[Write-up]: Bashed Machine On Hackthebox


Hi everybody, here we go again :)
First, I’d like to say that I have started a GitHub repo for OSCP exam preparation that contains useful resources and should be followed step by step during preparation. Feel free to add resources to this repo.

For OSCP preparation, there are 29 OSCP-like Linux machines on HackTheBox, as defined by JKNull. You can find them here. Today, I will walk through the Bashed machine (Difficulty: Easy).

As usual, we start with an nmap scan to identify open ports.

Nmap Scanning

nmap -sV -sC -T4 <your-machine-ip>

The nmap result shows 2 open ports: 80 and 2035.

Nmap Result

When we visit the website on port 80, the following page welcomes us. From the information on the site and its GitHub repo, we learn that phpbash.php provides a shell on the web server. However, the phpbash.php file doesn’t exist in http://<machine-ip>/uploads. For more enumeration, we can use gobuster for directory scanning.


Gobuster Directory Scanning

gobuster dir -u <url> -w <word_list>


The gobuster result shows that the http://<machine-ip>/dev directory contains phpbash.php and phpbash.min.php.


If we visit the http://<machine-ip>/dev/phpbash.php URL, we already have a low-privileged shell. However, in a real penetration test we should place our own shell on the system.


Getting Reverse Shell

To get a reverse shell, we can download the PentestMonkey PHP file, set the $ip and $port variables to our IP address and port number, then upload the PHP file to the tmp directory with the wget command.

If we run the following command, we obtain a shell on our machine.

php reverse_shell.php

Note that we can upgrade to an interactive shell with the following command:

python -c 'import pty; pty.spawn("/bin/bash")'


User Flag

Let’s find the user flag. When we go to the home directory, we can see that there are two user directories. The user.txt file is in the arrexel directory.


Privilege Escalation - Root Flag

First things first, I examined the output of the sudo -l command. As you can see, we can log in as the scriptmanager user without a password.


The following command allows us to switch to the scriptmanager user account.

sudo -u scriptmanager /bin/bash

After doing more enumeration, I found a scripts directory in the root directory. All directories there are owned by root except the scripts directory, which is owned by scriptmanager.


The scripts directory contains the test.py and test.txt files. One thing catches our attention: test.txt is being written as root!


The test.py file contains the following code, which creates the test.txt file and writes to it:

f = open("test.txt", "w")
f.write("testing 123!")

In fact, the script file is executed every minute by root via a cron job. The good point is that if we add reverse shell code to test.py, we get a shell when test.py is executed. On our Linux machine, we create a test.py file and paste the following Python code.

Note that the LPORT and LHOST parameters must be modified. We upload the test.py file the same way as the reverse_shell.php file. After uploading the script, we wait a minute for root to execute test.py. Then go to the root directory and get the root flag.
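
From the defender's side, the misconfiguration used above (root's cron job running a script inside a directory owned by scriptmanager) can be caught with a permission audit of every script root executes. The following is an added example, not part of the original write-up; the function names, the stop_at parameter and the choice to treat gid 0 as trusted are assumptions.

```python
import stat
import sys
from pathlib import Path


def weakness(st, trusted_uids=frozenset({0})):
    """Return why an untrusted user could alter this file or directory, or None."""
    if st.st_uid not in trusted_uids:
        return f"owned by uid {st.st_uid}"
    if st.st_mode & stat.S_IWOTH:
        # A sticky world-writable directory (like /tmp) does not let users
        # rename or delete entries that belong to someone else.
        if stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_ISVTX:
            return None
        return "world-writable"
    # Assumption: only the root group (gid 0) is trusted with write access.
    if st.st_mode & stat.S_IWGRP and st.st_gid != 0:
        return f"writable by gid {st.st_gid}"
    return None


def audit(script, trusted_uids=frozenset({0}), stop_at="/"):
    """Check a root-executed script and each parent directory up to stop_at.

    Write access to any parent directory is enough to replace the script,
    which is why the directory owner matters as much as the file owner.
    Returns a list of (path, reason) tuples; an empty list means no finding.
    """
    script = Path(script).resolve()
    stop = Path(stop_at).resolve()
    findings = []
    for p in [script, *script.parents]:
        reason = weakness(p.stat(), trusted_uids)
        if reason:
            findings.append((str(p), reason))
        if p == stop:
            break
    return findings


if __name__ == "__main__":
    # Usage: python audit.py <script run by root> [<another script> ...]
    for target in sys.argv[1:]:
        for path, reason in audit(target):
            print(f"{target}: {path} is {reason}")
```

Run it against each path referenced in root's crontab; any finding means a non-root account can change what root executes.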


See you in the next blog post!