumerate possible directories.
gobuster dir -u http://10.10.10.68 -w /usr/../.../..2.3-medium.txt
We see that we got a hit for a /dev directory, and seeing as phpbash was developed on the machine there is a good chance it is in that directory.
Bingo! A webshell
To exploit this machine it would be nicer to have an actual shell, so I created a simple Python reverse shell and started a netcat listener as well as a Python HTTP server to get the file to the remote machine.
nc -lvnp 9004
Now that we have a proper shell we can do some enumeration and also read the user flag
We can also see that there is a user scriptmanager who we could escalate privileges to.
sudo -l - will tell us what commands we can run as other users
As we can run every command as scriptmanager with no password, we can just spawn a shell as them using the bash command
sudo -u scriptmanager /bin/bash - will get us a shell as scriptmanager
3. Privilege Escalation from scriptmanager to root
After some manual enumeration of the system there appears to be an unusual directory, /scripts which contains
This Python script seems to be run by some process, probably a cron job. We could try to exploit this by uploading a malicious Python reverse shell to get a shell as root.
cp rev.py revroot.py
Notice how our revroot.py file has a different port than our initial rev.py shell; this is so it does not interfere with our existing reverse shell.
We will upload revroot.py to the box using the same Python HTTP server.
Now all we have to do is open a new netcat listener on port 1337 and wait
nc -lvnp 1337
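The root cause of this last step is that a root-run job executes Python files from a directory a lower-privileged user can write to. As an added example (not part of the original writeup), the Python check below flags that condition on a host you administer; the function names, the job.py file name and the temp-directory layout are assumptions made for illustration.

```python
import os
import stat
import tempfile


def weaknesses(st, trusted_uids=(0,)):
    """Reasons an account outside trusted_uids could modify this inode."""
    reasons = []
    if st.st_uid not in trusted_uids:
        reasons.append(f"owned by uid {st.st_uid}")
    if st.st_mode & stat.S_IWGRP:
        reasons.append("group-writable")
    if st.st_mode & stat.S_IWOTH:
        reasons.append("world-writable")
    return reasons


def audit_script_dir(directory, trusted_uids=(0,)):
    """Audit a directory whose *.py files are executed by a privileged job.

    The directory itself is checked first: write access to it lets a user
    add or replace scripts even when every existing file is root-owned.
    """
    names = sorted(n for n in os.listdir(directory) if n.endswith(".py"))
    findings = {}
    for path in [directory] + [os.path.join(directory, n) for n in names]:
        # lstat: report a symlink itself rather than trusting its target
        why = weaknesses(os.lstat(path), trusted_uids)
        if why:
            findings[path] = why
    return findings


if __name__ == "__main__":
    # Constructed layout standing in for a script directory; on a real host,
    # run as root against the actual path with the default trusted_uids=(0,).
    demo = tempfile.mkdtemp()
    script = os.path.join(demo, "job.py")  # hypothetical file name
    open(script, "w").close()
    os.chmod(script, 0o644)
    os.chmod(demo, 0o777)  # the misconfiguration: anyone can drop files here
    for path, why in audit_script_dir(demo, (os.getuid(),)).items():
        print(path, "->", ", ".join(why))
```

Any finding on the directory or its scripts means the job should be moved to a root-owned, root-writable location or run as the owning user instead of root.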
If you enjoyed my writeup or found it useful, consider checking out my GitHub or my HackTheBox profile.