Bashed
Last updated
Last updated
🔗 Bashed
🎯 Target IP: 10.129.236.215
Create a directory on the Desktop with the machine's name, and inside this directory, create another directory to store the materials and outputs needed to run the machine, including the scans made with nmap.
I prefer to start recon by pinging the target, this allows us to check connectivity and get OS info.
Sending these three ICMP packets, we see that the Time To Live (TTL) is ~64 secs. this indicates that the target should be a *nix system, while Windows systems usually have a TTL of 128 secs.
| command | result |
|---|---|
sS | SynScan |
sC | run default scripts |
sV | enumerate versions |
A | aggressive mode |
T4 | run a bit faster |
oN | output to file with nmap formatting |
It looks like there's 1 open TCP port on the machine: 80
1
Now, we take more precise scan utilizing -sCV flags to retrieve versioning services and test common scripts.
Browsing webserver on port 80 via browser, that contains a web php bash.
Analyzing source code we don't found nothing of interesting, than we can discover more info about website using whatweb and do directory enumeration using gobuster.
Very good, we've found interisting web dir such as /dev and /uploads, exploring them we can answer at our question.
/dev
The /dev directory contains two php webshell, more probably phpbash.min.php is a minimal bash or beta version while phpbash.php is full version.
In both cases, we immediately observe that the user in use is the same.
www-data
Navigating into file system is more simple discover users home directories and arrexel user's flag.
Using sudo -l we can see that www-data can run all commands on bashed as a user scriptmanager.
scriptmanager
Going into root dir / we can launch ls -l and see all permissions regarding directories.
/scripts
"Every couple minutes" is an hint to understand possibile route.
But, we decide to give a reverse shell on our attacker machine to optimize our work, to do it we need to make us in listening mode using netcat nc -lvnp 1339 and execute a python script on web shell.
Remembering the question's hint and the last task, where only the scriptmanager can access the /scripts folder, we can access it as the scriptmanager user spawning a a bash shell
Trying to use sudo -l commands, the system asks us for a password that we don't know.
Now, we've permissions access to /scripts dir, where we found two files:
Additionally, the program test.py appears to be scheduled to execute almost every minute, based on the last access time of test.txt. From this, we can infer that there may be a cron job owned by root that automatically runs test.py every minute. We can confirm this by renaming test.txt (e.g., to test.txt.old) and observing that a new test.txt file is created after a minute or so."
This is useful because we can modify the contents of test.py to include reverse shell code, which would then execute with root privileges.
Next, let's create a new file named test.py on our Kali box and insert the same reverse shell code we used earlier. We'll then transfer this file to the target 'Bashed' machine.
test.py
Immediately before or at least within two minutes we listen with netcat on the attacker machine, and we obtain a shell with root permissions.
