BASHED

Burak Dirlik


Bashed is a retired HTB machine; we will gain access to this machine and upgrade our privileges. All we know is the IP address 10.129.137.186.

Let's start by going to 10.129.137.186 in a web browser. As we see, there is phpbash and we have a GitHub link. This repo belongs to the PHP shell that we will find in the following steps. This is a clue given at the beginning.

Let's do some enumeration, starting with a normal nmap scan.

nmap -sC -sV -Pn 10.129.8.2

Now, instead of fuzzing here, let's try to do this with an nmap script.

nmap --script=http-enum -p 80 10.129.8.203

As we see, we were able to extract some directories with the http-enum script.

But I'm also running dirsearch to verify the Nmap results and to extract some more directories.

dirsearch -u 10.129.8.203 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e php,html,txt

We browse the directories one by one and see that there is something in the dev directory: PHP files that contain a simple shell.

While browsing the directories from that shell we see the user flag in the /home/arrexel directory.

Since the shell in the browser is awkward to work with, I decided to proceed from my Kali terminal with a reverse shell. I listen on port 55555 with netcat, then run the reverse shell, and the shell is transferred to our Kali machine.

Instead of working through the browser, we can also send the reverse shell code with curl; the goal is the same, I just tried it with curl as another way of getting a useful shell. But we need to know the body of the POST request sent by the browser, so I open the Burp proxy and intercept the request below, which belongs to the reverse shell code sent from the browser. We got the POST body: it starts with the cmd parameter, and I adapt it to curl.
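From the defender's side, the same traffic is the signal: every command sent to the browser shell, whether from the browser or from curl, is a POST to the PHP file in the dev directory. The following detector, added here and not part of the original write-up, parses combined-format access logs and flags loads of, and command POSTs to, a known web-shell path, and separately flags POSTs whose User-Agent is a scripted client such as curl. The shell file names, client IPs and log lines are constructed for the example; the path list is assumed to come from a web-root inventory.

```python
"""Detect use of a browser web shell from combined-format access logs.

Added example (not part of the original write-up). It models the activity
described above: a PHP shell under /dev/ is driven first from a browser and
then with curl, each command arriving as a POST carrying a 'cmd' parameter.
The shell paths, client IPs and log lines are constructed for this example.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed: the defender already knows which files are unintended shells (from a
# web-root inventory or file-integrity monitoring); these names are placeholders.
WEB_SHELL_PATHS = {"/dev/phpbash.php", "/dev/phpbash.min.php"}
# User-Agent prefixes of scripted clients: driving the shell with curl instead
# of a browser is the step the write-up takes after the initial browser access.
SCRIPTED_CLIENTS = ("curl/", "python-requests/", "Wget/")


@dataclass(frozen=True)
class Alert:
    ip: str
    path: str
    reason: str


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def analyse(lines):
    """Return one Alert per suspicious request, in log order."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]   # drop any query string
        if path not in WEB_SHELL_PATHS:
            continue
        if rec["method"] == "POST":
            alerts.append(Alert(rec["ip"], path, "command POST to web shell"))
            if rec["ua"].startswith(SCRIPTED_CLIENTS):
                alerts.append(Alert(rec["ip"], path, "web shell driven by scripted client"))
        else:
            alerts.append(Alert(rec["ip"], path, "web shell page loaded"))
    return alerts


def offenders(alerts):
    """Count alerts per client IP, most active first."""
    return Counter(a.ip for a in alerts).most_common()


# Constructed sample: one browser session, then the same client switching to curl.
SAMPLE_LOG = [
    '10.10.14.5 - - [10/Mar/2024:12:00:01 +0000] "GET /dev/ HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
    '10.10.14.5 - - [10/Mar/2024:12:00:04 +0000] "GET /dev/phpbash.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '10.10.14.5 - - [10/Mar/2024:12:00:09 +0000] "POST /dev/phpbash.php HTTP/1.1" 200 88 "http://example.test/dev/phpbash.php" "Mozilla/5.0"',
    '10.10.14.5 - - [10/Mar/2024:12:01:30 +0000] "POST /dev/phpbash.php HTTP/1.1" 200 0 "-" "curl/7.88.1"',
    '203.0.113.9 - - [10/Mar/2024:12:02:00 +0000] "GET /index.html HTTP/1.1" 200 7743 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for a in analyse(SAMPLE_LOG):
        print(f"{a.ip} {a.path} {a.reason}")
    print(offenders(analyse(SAMPLE_LOG)))
```

Access logs never carry the POST body, so the `cmd` parameter itself is only visible in the intercepted request; the log-based rule therefore keys on the path and method, and the User-Agent check is a secondary signal, since a scripted client can set any User-Agent it likes.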

Now we will upgrade our shell. With the sudo -l command we see that we can run commands as scriptmanager without a password.

Let's do some more enumeration. The ls -la command shows us a "scripts" directory owned by the scriptmanager user.

We change user to scriptmanager, go to the scripts directory and see what is happening there.

In the scripts directory we have read, write and execute privileges. Here we see a simple Python script that produces a test.txt file, and when we look at the last access time of this file, it is very recent. There is a cron job set by root.

We will change test.py, add a reverse shell into it, and open netcat. After that we wait 1–2 minutes. Since test.py is run by a root cron job, when root calls it the shell is dropped into the netcat listener with root privileges, and that's all.
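The root cause here is a root cron job that executes a script owned by (and in a directory owned by) a less privileged user. The audit below, added as an example and not part of the original write-up, parses /etc/crontab-style entries, takes every absolute path in each root entry's command, and reports any path or parent directory that is not owned by root or is group/world-writable. The crontab text and the ownership table are constructed (uid 1001 stands in for scriptmanager); `audit()` takes a stat function so the same logic runs against the real filesystem via `os.stat`.

```python
"""Audit root cron jobs whose scripts a non-root user can modify.

Added example, not part of the original write-up. It checks for the
misconfiguration exploited above: a cron entry runs a script as root while the
script (or its directory) is owned by another user or is group/world-writable.
The crontab text and the file ownership/mode table below are constructed; on a
real host you would call audit() with the default os.stat-based lookup.
"""
import os
import shlex
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    entry: str
    path: str
    reason: str


def parse_system_crontab(text):
    """Yield (user, command, raw_line) from /etc/crontab or /etc/cron.d files:
    five schedule fields (or one @-alias), then the user, then the command."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue                      # blank, comment or VAR=value line
        if line.startswith("@"):
            parts = line.split(None, 2)
            if len(parts) == 3:
                yield parts[1], parts[2], raw
            continue
        parts = line.split(None, 6)
        if len(parts) == 7:
            yield parts[5], parts[6], raw


def absolute_paths(command):
    """Every absolute path mentioned in the command (interpreter, script, args)."""
    try:
        tokens = shlex.split(command)
    except ValueError:                    # unbalanced quotes: skip rather than guess
        return []
    return [t for t in tokens if t.startswith("/")]


def os_stat(path):
    st = os.stat(path)
    return st.st_uid, st.st_mode


def audit(crontab_text, stat_fn=os_stat):
    """Return a Finding for each path in a root cron entry that is not owned by
    root or is group/world-writable, including each path's parent directory
    (a writable directory lets the file be replaced even if the file is not)."""
    findings = []
    for user, command, raw in parse_system_crontab(crontab_text):
        if user != "root":
            continue
        checked = set()
        for p in absolute_paths(command):
            for target in (p, os.path.dirname(p)):
                if target in checked:
                    continue
                checked.add(target)
                try:
                    uid, mode = stat_fn(target)
                except FileNotFoundError:
                    findings.append(Finding(raw, target, "does not exist"))
                    continue
                if uid != 0:
                    findings.append(Finding(raw, target, f"owned by uid {uid}, not root"))
                elif mode & (stat.S_IWGRP | stat.S_IWOTH):
                    findings.append(Finding(raw, target, "group- or world-writable"))
    return findings


# --- constructed sample data -------------------------------------------------
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user  command
17 *  * * *  root  cd / && run-parts --report /etc/cron.hourly
*  *  * * *  root  /usr/bin/python3 /scripts/test.py
*/5 * * * *  root  /usr/local/bin/backup.sh
0 3   * * *  scriptmanager  /scripts/cleanup.py
"""

# (uid, st_mode) per path; uid 1001 stands in for scriptmanager.
FAKE_FS = {
    "/": (0, 0o40755),
    "/etc": (0, 0o40755),
    "/etc/cron.hourly": (0, 0o40755),
    "/usr/bin": (0, 0o40755),
    "/usr/bin/python3": (0, 0o100755),
    "/scripts": (1001, 0o40755),           # directory owned by scriptmanager
    "/scripts/test.py": (1001, 0o100755),  # script owned by scriptmanager
    "/usr/local/bin": (0, 0o40775),        # root-owned but group-writable
    "/usr/local/bin/backup.sh": (0, 0o100755),
}


def fake_stat(path):
    if path not in FAKE_FS:
        raise FileNotFoundError(path)
    return FAKE_FS[path]


if __name__ == "__main__":
    for f in audit(SAMPLE_CRONTAB, fake_stat):
        print(f"{f.path}: {f.reason}\n    in: {f.entry}")
```

On the constructed data the audit reports /scripts/test.py and /scripts (owned by uid 1001) and /usr/local/bin (group-writable), while the scriptmanager entry is ignored because it does not run as root. The fix in each case is the same: root-owned, non-group/world-writable script and directory, or run the job as the user who owns the script.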

And this is the summary: we already had a shell in the browser; we transferred that shell to our Kali machine to work more comfortably; through enumeration we found a Python program, owned by scriptmanager, that is called by a cron job run by root; we added a reverse shell to it, opened a netcat listener and waited, and after 1–2 minutes we got root.
