Bashed writeup HTB

Bashed

An easy machine consisting of finding a hidden web shell on the server followed by exploiting a running process to get access to root.

Discovery

Apache web server

No obvious exploitable versions or vectors of attack, so let’s look for some hidden pages or directories of this website we might have access to, using the tool gobuster:

dir is the mode, -u is the target URL, -w is the wordlist we’re using and -t is the number of threads.

/uploads, /php and /dev are of particular interest. Visiting them gives:

It looks like we don’t have access to the uploads directory. There is a PHP file inside the php directory, but it’s useless. Visiting the dev directory proves to be more valuable:

Clicking on the PHP file to see its contents:

Hmm. OK. Why is there a web shell on the server accessible to anybody? A web shell is a shell accessed through the browser; we can execute commands here just like in a normal shell. We can also read the first flag:

Transferring the shell

I’ll try to turn this web shell into a reverse shell, since switching to another user won’t be possible from the web shell. My first thought is to execute a reverse shell payload on the web shell (as a command) and set up a netcat listener, but that doesn’t work. Instead, I could probably upload a reverse shell script (a PHP file) to the server. I know that the web root of the server is /var/www/html, so anything uploaded there would be reachable at /revshellName.php (example: http://<IP>/yourRevshell.php). But we don’t have write access to this directory:

We can’t upload anything here. If only there were a directory we could upload our file to...

Oh, there is? How convenient. Remember the /uploads directory? It’s writable by everyone. Let’s upload our reverse shell there using the wget tool:

Start a Python HTTP server on your machine, in the directory containing the file, with for example: python -m SimpleHTTPServer 9001

Now, visiting http://<IP>/uploads/revshell.php will automatically trigger a reverse shell to the IP and port we specified in the code:

I’m using pentestmonkey’s reverse shell here, modifying the IP and port to match the listener I’ll start locally.

Shell as scriptmanager

Let’s see what commands we could possibly run as root or as other users (coming from Linpeas, I didn’t think we’d be able to execute commands as other users with the www-data user):

We can run any command we want as the scriptmanager user with no password needed. Let’s just spawn a shell with /bin/bash then:

The -p flag is needed because /bin/bash otherwise drops its effective privileges when it starts.

Privilege escalation

We do a little snooping around and find an unusual directory called scripts in the / directory. There are two files here: a Python script and a text file:

Let’s check what the Python script does:

The script writes the string testing 123! to a file called test.txt. I’m going to assume a process runs this script periodically, since it would otherwise be useless. Since the file it creates (test.txt) belongs to root, there’s a good chance that process also runs as root. We have write access to the Python file, so let’s test this theory:

It looks like we were right! We modified the Python file to execute the command “touch testing.txt” and the file was created a few seconds later. There are a lot of ways to get root access from here (a reverse shell, directly reading the root flag, etc.), but my favorite is to make /bin/bash (belonging to root) executable by every user:

Here are the processes running in the background (this is the output of pspy64, a tool that monitors the processes running on the machine):
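The root cause of this privilege escalation is a script executed by a root-owned scheduled job that an unprivileged user can modify. As an added example (not part of the original writeup or of the box), here is a small Python audit that flags such scripts when the file is group/other-writable, owned by an untrusted uid, a symlink, or sits in a world-writable directory without the sticky bit. The demo builds a constructed temporary layout that mirrors /scripts/test.py; since we cannot create root-owned files, it treats our own uid as the trusted one.

```python
import os
import stat
import tempfile

def audit_script(path, trusted_uids=(0,)):
    """Reasons why a script run by a privileged job (cron, systemd timer) could be tampered with."""
    reasons = []
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        reasons.append("symlink: its target can be swapped")
        st = os.stat(path)
    if st.st_uid not in trusted_uids:
        reasons.append("owned by untrusted uid %d" % st.st_uid)
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        reasons.append("mode %o lets group/other write the file" % (st.st_mode & 0o777))
    # A world-writable parent without the sticky bit lets anyone delete and
    # recreate the script, even if the file itself is read-only to them.
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    if (parent.st_mode & stat.S_IWOTH) and not (parent.st_mode & stat.S_ISVTX):
        reasons.append("parent dir mode %o is world-writable without sticky bit"
                       % (parent.st_mode & 0o777))
    return reasons

def audit_scripts(paths, trusted_uids=(0,)):
    """Map each path to its findings, keeping only scripts that have some (Python 3.8+)."""
    return {p: r for p in paths if (r := audit_script(p, trusted_uids))}

def demo():
    """Constructed layout (hypothetical, not from the box): a safe script, a
    world-writable script like /scripts/test.py, and a read-only script in a 777 dir."""
    root = tempfile.mkdtemp()
    open_dir = os.path.join(root, "open")
    os.mkdir(open_dir)
    layout = {"safe.py": 0o644, "test.py": 0o666, "open/job.py": 0o644}
    for rel, mode in layout.items():
        full = os.path.join(root, rel)
        with open(full, "w") as f:
            f.write("open('test.txt', 'w').write('testing 123!')\n")
        os.chmod(full, mode)
    os.chmod(root, 0o755)
    os.chmod(open_dir, 0o777)
    # We cannot create root-owned files here, so our own uid stands in for root.
    found = audit_scripts([os.path.join(root, r) for r in layout],
                          trusted_uids=(os.getuid(),))
    return {os.path.relpath(p, root): r for p, r in found.items()}
```

Run against real paths (for example the scripts referenced in /etc/crontab and /etc/cron.d), the same function would have flagged /scripts/test.py on this box.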