[Write-up]: Bashed Machine On Hackthebox


Hi everybody, here we go again :)
Firstly, I’d like to say that I have started a GitHub repo for OSCP exam preparation that contains useful resources and should be followed step by step during preparation. Also, feel free to add any resources to this repo.

For OSCP preparation, there are 29 OSCP-like Linux machines in HackTheBox, as defined by JKNull. You can find the list here. Today, I will walk through the Bashed machine (Difficulty: Easy).

As usual, we start with an nmap scan to identify the open ports.

Nmap Scanning

    nmap -sV -sC -T4 <your-machine-ip>

From the nmap result, there are two open ports: 80 and 2035.


When we visit the web site on port 80, the following page welcomes us. Reading the information on this site and visiting the linked GitHub repo, we learn that the site gives you a shell via phpbash.php. However, the phpbash.php file doesn’t exist in http://<machine-ip>/uploads. For more enumeration, we can use gobuster for directory scanning.


Gobuster Directory Scanning

    gobuster dir -u <url> -w <word_list>


From the gobuster result, the http://<machine-ip>/dev directory includes phpbash.php and phpbash.min.php.


If we visit the http://<machine-ip>/dev/phpbash.php URL, we already have a low-privileged shell. However, we should place our own shell on the system, as we would in a real penetration test.


Getting Reverse Shell

To get a reverse shell, we can download the PentestMonkey PHP reverse shell, set our IP address and port number in the $ip and $port variables, then upload the PHP file to the target's tmp directory with wget.

If we run the following command on the target, we obtain a shell on our machine.

    php reverse_shell.php

Note that we can upgrade this shell to an interactive TTY with

    python -c 'import pty; pty.spawn("/bin/bash")'


User Flag

Let’s find the user flag. When we go to the home directory, we can see that there are two user directories. The user.txt file is in the arrexel directory.


Privilege Escalation - Root Flag

First things first, I examined the output of sudo -l. As you can see, we can switch to the scriptmanager user without a password.


The following command switches us to the scriptmanager user account.

    sudo -u scriptmanager /bin/bash

After more enumeration, I found a scripts directory in the root of the filesystem. All directories there are owned by root except for the scripts directory, which is owned by scriptmanager.


The scripts directory includes the test.py and test.txt files. One thing catches our attention: test.txt is owned by root, so something is running here as root!


test.py includes the following code, which creates test.txt and writes to it:

    # Open test.txt for writing (truncating it), write a marker string, then close it
    f = open("test.txt", "w")
    f.write("testing 123!")
    f.close()

In fact, the script is being executed every minute by root via a cron job. The good news is that if we add reverse shell code to test.py, we get a shell when test.py is executed. On our Linux machine, we create a test.py file and paste the following Python code.

Note that the LPORT and LHOST parameters must be modified. As you know, we upload test.py the same way as reverse_shell.php. After uploading the script, we wait a minute for root to execute test.py. Then go to the root directory and get the root flag.
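As a defender's counterpart to the cron misconfiguration above, here is an added audit script (not part of the original post or the box) that parses system crontab entries and flags every target whose file, or any parent directory, is owned by or writable to a user other than the job's owner. The crontab lines, the ownership table and uid 1001 for scriptmanager are constructed sample data; on a real host you would pass os.stat as the lookup.

```python
import re
import stat
from collections import namedtuple

# Stand-in for os.stat() results; a real run can pass os.stat as the lookup.
FakeStat = namedtuple("FakeStat", "st_uid st_mode")
PATH_RE = re.compile(r"(?<![\w.])/[\w./-]+")
# Constructed sample (not the box's real files); uid 1001 for scriptmanager is assumed.
SAMPLE_CRONTAB = """\
PATH=/usr/bin:/bin
* * * * * root python /scripts/test.py
0 3 * * * root /usr/local/bin/rotate-logs
"""
SAMPLE_FS = {
    "/scripts": FakeStat(1001, stat.S_IFDIR | 0o755),
    "/scripts/test.py": FakeStat(1001, stat.S_IFREG | 0o644),
    "/usr/local/bin/rotate-logs": FakeStat(0, stat.S_IFREG | 0o755),
}
SAMPLE_UIDS = {"root": 0, "scriptmanager": 1001}

def parse_system_crontab(text):
    """Return (user, command) pairs from /etc/crontab-style lines."""
    jobs = []
    for line in text.splitlines():
        fields = line.strip().split(None, 6)
        if len(fields) < 7 or fields[0].startswith("#") or "=" in fields[0]:
            continue  # blank, comment or VAR=value line
        jobs.append((fields[5], fields[6]))
    return jobs

def risky_components(path, lookup, run_uid=0):
    """List path components that a user other than run_uid could rewrite."""
    findings, p = [], path
    while True:  # check the file, then every parent directory up to '/'
        st = lookup(p)
        if st is not None and st.st_uid != run_uid:
            findings.append(f"{p} owned by uid {st.st_uid}")
        elif st is not None and st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"{p} is group/world writable")
        if p == "/":
            return findings
        p = p.rsplit("/", 1)[0] or "/"

def audit(crontab_text, fs, uids):
    """Map each cron target path to its findings; an empty dict means none."""
    report = {}
    for user, command in parse_system_crontab(crontab_text):
        for path in PATH_RE.findall(command):
            findings = risky_components(path, fs.get, uids.get(user, -1))
            if findings:
                report[path] = findings
    return report
```

Running audit on the sample reports /scripts/test.py twice over: the script itself and its parent /scripts are both owned by uid 1001, so either can be replaced before root's next run.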


See you in the next blog post!