Let's talk a little about this box. On this HTB machine we will see that only one port is open, the HTTP one, so we will fire up DirBuster to find the different files and directories on that website. That will lead us to the phpbash file, from which we get code execution. After getting the reverse shell we will enumerate further and find a way to escalate privileges and become root. This time I have made two videos: the first one is about getting our first reverse shell on the box and the second one is about how we escalate privileges. Hope you guys enjoy it. Last but not least, I have uploaded some files from which you can learn about bash scripting, Python, and how cron jobs work.
TenTen BOX WALKTHROUGH
About this machine
- Machine Name: Bashed
- Machine Architecture : Linux
- Machine creator: Arrexel
- IP address: 10.10.10.68
- User owned: 6334
- User rooted: 4218
- Points: 20
- As always you must have the hacker's mindset to approach different vulnerabilities.
- This time you need a little bit of knowledge about bash and Python.
- You must know how to use DirBuster or any other tool for finding different folders and files.
- You must know how to use NMAP for scanning ports.
- If you know bash then it will be a plus point.
- Different approaches
- Try Harder mindset
[Disclaimer : That’s all you need, Now let’s try to Pentest this machine.]
So, first we need to scan for the open ports. Let’s do it.
We will use three of nmap's options, i.e. -sS, -sV and -sC. You must be wondering what these are. Actually they are nothing special, just scanning options. I really want you all to read the man page of nmap; from there you can understand what these options are used for. Let me just point them out simply.
- -sS: TCP SYN scan. You also need root privileges to use this option, I believe.
- -sV: Probe open ports to determine their service and version information.
- -sC: Run the default NSE nmap scripts. To know what NSE scripts are, read this article: [Chapter 9. Nmap Scripting Engine]. Just read about it and you will understand.
- -Pn: Treat all hosts as online, no matter what. It is good practice to use it when host discovery probes (ping) are being filtered.
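To make the -sV output usable outside a screenshot, here is a small parser for nmap's greppable (-oG) format. This is an added example, not code from the original walkthrough; the sample line below is constructed to look like what "nmap -sS -sV -sC -Pn -oG - 10.10.10.68" would print for this box and was not captured from the real scan.

```python
# Constructed -oG "Host:" line (not captured from the real scan). In this format the
# Ports field holds comma-separated entries of the form
# port/state/protocol/owner/service/rpc/version
SAMPLE_GNMAP = (
    "Host: 10.10.10.68 ()\tPorts: 80/open/tcp//http//Apache httpd 2.4.18 ((Ubuntu))/"
    "\tIgnored State: closed (999)"
)


def parse_gnmap_line(line):
    """Return (host, [port dicts]) for one greppable 'Host:' line.

    Fields are tab-separated "Name: value" pairs; only the first ": " is used as
    the separator so version strings containing colons are preserved.
    """
    fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
    host = fields.get("Host", "").split(" ", 1)[0]
    ports = []
    for entry in fields.get("Ports", "").split(", "):
        parts = entry.split("/")
        if len(parts) < 7 or not parts[0].isdigit():
            continue
        ports.append({
            "port": int(parts[0]),
            "state": parts[1],
            "proto": parts[2],
            "service": parts[4],
            "version": parts[6],
        })
    return host, ports


def open_ports(line):
    """Just the open port numbers, which is what the walkthrough reads off the screenshot."""
    _, ports = parse_gnmap_line(line)
    return sorted(p["port"] for p in ports if p["state"] == "open")


def unexpected_exposure(line, allowed):
    """Open ports that are not in the set a host is supposed to expose (defender's view)."""
    return [p for p in open_ports(line) if p not in allowed]


if __name__ == "__main__":
    host, ports = parse_gnmap_line(SAMPLE_GNMAP)
    print(host, ports)
    print("open:", open_ports(SAMPLE_GNMAP))
    print("unexpected:", unexpected_exposure(SAMPLE_GNMAP, allowed={80}))
```

Run it against a real file with one call per line of "nmap -oG scan.gnmap" output; lines that start with "#" carry no "Host:" field and simply yield no ports.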
The scan is completed, as you can see in the above screenshot. So, as you all can see, only port 80 is open.
Understanding Nmap output
So we have only two open ports; now let's try to understand the output.
Version: Apache httpd 2.4.18
Let's check what it really looks like.
It seems like it's working perfectly. Anyway, let's start enumerating the box.
Low Level Exploitation
The very first thing that I always do is check the page source and the robots.txt file.
So here it is,
I don't know if you are able to see it or not, but there is nothing interesting here.
So, let's start our favorite tool, DirBuster, for finding directories. If you don't know what it is then let me tell you.
In the Target URL option you need to enter the address of the website; here in our case it is 10.10.10.48. Under Number of Threads I have increased it to 54 to speed up the process, and under the wordlist option you need to specify the directory list; I used the medium one that DirBuster comes with. Give the file extension according to your need; php is just fine for me here. Let's start our DirBuster.
So as you can see we got too many folders and some php files. So, I have just exported the result to a text file. Here it is:
DirBuster 1.0-RC1 – Report
Report produced on Mon Apr 30 02:48:56 EDT 2018
Directories found during testing:
Dirs found with a 200 response:
Dirs found with a 403 response:
Files found during testing:
Files found with a 200 responce:
Let's check that php directory.
There is one php file, "sendMail.php". Let's check the /dev directory now.
Okay, so here are also some directories. Let's try to open phpbash.php.
Okay, so it looks like a terminal running bash. So now we can execute commands.
Amazing, let's try to get a reverse shell on this box.
Now we finally got our first low-hanging-fruit reverse shell on this machine.
So, finally we got our low-privilege foothold on this box.
So now we need to escalate privileges to become "root". On this box I am going to show you three different methods of privilege escalation.
www-data@bashed:/home/arrexel$ cat /etc/issue
Ubuntu 16.04.2 LTS \n \l
Okay, so this is an Ubuntu box running version Ubuntu 9.10. Great. Now let's check which directories are world-writable and which files are setuid, i.e. files with root privileges which we can probably read, write and execute, with the following commands.
www-data@bashed:/home/arrexel$ find / -perm -222 -type d 2>/dev/null
/var/www/html/uploads
/var/tmp
/var/lib/php/sessions
/run/lock
/tmp
/tmp/.Test-unix
/tmp/.font-unix
/tmp/.XIM-unix
/tmp/VMwareDnD
/tmp/.ICE-unix
/tmp/.X11-unix
/dev/mqueue
/dev/shm
www-data@bashed:/home/arrexel$ find / -perm -4000 2>/dev/null
/bin/mount
/bin/fusermount
/bin/su
/bin/umount
/bin/ping6
/bin/ntfs-3g
/bin/ping
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/sudo
/usr/bin/chfn
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/vmware-user-suid-wrapper
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
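The two find commands above are the manual version of a check an administrator can run on a schedule: list world-writable directories (ignoring sticky-bit ones like /tmp, where users cannot touch each other's files) and compare the setuid binaries against a known baseline. The following script is an added example and not part of the original walkthrough; the baseline set is taken from the listing above, and demo() builds a constructed directory tree in a temp dir rather than scanning the real filesystem.

```python
import os
import stat
import tempfile

# Setuid binaries that the "find / -perm -4000" listing above showed on this stock
# Ubuntu 16.04 host. Anything outside this baseline deserves a closer look.
BASELINE_SETUID = {
    "/bin/mount", "/bin/fusermount", "/bin/su", "/bin/umount", "/bin/ping6",
    "/bin/ntfs-3g", "/bin/ping", "/usr/bin/chsh", "/usr/bin/newgrp",
    "/usr/bin/sudo", "/usr/bin/chfn", "/usr/bin/passwd", "/usr/bin/gpasswd",
    "/usr/bin/vmware-user-suid-wrapper",
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
    "/usr/lib/eject/dmcrypt-get-device", "/usr/lib/openssh/ssh-keysign",
}


def audit_tree(root):
    """Walk `root` and return (world_writable_dirs, setuid_files), both sorted.

    Directories with the sticky bit set (like /tmp) are skipped: they are meant
    to be world-writable, and the sticky bit stops users from replacing each
    other's files there. Symlinks are not followed (lstat).
    """
    world_writable_dirs = []
    setuid_files = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if (stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_IWOTH
                    and not st.st_mode & stat.S_ISVTX):
                world_writable_dirs.append(path)
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                setuid_files.append(path)
    return sorted(world_writable_dirs), sorted(setuid_files)


def unexpected_setuid(setuid_files, baseline=BASELINE_SETUID):
    """Setuid files that are not part of the known-good baseline."""
    return sorted(p for p in setuid_files if p not in baseline)


def demo():
    """Audit a constructed tree: one open upload dir, one sticky tmp dir, one setuid file."""
    root = tempfile.mkdtemp(prefix="audit-demo-")
    open_dir = os.path.join(root, "uploads")
    os.mkdir(open_dir)
    os.chmod(open_dir, 0o777)      # world-writable, no sticky bit: reported
    scratch = os.path.join(root, "tmp")
    os.mkdir(scratch)
    os.chmod(scratch, 0o1777)      # world-writable but sticky: skipped
    helper = os.path.join(root, "helper")
    with open(helper, "w") as fh:
        fh.write("#!/bin/sh\n")
    os.chmod(helper, 0o4755)       # the owner may set setuid on their own file
    dirs, suids = audit_tree(root)
    return {
        "world_writable_dirs": dirs,
        "setuid_files": suids,
        "unexpected": unexpected_setuid(suids),
        "open_dir": open_dir,
        "helper": helper,
        # some filesystems silently drop the setuid bit; record whether it stuck
        "suid_set": bool(os.lstat(helper).st_mode & stat.S_ISUID),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run audit_tree("/") as root for a whole-host check; the interesting output is what unexpected_setuid returns, not the full list, since a stock install has a dozen or so legitimate setuid binaries.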
Nothing seems interesting here. So now let's try "sudo -l" to list the allowed (and forbidden) commands for the invoking user (or the user specified by the -U option) on the current host. A longer list format is used if this option is specified multiple times and the security policy supports a verbose output format.
So, we can sudo to the scriptmanager user without any password. Let's do it.
Amazing, now we are no longer www-data. Let's start our enumeration from the root directory "/" now.
If you have Linux as your primary operating system then you will notice the "/scripts" directory is suspicious: it does not come with Linux by default. So, let's check which files and directories are inside that folder.
We have two files: test.py and test.txt. Let's check what is written in test.py.
Okay, so it is a simple Python script which opens the file test.txt in write mode, writes "testing 123!" into it and then closes the file. If you look at the above screenshot again you will see test.txt was created 00:42 minutes ago, which means a cron job is probably running every minute.
Here is the proof that it runs every minute. Now we know that whatever is inside test.py will be executed as root. So now we can rewrite test.py and put in our Python reverse shell.
Amazing, we finally escalated privileges.
We have pwned the machine. Hope you liked it. Please let me know if I have made any mistake.
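The root cause here is a root cron job that runs a script which a non-root user can rewrite. The check an administrator wants is mechanical: for every system crontab entry that runs as root, confirm the script and its directory are owned by a trusted uid and are not group- or world-writable. The script below is an added example, not code from the original walkthrough; the crontab text and the stand-in for test.py are constructed in a temp dir, and demo() treats the current uid as trusted so that only the permission findings show (on a real host keep the default of uid 0).

```python
import os
import stat
import tempfile


def parse_system_crontab(text):
    """Return (schedule, user, command) tuples from /etc/crontab-style text.

    Unlike per-user crontabs, the system crontab has a user field after the five
    schedule fields. Blank lines, comments and VAR=value lines are skipped;
    @reboot-style shortcuts are not handled by this example.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 6)
        if len(parts) < 7 or "=" in parts[0]:
            continue
        entries.append((" ".join(parts[:5]), parts[5], parts[6]))
    return entries


def absolute_paths(command):
    """Absolute paths referenced by a cron command, e.g. the script it runs."""
    return [tok for tok in command.split() if tok.startswith("/")]


def check_writable(path, what, trusted_uids):
    """Problems that let an untrusted user change what root is about to execute."""
    st = os.stat(path)
    problems = []
    if st.st_uid not in trusted_uids:
        problems.append(f"{what} is owned by uid {st.st_uid}, which is not trusted")
    if st.st_mode & stat.S_IWGRP:
        problems.append(f"{what} is group-writable")
    if st.st_mode & stat.S_IWOTH:
        problems.append(f"{what} is world-writable")
    return problems


def audit_crontab(text, trusted_uids=frozenset({0})):
    """Findings for every root entry whose script (or its directory) is modifiable."""
    findings = []
    for schedule, user, command in parse_system_crontab(text):
        if user != "root":
            continue
        for path in absolute_paths(command):
            if not os.path.exists(path):
                continue
            problems = check_writable(path, "script", trusted_uids)
            problems += check_writable(os.path.dirname(path), "script directory",
                                       trusted_uids)
            if problems:
                findings.append({"schedule": schedule, "path": path,
                                 "problems": problems})
    return findings


def demo():
    """Constructed setup: a root cron entry pointing at a script anyone can edit."""
    root = tempfile.mkdtemp(prefix="cron-audit-")
    scripts = os.path.join(root, "scripts")
    os.mkdir(scripts)
    os.chmod(scripts, 0o775)       # group members can add or replace files here
    script = os.path.join(scripts, "test.py")
    with open(script, "w") as fh:  # stand-in for the test.py the walkthrough describes
        fh.write("f = open('test.txt', 'w')\nf.write('testing 123!')\nf.close()\n")
    os.chmod(script, 0o666)        # anyone can rewrite what root will run
    crontab = (
        "# constructed /etc/crontab excerpt\n"
        "SHELL=/bin/sh\n"
        "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\n"
        f"* * * * * root python {script}\n"
    )
    # Current uid counts as trusted here so only the mode bits are reported.
    return audit_crontab(crontab, trusted_uids=frozenset({os.getuid()}))


if __name__ == "__main__":
    for finding in demo():
        print(finding["schedule"], finding["path"])
        for problem in finding["problems"]:
            print("  -", problem)
```

The fix on the box side is the mirror image of the findings: the script and /scripts should be owned by root with mode 0755 or tighter, so a scriptmanager-level account cannot change what the root cron job executes.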