Thursday, March 21, 2019
Bashed
BASHED
- Layout for this exercise:
1 - INTRODUCTION
- The goal of this exercise is to develop a hacking process for the vulnerable machine Bashed, what is a retired machine from the Hack The Box pentesting platform:
https://www.hackthebox.eu
2 - ENUMERATION
- Bashed's IP is 10.10.10.68:
- Scanning with Nmap the only open port is 80:
- Scanning deeper the port 80:
- Connecting with the browser:
- Dirbusting:
- Checking the folder /dev we find two PHP scripts:
- Clicking either phpbash.php or phpbash.min.php the result is a PHP bash:
- Looking for more content:
- Good news are that Netcat is available:
3 - EXPLOITATION
- Msfvenom helps creating an exploit called myshell.php:
- Uploading myshell.php from Kali to Bashed:
- Setting up a Meterpreter listener session:
- Running myshell.php from the browser:
- The exploitation is successful and we get a Meterpreter session:
- Spawning a shell and improving it:
4 - CAPTURING THE 1st FLAG
- Reading user.txt:
5 - PRIVILEGE ESCALATION
- Let's try two ways for achieving Privilege Escalation
5.1 - Exploiting the kernel
- Checking the Ubuntu release version:
- Kernel exploit for this operating system:
- Copying the exploit poc.c to Kali and compiling it according to the instructions:
- Transferring the binary pwn from Kali to Bashed:
- Giving execution permissions:
- Running pwn we eventually get a remote root shell:
5.2 - Sudoer privileges
- The current user is www-data:
- Sudoer privileges for www-data allows to run all commands as the scriptmanager user:
- Listing content inside folder /scriptmanager:
- Listing content of / there is a folder called scripts:
- User www-data cannot access directly the contents of folder scripts:
- However www-data can use his sudoer privileges to open scripts:
- Reading test.py and test.txt:
- At this point of the exploitation process the strategy will be to replace test.py with some exploitation code, for instance:
- Transferring myexploit.py to Bashed:
- Copying myexploit.py over test.py:
- Setting a Netcat listener session on Kali's port 5555:
- After some seconds a remote root shell is successfully achieved:
6 - CAPTURING THE 2nd FLAG
- Reading root.txt: